The Spanish Data Protection Agency (AEPD) has just published a new guide on “Data protection and employment relationships” (the “Guide”), providing a practical tool that helps public and private entities to comply with data protection rules. The Guide updates the previous guidelines (subject to the prior data protection act) adapting them to the current framework.
The Guide addresses (i) the changes triggered by the current data protection rules; and (ii) various issues often raised before the AEPD, including
- Employers checking employees’ social media;
- Whistleblowing channels;
- Monitoring of working hours;
- Data protection of workplace harassment victims or women victims of gender violence;
- The use of wearables for monitoring purposes.
In sum, the Guide includes:
- A general section, covering generic aspects like:
| – Legal bases, right to information and other rights in the context of employment – The data minimization principle, under which employment contracts do not entitle employers to access any kind of personal data – Secrecy and security obligations – Limits on data processing in recruitment and hiring processe |
2. Various specific sections on the stages of employment relationships:
| – Recruitment and hiring – Development of the employment relationship – Monitoring employees’ activity – Union representation – Health and safety supervision |
Either because they are new developments or those most frequently raised before the AEPD, we outline below the most remarkable aspects of the specific sections:
- Recruiting and social media: The AEPD specifies that applicants are not required to allow their potential employers to check their social media. Employers may only process the data obtained from social media (i) with a valid legal basis; (ii) informing the concerned applicant; and (iii) proving that processing the data is necessary and appropriate for the job. The AEPD also emphasizes that employers are not allowed to send “friend requests” to applicants in social media or to request access to the applicant’s social media posts.
- Whistleblowing channels: According to the AEPD, it is a priority that complainants and potential addressees of complaints be informed. Only (i) those responsible for whistleblowing mechanisms and compliance; or (ii) processors, may access these data. Human resources staff may only access these data during disciplinary proceedings.
- Mandatory monitoring of working hours: The AEPD recommendations include adopting the least invasive system possible and that it not be publicly available or visible. Also, any collected data may only be used to monitor working hours. Therefore, employers are not allowed to track the employees’ location, as that requires a specific legal basis.
- The right to information of workers’ legal representatives: The AEPD implements the recent reform of the Workers Statute adopted by Royal Decree-Law 9/2021, providing the right of works councils to be informed (and thus the employers’ obligation to inform) of any parameters, rules and instructions that serve as the basis of algorithms or artificial intelligence systems that could have an impact on working conditions, access to and continuation of employment. See a more detailed analysis in this blog entry and in the round of webinars we held.
- Safeguarding the privacy of workplace harassment victims or women victims of gender-based violence: According to the AEPD, the personal data and identity of victims generally qualify as special categories of personal data requiring enhanced protection. Therefore, the alleged victims and offenders should be assigned an identification code to safeguard their privacy. The same applies to victims of gender-based violence, whose data may be processed if required to fulfill legal obligations, but only by assigning a code that prevents third parties from linking the information to the victim.
- Wearables. The AEPD emphasizes that tracking health data with smart devices like wristbands or watches is prohibited unless explicitly allowed by a regulatory or statutory provision. Tracking health data falls outside the scope of occupational risk prevention, and thus it would entail processing a special category of data with no legal basis.
The Guide will be helpful for the various parties processing data in the workplace, clarifying the existing data protection requirements in employment relationships. We will pay careful attention on this blog to the application of the Guide.
Authors: Josu Andoni Eguiluz, Adaya Esteban and Jorge Monclús