AEPD published guidelines on data protection and labor relations
AEPD published guidelines on data protection and labor relations in collaboration with the Ministry of Labor and the employers and trade union organizations.
The AEPD published guidelines recently, aiming at offering a practical tool to aid public and private organizations in upholding their compliance with the legislation in place. The agency collaborated with the Ministry of labor and social economy and the employers and trade union organizations in order to prepare this guide. The guide is centered around compliance with the GDPR and the DPA with specific focus on updates regarding the rights of workers and the collection and use of their data by employers. This guide covers quite a range of issues including employee data protection within the organization and even employer access to social media profiles, internal whistleblowing and privacy for victims and alleged harassers in the workplace.
The guidelines outline the general bases of legitimate data processing by employers.
The guidelines from the AEPD proposes the data protection rights to be upheld in a working environment. In the document the AEPD addresses the importance of applying the principle of data minimisation. An employment contract does not automatically give employers access to any and all personal information of employees, therefore these guidelines outline what information may or may not be necessary. The document sets the limits for the processing of data in the hiring process, as well as throughout the course of the employment contract. The AEPD explains that due to the duties of secrecy and security, personal data should only be known by the affected party and by those uses within the organization who have the power to use, consult or modify the data.
The AEPD suggests using the least invasive system possible for tracking employee working days.
According to the guidelines published by the AEPD, with regards to tracking employee workdays, the least invasive system possible should be adopted. This information cannot be publicly accessible or located in a visible place. In addition, the data registered by these systems must not be used for any purposes other than the tracking of the working day. In the example of a worker who travels to perform their role, a working day tracker would be used for the sole purpose of recording when their workday begins and ends, and not to constantly monitor their location. The processing of geolocation data requires a specific legal basis.
The guidelines cover access by employers to social media profiles and data from wearable technology like smart watches.
The AEPD explains that employees are not obligated to allow their employer to access or inquire into their social media profiles. This includes during the hiring process as well as for the execution of the employment contract. Even in cases where a candidate for employment has a social media profile that is publicly accessible, an employer may not process any data obtained in that way, unless there is a valid legal basis for it. In this case it will be necessary for the employer to inform the worker and to demonstrate what the legal basis is including its relevance to the performance of the role.
The AEPD published guidelines on wearable devices, particularly on the monitoring of health data through devices like smart watches. In general this type of monitoring is prohibited for several reasons. This type of monitoring violates the principle of proportionality as it suggests the constant monitoring of special category data (health), and could allow employers to access data specific to health conditions and not exclusively the data assessing an individual’s ability to perform their job.
The AEPD published guidelines specific to internal whistleblowing and privacy for victims and alleged perpetrators.
In instances of gender-based violence, or harassment, personal data, particularly identity is generally considered to be special category data. Sensitive data of this nature requires enhanced protection. According to the guidelines, an identification code should be assigned to the alleged victim as well as the alleged perpetrator in these cases. When it is necessary to process data for compliance to legal obligations, an employer may process data of a worker regarding their condition as it relates to gender-based violence or harassment. In cases of harassment at work, both the identity of the alleged harasser and the alleged victim of harassment must be protected.
The guidelines state that the works council now has the right to information on the parameters of a company’s algorithms and artificial intelligence systems.
As the use of artificial intelligence becomes more prevalent, the guide includes groundbreaking information on the rights of the works council to be informed by companies, on the framework for any algorithms or AI systems used within their company. This includes explanations on profiles which could prossible affect access to, as well as conditions, and maintenance of employment. This condition was newly introduced into law (RD-law 9/2021), modifying the Workers’ Statute, and introducing an additional level of transparency to the process.
Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and national data protection legislation in handling employee data? Aphaia provides ePrivacy, GDPR and data protection consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.
- The risks associated with geolocation data: an assessment by LINC, CNIL - August 11, 2022
- CJEU ruling on special categories of personal data - August 9, 2022
- Fine imposed on Volkswagen by German Data Protection Commissioner for multiple GDPR violations - August 4, 2022