Technological evolution, globalization and the use of Internet constantly raise new questions regarding how to act in situations with a potential impact on personal data protection. This is especially relevant in an employment context, in which multiple situations arise in which it becomes necessary to analyze the impact of an employer’s decisions in connection with employee personal data protection.

In an employment context, questions regarding the possibility of recording telephone conversations and using those recordings as evidence of labor infringements have been analyzed by the courts. Specifically, the Constitutional Court, in its judgment of October 4, 2021, ruled on a presumed violation of the right to personal data protection in the case of an employee (a sales representative) who was dismissed on grounds of serious and culpable breach due to deficient attention to customers evidenced in recordings of telephone conversations. The court concluded that the right to data protection had not been violated, given that the employer had complied with the prior information requirement regarding the possibility of recording telephone conversations and because said recordings were used for purposes of providing quality service and training, as undertaken by the employer vis-à-vis its employees’ statutory representatives. Furthermore the employee had previously been warned that his conduct was inconsistent with the goals of ensuring quality service and providing him with suitable training. It was precisely his failure to heed these warnings that led to the termination of the employment contract on grounds of serious and culpable breach. The court concluded by ruling that there had not been a violation of the dismissed employee’s rights.

The use of surveillance cameras as evidence of labor infringements has also been analyzed by the labor courts, inter alia, in judgments such as the one handed down on July 21, 2021 by the Labor Chamber of the Supreme Court, in which the Chamber confirmed the lawfulness of their use, provided such use meets the requirements of being suitable, necessary and proportionate.

Another challenge was created by the generalization of teleworking due to the COVID-19 pandemic, i.e., the challenge of personal data protection in situations of employee mobility, either because employees are traveling frequently, or due to exceptional circumstances, or because teleworking has been adopted by the employer as an alternative to working at the workplace.

The Spanish Data Protection Agency published a number of recommendations for these situations, which include advising the employer to define a data protection policy for situations of mobility. The recommended measures include that of informing employees of the mechanisms used to monitor digital devices, stipulating how company equipment is to be used (regulating access to social networks or the use of personal e-mail) or setting guidelines related to the right to privacy and to digital disconnection, as well as an employee’s duty of confidentiality.

Another aspect on which employee personal data protection can have an impact relates to the record of hours worked. In article 34.9, the Workers’ Statute imposes an obligation on employers to guarantee a daily record of hours worked, indicating that this record of hours worked is to be organized and documented through collective bargaining or company agreement, or otherwise by decision of the employer following a consultation with the employees’ statutory representatives. The lawfulness of the option to formalize the record of hours worked using systems such as digital fingerprinting has been assessed by the Spanish Data Protection Agency, which concluded that in said categories of personal data (e.g., biometric fingerprint data), the system must be justified and proven to be necessary and proportionate, and consideration must be given to whether other, potentially less intrusive, technical measures exist.

Lastly, with respect to personal data protection in connection with an employer’s obligation to keep a salary record pursuant to Royal Decree 902/2020, of October 13, 2020, on remunerative equality between men and women and to article 28.2 of the Workers’ Statue, the Spanish Data Protection Agency has clarified that, because this is statutory obligation, the employer does not require the employee’s consent. It also indicated that the record should not specify each employee’s salary, but rather the average salary values, salary supplements and non-salary amounts received, broken down by sex and distributed by job group, job category or jobs that are equal or of equal value, specifying that the record is to contain anonymized data rather than personal data or information that enables the identification of a given person.

In short, the use of new technologies creates new challenges which, in an employment context and in connection with data protection, make it advisable for employers to undertake a careful analysis of the interests involved and to review their internal practices and policies with a view to bringing them into line with the applicable legislation, where necessary.

Mónica Díaz

Garrigues Labor and Employment Department