The impact of the General Data Protection Regulation (GPRD) after its first year of application

After a year of application of the RGPD, it is a good moment to analyze its impact on our legal system through case law.

The General Data Protection Regulation (RGPD) celebrated, this past May 25, its first year of obligatory compliance. Likewise, the Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), has clarified and completed the provisions of the RGPD.

Coinciding with this date, the Spanish Data Protection Agency (AEPD) has published a report summarizing in numbers the main aspects of this first year of life of the RGPD.

The balance of this first year is positive, and it is noted that the degree of knowledge that citizens have about their rights in this area has improved. In this sense, the figures confirm this data, in this first year the number of complaints from citizens for violations of privacy has increased to reach the figure of 150,000 complaints.

In this regard, we highlight the following resolutions issued under the new regulatory framework:

1. The Supreme Court ruling of 10 April 2019, which declares the validity of a contractual clause in the employment contracts of a company, under which employees, by signing the contract, consent to the transfer of their image captured via webcam or any other means, in order to develop the object of the contract. The Supreme Court considered that the consent of the data subject (employee) should not be given expressly when the processing of the data is necessary for the execution of a contract signed by the data subject. And all this in the light of Article 6.1.b (“processing shall only be lawful if it is necessary for the performance of a contract to which the data subject is a party or for the application or request by the data subject of pre-contractual measures”) and 9.2.b (‘processing of biometric data where this is necessary for the performance of obligations and the exercise of specific rights of the controller or the data subject in the field of employment law and social security and protection insofar as it is authorised by the Union law of the Member States or by a collective agreement in accordance with the law of the Member States which provides adequate safeguards for the respect of fundamental rights and the interests of the data subject’) of the DGPS. The key to the case is that the video calls made or received by the worker were within the subject matter of the contract, and therefore fall within the scope of Article 9(2)(b) of the GPRS.
2. The Ruling of the Social Court No. 3 Pamplona, dated February 18, 2019, by which the recordings of the company to accredit the dismissal of an employee are rejected for the first time. In the case in question, the company provided the video surveillance system recordings as evidence. Although it is true that the company previously placed a sign advising of the existence of video surveillance cameras, and therefore complying with the requirement to report the existence of video cameras in the workplace, as established in article 89 of the LOPDGDD, the judge considered that, taking into account the two pillars of transparency and information on which the RGPD is based, it is necessary for the employer to specify the purpose of the recordings, that is, that they can be used for a sanctioning purpose. That ruling is a clear example that, in the face of concepts that are not defined by the Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights, recourse must be had to European regulations.
3. It should also be noted that the Spanish Data Protection Agency has recently issued a resolution sanctioning the Professional Football League with 250,000 Euros for violating the principle of transparency through its official application. In this sense, the Professional Football League, through its official application, used the microphone and the geolocation of other people’s mobiles to detect pirate emissions in bars. According to the Spanish Data Protection Agency, the official application of the Liga de Futbol Profesional violates articles 5.1 and 7.3 of the RGPD, in the sense that it is not transparent with the user of the possibility of withdrawing at any time his consent for his personal data to be used in this way. Although the Professional Football League has already indicated that it will withdraw the function that accesses the microphone from mobile phones from 30 June this year, it has also communicated that it will appeal against the Agency’s resolution.

After this one-year period, there are still some problems related to the interpretation of the regulations and the implementation of measures that guarantee the security and privacy of those affected in the processing of their data. The rulings indicated, as well as the resolution of the Spanish Data Protection Agency, clarify the interpretation and application of the RGPD and the LOPDGDD in the Spanish legal system. In view of the above, it will be necessary to be attentive to future resolutions on data protection, in order to minimize the risk of sanctions for Spanish companies.