GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Spain
Spain’s Data Protection and Digital Rights Act, effective December 2018, implemented the GDPR in the nation. This Act includes rights for employees in the areas of sensitive personal data, monitoring and disconnection from work.
Sensitive Personal Data: Employee consent is considered insufficient when the main purpose of processing sensitive personal data is to identify an employee’s ideology, trade union membership, religion/beliefs, sexual orientation or racial/ethnic origin. Processing this sensitive personal information is permitted when necessary to comply with a legal obligation relating to employment laws.
Employee Monitoring: Employers are required to implement policies relating to the use of digital devices in the workplace. These policies should be implemented in conjunction with worker representatives (if applicable).
Video surveillance and GPS tracking is permitted under the Act as long as employees are clearly informed in advance of any surveillance/tracking. Video surveillance is not allowed in spaces intended for employee rest and recreation (i.e., changing rooms, bathrooms, cafeterias).
Right to Disconnect: Employees in Spain have the right to disconnect from work during their time-off, leave and holidays. Employers are required to implement policies in conjunction with worker representatives (if applicable) to ensure that employees may be disconnected from work outside of working hours.