BY THE SPANISH DATA PROTECTION AUTHORITY: The AEPD Publishes A Guideline On Personal Data Protection And Employment Relations


  • The guideline has been drawn up by the Agency in cooperation with the Labor Ministry, employers and trade union organizations;
  • The document addresses frequently asked questions, such as the employer's consultation of social networks, internal complaint systems, the recording of working time, the protection of the data of victims of abuse in the workplace, and the use of wearable technology as a means of control.

The Spanish Data Protection Agency (AEPD) has published today the guideline “Protection of Data and Employment Relations” with the aim of offering a practical tool to help public and private organizations comply correctly with the legislation. This guideline has been drawn up by the Agency with the participation of the Working and Social Economy Ministry, employers and trade union organizations.

The application of the General Data Protection Regulation and the Organic Law on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD) has led to a series of changes, both in the labour rights of employees and in the collection and use of their data by employers. The guideline also addresses frequently asked questions, such as the employer's consultation of the employee's social networks, internal complaint systems (whistleblowing), the recording of working time, the protection of the data of victims of abuse in the workplace, and the use of wearable technology as a means of control.

The document begins by reviewing the legal bases that legitimize the processing of personal data, the information that must be provided, and the data protection rights as they apply in the working environment. It also addresses the minimization principle, because the performance of an employment contract does not imply that the employer may know the personal data of employees. In addition to the obligations of security and confidentiality (meaning that personal data are known only to the data subject and to those users within the organization who are authorized to use, consult or modify the data), the document also sets out limits on the processing of data in personnel selection and recruitment processes.

In the section on personnel selection and social networks, the Agency underlines that people are not obliged to allow the employer to inquire into their social media profiles, neither during the selection process nor during the performance of the contract. Even if the social network profile of a job candidate is publicly accessible, the employer cannot process personal data obtained in this way without a valid legal basis, and for this reason it will be useful to inform the employer and demonstrate that this processing is necessary and relevant in order to carry out the job. The Agency also clarifies that the company has no right to request “friendship” from candidates so that they grant access to the contents of their profiles.

Regarding internal systems for reporting complaints or irregularities, the Agency considers that information for both complainants and potential complainants is of primary importance. The LOPDGDD permits anonymous complaint systems and, where the complaint is not anonymous, the confidentiality of the complainant's information must be guaranteed and the complainant's identity must not be disclosed to the defendant. In addition, personnel with human resources management and control functions shall have access to those data only in the case of disciplinary procedures, without prejudice to notifying the relevant authority of criminal or administrative offences.

As regards the mandatory recording of the working day, the Agency recommends adopting the least invasive system possible, which cannot be publicly accessible or located in a visible place. Similarly, the data in this record cannot be used for purposes other than control of the working day, such as checking a worker's location. One example is an itinerant worker whose working day is recorded by geolocation. The purpose of this record is to check when the worker's working time starts and ends, not to check where the worker is at all times, as the processing of geolocation data requires a specific legal basis.

The guide also incorporates a relevant innovation on the right of the company board to be informed of the parameters on which algorithms or artificial intelligence systems are based, including profiling, which can influence working conditions and access to and retention of employment. This innovation, approved in the recent RD-law 9/2021, which amends the Workers’ Statute, sets a precedent of further transparency, in addition to the guarantees of data protection legislation.

Another aspect that the document addresses is the publication of aid granted through social action, specifying that companies may not publish the list of aid granted and denied on a freely accessible web page or on a notice board located in an area open to the public. Where the aid is linked to special categories of data (for example, aid for children with disabilities), the disclosure of the aid must not allow the identification of the person concerned.

The “Data Protection and Employment Relations” guide also addresses the protection of the privacy of victims of harassment at work and of women who have survived gender-based violence. It determines that their personal data, and in particular their identity, are in general considered special categories of personal data and, in any case, are sensitive data that require enhanced protection. It therefore states that an identification code must be assigned to both the allegedly harassed person and the harasser in order to preserve their identity. In addition, the employer may know and process the data of a worker linked to her status as a woman who has survived gender violence when this is necessary to comply with legal obligations but, in any event, the company's documentation must include a code that does not allow third parties to associate such information with the worker.

The Agency also addresses wearable technology in driving. The AEPD indicates that monitoring health data through intelligent devices, such as wristbands or watches, is in general prohibited unless it is established by laws or regulations. Such monitoring is not part of the health surveillance proper to the prevention of occupational risks; it implies the processing of a special category of data (health) without a legal basis; it has no legitimate purpose; and it violates the principle of proportionality, since it involves permanent monitoring and would allow the employer to access specific health data, and not only the assessment of the ability to perform the work.


