A few days ago the Spanish Agency for Data Protection (AEPD) published a brief resolution that opened up a host of questions. In it, the claim of a worker who had been added to two WhatsApp groups in which your parcel company organized the workdistributing routes or indicating where the parked vans were left.
The General Data Protection Regulation (RGPD) stipulates that all data processing must have a legal basis that legitimizes it. In that resolution, the AEPD understood that this basis was the employment contract itself, and did not specify whether the worker was complaining because she had been added to those groups with the number of her personal device or with a company phone.
Numerous data protection experts then shared their opinion on social networks, understanding that with this resolution the AEPD surprised with a change of criteria with respect to resolutions, sometimes immediately prior. Months ago, the AEPD resolved that a community of neighbors had violated the GDPR by adding the stair cleaner to a group.
One of those experts Gonzalo Oliverlegal adviser specialized in privacy, data protection and cybersecurity for Ozonia Consultants, requested a legal report from the AEPD. The answer has already arrived and it is, for many of these professionals, reassuring.
In the document, the Agency highlights “as a preliminary matter” that “the resolution of a certain specific file” does not imply that the AEPD “assumes a general criterion valid for all situations that may occur in daily practice.” “Some specific facts are analyzed in specific situations, which are studied accordingly.”
On the specific case itself, he does not give more details, so there are many unknowns around it. In the field of labor relations, andThe processing of personal data is legally based on the execution of the employment contractalthough certain data may also be processed to meet the requirements imposed by law or a collective agreement,” he says.
In this sense, companies can use the personal data of an employee to send them payroll, shifts, and other types of communications. However, creating a WhatsApp group with the rest of the company’s colleagues may result in disproportionate data processing for the initial purposes.
For this reason, the AEPD, although it does not give more details about this case -if the worker was actually using a company device, for example-, does understand that the WhatsApp groups processed “minimum data necessary for the organization of work” and the company had “informed the workers of the purpose of the treatment”.
In general terms, it is recommended to give a company phone number or ask for voluntary consent
Despite this, the report from the Data Protection Agency refers to previously published guides —on data processing that an employer can request from an employee or on data protection in labor relations— so, from a point of view For a “general” view, an employee’s email address and telephone number “can be ignored by the employer.”
Consequently, its treatment “would exceed what was initially permitted by the data protection regulations” and it would not have that legitimizing basis: the employment contract would not be enough. But there is a way.
“If the circumstances of the provision of services for the company entail a personal availability of the worker outside his center or working hours, a more moderate and equally effective measure to achieve communication between the company and the worker would be the provision of of the same of a work tool such as a company telephone”.
Reporting corruption is expensive and Europe wanted to avoid it, but not like this: they alert Brussels that the Spanish law reaches the Senate with “serious deficiencies”
In addition, the AEPD understands that “it would be possible for those affected to provide the data referring to their private email and telephone number”, but the collection of these data would have to be “voluntary, after obtaining the consent of the worker, who may subsequently oppose the their treatment by exercising the rights of opposition or deletion”.
“It is necessary to distinguish between the use of tools provided by the company or if it is private media, which is where consent could come into play. Everything must be considered on a case-by-case basis. Hence, any resolution isolated from its context can lead to conclusions that do not conform to the established criteria”remarks the control body.
For this reason, the Agency concludes that an employment contract “does not legitimize the company to request all this data from the workers.” “The need for treatment will have to be considered on a case-by-case basis,” he says, citing a 2015 Supreme Court ruling.
The right to disconnect, in turn, “must not be forgotten either”regardless of whether the tool is “corporate or private”, ditch.