The Spanish Agency for Data Protection (AEPD) has just published a new guide that aims to serve as a practical, but not binding, tool to help public organizations and private companies comply adequately with the legislation.
The guide Data Protection in Labour Relations also aims to serve as a manual for those responsible for the processing of personal data in their obligation to communicate to the persons whose data have been affected, as well as to notify the data protection authorities.
What are its main changes? What topics does this guide address on personal data protection and ensuring digital rights? Is the employee entitled to digital disconnection?
These are some of the questions this guide answers, and which we at the labor consultancy of AYCE Laborytax intend to collect in this article.
Employees’ rights over data protection
The new guide Data Protection in Labour Relations 2021 delves, in essence, into the rights of employees in this area recognised by Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) and the General Data Protection Regulation (GDPR).
This guide updates the version published in 2018, when the GDPR began to apply, and includes the experience collected in this time.
The main purpose of this guide is to facilitate the effective and efficient fulfillment of the ultimate objectives of the notification of personal data breaches.
These purposes include: the effective protection of the rights and freedoms of individuals, the creation of a more resilient environment based on knowledge of the vulnerabilities of the organization, and the guarantee of legal security by providing those responsible with a means to demonstrate diligence in the fulfillment of their obligations.
It also addresses current issues such as the employer's consultation of social networks, internal complaint systems, the recording of working hours and wages, the right to digital disconnection, health surveillance, and data processing by workers’ representatives.
But first we must refer to and explain what the concept of processing of personal data is.
According to Article 4.1 of the GDPR, “any information relating to an identified or identifiable natural person” is considered personal data.
It can range from date of birth, marital status and address to any information about childhood, academic, professional or working life, about life and consumption habits, and any evaluation or assessment that refers to specific people.
Based on this premise, we will now address the main points and recommendations contained in the guide on Data Protection in Labor Relations, given the importance of the issues it addresses.
Keys to the new AEPD Data Protection and Labor Relations Guide
Selection of personnel
In the section on personnel selection and social networks, the guide details that people are not obliged to allow the employer to search their social media profiles, either during the selection process or during the execution of the contract.
Even if a profile is publicly accessible, the employer may not process the data obtained in this way if it does not have a valid legal basis for it.
This will require informing the worker and demonstrating that such processing is necessary and relevant to the performance of the job.
On the other hand, the agency clarifies that the company is not entitled to request ‘friendship’ from candidates so that they provide access to the contents of their profiles.
Registration of working hours and wages
As for the registration of working hours, which has its legal basis in a legal obligation to include the specific start and end time of the working day of each worker, it is recommended that the least invasive system possible for the worker be adopted.
In addition, the guide states that the worker shall have the right to be informed and, where appropriate, to exercise the rights of access, rectification, opposition and deletion, regardless of whether the registration is more or less sophisticated.
This working-day record must not include more personal data than is essential (principle of minimization).
Nor can the data in this register be used for purposes other than monitoring the working day, such as checking the location.
Internal whistleblowing systems
With regard to internal complaint systems, which are usually configured as internal mailboxes through which workers, usually through an online procedure, reveal the commission of acts or conduct contrary to the law or the collective agreement, the guide points out that information is of paramount importance.
The LOPDGDD admits anonymous reporting systems and, where the system is not anonymous, the confidentiality of the complainant’s information must be secured and the complainant must not be identified.
The existence of these mailboxes must respect the principle of proportionality, so that the complaints refer only to cases in which the facts or actions have an effective implication in the relationship between the company and the defendant.
One of the main obligations of the employer in the field of occupational risk prevention is the monitoring of the health of workers.
It is an obligation that does not imply a correlative duty for workers, since medical examinations by the employer are, in general, voluntary for employees, who must give their consent.
The employer is not entitled to know the specific medical diagnosis, so that it will only be able to access the conclusions of such health surveillance referring to the concept of “fit” or “unfit”.
The employer shall ensure that the workers in his service are regularly monitored in the light of the risks inherent in the work. Such surveillance may be carried out only if the worker gives his consent.
The guidance also states that monitoring health data through smart devices, such as wristbands or watches, is generally prohibited, unless established by law or regulation.
Communication to those affected
As a complement to the Guide, the AEPD has a tool called ‘Comunica-Brecha RGPD’, which helps companies decide whether or not to communicate a data breach to the people affected. This obligation is independent of the obligation to notify the supervisory authority of such a breach.
This resource is based on a short form that gathers details that allow the application of basic criteria indicative of the risk associated with the breach.
When the form is completed, the tool will indicate one of three possible scenarios: that the security breach should be notified to the affected people when a high risk is assessed; that such communication is not necessary; or that the level of risk cannot be determined.