Employee health data and confidentiality in the company

Employee health data is specially protected personal data. A company cannot disclose, forward or share it with third parties unless there is a clear legal basis, a valid Article 9 GDPR exception and a proportionate need. Treating health data as ordinary employment information can lead to significant fines.

The Spanish Data Protection Agency fined a company 50,000 euros for providing a public entity with contact details and health-related information about an employee. The case shows that, even when there is an external request or an employment dispute, the company must apply minimisation, confidentiality and proportionality.

Why health data has stronger protection

The GDPR treats health data as a special category of personal data. This means that processing is generally prohibited unless a specific exception applies, such as employment obligations, occupational risk prevention, occupational medicine, healthcare or legal claims.

The Spanish Data Protection Act (LOPDGDD) and employment rules reinforce this duty of confidentiality. In practice, the company should always ask: is it essential to process this health data, who needs to know it, and can it be anonymised or limited?

What happened in the 50,000 euro fine case?

In the case, an entity requested information related to complaints and employment situations. The company responded by providing personal data about workers, including health-related information. The AEPD considered that the disclosure was excessive and unjustified.

The key issue was not only that an external request existed, but that the company had to assess what information could be disclosed and what data should be excluded. A request does not automatically legitimise sending complete documents containing sensitive data.

Principles companies must apply

  • Minimisation: disclose only the data strictly necessary.
  • Confidentiality: limit access to those who truly need the information.
  • Purpose limitation: do not use health data for purposes other than those that justify the processing.
  • Legal basis and Article 9 exception: document why the data may be processed or disclosed.
  • Security: protect documents, emails, records and medical certificates.

Common risk situations

Companies often process health data in sick leave, medical certificates, workplace adjustments, occupational risk prevention, workplace accidents, absence justifications, disability and particularly sensitive situations. In all these cases, the rule should be to limit information to the minimum.

For example, HR may need to know that an employee is on sick leave or has a work restriction, but not necessarily the full diagnosis. Similarly, a manager may need to organise shifts without accessing complete medical reports.

How to respond to third-party requests

Before sending documents to a public authority, collaborating entity, client, provider or third party, the company should check whether disclosure is mandatory, what legal rule supports it and which data is strictly necessary. If a document contains unnecessary medical information, it should be removed, anonymised or replaced with less intrusive information.

Where there is doubt, it is better to separate documents, redact sensitive data and keep evidence of the decision. Traceability helps demonstrate diligence if a complaint arises.

Good practices for protecting employee health data

  • Create an internal protocol for sick leave, medical certificates and workplace adjustments.
  • Restrict access to health data to authorised personnel.
  • Avoid sending diagnoses by email unless strictly necessary.
  • Keep medical documentation separate from general employment files.
  • Train managers and HR teams.
  • Review contracts with occupational health providers and other processors.
  • Document third-party disclosures and their justification.

Frequently asked questions

Can the company request the diagnosis behind sick leave?

As a general rule, the company needs to know the employment situation and organisational effects, but not the full diagnosis unless there is a clear legal basis and justified need.

Can a medical report be sent to a third party?

Only where there is a legal obligation, legal basis and proportionate need. The company should check whether a limited, anonymised or redacted version can be sent instead.

Who may access health data within the company?

Only authorised people who need that information for a specific function. General access by managers, colleagues or providers is not acceptable.

What is the risk of sharing health data unlawfully?

It may lead to data protection fines, employment claims, reputational damage and loss of internal trust.

Conclusion

Employee health data requires especially careful management. Before sharing it, the company must check the legal basis, apply minimisation and document necessity. In employment data protection, less information often means stronger compliance.
