Spain has joined other EU Member States by enacting its own Data Protection Act, the Organic Law for the Protection of Personal Data and the Guarantee of Digital Rights (Act). The Act was approved by a large majority in the Spanish Parliament on November 21 and will take effect the day after it is published in the Spanish Official State Gazette, which is expected to occur by December 6. In addition to implementing the General Data Protection Regulation (GDPR), the Act introduces new requirements and recognizes new “digital rights,” which include employee-specific rights that are likely to have significant implications for employers in Spain.
New Spanish Digital Rights
The Act introduces multiple “digital rights,” which include:
Right to Internet Neutrality. Internet Service Providers (ISPs) must provide a seamless service offering without discrimination for technical or economic reasons.
Right to Universal Internet Access. All individuals are entitled to access the Internet regardless of their personal, social, economic, or geographical condition. Universal, affordable, quality, and non-discriminatory access is guaranteed.
Right to Digital Security. Individuals are entitled to secure communications transmitted and received over the Internet.
Right to a Digital Education. The education system is obligated to ensure the training of students in the safe and appropriate use of the Internet by including such training in academic curricula. Teachers must receive adequate training required for teaching such information.
Right to a Digital Will. Heirs of a deceased individual are entitled to exercise the right of access, deletion, or rectification of the deceased individual’s personal data that is contained online or in a social media account. However, heirs cannot do so if barred by another law or if the deceased individual had prohibited such access when alive, unless the content to be accessed is part of the deceased’s estate.
New Spanish Employee Digital Rights
The Act also introduces employment-specific “digital rights.” These digital rights for employees include:
Right to Privacy in Use of Digital Devices in the Workplace. Employees are entitled to privacy when using electronic devices provided by an employer. Employers may only access content on corporate electronic devices for the purpose of controlling compliance with labor or statutory obligations and to ensure the integrity of the devices. Clear rules for employer access to corporate electronic devices must be established with participation of the workers’ representatives.
Right to Digital Disconnect Outside of Working Hours. Employees are entitled to disconnect from the use of electronic devices and company networks outside of standard working hours to ensure that employees’ time off and personal and family privacy are respected. Employers must develop an internal policy, with input from workers’ representatives, outlining procedures for exercising the right to disconnect and providing for staff training and awareness activities.
Right to Privacy Against Certain Video Surveillance and Sound Recording in the Workplace. Video surveillance and sound recording systems cannot be installed in places intended for employee rest or recreations, such as changing rooms, toilets, dining rooms and the like. Employers may process images from video cameras for the exercise of control functions foreseen in Article 20.3 of the Workers’ Statute, Spain’s main source of employment law, which allows employers to monitor and control employees for the purpose of ensuring compliance with their work obligations and duties (e.g., by monitoring employees’ use of work servers, email accounts, and internet). Any processing of images from video cameras must be exercised within the Workers’ Statute’s legal framework. Employers must inform employees of such measures in advance.
Right to Privacy with Use of Geolocation Systems in the Workplace. Employers may process data obtained through geolocation systems for the exercise of control functions foreseen in Article 20.3 of the Workers’ Statute, so long as any such processing is exercised within its legal framework. Employers must expressly and clearly inform employees in advance of the existence and characteristics of geolocation devices.
In addition to new “digital rights,” the Act addresses privacy issues associated with whistleblowing and internal employee complaints. Businesses that create and maintain information systems to log employee complaints and whistleblowing must inform employees of the existence of such information systems. Access to such systems is limited to those positions responsible for internal control and compliance, unless disciplinary action is necessary. In that case, HR may also have access to the data. The Act places limits on how long data may be maintained in the system, and requires necessary measures be taken to guarantee the confidentiality of the data as it relates to the persons affected by the information, including the individual who reports such information to the entity. This last point is particularly important, as the Act allows reports to be made anonymously for the first time in Spain.
In light of Spain’s new Act, employers and organizations processing personal data in Spain should review their compliance programs to ensure continued compliance with the law.