The Spanish Data Protection Agency offers pointers on how to protect workers’ data

The Spanish Data Protection Agency (AEPD) has published its guidelines on data protection in labor relations  to help both public and private organizations adequately comply with the law in force. The guidelines are in response to questions that have arisen in the current legal framework, particularly following publication of the General Data Protection Regulation (GDPR) in the EU.

The entry into force of the GDPR imposed numerous obligations related to the collection of data, consent, storage and use of protected data and their disclosure. To supplement the above, the AEPD has published various different guidelines to promote and clarify the application of current data protection legislation.

But the truth is that in the specific area of labor relations, the above obligations had been giving rise, and still do today, to important questions both from the standpoint of interpretation and especially, from a practical standpoint.

It is precisely to try to answer some of these questions that the AEPD has published its guidelines on data protection in labor relations.

Specifically, the guidelines are divided into six large sections:

• Background
• Recruitment and hiring
• Changes in employment relationships
• Control of activity at the workplace
• Workforce- and union-elected representatives
• Health monitoring

The guidelines give a summarized theoretical account, but specifically focused on the subject-matter addressed in each case. This is then supplemented with specific practical examples such as opinions or judgments that give an insight into the decisions handed down, which is particularly interesting.

The guidelines include aspects that have been studied in greater detail such as the processing of data in relation to employment contracts or pay statements, specifying that more superfluous information or additional details in relation to income and deductions resulting from the employment contract should not appear and indicating that reference should not be made to union membership. In this regard, they conclude that no companies may require their employees to provide data on said union membership, political ideology, religious beliefs or sexual orientation.

In addition, the guidelines underscore in particular, references to aspects which, because they are much more topical, have been analyzed less and are therefore creating greater uncertainty.

For example, an entire section is dedicated to data processing in relation to innovative whistleblowing systems, indicating that these systems must respect the principle of purpose limitation. As a result, information obtained in this way, cannot be used for different purposes to those for which the system was implemented and all necessary measures should be adopted to provide adequate security and confidentiality.

It also alerts readers to the implications of data protection as regards salary registers, which, in principle, do not require data processing. However, as the guidelines state, such processing could end up being compulsory for example in professional categories or groups with a small number of workers, in which certain information that has been made anonymous could become personal data.

A detailed analysis is also included of data processing generated in video surveillance, geolocation and access control, as well as in the capture of biometric data, giving details of different requirements and conditions that both the AEPD and the courts are demanding from a data protection standpoint. In this regard, an example is given of an employer that installs an access control and video surveillance system at the entrance to a room containing servers on which the company’s sensitive data are stored digitally. If any data are accessed without authorization or are lost or stolen, the records kept by the employer will provide insight on who had access to the room at that time. Opinion 2/2017 on this matter concludes that given that processing is necessary and does not breach workers’ right to a private life, it could be lawful if employees have received adequate information on the processing. Conversely, it finds that the continuous observation of the frequency and exact times the workers enter and leave cannot be justified if these data are also used for other purposes, such as to assess performance.

All the references to data processing in relation to access to information by the workers’ representatives or the publication of personal data on notice boards, are equally interesting. In this regard, although it is not disputed that compliance with obligations and the exercise of the representatives’ rights allow the workers’ personal data to be processed without their consent, such processing must be limited to the necessary data and the employer may only disclose to the representatives, the data that are essential to perform their duties, which is known as data minimization.

In short, as is indicated in the presentation of the guidelines, their aim is not just to summarize or structure the contents of provisions in this regard, but also, in particular, to provide a practical guide, although, as is underscored, it is not binding. In our opinion, mission accomplished.