The SDPA publishes the updated guidelines on data protection in labour relations

The new guidelines on "Data protection and labour relations" (Link[1]) drafted by the Spanish Data Protection Agency ("SDPA") with the participation of the Ministry of Labour, employers' and trade union organisations deals with different data processing in the labour context. The SDPA had already drawn up a document with practical recommendations on this type of processing, which was removed from the SDPA's website for being outdated.

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC together with the subsequent approval of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights, made it necessary to adapt the previous guidelines to the new regulatory framework.

Although it is true that in these guidelines the SDPA does not change the criteria maintained in the previous guide published, it does include new examples of specific processing operations and situations that have become commonplace in day-to-day life with the introduction of new tools and technologies. In this way, the published guidelines introduce substantial changes such as references to the digital rights of employees, wearable technology, the processing of data of women who have suffered gender-based violence, etc.

The guidelines are structured in seven sections, the first two of which focus on general aspects, general principles of data processing, lawfulness of processing, data subjects' rights, duties and obligations of the parties involved in the processing, data transfers and transfer of personal data to third countries. The remaining five sections deal with more specific aspects of processing in the labour environment:

1. Recruitment and hiring process. The section focuses special attention on the investigation of candidate profiles on social networks, the position of third-party recruitment agencies, companies dedicated to the selection of people, etc. At this point, it is relevant to highlight that the SDPA states that a company is not legitimised to request 'friendship' from candidates in order to them to provide access to the contents of their profiles.

In relation to the personal data of unsuccessful candidates, the SDPA clarifies that unless the employer can demonstrate a legitimate interest, candidates’ personal data may only be retained with his/her consent. Otherwise, the CV must be destroyed, and the personal data must be deleted and blocked.

2. Performance of the employment relationship. Following the life cycle of data processing, the SDPA dedicates a section to the processing of data carried out during the development of the employment relationship. In this sense, the aforementioned section deals with data processing such as payrolls payment, life insurance and pensions, whistleblowing channels, record of working time, transfers of data to third party companies, reconciliation rights, etc.

One of the novel points is related to personal data concerning victims of harassment at work and women survivors of gender-based violence. The SDPA, in relation to the Legal Opinion 149/2019[2], clarifies that these personal data, especially victims’ identity, have the consideration of special categories of personal data and, in any case, are sensitive data that require enhanced protection. Thus, it understands that "an identification code must be assigned to both the person allegedly harassed and the alleged harasser, in order to preserve their identity". In addition, the employer may know and process the data of a worker linked to the condition of a woman survivor of gender violence when it is necessary for the fulfilment of legal obligations. In any case, the company's documentation must include a code that does not allow third parties to associate this information with the worker.

3. Supervision of working obligations. In this regard, the SDPA recalls that the employee’s consent is not necessary as it is foreseen in Article 20.3 of the Workers' Statute. However, the SDPA stresses the need to carry out a proportionality test for the adoption of the control measures to be implemented. The guidelines analyse the processing of data relating to the control of access to facilities, video surveillance, geolocation, absence control due to illness or accident, and the use of private detectives.

4. Unitary and union workers' representation. This section analyses the classic processing of personal data published on bulletin boards, the payment of union dues, data transfers to union delegates, etc. The criteria of the SDPA on these points have not changed in recent years. However, what is new is the incorporation of the right of the works council to be informed by the company of the parameters on which the algorithms or artificial intelligence systems are based, including profiling, which may affect the conditions, access and maintenance of employment. This novelty, approved in the recent Royal Decree-act 9/2021, which amends Article 64.4 of the Workers' Statute.

5. Health surveillance. The regulations on the Labor Risk Prevention require the company to carry out a set of activities whose ultimate aim is to prevent or reduce the risks arising from work. These tasks result in the processing of sensitive personal data relating to employees. As established by the SDPA and sectorial regulations, the employer is not entitled to know the specific medical diagnosis, so that it can only access the conclusions of the health surveillance referred to the concept of "fit" or "unfit", or the breakdown of the tasks that it is possible to perform, with the relevant recommendations on the adaptation or change of position.

Special mention to wearable technology (monitoring of health data through smart devices) must be done. The SDPA clarifies that generally this processing is prohibited, unless it is established by law or regulation, due to the lack on the lawfulness of processing, purpose and violates the principle of proportionality.

Publication of Royal Decree-Act 9/2021 to guarantee the labour rights of persons engaged in delivery in the field of digital platforms

Without going into a complete analysis of the regulation, the publication of Royal Decree-act 9/2021, of May 11, amending the revised text of the Workers' Statute, approved by Royal Legislative Decree 2/2015, of October 23, to guarantee the labour rights of persons engaged in delivery within the scope of digital platforms (Link[3]), is relevant from the point of view of data protection for regulating the right of access of the work council to parameters and/or systems established by the employer that may affect the conditions, access and maintenance of employment, which in certain cases will entail access to personal data.

Specifically, Royal Decree-act 9/2021 introduces a new letter d) in Article 64.4 of the Workers' Statute, establishing that the works council must "Be informed by the company of the parameters, rules and instructions on which algorithms or artificial intelligence systems are based that affect decision-making that may affect working conditions, access to and maintenance of employment, including profiling".