The introduction of new technologies in the workplace has resulted in great progress in terms of organization, production and management, but, at the same time, a number of complex issues of both practical and legal nature have arisen, including employee data privacy concerns.
Many employee data privacy issues can be easily solved by straight-forward application of the Spanish Data Protection Act 15/1999 (Ley Orgánica 15/1999, de 13 de Diciembre de Protección de datos de carácter personal) (Spanish Act), and developing regulations thereunder that implement the dictates of article 18 of the Spanish Constitution, which recognized the right of any individual to personal privacy, secrecy of communications and the protection of personal data. However, some employee data privacy issues have not been addressed directly by the regulations and thus have become a challenge for the both the employees and employers facing such situations, as well as for the Spanish Courts or the Spanish Data Protection Agency — the entity in charge of ensuring compliance with the data protection regulation and imposing penalties in the event of breach of such regulations. Some of the more challenging problems relate to the following issues.
The requirements for the installation and use of cameras for the purposes of video surveillance have been relaxed in the last few years as a consequence of a recent investigation of the use of cameras carried out by the Spanish Data Protection Agency.
Under current regulations, the most notable requirements are:
- Maintaining security measures to limit the access to the images captured through the video surveillance systems.
- Gaining consent from employees for the treatment of images when the images to be used for certain purposes.
- Avoiding taking close-up shots of any employee or employee’s screens and (iv) informing the employees of the existence of such video surveillance systems. The video surveillance systems must be located only in limited venues or areas and cannot be located in areas meant for employee’s private use (i.e., toilets, recreation rooms, etc.).
One of the major controversies has been whether or not it is lawful for employers to monitor how work computers are used by the employees as well as the employee’s email traffic and content. Legal doctrine recognize that computers belong to the employer and therefore, it is up to employer to establish the policy for the use of such computers. Additionally, it has been widely recognized that there is no legal obligation on the part of the employers to allow employees to use the company’s email for personal ends. Some case law has even considered that the use of companys resources for private purposes is a breach of the employee’s contractual good faith obligation. However, this principle should be considered with the right to privacy and the right to privacy in communications established in article 18 of the Spanish Constitution.
Accordingly, an employer may lawfully monitor, in limited situations, an employee’s email. The analysis of whether monitoring is lawful is based on the particular facts and circumstances of the matter. In this regard it is important that an employer ensures its employees are aware that email may be monitored and that a policy limiting the use of the computers and emails for professional purposes is put in place. Additionally, the monitoring cannot be discriminatory or arbitrary and should be justifiable and necessary for the investigation to be carried out. Only information related to the investigation at hand (e.g., an improper use of the computer or email, a disciplinary action) should be monitored and collected.
The Spanish Data Protection Agency has allowed the existence of whistleblowing schemes in companies, provided that security measures are put in place that are necessary or advisable for the purposes of discharging the employee’s tasks. The employer should keep all employees informed of its whistleblowing policies and procedures. Whistleblowing schemes should ensure the confidentiality of the whistleblower, although reports of any wrongdoing cannot be done anonymously. The information gathered in the course of an investigation so initiated should be kept only for as long as necessary to carry out the internal investigation and shall ensure that the rights of any employee involved are respected, specially the right of access, rectification, opposition, etc. Extra care should be used in case the employees involved belong to a trade union, as the trade union may have the right to be informed of any actions adopted in the process.
Personal Data Disclosure
An employer may collect and process a large amount of personal data for a number of different reasons and for different purposes (e.g., payroll, career management, fringe benefits). As a consequence of that, some personal information of the employee may be disclosed to the employer. In order to avoid problems in this area the general principle embedded in the Spanish Act is that the employer should limit the type of data gathered to that which is essential for the employment relation.
Additionally, the employer should make sure that the employees’ personal data is only disclosed to third parties (e.g., services providers, insurance companies, payroll external companies) in order to serve purposes which are directly related to the lawful functions of both the assignor and the person who receives the data, and only if disclosure has been specifically consented. Disclosure of personal data between a previous employer and a potential future employer is not permitted without the worker’s consent. This consent should also be sought in case the disclosure is made within companies belonging to the same group as the employer.
In summary, the Spanish Act allows the collection of personal data only if it:
- Has the express consent of the individual
- Is kept accurate and updated
- Is not excessive in relation to the purposes for which it was obtained
- Is not to be used for other incompatible purposes for which the data was collected
- Is correctly stored to permit the exercise of the right of access (an other rights) by the individual
- Is eliminated if such information ceases to be necessary or relevant when proved to be inaccurate or updated
Compliance with the Spanish Act is important, and violations may result in substantial penalties. The Spanish Act provides for sanctions ranging from €600 to €60,000, €60,000 to €300,000, €300,000 to €600,000, depending on the type of infringement. Additionally, the Spanish Criminal Code provides for prison sentences (from one to seven years) should the offense be extremely serious.