Existing legal framework
Data Protection Act

The new Data Protection Act entered into force on 6 December 2018, introducing a number of so-called 'digital rights' (for further details please see "New Data Protection Act introduces digital rights for employees and "New digital rights: employees' right to disconnect").

Notably, the Spanish legal system already provided a framework regarding the use of digital devices at work and how employers can exercise control over them in view of employees' right to privacy.

Existing legal framework

Although there were no legal provisions on this issue, the Supreme Court had ruled on the matter by adapting the provisions referenced in the notable European Court of Human Rights judgment in Barbulescu v Romania (5 September 2017).

In its judgment of 8 February 2018, the Supreme Court provided a general overview of the use of digital devices at work (eg, email or mobile phones) and how employers can exercise control over them while also guaranteeing their employees' right to privacy.

Thus, in order to monitor employees without violating their privacy, employers must consider the following questions:

  • Does the employee have an expectation of privacy? (If the employer prohibits the use of work devices for personal purposes, there will be no expectation of privacy.)
  • Has the employee been informed of the possibility that their employer may monitor their devices and the scope of this monitoring? The information in this sense must be clear and circulated in advance.
  • How will the employer exercise control over its digital devices? Will the dissemination of communications be controlled or rather the content of such communications? Will control be exercised over all communications or only some?
  • Are there legitimate arguments to justify the employer exercising control over digital devices?
  • Could a system based on less intrusive measures be established instead?
  • Will the employer use the results of the device monitoring properly and will they accomplish the goal of exercising such control?
  • Has the employer offered the employee adequate guarantees regarding the monitoring (specifically, has it notified the employee in advance)?

Data Protection Act

The Data Protection Act provides a new legal framework in relation to employees' right to privacy in the use of digital devices at work, although no great changes have been made to the existing legal framework.

The act recognises the right of employees and public servants to privacy in the use of digital devices provided by their employer.

Further, it limits employers' control of such monitoring to:

  • ensuring that employees comply with their employment obligations (or statutory obligations in the case of public servants); and
  • guaranteeing the physical integrity of the digital devices.

As regards information to be provided to employees, the act states that employers must establish criteria for the use of digital devices which comply with the minimum standards of privacy protection in accordance with social customs and legal and constitutional rights. Employee representatives should be involved in establishing such criteria.

In addition to providing criteria for the use of digital devices, every time that employers authorise the private use of devices, they must specifically determine the authorised use and guarantees in order to preserve their employees' privacy (eg, the periods in which the devices can be used for private purposes). Employees must be informed of all such criteria for the use of devices.


Although the new Data Protection Act has introduced no significant changes regarding the use of digital devices at work, employees' right to privacy regarding such use has now been set out in law.

For further information on this topic please contact César Navarro at CMS Albiñana & Suarez de Lezo by telephone (+34 91 451 9300) or email ([email protected]). The CMS Albiñana & Suarez de Lezo website can be accessed at www.cms-asl.com.