The new Data Protection Act entered into force on 6 December 2018, introducing a number of so-called 'digital rights' (for further details please see "New Data Protection Act introduces digital rights for employees").
Notably, the Spanish legal system already provided a framework regarding the use of digital devices at work and how employers can exercise control over them in view of employees' right to privacy.
Existing legal framework
Although there were no legal provisions on this issue, the Supreme Court had ruled on the matter by adapting the provisions referenced in the notable European Court of Human Rights judgment in Barbulescu v Romania (5 September 2017).
In its judgment of 8 February 2018, the Supreme Court provided a general overview of the use of digital devices at work (eg, email or mobile phones) and how employers can exercise control over them while also guaranteeing their employees' right to privacy.
Thus, in order to monitor employees without violating their privacy, employers must consider the following questions:
- Does the employee have an expectation of privacy? (If the employer prohibits the use of work devices for personal purposes, there will be no expectation of privacy.)
- Has the employee been informed of the possibility that their employer may monitor their devices and the scope of this monitoring? The information in this sense must be clear and circulated in advance.
- How will the employer exercise control over its digital devices? Will the dissemination of communications be controlled or rather the content of such communications? Will control be exercised over all communications or only some?
- Are there legitimate arguments to justify the employer exercising control over digital devices?
- Could a system based on less intrusive measures be established instead?
- Will the employer use the results of the device monitoring properly and will they accomplish the goal of exercising such control?
- Has the employer offered the employee adequate guarantees regarding the monitoring (specifically, has it notified the employee in advance)?
Data Protection Act
The Data Protection Act provides a new legal framework in relation to employees' right to privacy in the use of digital devices at work, although no great changes have been made to the existing legal framework.
The act recognises the right of employees and public servants to privacy in the use of digital devices provided by their employer.
Further, it limits employers' control of such monitoring to:
- ensuring that employees comply with their employment obligations (or statutory obligations in the case of public servants); and
- guaranteeing the physical integrity of the digital devices.
As regards information to be provided to employees, the act states that employers must establish criteria for the use of digital devices which comply with the minimum standards of privacy protection in accordance with social customs and legal and constitutional rights. Employee representatives should be involved in establishing such criteria.
In addition to providing criteria for the use of digital devices, every time that employers authorise the private use of devices, they must specifically determine the authorised use and guarantees in order to preserve their employee' privacy (eg, the periods in which the devices can be used for private purposes). Employees must be informed of all such criteria for the use of devices.
Although the new Data Protection Act has introduced no significant changes regarding the use of digital devices at work, employees' right to privacy regarding such use has now been set out in law.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.