Data protection, a new challenge for companies

One of the aspects of labor relations in which most doubts arise concerns the data protection obligations, rules and policies with which companies must comply. Indeed, an analysis of circulars, instructions, decisions, guidelines, etc. issued by the Spanish Data Protection Agency (AEPD) over the years, reveals that a large proportion of them are dedicated precisely to data processing in the field of labor relations.

The new Data Protection Law (“LOPD”) is due to enter into force this coming May 25, 2018. Still a Bill, the purpose of this law is to bring Spanish legislation into line with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, known as the General Data Protection Regulation.

Since this new regulation is going to have an impact on certain aspects of human resources and labor relations, we will take a look at the most important developments below.

One of the changes in the regulation refers to the processing of data of deceased individuals. In this regard, the heirs of the deceased, the executors or the person or institution designated, may request access to, or the rectification or erasure of personal data, unless this is expressly prohibited by the deceased individual himself or a law. Therefore, these new provisions must be borne in mind in relation to the employees of the company that have passed away, either during the employment relationship or during the time that the personal data are stored.

Another relevant development is that express consent must be obtained from the data subject to process his/her personal data. The data subject must be informed of all the purposes for which his/her personal data will be processed and he/she must expressly consent to the processing for all of these purposes. This leads us to recommend that, as soon as possible, and definitely as from May 25, 2018, the clauses in employment contracts regarding the processing of personal data, be revie2wed to bring them into line with the new law.

Regarding the processing of data that is presumed lawful, the following considerations should be borne in mind:

  • the processing should only refer to the data necessary for the professional location of the employee
  • the purpose of the processing may only be to maintain relations of any nature with the company. This principle is also applicable to the contact data of self-employed workers, provided that the data refer to their status as such and do not include the processing of their data as individuals

Another of the developments of this law is in relation to the processing of data in connection with business succession. That is, the processing of data that may be necessary for the successful outcome of the transaction and which ensure the continuity of the provision of services, where applicable. The Regulation establishes that if the business transaction is not successful, such data should be immediately deleted.

Another interesting aspect is the regulation of processing for video surveillance purposes. The draft LOPD lists the judicial interpretations made in the last few years and the recommendations of the AEPD on the issue, establishing mainly that:

  • images captured by cameras or video surveillance systems may be processed in order to safeguard the security of persons, goods and premises
  • the data must be deleted within a maximum term of one month, except where such images are used to prove certain breaches and conduct
  • a visible informative device should be put in place identifying the existence of the processing, the identity of the controller and the possibility of exercising the relevant rights
  • the employer may use recordings from cameras and video surveillance systems to control employees’ compliance with their obligations, although it is mandatory to inform employees of these measures (it does not specify how)

In addition, employees and third parties must be informed of the existence of any whistleblowing systems that are in place. The confidentiality of the data stored in the system must be guaranteed and such data may be stored for a maximum period of 3 months (after this period, they must be deleted). Furthermore, in cases in which the actions reported may give rise to disciplinary measures, the data may be accessed by the company’s human resources manager, in order to adopt, if applicable, the corresponding disciplinary measures.

Another of the new aspects of the Bill worth noting is that proactive steps by the controller and processor are established (the companies and/or the persons they designate). Each individual situation must be assessed to determine which technical and organizational measures are the most appropriate to ensure and to evidence the correct processing of the data. It is also necessary to evaluate the impact of the data processing, and to record the data processing operations and the steps to be taken.

Finally, there is also an important development in the penalty regime and the amount of the penalties to be imposed. That is, the amount of the penalties has increased in the most serious scenarios to up to 20 million euros, and in the case of companies, to up to 4% of their revenues, whichever is greater.

Numerous voices, even in Europe, have warned that the adaptation of the new law in the Member States is going to be a complex process, which is expected to take longer than the period granted (initially until May 25, 2018). For small and medium-sized companies it will be a challenge that will require adequate planning and advice from experts.


Vanessa Orive Sánchez

Garrigues Labor and Employment Law Department