GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Spain
Spain’s Data Protection and Digital Rights Act, effective December 2018, implemented the GDPR in the nation. This Act includes rights for employees in the areas of sensitive personal data, monitoring and disconnection from work.
Sensitive Personal Data: Employee consent is considered insufficient when the main purpose of processing sensitive personal data is to identify an employee’s ideology, trade union membership, religion/beliefs, sexual orientation or racial/ethnic origin. Processing this sensitive personal information is permitted when necessary to comply with a legal obligation relating to employment laws.
The Law on Social Order Infringements and Sanctions (Art. 16.1.c) prohibits requests for personal data in recruitment procedures that represent discrimination in access to employment. The Spanish Data Protection Authority issued a statement stating that employers cannot process COVID-19 immunity information as part of the hiring process. In addition, if an applicant voluntarily includes this information in their CV, the employer cannot use the COVID-19 immunity information to make a hiring decision and is obligated to delete this information.
Employee Monitoring: Employers are required to implement policies relating to the use of digital devices in the workplace. These policies should be implemented in conjunction with worker representatives (if applicable).
Video surveillance and GPS tracking is permitted under the Act as long as employees are clearly informed in advance of any surveillance/tracking. Video surveillance is not allowed in spaces intended for employee rest and recreation (i.e., changing rooms, bathrooms, cafeterias).
Royal Legislative Decree 28/2020, of 22 September of Remote Work (Art. 17) gives individuals the right to privacy when using digital devices for remote work, in accordance with the principles of suitability, necessity and proportionality. Employers may not require the installation of programs or applications on an employee’s personal device. Employers also cannot require that employees use private devices for remote work. Employers should work together with the employees’ representative, to determine use criteria to avoid a breach of the right to privacy.
Right to Disconnect: Employees in Spain have the right to disconnect from work during their time-off, leave and holidays. Employers are required to implement policies in conjunction with worker representatives (if applicable) to ensure that employees may be disconnected from work outside of working hours.
This right was reinforced with Royal Legislative Decree 28/2020, of 22 September of Remote Work (Art. 18). Under this decree, employers must guarantee that employees are able to disconnect from work (i.e., the employer should limit the use of business devices during rest periods, respect working hours and limits to working hours). Employers should work with the employee representative to implement policies defining: modalities for exercising the right to disconnect; trainings; and, awareness-raising actions on the reasonable use of digital devices, which avoids the risk of computer fatigue.