AEPD (Spain) - EXP202102529
From GDPRhub
| AEPD - EXP202102529 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 4(15) GDPR Article 5(1)(c) GDPR Article 6 GDPR Article 9 GDPR Article 57(1)(a) GDPR Article 57(1)(f) GDPR Article 57(1)(h) GDPR Article 58(1) GDPR Article 5.1 Regulation (EU) 679/2016 Regulation (EU) 2016/679 Art 48.1 Organic Law 3/2018 of December 5 LOPDGDD Art 63.2 of LOPDGDD Article 47 Organic Law 3/2018 of December 5 LOPDGDD |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 26.08.2021 |
| Decided: | |
| Published: | 11.04.2022 |
| Fine: | n/a |
| Parties: | University of Navarra Liberum Asociación |
| National Case Number/Name: | EXP202102529 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
Complaint against the University of Navarro for a data breach involving the sharing of Covid-19 Vaccination Information with third parties. Student feels forced to share health data amidst e-mail from the University.
English Summary
Facts
A student handed in a complaint against the University of Navarra because they asked the students to fill in their vaccination status. The complainant understands this as a breach of the data protection regulation because it would access the students medical records. The grounds are based on an e-mail from the University of Navarra, in which it announces to collaborate with the Navarro Health Service in the Vaccination against COVID-19 and it asks the students to inform about their vaccination status. On October 26, 2021 the University of Navarra replied to the complaint that the students were not coerced to give the information, but they were given the possibility to do so. The University does not process the personal data of the students without their explicit consent. The consent would in no case be vitiated since no condition has been established that could nullify the correct will of the interested party to the processing. There is no measure contrary to the interests of those students who do not provide the information freely and voluntarily. The sole purpose of the communication made is to comply with the objective of the collaboration agreement reached with the Government of Navarra by virtue of the actions taken in its place against SARS-CoV-2 pandemic. The complaint filed was admitted for processing on November 24, 2021 in Accordance with Article 65 of the LOPDGDD. The collaboration was known to the public. There is a press release stating the fact that the University of Navarra should communicate the list of persons who are to receive the vaccine so that their identity can be recorded in the health databases. This is in compliance with a legal obligation in terms of prevention of legal risks. This is due to the severity of the pandemic. The form for acceptance of the data processing states that the compliance with the form is voluntary. The first field of the form is the request for consent. Furthermore it is added that the information provided will not be communicated to third parties unless the health authorities require it. This clause can also be accepted.
Holding
The Court does not consider that there is a violation of the provisions of the regulation in force regarding protection, and there is no substantive issue to support such an allegation. In accordance with the functions that Article 57 (1) a, f and h of Regulation (EU) 2016/679 GDPR confers to each supervisory authority and according to the provisions of Articles 47 and 48 (1) of LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions. In light of provisions (Article 4 (15) GDPR, Article 9 GDPR, Article 6 GDPR) the vaccination of a person against Covid-19 implies the provision of a health care service. Therefore the information about whether or not an identified natural person has received the Covid-19 vaccine is in the nature of personal data concerning health, falling within the category of special of sensitive data regulated in Article 9 GDPR. The task of the University was to provide the Navarra Health Department, Osasunbidea, with the lists of the people who were going to receive the vaccine so that they could be registered in the health database. The students that wanted to fill out the form on the vaccination were fully informed about the processing of the data, this is on the legal obligation to take care of the health of students in Article 7.1.n Royal Decree 1791/2010. It has not been possible to prove that the students were forced to provide information on their vaccination status. The transfer of data is completely voluntary and informed, requesting the consent of the person concerned and the data is (if even) only transferred to health authorities. No evidence has been found to prove the existence of an infringement within the competence of the Spanish Data Protection Agency. The interested parties may file an appeal.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12
File No.: EXP202102529
RESOLUTION OF FILE OF ACTIONS
Of the actions carried out by the Spanish Agency for Data Protection and te-
based on the following:
FACTS
FIRST: LIBERUM ASOCIACIÓN (hereinafter, the complaining party), dated 26
August 2021, filed a claim with the Spanish Agency for the Protection of
Data. The claim is directed against the UNIVERSITY OF NAVARRA, with NIF
R3168001J (hereinafter, the accused party).
The reasons on which the claim is based are the following:
The complaining Association states that the University of Navarra has sent an email
email to his students in which he announces that said entity will collaborate with the
NAVARRO HEALTH SERVICE in the Vaccination against COVID-19, and requests
students to report their vaccination status, before 1
September 2021, which they understand represents a breach of regulations
of data protection, since it would be accessing the medical history of the
students and transferring vaccination data to third parties. He adds in his writing
claim the literal of the communication sent by the aforementioned University to the
students containing the following relevant paragraphs:
“[…]
The University of Navarra, in accordance with the provisions of article 7.1.n) of the
Royal Decree approving the University Student Statute, is
is obliged to provide its students with information and training on prevention
tion of risks and to have the means to guarantee their health and safety in the
development of their learning activities.
Among the new measures, according to the health authorities in the year
exercise of its powers, the University of Navarra will collaborate in the Campaign
Vaccination against the virus.
We inform you that the health authorities of Navarra have requested the
University that participates in the inoculation of the vaccine to its students. Said va-
crib will be delivered to the University by the Navarrese Health Service, responsible for the
Vaccination campaign.
To facilitate your access to vaccination, we ask you to inform us of
your situation through the following link, before September 1, whether you already
You have been vaccinated, as if you are waiting to receive one or two doses.
Vaccination will take place from the beginning of September. With character
Before the date, they will give you the information sheet drawn up by the authorities
in which they will inform you of the type and brand of vaccine that is offered to you and other
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12
issues related to the vaccination process.
We remind you that for any questions related to Covid-19 and to co-
communicate positives and close contacts, you can contact the virtual medical office,
Covid area, through the email atencioncovid©unav.es or by calling (…).
[…]”
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the complaint was sent to the accused party, so that they could
yield to its analysis and inform this Agency within a period of one month, of the actions
tions carried out to adapt to the requirements provided for in the regulations of
data protection.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Public Administrations
cas (hereinafter, LPACAP), was collected on October 4, 2021, as stated
in the acknowledgment of receipt in the file.
On October 26, 2021, this Agency received a written response indicating
when, in summary, the following:
That the request for information made occurs in relation to the email
email sent to the students of the University through which they were informed
of the actions carried out to protect the health of workers and
students, as well as the collaboration between the Institution and the Navarro Service of
Salud-Osasunbidea (hereinafter, the “SNS-O”), in relation to the vaccination campaign-
tion against COVID-19. Likewise, and in response to the requests made by the
SNS-O, in said email the University offered the student the possibility of reporting
your vaccination status.
They add that in no way can it be asserted that the
students to provide information about their vaccination status since it is
clearly indicates that it is a request that is made regarding the situation
vaccination with the sole purpose of facilitating the tasks carried out by the SNS-
Or, in the fight against the pandemic suffered, due to the universal spread of the
SARS-CoV-2 and its catastrophic effects on health. And all this based on the agreement
reached with the Government of Navarra. Furthermore, they state that it has been manipulated
the information found in the statement.
They continue to indicate that the basis that would legitimize the processing of data
personal nature that could be carried out would be the consent of the students.
tes. Consent that in no case would be found vitiated by not having established
ceded no condition that could nullify the correct will of the interested party in the transaction.
treatment. There is not, nor has any measure been planned contrary to the interests of those
Students who do not provide this information freely and voluntarily, such as
It could not be otherwise.
In short, and in view of what is stated in the information note sent to the
students of the Institution, the true reason for which the complaint is made is unknown
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/12
a violation of the provisions of current regulations regarding protection does not
there being any substantive issue that supports such an allegation, which we consider
which may be clouded by an attempted violation of the state.
established by article 15 of the Spanish Constitution that recognizes the right to
life and physical integrity.
As has been stated throughout this writing, the University, in
In no case does it process personal data related to vaccination status.
tion of students without their express acceptance.
In this sense, it is necessary to mention again that the object of the community
nication made is none other than complying with the objective of the collaboration agreement
reached with the Government of Navarra, by virtue of the actions followed in its place.
cha against the SARS-CoV-2 pandemic. Emphasizing the rigorous respect of this part
with the rule of law and the rights of the people, which reinforces diligence
shown by the University, as well as its efforts and proactivity in ensuring
rar and protect the privacy of the interested parties.
THIRD: On November 24, 2021, in accordance with article 65 of
the LOPDGDD, the complaint filed was admitted for processing.
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
question, by virtue of the functions assigned to the control authorities in the article
57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), and in accordance
with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, te-
having knowledge of the following extremes:
Requested from the denounced party the full communication sent to the stu-
diantes, basis of legitimation for the processing of specially protected data
by that University, details of this data processing and framework of measures adopted.
ted in the face of the pandemic caused by SARS-CoV-2, dated December 17
of 2021 is received in this Agency, with registration number O00007128e2100051725,
response document sent by the accused party from which the following is extracted
information:
- The veracity of the statement presented in the complaint is confirmed according to the document
No. 1.
In this regard, the accused party states that it is a statement
totally informative, written to comply with the mandate of the Ministry of
Health of the Government of Navarra, competent health authority and organizer of the
vaccination campaign against COVID 19, to the Universities of Navarra. This he-
This is not unknown to citizens, since the local media
them, as well as the Government of Navarra itself in a press release published in Navarra
rra.es, have echoed such collaboration.
Attached as document No. 2 is the press release whose title reads “The Government
of Navarra agrees with the universities on a procedure to vaccinate their students.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/12
people from other communities and countries.” From this press release the following is extracted
relevant content for the case at hand:
“[...] The initial administrative work is carried out by the universities, which
They must provide the Department of Health with a list of the people who will
to receive the vaccine, so that your identity can be registered in the databases
of health data.
In the case of the Public University of Navarra (UPNA), vaccination was carried out
will take place in the center's own sports center, provided since March by the university to
its use as a population vaccination point. In the case of the University of Nava-
rra, this provides the logistics in the administration of the doses. […]”
Regarding the basis of legitimization of this treatment, the claimed party
nifiesta compliance with a legal obligation regarding the prevention of laxative risks.
borales in accordance with the provisions of Law 31/1995 and Royal Decree 1791/2010,
so in this sense this part understands that it is under the umbrella of what
established by article 6.1. of the GDPR. And all this without forgetting, which is still
a voluntary action on the part of the student.
Indeed, given the severity of the pandemic and the ease of spread of the
present coronavirus can be considered to be facing obligations that affect
the Institution, students, workers and the university community in general. In
By virtue of the provisions of article 7.1 letter n of Royal Decree 1791/2010, the
student has the right “to receive training on risk prevention and to have access to
the means that guarantee their health and safety in the development of their activities.
learning".
Regarding the details of this data processing, the claimed party attaches
Document No. 3 is the form that the students had to fill out in the case
that they decided to reflect their vaccination status.
Already in the first paragraph it is verified that compliance with the form is voluntary.
volunteer indicating: “The University of Navarra is collaborating with the authorities
health measures in the Vaccination Campaign against Covid-19, facilitating everyone
those students who wish to do so and have not been fully vaccinated or not
have received the complete guideline […]”, to then clarify that compliance
The form implies the student's consent for the processing of their data.
with certain purposes listed below:
“a) To be able to offer a better provision of its services in an environment that is as
possible insurance in relation to the Covid19 pandemic.
b) In order to establish and design effective relative measures to avoid
spread of the virus among the university community.
c) To collaborate with the competent health authorities in the campaigns
prevention and vaccination against the virus.”
In this sense, it is verified that the first field of the form is the request.
consent. In this field, there is the option to access the clauses included
training sessions in which the student is informed that the information provided
It will only be treated by the University of Navarra with the purpose of minimizing the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/12
risk of contagion and spread of Covid-19, its basis of legitimation, the period of
conservation (that which is strictly necessary for the fulfillment of the aforementioned purposes).
tioned, as well as to carry out the additional actions that correspond in
prevention), that the information provided will not be communicated to third parties
Unless the health authorities so require, the rights of the interested party and the
procedure to follow to exercise them in the event that you consider that they have
been violated. Finally, these informative clauses state “By clicking on "Yes",
gives your express consent to the University of Navarra to process your data
personal data, including health data, with the purpose of collaborating in the surveillance of
health of the university community.”
Within the action plan against the spread of covid-19, the re-
Clamada has developed contingency measures that are included in the
document No. 4, “COVID-19 contingency plan”, which specifies the conditions
following:
· Personal prevention measures: use of masks, limitation of contacts, hygiene,
etc
· Case management: action protocol in the event of the appearance of infections.
· Vulnerable personnel: communication to the Joint Risk Prevention Service.
Labor gos and possible actions.
· Ventilation of spaces: classrooms, offices, meeting rooms, customer service offices
public, cafeteria, etc.
· Cleaning and disinfection
· And other aspects to observe such as measures in transportation, communication and information.
mation and signage.
FOUNDATIONS OF LAW
Yo
Competence
In accordance with the functions that article 57.1 a), f) and h) of the Regulation
(EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) con-
fers to each control authority and in accordance with the provisions of articles 47 and 48.1 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantees
aunt of digital rights (hereinafter LOPDGDD), is competent to resolve
these investigative actions the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions re-
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
II
Legality of the treatment
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/12
Article 6 of the GDPR, which regulates the legality of processing, establishes the following:
next:
"1. Treatment will only be legal if at least one of the following is met
conditions:
a) the interested party gave his consent for the processing of his personal data.
final for one or more specific purposes;
b) the processing is necessary for the performance of a contract in which the
interested party is a party or for the application at his request of pre-contractual measures;
c) the processing is necessary for compliance with an applicable legal obligation.
cable to the data controller;
d) the processing is necessary to protect the vital interests of the interested party or
from another natural person;
e) the processing is necessary for the fulfillment of a mission carried out in
public interest or in the exercise of public powers conferred on the person responsible for the
treatment;
f) the processing is necessary for the satisfaction of legitimate interests
guided by the person responsible for the treatment or by a third party, provided that on said
interests do not prevail over the interests or fundamental rights and freedoms of the
interested party that requires the protection of personal data, in particular when the
teresado is a child.
The provisions of letter f) of the first paragraph will not apply to the treatment.
ment carried out by public authorities in the exercise of their functions.
2. Member States may maintain or introduce more specific provisions.
in order to adapt the application of the rules of this Regulation with
regarding the treatment in compliance with section 1, letters c) and e), establishing in
more precise specific treatment requirements and other measures to ensure
lawful and equitable treatment, including other specific situations of treatment
treatment in accordance with chapter IX.
3. The basis of the treatment indicated in section 1, letters c) and e), must be
established by:
a) Union law, or
b) the law of the Member States that applies to the controller
I lie.
The purpose of the treatment must be determined in said legal basis
or, with regard to the treatment referred to in section 1, letter e), it will be necessary
for the fulfillment of a mission carried out in the public interest or in the exercise of power
public rights conferred on the person responsible for the treatment. This legal basis may
contain specific provisions to adapt the application of the rules of this
Regulation, among others: the general conditions that govern the legality of the treatment
by the person responsible; the types of data being processed; the interested
affected; the entities to which personal data may be communicated and the purposes
of such communication; the limitation of the purpose; the conservation periods of the data
as well as the operations and procedures of treatment, including
to ensure lawful and equitable treatment, such as those relating to other situations.
specific treatment requirements in accordance with Chapter IX. The Law of the Union or of
Member States will fulfill an objective of public interest and will be proportionate to the purpose
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/12
legitimately persecuted.
4. When the treatment for another purpose other than that for which it was collected
personal data is not based on the consent of the interested party or on the
Union or Member State law constituting a necessary measure
and proportional in a democratic society to safeguard the indicated objectives
in Article 23(1), the controller, in order to determine
if the treatment for another purpose is compatible with the purpose for which they were initially collected.
mind the personal data, it will take into account, among other things:
a) any relationship between the purposes for which the data have been collected
personal data and the purposes of the intended further processing;
b) the context in which the personal data have been collected, in particular by
regarding the relationship between the interested parties and the data controller;
c) the nature of the personal data, specifically when they are processed categorically.
special provisions of personal data, in accordance with Article 9, or personal data
nals relating to criminal convictions and offences, in accordance with article 10;
d) the possible consequences for the data subjects of the subsequent processing
seen;
e) the existence of adequate safeguards, which may include encryption or security.
donimization."
III
Processing of special categories of personal data
Article 9 of the GDPR, which regulates the treatment of special categories of
personal data, establishes the following:
"1. The processing of personal data that reveals the origin of the data is prohibited.
ethnic or racial, political opinions, religious or philosophical convictions, or affiliation
union affiliation, and the processing of genetic data, biometric data aimed at identifying
univocally identify a natural person, data relating to health or data relating to
you to the sexual life or sexual orientation of a natural person.
2. Section 1 will not apply when one of the circumstances occurs.
following:
a) the interested party gave his explicit consent for the processing of said
personal data for one or more of the specified purposes, except when the Right
law of the Union or the Member States establishes that the aforementioned prohibition
in section 1 it cannot be lifted by the interested party;
b) the processing is necessary for the fulfillment of obligations and the exercise of
specific rights of the data controller or the interested party in the field.
bito of labor law and social security and protection, to the extent that this
authorized by Union or Member State law or a collective agreement
in accordance with the law of the Member States that establishes adequate guarantees
respect for fundamental rights and the interests of the interested party;
c) the processing is necessary to protect the vital interests of the interested party or
of another natural person, in the event that the interested party is not qualified, physical or
legally, to give consent;
d) the treatment is carried out, within the scope of its legitimate activities and with
due guarantees, by a foundation, an association or any other body
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/12
non-profit, whose purpose is political, philosophical, religious or union, always
that the treatment refers exclusively to current or former members of such
organizations or persons who maintain regular contact with them in relation to
for its purposes and provided that personal data is not communicated outside of them without
the consent of the interested parties;
e) the processing refers to personal data that the interested party has made.
unfestively public;
f) the treatment is necessary for the formulation, exercise or defense of
claims or when the courts act in the exercise of their judicial function;
g) the processing is necessary for reasons of essential public interest, especially
the basis of Union or Member State law, which must be proportionate
nal to the objective pursued, to essentially respect the right to data protection
and establish appropriate and specific measures to protect the interests and rights
fundamentals of the interested party;
h) the treatment is necessary for preventive or occupational medicine purposes, eva-
luation of the worker's work capacity, medical diagnosis, provision of assistance
possession or treatment of a health or social nature, or management of healthcare systems and services
health and social assistance, on the basis of Union or State law
members or under a contract with a healthcare professional and without prejudice to the
conditions and guarantees contemplated in section 3;
i) the treatment is necessary for reasons of public interest in the field of
public health, such as protection against serious cross-border threats to the
health, or to guarantee high levels of quality and safety of care
health and medicines or health products, on the basis of the Law of
the Union or the Member States establishing appropriate and specific measures
to protect the rights and freedoms of the interested party, in particular professional secrecy.
sional;
j) the processing is necessary for archiving purposes in the public interest, purposes of
scientific or historical research or statistical purposes, in accordance with the article
89(1) on the basis of Union or Member State law,
which must be proportional to the objective pursued, essentially respect the right to
data protection and establish appropriate and specific measures to protect
the interests and fundamental rights of the interested party.
3. The personal data referred to in section 1 may be processed to the fi-
mentioned in section 2, letter h), when its treatment is carried out by a professional.
professional subject to the obligation of professional secrecy, or under his responsibility, of
in accordance with the law of the Union or of the Member States or with the applicable rules.
established by the competent national bodies, or by any other person
also subject to the obligation of secrecy in accordance with Union or European Union law.
Member States or the rules established by national bodies
competent.
4. Member States may maintain or introduce additional conditions.
them, including limitations, with respect to the processing of genetic data, biological data,
metrics or data relating to health."
IV
Principles relating to treatment
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/12
Letter c) of article 5.1 of the RGPD advocates:
"1. Personal data will be:
(…)
c) adequate, relevant and limited to what is necessary in relation to the purposes
for those who are processed ("data minimization");"
V
Treatment for which the claimed party is responsible and nature of the data
treaties
The GDPR, article 4.15, defines “health-related data” as “data
personal data relating to the physical or mental health of a natural person, including the
tion of health care services, which reveal information about your health status.
health;".
Recital 35 of the GDPR refers to them in the following terms:
<<Personal data related to health must include all data
related to the state of health of the interested party that provide information about his or her state of health.
physical or mental health past, present or future. Information about the person is included.
physical data collected on the occasion of your registration for health care purposes, or
on the occasion of the provision of such assistance, in accordance with the Directive
2011/24/EU of the European Parliament and of the Council (1); any number, symbol or data
assigned to a natural person who uniquely identifies him/her for health purposes.
rivers; information obtained from tests or examinations of a part of the body or a
bodily substance, including that from genetic data and biological samples, and
any information relating, by way of example, to an illness, a disability,
condition, risk of disease, medical history, clinical treatment or
physiological or biomedical state of the interested party, regardless of its source, for
example a doctor or other healthcare professional, a hospital, a medical device, or
an in vitro diagnostic test.>>
In short, recital 35 of the GDPR determines that “the information
on the natural person collected on the occasion of their registration for the purposes of assistance
health care, or on the occasion of the provision of such care, in accordance with the
Directive 2011/24/EU of the European Parliament and of the Council” is included in the
special category of health data.
In light of the provisions cited, the vaccination of a person against
Covid-19 involves the provision of a healthcare service.
Therefore, information about whether an identified natural person has
received or not the Covid-19 vaccine is in the nature of personal data related to the
health, framed in the category of special or sensitive data regulated in the
Article 9 of the GDPR.
The complaint is made concrete in the access to the medical history of the students by
part of the University denounced and the transfer of vaccination data to third parties.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/12
It is necessary to analyze, next, whether the treatment carried out by the University
of Navarra of the students' health data is in accordance with the provisions of the
GDPR.
All data processing must comply with the regulations governing this
fundamental right, especially the principles that govern the treatment,
established in article 5.1 of Regulation (EU) 679/2016, among them (section a)
that of legality.
As already indicated, the RGPD, article 9.1., generally prohibits,
the processing of “special data”, among which it mentions those related to the
health. However, section 2 of the provision introduces ten exceptions; ten
cases in which the prohibition of treatment can be lifted if a
of them. These circumstances that exempt the general rule of prohibition are
connected with “any” of the legal bases that according to article 6.1 of the RGPD
legitimize the processing of data.
It is necessary to refer to the possibility that, in the treatment of
data that constitutes the object of the claim, if any of the
exceptions that lift the general prohibition provided for in article 9.1 of the RGPD.
Article 9.2 of the GDPR refers to several causes that would lift the ban:
“a) the interested party gave his explicit consent for the processing of said
personal data for one or more of the specified purposes, except when the
Union or Member State law establishes that the prohibition
mentioned in section 1 cannot be lifted by the interested party;”.
“g) the treatment is necessary for reasons of essential public interest, especially
the basis of Union or Member State law, which must be
proportional to the objective pursued, respect in essence the right to
data protection and establish appropriate and specific measures to protect
the interests and fundamental rights of the interested party;”
“h) the treatment is necessary for preventive or occupational medicine purposes,
evaluation of the worker's work capacity, medical diagnosis,
provision of health or social assistance or treatment, or management of
health and social assistance systems and services, based on Law
of the Union or the Member States or under a contract with a
healthcare professional and without prejudice to the conditions and guarantees contemplated
in section 3;”
“i) the treatment is necessary for reasons of public interest in the field of
public health, such as protection against serious cross-border threats
for health, or to guarantee high levels of quality and safety of the
health care and medicines or health products, on the basis
of Union or Member State law establishing measures
appropriate and specific to protect the rights and freedoms of the interested party,
in particular professional secrecy.
The treatment carried out is part of a collaboration campaign of the
University with health authorities in the vaccination campaign against the virus
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/12
Covid. The Ministry of Health of the Government of Navarra makes an assignment to the
Universities of that Foral Community to carry out this collaboration and that
students who voluntarily wanted to do so could be vaccinated on campus or
in some other educational center. The news was published in the press.
The document object of claim in which it was indicated that coercion was
to the students and health data was accessed and transferred, it is the generic information that was
facilitated this collaboration campaign.
The work of the Universities was to facilitate the Department of Health of
Navarra, Osasunbidea, the lists of people who were going to receive the vaccine for
to be registered in health databases.
If the student voluntarily wanted to fill out the vaccination form,
was fully informed about the processing of these data, adding the
legitimizing basis for it: the legal obligation to take care of the health of the students who
is included in article 7.1.n) of Royal Decree 1791/2010 (vaccination is a
further section of the Covid-19 Contingency Plan for the 2021-2022 Academic Year, prepared
by the Joint Occupational Risk Prevention Service of the University
of Navarra), as well as the free consent of students who wanted to be vaccinated
in the places designated for this purpose by the University.
SAW
Conclusion
It has not been possible to prove that the reported events occurred:
“coercion to provide information about vaccination status” or “obvious ce-
transfer of data to third parties for the purpose of vaccination”, or the case of “access to medical history”.
clinical situation of the students”, indicated by the complainant.
The vaccination at the reported University is carried out under the agreement with the
government of Navarra to vaccinate its students from other communities and countries.
From the data collection form, the transfer of data is totally
voluntary and informed, also requesting the consent of the affected person and not yielding
providing these data to third parties except health authorities.
On the other hand, according to the documentation in the file, there is no
There is no reason or reason for access to the clinical history of the students.
denounced by the denounced University.
Finally, it is verified that the ease of vaccination at the University denounces
is accompanied by other contingency measures against the adverse effects
of the pandemic caused by the SARS-CoV-2 virus in order to make the
University a safe space.
Therefore, based on what is indicated in the previous paragraphs, there have been no
found evidence that proves the existence of an infringement in the area of jurisdiction.
cial of the Spanish Data Protection Agency.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/12
Thus, in accordance with what was stated, by the Director of the Spanish Agency
Data Protection:
HE REMEMBERS:
FIRST: PROCEED TO THE ARCHIVE of these proceedings.
SECOND: NOTIFY this resolution to LIBERUM ASOCIACIÓN and UNIVER-
SITY OF NAVARRE.
In accordance with the provisions of article 50 of the LOPDGDD, the presentation
The Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as stipulated
do by art. 114.1.c) of Law 39/2015, of October 1, on the Administrative Procedure
Common Treaty of Public Administrations, and in accordance with the provisions
in the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties can
may optionally file an appeal for reconsideration before the Director of the Agency.
Spanish Data Protection Agency within a period of one month from the next day.
following the notification of this resolution or directly admissible contentious appeal.
nistrative before the Contentious-administrative Chamber of the National Court, with
in accordance with the provisions of article 25 and section 5 of the additional provision
fourth of Law 29/1998, of July 13, regulating the Contentious-Ad-Jurisdiction
administrative, within a period of two months counting from the day following the notification
of this act, as provided for in article 46.1 of the aforementioned Law.
940-110422
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
