Workers' right to digital disconnection in relation to company obligations

With the entry into force in Europe of the General Data Protection Regulation and the subsequent approval of the Organic Law on Data Protection in Spain, the so-called Digital Rights are included in the national regulations, in a new way.

The above-mentioned Digital Rights regulate the right to Internet neutrality; to universal access to the Internet; to digital security; to digital education; to rectification on the Internet; to update information in digital communication media; to privacy in the use of digital devices in the workplace; to digital disconnection; to privacy in the face of the use of video surveillance and sound recording devices in the workplace; to privacy when using cameras or geolocation systems, also in the workplace; to the protection of children's data on the Internet; to digital will; to oblivion and portability in Internet searches, social network services and equivalent services; and digital law in collective bargaining.

The above-mentioned rights are regulated and are in close connection with Article 18 of the Spanish Constitution, which refers to the right to honor, privacy and the secrecy of communications. As a fundamental right, the measures that companies must establish for regulatory compliance in relation to digital rights must be structured giving them the importance they deserve and taking into account the consequences of their non-compliance.

In relation to digital rights, they constitute, on the one hand, rights for workers and, on the other, obligations for companies. These regulatory changes have caused companies to adapt, both internally and externally, to the new regulatory requirements. In this way, we can affirm that Spanish companies and companies need to update many of their internal policies.

In line with what was established in the previous paragraph, in the workplace, the new Organic Law on Data Protection and Guarantee of Digital Rights has been quite profuse, since there are up to five rights in this area, contained in articles 87 to 97, which in turn are complemented by the final 13th and 14th provisions that modify the Workers' Statute and the Basic Statute of Public Employees. In this regard, the Spanish legislator has established a series of rights and guarantees that must be taken into account when exercising the control function by the employer. To this end, the above-mentioned Organic Law has implemented the authorization set out in Recital 155 of the General Data Protection Regulation, which establishes the following:

”Member State law or collective agreements, including “company agreements”, may establish specific rules relating to the processing of personal data of workers in the workplace, in particular in relation to the conditions under which personal data in the employment context may be processed on the basis of the worker's consent, the purposes of hiring, the execution of the employment contract, including the fulfillment of obligations established by law or by collective agreement, the management, planning and organization of work, equality and safety in the workplace, health and safety at work, as well as for the purpose of the exercise and enjoyment, either individually or collectively, of rights and benefits related to employment and for the purpose of terminating the employment relationship.”

This means that the employer must set the criteria for the use of digital devices through internal protocols and must count on the collaboration of employee representatives in the elaboration of these criteria.

Focusing on the tourism sector, these are companies that handle and process a large volume of data and carry out, in most cases, data transfers to third countries or unrelated companies, and must offer greater guarantees, both to users and consumers, and to workers, in compliance with data protection regulations and the guarantee of digital rights.

In addition, the right of workers to protect their privacy in the workplace constitutes a great recognition of rights for the employee. However, for the company, given the difficulty of the standard and the lack of precision, it involves a large list of measures, protocols, analyses and studies to be carried out in order to guarantee compliance with supervisory authorities, what we know as the novel principle of proactive responsibility.

This translates into the elaboration of an internal code to regulate the use of the company's technological means by the employee, as well as to respect the worker outside their working hours, and must guarantee the right to digital disconnection after the end of the working day. You must also take security measures so as not to interfere with the privacy of workers, considering the importance of the data obtained and the most appropriate measure that least harms the employee's right. Finally, it is worth mentioning the possibility for companies to include in collective bargaining the agreements they may reach between employee representatives and employers regarding data protection.

For all that has been said, many of the companies in the tourism sector are using professionals who are experts in the field, to know and adapt to the legislative changes that apply to them. Complying with the Personal Data Protection Act allows them to focus on exploiting their business, greatly reducing the risks of facing fines and administrative sanctions.

Rosario Saldarriga (T&L Attorney)

Article published in the May edition From the monthly newspaper CEHAT