The new Spanish Organic Law 3/2018 on Protection of Personal Data and Guarantee of Digital Rights (Ley Orgánica 3/2018, de Protección de Datos Personales y Garantía de los Derechos Digitales), referred to from now on as the Spanish Data Protection Act, has taken advantage of the necessary adaptation to EU Regulation on Data Protection to include new employment rights in the digital area, including the right to digital disconnection and the right to privacy in the use of digital devices in the work environment.
The Spanish Data Protection Act came into force on 7 December 2018 and no transitional period for its application has been set out. As a result, the legal provisions on digital rights are technically effective as from the date the law came into force. Nevertheless, it would be reasonable to consider that there will be a progressive implementation of the new rights such as the right to digital disconnection.
We detail below the main changes included in the regulation:
Internal whistleblowing systems have been regulated
The Spanish Data Protection Act establishes the criteria for the setting up and maintenance of information systems whereby the company can be informed, anonymously if necessary, of actions or behaviours that might be in breach of rules applicable to the company.
Although the introduction of such whistleblowing systems is not mandatory, they could be a determining factor for the company to discharge its responsibility. If they are implemented, employees and third parties (customers, suppliers, etc.) must be informed of their existence.
As a general rule, access to the data obtained from these information systems is to be restricted exclusively to those persons performing internal control and compliance duties, or to the data processors specifically designated. Third-party access may be allowed on an exceptional basis when it is necessary to take disciplinary action or carry out pertinent legal proceedings. Particular restrictions are placed on access by human resources personnel, whose access is only permitted when it may be necessary to take disciplinary measures against an employee. The brief and limited wording of this provision makes it advisable to take special care on this matter, analysing on a case-by-case basis before the information is accessed.
Steps must be taken to preserve the identity and ensure the confidentiality of the data of the persons affected by the information provided, including those of the whistle-blower. The data can only be maintained for as long as it is necessary to determine whether there are grounds to initiate an investigation of the reported facts.
In any event, data is to be removed from the system after three months have elapsed from its inclusion, unless it is necessary to retain it to demonstrate the operation of the system for compliance purposes. Reports that have not been investigated will only be held on an anonymous basis. Once the three-month term has been exceeded, data may continue to be used for disciplinary purposes to investigate the matters that have been reported, although the data must not be held on the internal whistle-blowing system.
Data protection officers will have special employment protection
If the data protection officer is an employee, the data protection officer cannot be dismissed or sanctioned for carrying out such duties, except in cases of wilful abuse or gross negligence in the exercise of those duties.
Subject to the interpretation that may be given to this rule, it is likely that such protection is to be considered similar to that of personnel assigned to risk prevention duties.
The right to digital disconnection is an effective right for employees
Employees have been granted the right to digital disconnection, with recognition of their rights to rest, leave, and holidays, as well as to personal and family privacy. The rule expressly states that the right to disconnection will apply in the case of remote or home working conditions as regards the use of technology tools.
Employers must draw up an internal policy (to be applied to all personnel, including management), indicating how the right to disconnection can be exercised and the training and other awareness actions for employees on the reasonable use of technology tools.
The drawing up of this policy must involve worker representatives, who must be given a hearing. In addition, the ways in which the right can be exercised must be compliant with the Collective Bargaining Agreement.
Pending interpretation by the courts and the Employment Inspectorate, we consider that the absence of representatives of the employees would not affect the obligation to draw up the internal policy on digital disconnection. It is likely, however, that future inspections will not result in penalties until there is some development by collective bargaining or by means of informative notes on the different alternatives for digital disconnection, as long as the company has shown willingness to act on the matter.
Recognition of the right to privacy in the use of digital devices in the work environment
The Spanish Data Protection Act recognises the rights of workers to the protection of their privacy in the use of digital devices provided by the company. Companies will be able to access content derived from such use as long as the devices have been provided by the company itself and the purpose of such access is to control that the employees are complying with their contractual obligations, as well as to ensure the integrity of the devices themselves. This measure must take into account the Spanish and EU case law that requires the employees to be informed in advance of the existence of these controls, which must be suitable, necessary, balanced and objectively justified.
Companies must establish criteria for the use of digital devices, complying with minimum privacy standards in accordance with social customs and worker rights. Worker representatives should participate in the drawing up of usage criteria (although those criteria do not need to be agreed upon with them), and workers must be informed of their existence.
If devices are authorised for personal use, employer access to their content requires prior communication of the authorised uses and the establishing of guarantees to preserve worker privacy.
Once again, we understand that the absence of legal representatives will in no way waive the obligation to draw up such policies.
Rights to privacy have been established in the case of video monitoring and sound recording devices in the workplace
The use of video monitoring systems to control work activity is allowed, as long as it protects the dignity of workers, once the workers, and if applicable, their representatives, have been expressly, clearly and concisely informed of the existence of this measure. Once again, it has to be taken into account that EU case law also requires the monitoring to be suitable, necessary, balanced and objectively justified.
Only in the case of blatant commission of an infringement can this obligation to inform the employees in advance about the recordings be considered fulfilled by placing an informative sign in a sufficiently visible place identifying the existence of the processing of the data obtained from the cameras, the identity of the person responsible for such processing and the possibility of exercising the rights recognised in the Spanish Data Protection Act regarding the data obtained.
Workplace sound recording is more restrictive: it is only allowed if it is necessary for the safety of installations, goods and persons, and, in all cases, it must observe the principles of proportionality and minimum intervention, in addition to the guarantees established for video monitoring.
The use of sound recording and video monitoring systems is not permitted in areas set aside for worker rest or leisure.
Recorded images and sounds must be erased within a month or less of their recording, unless they must be kept as evidence of an infringement.
The use of location tracking systems is allowed under employee privacy rights
The use of data obtained from GPS tracking systems to control work activity is allowed as long as it respects the dignity of workers, once the workers, and if applicable, their representatives, have been expressly, clearly and concisely informed of the existence of the devices and of their rights to access, rectify, restrict processing and eliminate the data.
Control must be carried out within their legal framework and its limits, once again making it necessary to ensure that the measures are suitable, necessary, balanced and objectively justified.
Digital rights are expected to be considered within Collective Bargaining Agreements
Collective Bargaining Agreements can improve the rights and freedoms related to personal data processing and the safeguarding of digital rights.
The rule does not establish any specific regime to sanction any breaches of the digital rights. Pending an amendment to the Spanish Employment Infringements and Penalties Act (Ley de Infracciones y Sanciones del Orden Social) any infringements will be sanctioned under the general regime that covers the breaches of the right to privacy or the infringements of working timetables.