The Spanish Data Protection Agency ("AEPD") and the Ministry of Employment and Social Economy, together with employer and trade union organizations, have jointly drafted the document "Data protection in labour relationships" (the "Guide"). The first section of the Guide gives an overview of general data protection matters: the legal basis for processing in the context of an employment relationship, how information must be provided to employees, and the data protection rights employees can exercise. Of particular note, in this section and throughout the Guide, is the AEPD's insistence on the minimisation principle: the employer is only entitled to the personal data that is strictly necessary for the normal course of the employment relationship and must not collect any other data that is not needed to perform the employment contract.
In the second section, AEPD mentions different situations that may arise before, during and after a labour relationship. Among them, the following could be highlighted:
- In the selection and hiring stage, the AEPD points out, among other issues, that even where a candidate's social media profile is public, the employer must have a valid legal basis for processing the personal data collected through this channel and must also provide the candidate with the corresponding data protection information. The AEPD further clarifies that a company is in no case entitled to send candidates "friend" requests in order to gain access to the content of their profiles.
- Within the employment relationship, the AEPD has also stated its position on the use of biometric data, indicating that such data is only to be regarded as a special category of personal data when it undergoes a technical process aimed at biometric identification (one-to-many matching), and not in the case of verification or authentication (one-to-one matching). Where biometric data is processed, the AEPD recommends choosing verification or authentication systems in which the biometric data is read from an encrypted device held exclusively by the employee (for example, a smart card), so that no central biometric database is needed. The AEPD also issues several recommendations on the proper handling of biometric data: (i) the data should be stored as a biometric template rather than as the raw sample whenever possible; (ii) the biometric system and the security measures chosen must not allow the biometric data to be re-used for another purpose; (iii) encryption mechanisms should be used to prevent unauthorised reading, copying, modification or deletion of the biometric data; (iv) the biometric system should be designed so that the link between the biometric template and the person's identity can be revoked; and (v) the biometric data should be held in data formats or specific technologies that make it impossible to interconnect biometric databases and prevent unauthorised disclosure of the data.
- Concerning internal reporting systems (whistleblowing), the AEPD highlights the importance of complying with the duty of information: both the reported person and the whistle-blower must be informed beforehand of the existence of such systems and of the processing of the data involved, including any transfer of the data to a third-party company for the incident to be investigated. Once a reasonable period for a preliminary investigation has elapsed, the reported person must be notified of the accusation made against him or her. Lastly, in this section, the AEPD insists that the data be deleted three months after it is entered in the reporting system, without the blocking obligation applying, unless the purpose of keeping the data is to provide evidence of how the legal person's crime prevention model works.
- Another issue outlined in the Guide is the register of working hours, which must be kept for four years and made available to employees, to employees' representatives and to the Labour and Social Security Inspectorate. The AEPD also insists that the register must not be made public or displayed in a visible place, and that the data collected must not be used for any purpose other than controlling working hours. Furthermore, it is highlighted that the data protection officer should be involved throughout the life cycle of the documentation linked to the register, including advising the company's management on the drafting and custody of that documentation and resolving any incidents that may arise.
- Regarding the monitoring of work activity, the Guide also addresses the implementation of geolocation systems, indicating, on the one hand, that companies must ensure the data collected through such systems is not used to keep employees under continuous observation and, on the other, that employees may not be required to use their own personal devices to enable such geolocation. In the same context, the AEPD refers to incident data recorders, which are sometimes installed in vehicles and are activated by specific events (for example, sudden changes of direction or accidents); according to the agency, these are especially invasive, as they allow the employee's behaviour at the wheel to be observed and checked.
- Regarding health surveillance, the AEPD highlights that the right of the company and of the prevention delegates to access health information is very limited: in practice, they are only entitled to know whether or not a worker is fit for the job.
In short, this Guide can be expected to serve as a road map for companies facing the main data protection issues that arise in the employment context since the General Data Protection Regulation came into force.