The coronavirus crisis continues to lead to the use of individuals’ personal data in new and sometimes unexpected ways.  In this briefing, we consider some possible data protection issues that could arise in connection with proposals by the Spanish government to establish a register of citizens who refuse the COVID-19 vaccination and share this with other European countries.

All data controllers collecting (or planning to collect) data subjects’ personal information for purposes connected with the COVID-19 pandemic will need to consider various questions to ensure that such personal data is processed fairly, proportionately and transparently and in compliance with applicable data protection rules.

These include, among other things, the principles of fair, lawful and transparent processing, ensuring appropriate legal bases for processing, purpose limitation, data minimisation, accuracy, storage limitation and integrity and confidentiality.  

Any personal data, especially special category health-related data, that is processed in connection with the pandemic should be handled carefully.  As the UK Information Commissioner has made clear, action will be taken against any data controllers misusing personal information to exploit the situation or take advantage of this serious public health emergency.