The Spanish Data Protection Agency has produced a guide that aims to facilitate compliance with data protection regulations in the field of labour relations.
The Spanish Data Protection Agency (AEPD) has recently published the guide “Data protection in labour relations”. This document aims to facilitate compliance with data protection regulations for companies and those responsible for the processing of personal data in the company’s relations with its employees.
The purpose of the guide is not exclusively to summarise or structure the content of the data protection regulations, but to provide practical guidance to facilitate compliance with the legislation for data controllers and persons or entities in charge of processing (in the terminology of the GDPR and hereinafter, “data processors”), with the support of the experience of the AEPD.
This article covers some of the most relevant points discussed in the guide and follows the guide's own structure, which is divided into six main working sections:
Information on the processing of and rights to protection of employment data
With regard to this section, we shall briefly summarise, as it is not a new aspect, that the employer must inform employees in clear and simple language about the data processing that is being carried out. For their part, employees may exercise the following rights:
Right of access. The employee has the right to confirmation that data processing is taking place and to know how it is taking place.
Right of rectification. Employees may demand the rectification of inaccurate data undergoing processing, as well as the completion of incomplete data.
Right to erasure. Employees may demand the erasure of personal data undergoing processing.
Selection and recruitment
Social networks and job applicants
Enquiries into the social network profiles of job applicants are only justified if they are related to professional purposes. For this, it must be demonstrated that such processing is necessary and relevant for the performance of the job. In any case, the employee has the right to be informed about such processing.
However, the company is not entitled to “befriend” applicants in order for them to provide access to the contents of their profiles (Opinion 2/2017 on data processing at work of the Article 29 Working Party).
Nor is the employer entitled to ask an employee or job applicant for information that he or she shares with others via social media.
Interviews and personal questions about religion or politics
The candidate’s answers in a job interview do not amount to consent to processing as if they were personal data.
Therefore, data obtained through inference in an interview about a candidate’s religious beliefs or trade union or political affiliation cannot be processed unless it is necessary for the performance of the contract, there is a legitimate interest or there is consent.
But the employer must take into account that it is considered a very serious administrative offence “to request personal data in selection processes or to establish conditions, through advertising, dissemination or by any other means, that constitute discrimination in access to employment on grounds of sex, origin, including racial or ethnic origin, age, marital status, disability, religion or belief, political opinion, sexual orientation, trade union membership, social status and language within the State” (art. 16.1.c) TRLISOS).
Interviews and personal questions on health
According to Council of Europe Recommendation 2015 (2), para. 9.2, a job applicant may only be questioned about his/her state of health and/or be medically examined to indicate his/her suitability for future employment and/or to meet the requirements of preventive medicine.
Medical examinations are voluntary for the worker, unless they are made compulsory by law in activities where there is a risk of occupational disease.
The guide explains that, if the CV was sent by post or e-mail and there is an e-mail address provided by the person concerned, information can be sent to him/her by this means, requesting confirmation of receipt and making the processing of the data conditional upon acknowledgement of receipt. If the data subject presented himself/herself at a service desk or office, he/she should be informed there by any means that proves compliance with this duty, such as posters or acknowledgement of receipt documents.
On the other hand, if the applicant is not hired, his or her consent would be necessary for future processing, such as in a company job exchange. However, if this is not the case or if there is no consent, the CV must be destroyed and the personal data deleted and blocked.
Development of the employment relationship
Pay slips should not contain superfluous or additional information other than a statement of income and deductions arising from the employment contract. In particular, no mention of trade union membership should be included in the salary statement, and it is advisable that any deduction of trade union dues be identified in such a way that third parties do not have access to this information, since the payslip is usually required by public and private entities in order to carry out certain procedures.
Pay slips, together with the information referring to their salaries, could contain other data, such as the tax address, the current account in which payments are made and even specially protected data referring to health or ideology, as well as the deduction, if applicable, of union dues for union members.
These data must not be made known to third parties, nor to certain persons if the purpose does not justify it, without the consent of the person concerned. The transparency of remuneration and the breakdown of remuneration items, which may even be a legal requirement in certain areas, does not extend to other personal data, even if they are included in the pay slip.
The data in the register may not be used for purposes other than the monitoring of working time (purpose limitation principle). The working time register is an instrument for verifying the daily working hours worked by each worker and its purpose is to create a framework of legal certainty in the reciprocal relations between workers and companies, as well as to enable control by the Labour and Social Security Inspectorate. In addition, the company, after analysing the data in the working time register, will be able to know if any of the workers have not complied with their working hours and, for this reason, it is not necessary for the worker to have been specifically informed of the results of this control. However, the time recording could not be used for other purposes, such as checking the location of a worker.
Geolocators are an instrument for checking working time and not the place where the activity takes place, in cases where an itinerant worker has established that the recording of his/her working time is done by geolocation.
Therefore, the purpose of time recording is to check when the worker starts and finishes working time, but not to check where he/she is at any given moment.
The principles of minimisation and purpose limitation are fully operational. Consequently, if the purpose of geolocation is time recording, the data cannot be used to verify the location of the worker at any given moment, but only the start and end times of the activity, which is what the legal basis of time recording allows (art. 34.9 of the ET).
Termination of the employment relationship: letter of dismissal
The letter of dismissal may not include personal data that the employer is not entitled to know, for example, those special categories of personal data, such as the medical diagnosis that motivates a dismissal for unfitness (STS 5138/2005, of 22 July, Sala de lo Social).
Termination of the employment relationship: non-competition agreement and surveillance on LinkedIn
According to Opinion 2/2017 of the Article 29 Working Party, this possibility is admitted provided that the employer can demonstrate that such monitoring is necessary to protect its legitimate interests, that there are no other less invasive means and that the former employees have been adequately informed of the scope of the periodic monitoring of their public communications.
Monitoring of work activity
According to art. 89 of the LOPDGDD, these images may be processed for the exercise of the functions of monitoring employees, with the following requirements:
The legal basis for the control of workers by means of video surveillance is the employment contract and the legal powers of control granted to the employer (art. 20.3 of the ET), so that consent is not required.
Video surveillance should only be used when it is not possible to resort to other means that cause less impact on privacy. In this sense, video-surveillance systems for business monitoring should only be adopted when there is a relationship of proportionality between the purpose pursued and the way in which the images are processed and there is no other more suitable measure. Audiovisual monitoring must respect the fundamental rights of the worker, especially the right to personal privacy (STC 98/2000, of 10 April and 186/2000, of 10 July).
Data processing takes place whether the cameras record images or reproduce them in real time. By contrast, data protection rules do not apply to simulated cameras, since, as they do not capture images of identified or identifiable natural persons, no processing of personal data takes place. However, existing data protection principles and applicable sectoral legislation should be applied to cameras that are simply deactivated and can be activated without excessive effort.
In the judgment of the European Court of Human Rights (STEDH López Ribalda II of 17-10-2019) it is accepted that the failure to warn the worker about the location of the camera, in a case in which there has been information about the installation of video surveillance cameras and there is a reliable suspicion of serious breach of work obligations (continuous theft of company products with high economic value) does not lead to the nullity of the evidence obtained to impose a sanction on the worker, but the company can be held liable in the field of data protection, for breach of the obligation to inform, and must face the civil and administrative liabilities that may arise from this breach.
Employees using geolocation tools must be fully informed about the monitoring carried out and the purpose of their use by the employer.
The employer should clearly inform employees that a tracking device has been installed in the company car and that their movements are being recorded while they are using it (and that, depending on the technology used, their driving behaviour may also be recorded). It is advisable for this information to be displayed in a prominent place in each vehicle, in full view of the driver.
A geolocation device could be justified in the transport of goods, where it is relevant to know where the vehicle is and when it will be able to make a particular delivery.
It is not permissible to impose on the worker the obligation to provide personal means to facilitate geolocation (e.g. mobile phone). The Judgment of the Audiencia Nacional, SAN 136/2019, of 6 February, Sala de lo Social, declared that it is contrary to the right to data protection to impose a clause in the contract that requires the worker to communicate to the employer an email address and to have a mobile phone with internet connection to install a geolocation application that allows customers to track orders during delivery.
According to article 20.4 of the ET, the employer may verify the worker’s state of illness or accident that is alleged by the worker to justify his or her absences from work, by means of an examination by medical personnel.
The employee’s refusal to undergo such examinations may result in the suspension of any economic rights that may be payable by the employer for such situations.
It is entirely valid for the company to use the medical services of an external subcontracted company to examine workers who are absent for health reasons, as long as this is carried out within the limits of good faith and is proportional to the objectives sought (STS 481/2018, of 25 January, Social Chamber).
Hiring a Detective
Art. 20.3 of the ET empowers the employer to adopt control and surveillance measures of very different intensity, and among them, it could resort to a private detective, with the following precautions:
This measure, like any other control measure, requires passing the proportionality test, so it is not justified if there are other equally suitable, but less invasive, measures.
The processing of data does not require the consent of the employees, as the legal basis is the employment contract, in relation to art. 20.3 of the ET.
It is forbidden to investigate “the intimate life of persons in their homes or other private places”, as well as to use “personal, material or technical means in this type of service in such a way as to violate the right to honour, personal or family privacy or self-image or the secrecy of communications or data protection” (art. 49.4 of Law 5/2014, of 4 April, on private security).
Unitary and trade union representation of employees
When a company has workers’ representatives and sometimes has to provide them with information relating to other workers, there are some limits on data protection that both the company and the representatives must respect.
When a company needs to carry out an ERTE or any other collective measure (dismissals, transfers, suspensions or substantial modifications), a consultation period must be held with the workers’ representatives. These consultation periods include negotiations in which information must be provided to the representatives. In this regard, it should be borne in mind that:
Such information may include personal data of the workers, such as name and surname or the position they hold. In addition, in some cases, information must be provided on the criteria to be used to select the workers affected by the measure, such as age, seniority or productivity. In these cases, the company must respect the “principle of minimisation” and provide only the information necessary for the negotiations and not provide information that is not necessary, such as workers’ addresses or ID card numbers.
Workers’ representatives may not use the data for any purpose other than negotiating with the company to try to reach an agreement. To this end, they have a duty of confidentiality with regard to information that the company has provided to them on a confidential basis, such as the company’s financial data, and with regard to confidential data to which they have access.
Communications by e-mail
Workers’ representatives may send e-mails to the employees of a company. In this sense, the sending of trade union information by e-mail is a right of representatives protected by the fundamental right to freedom of association. However, this right has some limitations:
The company cannot give the representatives the employees’ private e-mail address.
The representatives must respect the employees’ right to object, so that they can object to continuing to receive emails of a trade union nature.
Companies must make a notice board available to representatives at the workplace and respect the following conditions:
It must prevent unauthorised third parties, such as customers or suppliers, from accessing the information posted on the board. Therefore, it must not be located in places that are freely accessible to third parties.
If, due to teleworking, the company has set up a part of the intranet for representatives to post trade union information, it must be ensured that it cannot be accessed by persons outside the company.
If representatives post judgements of cases they have won, they should be anonymised (they should not contain personal data).
Data monitoring through smart devices, such as wristbands or watches, is generally prohibited. Moreover, given the unequal relationship between companies and workers and the sensitive nature of health data, workers are not truly “free” to consent.
Even if the employer uses a third party to collect the health data, the processing would still be unlawful unless a legitimate interest, a specific purpose, proportionate monitoring, or complete anonymisation of the data is ensured.
An example of this would be when an organisation offers fitness trackers as a gift to its employees. The devices count the number of steps workers take and record their heartbeat and sleep patterns over time. The resulting health data should only be accessible to the worker and not to the employer. Any data transferred between the worker (as the data subject) and the device/service provider (as the data controller) is a matter for both parties.
The Labour Management department of AddVANTE remains at your disposal for further information or to resolve any queries that may arise in relation to this article.