AEPD (Spain) - EXP202102529

From GDPRhub
Revision as of 16:36, 9 January 2024 by Leoniebernicia (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202102529 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/e-12617-2021.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - EXP202102529
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(15) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Article 9 GDPR
Article 57(1)(a) GDPR
Article 57(1)(f) GDPR
Article 57(1)(h) GDPR
Article 58(1) GDPR
Article 5.1 Regulation (EU) 679/2016
Regulation (EU) 2016/679
Art 48.1 Organic Law 3/2018 of December 5 LOPDGDD
Art 63.2 of LOPDGDD
Article 47 Organic Law 3/2018 of December 5 LOPDGDD
Type: Complaint
Outcome: Rejected
Started: 26.08.2021
Decided:
Published: 11.04.2022
Fine: n/a
Parties: University of Navarra
Liberum Asociación
National Case Number/Name: EXP202102529
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

Complaint against the University of Navarro for a data breach involving the sharing of Covid-19 Vaccination Information with third parties. Student feels forced to share health data amidst e-mail from the University.

English Summary

Facts

A student handed in a complaint against the University of Navarra because they asked the students to fill in their vaccination status. The complainant understands this as a breach of the data protection regulation because it would access the students medical records. The grounds are based on an e-mail from the University of Navarra, in which it announces to collaborate with the Navarro Health Service in the Vaccination against COVID-19 and it asks the students to inform about their vaccination status. On October 26, 2021 the University of Navarra replied to the complaint that the students were not coerced to give the information, but they were given the possibility to do so. The University does not process the personal data of the students without their explicit consent. The consent would in no case be vitiated since no condition has been established that could nullify the correct will of the interested party to the processing. There is no measure contrary to the interests of those students who do not provide the information freely and voluntarily. The sole purpose of the communication made is to comply with the objective of the collaboration agreement reached with the Government of Navarra by virtue of the actions taken in its place against SARS-CoV-2 pandemic. The complaint filed was admitted for processing on November 24, 2021 in Accordance with Article 65 of the LOPDGDD. The collaboration was known to the public. There is a press release stating the fact that the University of Navarra should communicate the list of persons who are to receive the vaccine so that their identity can be recorded in the health databases. This is in compliance with a legal obligation in terms of prevention of legal risks. This is due to the severity of the pandemic. The form for acceptance of the data processing states that the compliance with the form is voluntary. The first field of the form is the request for consent. Furthermore it is added that the information provided will not be communicated to third parties unless the health authorities require it. This clause can also be accepted.

Holding

The Court does not consider that there is a violation of the provisions of the regulation in force regarding protection, and there is no substantive issue to support such an allegation. In accordance with the functions that Article 57 (1) a, f and h of Regulation (EU) 2016/679 GDPR confers to each supervisory authority and according to the provisions of Articles 47 and 48 (1) of LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions. In light of provisions (Article 4 (15) GDPR, Article 9 GDPR, Article 6 GDPR) the vaccination of a person against Covid-19 implies the provision of a health care service. Therefore the information about whether or not an identified natural person has received the Covid-19 vaccine is in the nature of personal data concerning health, falling within the category of special of sensitive data regulated in Article 9 GDPR. The task of the University was to provide the Navarra Health Department, Osasunbidea, with the lists of the people who were going to receive the vaccine so that they could be registered in the health database. The students that wanted to fill out the form on the vaccination were fully informed about the processing of the data, this is on the legal obligation to take care of the health of students in Article 7.1.n Royal Decree 1791/2010. It has not been possible to prove that the students were forced to provide information on their vaccination status. The transfer of data is completely voluntary and informed, requesting the consent of the person concerned and the data is (if even) only transferred to health authorities. No evidence has been found to prove the existence of an infringement within the competence of the Spanish Data Protection Agency. The interested parties may file an appeal.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/12








     File No.: EXP202102529



                  RESOLUTION OF FILE OF ACTIONS


Of the actions carried out by the Spanish Agency for Data Protection and te-
based on the following:


                                       FACTS

FIRST: LIBERUM ASOCIACIÓN (hereinafter, the complaining party), dated 26
August 2021, filed a claim with the Spanish Agency for the Protection of
Data. The claim is directed against the UNIVERSITY OF NAVARRA, with NIF

R3168001J (hereinafter, the accused party).

The reasons on which the claim is based are the following:

The complaining Association states that the University of Navarra has sent an email
email to his students in which he announces that said entity will collaborate with the

NAVARRO HEALTH SERVICE in the Vaccination against COVID-19, and requests
students to report their vaccination status, before 1
September 2021, which they understand represents a breach of regulations
of data protection, since it would be accessing the medical history of the
students and transferring vaccination data to third parties. He adds in his writing

claim the literal of the communication sent by the aforementioned University to the
students containing the following relevant paragraphs:
       “[…]
       The University of Navarra, in accordance with the provisions of article 7.1.n) of the
Royal Decree approving the University Student Statute, is

is obliged to provide its students with information and training on prevention
tion of risks and to have the means to guarantee their health and safety in the
development of their learning activities.

       Among the new measures, according to the health authorities in the year
exercise of its powers, the University of Navarra will collaborate in the Campaign

Vaccination against the virus.

       We inform you that the health authorities of Navarra have requested the
University that participates in the inoculation of the vaccine to its students. Said va-
crib will be delivered to the University by the Navarrese Health Service, responsible for the

Vaccination campaign.

       To facilitate your access to vaccination, we ask you to inform us of
your situation through the following link, before September 1, whether you already
You have been vaccinated, as if you are waiting to receive one or two doses.


       Vaccination will take place from the beginning of September. With character
Before the date, they will give you the information sheet drawn up by the authorities
in which they will inform you of the type and brand of vaccine that is offered to you and other

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12








issues related to the vaccination process.

       We remind you that for any questions related to Covid-19 and to co-

communicate positives and close contacts, you can contact the virtual medical office,
Covid area, through the email atencioncovid©unav.es or by calling (…).
       […]”

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in

hereinafter LOPDGDD), the complaint was sent to the accused party, so that they could
yield to its analysis and inform this Agency within a period of one month, of the actions
tions carried out to adapt to the requirements provided for in the regulations of
data protection.


The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Public Administrations
cas (hereinafter, LPACAP), was collected on October 4, 2021, as stated
in the acknowledgment of receipt in the file.

On October 26, 2021, this Agency received a written response indicating

when, in summary, the following:

       That the request for information made occurs in relation to the email
email sent to the students of the University through which they were informed
of the actions carried out to protect the health of workers and

students, as well as the collaboration between the Institution and the Navarro Service of
Salud-Osasunbidea (hereinafter, the “SNS-O”), in relation to the vaccination campaign-
tion against COVID-19. Likewise, and in response to the requests made by the
SNS-O, in said email the University offered the student the possibility of reporting
your vaccination status.


       They add that in no way can it be asserted that the
students to provide information about their vaccination status since it is
clearly indicates that it is a request that is made regarding the situation
vaccination with the sole purpose of facilitating the tasks carried out by the SNS-
Or, in the fight against the pandemic suffered, due to the universal spread of the

SARS-CoV-2 and its catastrophic effects on health. And all this based on the agreement
reached with the Government of Navarra. Furthermore, they state that it has been manipulated
the information found in the statement.

       They continue to indicate that the basis that would legitimize the processing of data

personal nature that could be carried out would be the consent of the students.
tes. Consent that in no case would be found vitiated by not having established
ceded no condition that could nullify the correct will of the interested party in the transaction.
treatment. There is not, nor has any measure been planned contrary to the interests of those
Students who do not provide this information freely and voluntarily, such as

It could not be otherwise.

       In short, and in view of what is stated in the information note sent to the
students of the Institution, the true reason for which the complaint is made is unknown

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/12








  a violation of the provisions of current regulations regarding protection does not
  there being any substantive issue that supports such an allegation, which we consider
  which may be clouded by an attempted violation of the state.

  established by article 15 of the Spanish Constitution that recognizes the right to
  life and physical integrity.

          As has been stated throughout this writing, the University, in
  In no case does it process personal data related to vaccination status.
  tion of students without their express acceptance.


          In this sense, it is necessary to mention again that the object of the community
  nication made is none other than complying with the objective of the collaboration agreement
  reached with the Government of Navarra, by virtue of the actions followed in its place.
  cha against the SARS-CoV-2 pandemic. Emphasizing the rigorous respect of this part

  with the rule of law and the rights of the people, which reinforces diligence
  shown by the University, as well as its efforts and proactivity in ensuring
  rar and protect the privacy of the interested parties.

  THIRD: On November 24, 2021, in accordance with article 65 of
  the LOPDGDD, the complaint filed was admitted for processing.


  FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
  of previous investigative actions to clarify the facts in
  question, by virtue of the functions assigned to the control authorities in the article
  57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679

  (General Data Protection Regulation, hereinafter GDPR), and in accordance
  with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, te-
  having knowledge of the following extremes:

          Requested from the denounced party the full communication sent to the stu-

  diantes, basis of legitimation for the processing of specially protected data
  by that University, details of this data processing and framework of measures adopted.
  ted in the face of the pandemic caused by SARS-CoV-2, dated December 17
  of 2021 is received in this Agency, with registration number O00007128e2100051725,
  response document sent by the accused party from which the following is extracted
  information:


- The veracity of the statement presented in the complaint is confirmed according to the document
  No. 1.

          In this regard, the accused party states that it is a statement

  totally informative, written to comply with the mandate of the Ministry of
  Health of the Government of Navarra, competent health authority and organizer of the
  vaccination campaign against COVID 19, to the Universities of Navarra. This he-
  This is not unknown to citizens, since the local media
  them, as well as the Government of Navarra itself in a press release published in Navarra

  rra.es, have echoed such collaboration.

          Attached as document No. 2 is the press release whose title reads “The Government
  of Navarra agrees with the universities on a procedure to vaccinate their students.

  C/ Jorge Juan, 6 www.aepd.es
  28001 – Madrid sedeagpd.gob.es 4/12








people from other communities and countries.” From this press release the following is extracted
relevant content for the case at hand:


       “[...] The initial administrative work is carried out by the universities, which
They must provide the Department of Health with a list of the people who will
to receive the vaccine, so that your identity can be registered in the databases
of health data.
       In the case of the Public University of Navarra (UPNA), vaccination was carried out
will take place in the center's own sports center, provided since March by the university to

its use as a population vaccination point. In the case of the University of Nava-
rra, this provides the logistics in the administration of the doses. […]”

       Regarding the basis of legitimization of this treatment, the claimed party
nifiesta compliance with a legal obligation regarding the prevention of laxative risks.

borales in accordance with the provisions of Law 31/1995 and Royal Decree 1791/2010,
so in this sense this part understands that it is under the umbrella of what
established by article 6.1. of the GDPR. And all this without forgetting, which is still
a voluntary action on the part of the student.

       Indeed, given the severity of the pandemic and the ease of spread of the

present coronavirus can be considered to be facing obligations that affect
the Institution, students, workers and the university community in general. In
By virtue of the provisions of article 7.1 letter n of Royal Decree 1791/2010, the
student has the right “to receive training on risk prevention and to have access to
the means that guarantee their health and safety in the development of their activities.

learning".

       Regarding the details of this data processing, the claimed party attaches
Document No. 3 is the form that the students had to fill out in the case
that they decided to reflect their vaccination status.


       Already in the first paragraph it is verified that compliance with the form is voluntary.
volunteer indicating: “The University of Navarra is collaborating with the authorities
health measures in the Vaccination Campaign against Covid-19, facilitating everyone
those students who wish to do so and have not been fully vaccinated or not
have received the complete guideline […]”, to then clarify that compliance

The form implies the student's consent for the processing of their data.
with certain purposes listed below:

       “a) To be able to offer a better provision of its services in an environment that is as
possible insurance in relation to the Covid19 pandemic.

       b) In order to establish and design effective relative measures to avoid
spread of the virus among the university community.
       c) To collaborate with the competent health authorities in the campaigns
prevention and vaccination against the virus.”


       In this sense, it is verified that the first field of the form is the request.
consent. In this field, there is the option to access the clauses included
training sessions in which the student is informed that the information provided
It will only be treated by the University of Navarra with the purpose of minimizing the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/12








 risk of contagion and spread of Covid-19, its basis of legitimation, the period of
 conservation (that which is strictly necessary for the fulfillment of the aforementioned purposes).
 tioned, as well as to carry out the additional actions that correspond in

 prevention), that the information provided will not be communicated to third parties
 Unless the health authorities so require, the rights of the interested party and the
 procedure to follow to exercise them in the event that you consider that they have
 been violated. Finally, these informative clauses state “By clicking on "Yes",
 gives your express consent to the University of Navarra to process your data
 personal data, including health data, with the purpose of collaborating in the surveillance of

 health of the university community.”

         Within the action plan against the spread of covid-19, the re-
 Clamada has developed contingency measures that are included in the
 document No. 4, “COVID-19 contingency plan”, which specifies the conditions

 following:

· Personal prevention measures: use of masks, limitation of contacts, hygiene,
 etc
· Case management: action protocol in the event of the appearance of infections.
· Vulnerable personnel: communication to the Joint Risk Prevention Service.

 Labor gos and possible actions.
· Ventilation of spaces: classrooms, offices, meeting rooms, customer service offices
 public, cafeteria, etc.
· Cleaning and disinfection
· And other aspects to observe such as measures in transportation, communication and information.

 mation and signage.

                             FOUNDATIONS OF LAW

                                              Yo

                                        Competence

         In accordance with the functions that article 57.1 a), f) and h) of the Regulation
 (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) con-
 fers to each control authority and in accordance with the provisions of articles 47 and 48.1 of the
 Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantees

 aunt of digital rights (hereinafter LOPDGDD), is competent to resolve
 these investigative actions the Director of the Spanish Protection Agency
 of data.

         Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

 processed by the Spanish Data Protection Agency will be governed by the provisions
 in Regulation (EU) 2016/679, in this organic law, by the provisions re-
 regulations dictated in its development and, insofar as they do not contradict them, with a
 subsidiary, by the general rules on administrative procedures."



                                             II
                                   Legality of the treatment


 C/ Jorge Juan, 6 www.aepd.es
 28001 – Madrid sedeagpd.gob.es 6/12








        Article 6 of the GDPR, which regulates the legality of processing, establishes the following:
next:


        "1. Treatment will only be legal if at least one of the following is met
conditions:
        a) the interested party gave his consent for the processing of his personal data.
final for one or more specific purposes;
        b) the processing is necessary for the performance of a contract in which the
interested party is a party or for the application at his request of pre-contractual measures;

        c) the processing is necessary for compliance with an applicable legal obligation.
cable to the data controller;
        d) the processing is necessary to protect the vital interests of the interested party or
from another natural person;
        e) the processing is necessary for the fulfillment of a mission carried out in

public interest or in the exercise of public powers conferred on the person responsible for the
treatment;
        f) the processing is necessary for the satisfaction of legitimate interests
guided by the person responsible for the treatment or by a third party, provided that on said
interests do not prevail over the interests or fundamental rights and freedoms of the
interested party that requires the protection of personal data, in particular when the

teresado is a child.
        The provisions of letter f) of the first paragraph will not apply to the treatment.
ment carried out by public authorities in the exercise of their functions.

        2. Member States may maintain or introduce more specific provisions.

in order to adapt the application of the rules of this Regulation with
regarding the treatment in compliance with section 1, letters c) and e), establishing in
more precise specific treatment requirements and other measures to ensure
lawful and equitable treatment, including other specific situations of treatment
treatment in accordance with chapter IX.


        3. The basis of the treatment indicated in section 1, letters c) and e), must be
established by:
        a) Union law, or
        b) the law of the Member States that applies to the controller
I lie.


        The purpose of the treatment must be determined in said legal basis
or, with regard to the treatment referred to in section 1, letter e), it will be necessary
for the fulfillment of a mission carried out in the public interest or in the exercise of power
public rights conferred on the person responsible for the treatment. This legal basis may

contain specific provisions to adapt the application of the rules of this
Regulation, among others: the general conditions that govern the legality of the treatment
by the person responsible; the types of data being processed; the interested
affected; the entities to which personal data may be communicated and the purposes
of such communication; the limitation of the purpose; the conservation periods of the data

as well as the operations and procedures of treatment, including
to ensure lawful and equitable treatment, such as those relating to other situations.
specific treatment requirements in accordance with Chapter IX. The Law of the Union or of
Member States will fulfill an objective of public interest and will be proportionate to the purpose

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/12








legitimately persecuted.

        4. When the treatment for another purpose other than that for which it was collected

personal data is not based on the consent of the interested party or on the
Union or Member State law constituting a necessary measure
and proportional in a democratic society to safeguard the indicated objectives
in Article 23(1), the controller, in order to determine
if the treatment for another purpose is compatible with the purpose for which they were initially collected.
mind the personal data, it will take into account, among other things:

        a) any relationship between the purposes for which the data have been collected
personal data and the purposes of the intended further processing;
        b) the context in which the personal data have been collected, in particular by
regarding the relationship between the interested parties and the data controller;
        c) the nature of the personal data, specifically when they are processed categorically.

special provisions of personal data, in accordance with Article 9, or personal data
nals relating to criminal convictions and offences, in accordance with article 10;
        d) the possible consequences for the data subjects of the subsequent processing
seen;
        e) the existence of adequate safeguards, which may include encryption or security.
donimization."


                                            III
               Processing of special categories of personal data

        Article 9 of the GDPR, which regulates the treatment of special categories of

personal data, establishes the following:

        "1. The processing of personal data that reveals the origin of the data is prohibited.
ethnic or racial, political opinions, religious or philosophical convictions, or affiliation
union affiliation, and the processing of genetic data, biometric data aimed at identifying

univocally identify a natural person, data relating to health or data relating to
you to the sexual life or sexual orientation of a natural person.

        2. Section 1 will not apply when one of the circumstances occurs.
following:
        a) the interested party gave his explicit consent for the processing of said

personal data for one or more of the specified purposes, except when the Right
law of the Union or the Member States establishes that the aforementioned prohibition
in section 1 it cannot be lifted by the interested party;
        b) the processing is necessary for the fulfillment of obligations and the exercise of
specific rights of the data controller or the interested party in the field.

bito of labor law and social security and protection, to the extent that this
authorized by Union or Member State law or a collective agreement
in accordance with the law of the Member States that establishes adequate guarantees
respect for fundamental rights and the interests of the interested party;
        c) the processing is necessary to protect the vital interests of the interested party or

of another natural person, in the event that the interested party is not qualified, physical or
legally, to give consent;
        d) the treatment is carried out, within the scope of its legitimate activities and with
due guarantees, by a foundation, an association or any other body

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/12








non-profit, whose purpose is political, philosophical, religious or union, always
that the treatment refers exclusively to current or former members of such
organizations or persons who maintain regular contact with them in relation to

for its purposes and provided that personal data is not communicated outside of them without
the consent of the interested parties;
        e) the processing refers to personal data that the interested party has made.
unfestively public;
        f) the treatment is necessary for the formulation, exercise or defense of
claims or when the courts act in the exercise of their judicial function;

        g) the processing is necessary for reasons of essential public interest, especially
the basis of Union or Member State law, which must be proportionate
nal to the objective pursued, to essentially respect the right to data protection
and establish appropriate and specific measures to protect the interests and rights
fundamentals of the interested party;

        h) the treatment is necessary for preventive or occupational medicine purposes, eva-
luation of the worker's work capacity, medical diagnosis, provision of assistance
possession or treatment of a health or social nature, or management of healthcare systems and services
health and social assistance, on the basis of Union or State law
members or under a contract with a healthcare professional and without prejudice to the
conditions and guarantees contemplated in section 3;

        i) the treatment is necessary for reasons of public interest in the field of
public health, such as protection against serious cross-border threats to the
health, or to guarantee high levels of quality and safety of care
health and medicines or health products, on the basis of the Law of
the Union or the Member States establishing appropriate and specific measures

to protect the rights and freedoms of the interested party, in particular professional secrecy.
sional;
        j) the processing is necessary for archiving purposes in the public interest, purposes of
scientific or historical research or statistical purposes, in accordance with the article
89(1) on the basis of Union or Member State law,

which must be proportional to the objective pursued, essentially respect the right to
data protection and establish appropriate and specific measures to protect
the interests and fundamental rights of the interested party.

        3. The personal data referred to in section 1 may be processed to the fi-
mentioned in section 2, letter h), when its treatment is carried out by a professional.

professional subject to the obligation of professional secrecy, or under his responsibility, of
in accordance with the law of the Union or of the Member States or with the applicable rules.
established by the competent national bodies, or by any other person
also subject to the obligation of secrecy in accordance with Union or European Union law.
Member States or the rules established by national bodies

competent.

        4. Member States may maintain or introduce additional conditions.
them, including limitations, with respect to the processing of genetic data, biological data,
metrics or data relating to health."


                                            IV
                            Principles relating to treatment


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/12








       Letter c) of article 5.1 of the RGPD advocates:

       "1. Personal data will be:

(…)
       c) adequate, relevant and limited to what is necessary in relation to the purposes
for those who are processed ("data minimization");"

                                            V
 Treatment for which the claimed party is responsible and nature of the data

                                         treaties


       The GDPR, article 4.15, defines “health-related data” as “data
personal data relating to the physical or mental health of a natural person, including the

tion of health care services, which reveal information about your health status.
health;".

       Recital 35 of the GDPR refers to them in the following terms:

       <<Personal data related to health must include all data

related to the state of health of the interested party that provide information about his or her state of health.
physical or mental health past, present or future. Information about the person is included.
physical data collected on the occasion of your registration for health care purposes, or
on the occasion of the provision of such assistance, in accordance with the Directive
2011/24/EU of the European Parliament and of the Council (1); any number, symbol or data

assigned to a natural person who uniquely identifies him/her for health purposes.
rivers; information obtained from tests or examinations of a part of the body or a
bodily substance, including that from genetic data and biological samples, and
any information relating, by way of example, to an illness, a disability,
condition, risk of disease, medical history, clinical treatment or

physiological or biomedical state of the interested party, regardless of its source, for
example a doctor or other healthcare professional, a hospital, a medical device, or
an in vitro diagnostic test.>>

       In short, recital 35 of the GDPR determines that “the information
on the natural person collected on the occasion of their registration for the purposes of assistance

health care, or on the occasion of the provision of such care, in accordance with the
Directive 2011/24/EU of the European Parliament and of the Council” is included in the
special category of health data.

       In light of the provisions cited, the vaccination of a person against

Covid-19 involves the provision of a healthcare service.

       Therefore, information about whether an identified natural person has
received or not the Covid-19 vaccine is in the nature of personal data related to the
health, framed in the category of special or sensitive data regulated in the

Article 9 of the GDPR.

       The complaint is made concrete in the access to the medical history of the students by
part of the University denounced and the transfer of vaccination data to third parties.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/12









       It is necessary to analyze, next, whether the treatment carried out by the University
of Navarra of the students' health data is in accordance with the provisions of the

GDPR.

       All data processing must comply with the regulations governing this
fundamental right, especially the principles that govern the treatment,
established in article 5.1 of Regulation (EU) 679/2016, among them (section a)
that of legality.


       As already indicated, the RGPD, article 9.1., generally prohibits,
the processing of “special data”, among which it mentions those related to the
health. However, section 2 of the provision introduces ten exceptions; ten
cases in which the prohibition of treatment can be lifted if a

of them. These circumstances that exempt the general rule of prohibition are
connected with “any” of the legal bases that according to article 6.1 of the RGPD
legitimize the processing of data.

       It is necessary to refer to the possibility that, in the treatment of
data that constitutes the object of the claim, if any of the

exceptions that lift the general prohibition provided for in article 9.1 of the RGPD.

      Article 9.2 of the GDPR refers to several causes that would lift the ban:

      “a) the interested party gave his explicit consent for the processing of said

      personal data for one or more of the specified purposes, except when the
      Union or Member State law establishes that the prohibition
      mentioned in section 1 cannot be lifted by the interested party;”.
      “g) the treatment is necessary for reasons of essential public interest, especially
      the basis of Union or Member State law, which must be

      proportional to the objective pursued, respect in essence the right to
      data protection and establish appropriate and specific measures to protect
      the interests and fundamental rights of the interested party;”
      “h) the treatment is necessary for preventive or occupational medicine purposes,
      evaluation of the worker's work capacity, medical diagnosis,
      provision of health or social assistance or treatment, or management of

      health and social assistance systems and services, based on Law
      of the Union or the Member States or under a contract with a
      healthcare professional and without prejudice to the conditions and guarantees contemplated
      in section 3;”
      “i) the treatment is necessary for reasons of public interest in the field of

      public health, such as protection against serious cross-border threats
      for health, or to guarantee high levels of quality and safety of the
      health care and medicines or health products, on the basis
      of Union or Member State law establishing measures
      appropriate and specific to protect the rights and freedoms of the interested party,

      in particular professional secrecy.

       The treatment carried out is part of a collaboration campaign of the
University with health authorities in the vaccination campaign against the virus

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/12








Covid. The Ministry of Health of the Government of Navarra makes an assignment to the
Universities of that Foral Community to carry out this collaboration and that
students who voluntarily wanted to do so could be vaccinated on campus or

in some other educational center. The news was published in the press.

       The document object of claim in which it was indicated that coercion was
to the students and health data was accessed and transferred, it is the generic information that was
facilitated this collaboration campaign.


       The work of the Universities was to facilitate the Department of Health of
Navarra, Osasunbidea, the lists of people who were going to receive the vaccine for
to be registered in health databases.

       If the student voluntarily wanted to fill out the vaccination form,

was fully informed about the processing of these data, adding the
legitimizing basis for it: the legal obligation to take care of the health of the students who
is included in article 7.1.n) of Royal Decree 1791/2010 (vaccination is a
further section of the Covid-19 Contingency Plan for the 2021-2022 Academic Year, prepared
by the Joint Occupational Risk Prevention Service of the University
of Navarra), as well as the free consent of students who wanted to be vaccinated

in the places designated for this purpose by the University.

                                           SAW
                                      Conclusion


       It has not been possible to prove that the reported events occurred:
“coercion to provide information about vaccination status” or “obvious ce-
transfer of data to third parties for the purpose of vaccination”, or the case of “access to medical history”.
clinical situation of the students”, indicated by the complainant.


       The vaccination at the reported University is carried out under the agreement with the
government of Navarra to vaccinate its students from other communities and countries.

       From the data collection form, the transfer of data is totally
voluntary and informed, also requesting the consent of the affected person and not yielding
providing these data to third parties except health authorities.


       On the other hand, according to the documentation in the file, there is no
There is no reason or reason for access to the clinical history of the students.
denounced by the denounced University.


       Finally, it is verified that the ease of vaccination at the University denounces
is accompanied by other contingency measures against the adverse effects
of the pandemic caused by the SARS-CoV-2 virus in order to make the
University a safe space.


       Therefore, based on what is indicated in the previous paragraphs, there have been no
found evidence that proves the existence of an infringement in the area of jurisdiction.
cial of the Spanish Data Protection Agency.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/12








       Thus, in accordance with what was stated, by the Director of the Spanish Agency

Data Protection:

HE REMEMBERS:


FIRST: PROCEED TO THE ARCHIVE of these proceedings.

SECOND: NOTIFY this resolution to LIBERUM ASOCIACIÓN and UNIVER-
SITY OF NAVARRE.


       In accordance with the provisions of article 50 of the LOPDGDD, the presentation
The Resolution will be made public once it has been notified to the interested parties.

       Against this resolution, which puts an end to the administrative procedure as stipulated

do by art. 114.1.c) of Law 39/2015, of October 1, on the Administrative Procedure
Common Treaty of Public Administrations, and in accordance with the provisions
in the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties can
may optionally file an appeal for reconsideration before the Director of the Agency.

Spanish Data Protection Agency within a period of one month from the next day.
following the notification of this resolution or directly admissible contentious appeal.
nistrative before the Contentious-administrative Chamber of the National Court, with
in accordance with the provisions of article 25 and section 5 of the additional provision

fourth of Law 29/1998, of July 13, regulating the Contentious-Ad-Jurisdiction
administrative, within a period of two months counting from the day following the notification
of this act, as provided for in article 46.1 of the aforementioned Law.


                                                                                   940-110422
Sea Spain Martí

Director of the Spanish Data Protection Agency


























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es