This post is also available in: Español

Today, December 7, the new Spanish Organic Law 3/2018 of December 5 on Data Protection and Guarantee of Digital Rights (LOPDGDDD) comes into force. This new regulation strengthens and expands employees’ rights to the protection of their personal data against their employer, thus increasing the employer’s liability. Any infringement or excess committed by employers can be penalized by the Spanish Data Protection Agency (AEPD) with very high fines.


It is significant that the new law that adapts the Spanish legal system to the General Data Protection Regulation (GDPR) has added to its title an explicit reference to the “guarantee of digital rights,” which no doubt reflects the approach of the new law and of a time when personal data is the essential content of digital innovation.

Specifically, the new LOPDGDD includes five important provisions (articles 87 to 91) to regulate certain matters of the highest interest for human resources teams in companies. These matters had not yet been regulated yet, but they had been outlined over the years by Spanish and European case law:

  1. Use of digital devices in the workplace
  • The law expressly acknowledges employees’ right to the protection of their privacywhen using digital devices provided to them by their employer, and it requires companies to establish the criteria for employees’ use of those digital devices, respecting in all cases the minimum privacy protection standards, in line with the recent requirements of the European Court of Human Rights (Barbulescu II case, discussed in this Post). The company must inform employees of these criteria for use.
  • As a new development, the law states that the employees’ legal representatives must be involved in establishing these criteria (which until now had been included in internal policies or codes of online conduct). The law does not determine the extent of their involvement, a point that Spanish courts will have to clarify eventually.
  • The company is allowed to access the contents of digital devices only to monitor fulfilment of job responsibilities and to ensure the integrity of digital devices.
  • However, for the company to access the contents of digital devices whose use for private purposes by the employees it has authorized, it must specify the authorized uses and establish guarantees to protect employees’ privacy, such as, if applicable, indicating when they can use these devices for private purposes.
  1. Video surveillance and audio recording in the workplace
  • Another point expressly regulated by the law, which is not free from questions of interpretation, is the use of images captured in general (article 22) and those captured as part of the employment relationship (article 89).
  • As a rule, the new law states that the company can use the information obtained through video surveillance systems to monitor employees’ performance, provided they have informed the employees and their representatives, if applicable, of this measure in an explicit, clear and concise way.
  • However, the duty of information will be regarded as fulfilled when employees are captured committing a flagrantly illegal act, and there is at least the informative sign placed in a sufficiently visible location and specifying, at least, that processing may be carried out, the identity of the data controller, and the employees’ possibility of exercising their rights of access, rectification, erasure and restriction of processing (article 22.4).
  • But the main new development for companies is that, in addition to prohibiting surveillance cameras in areas intended for employees’ rest or recreation, such as locker rooms, toilets, dining rooms and similar spaces, it can be inferred that using them to prove an employee’s illegal act ceases to be lawful if captured by means of hidden cameras. This is because it could be interpreted that the law also requires, in the case of an employee’s flagrant illegal act, the duty of previous information by means of the relevant informative sign (unless authorized by a court, even if it is understood that the law does not expressly state it).
  • As for audio recording in the workplace, it is only allowed on the grounds of guaranteeing the safety of people, property and facilities. In any case, the company must respect the principles of proportionality and minimum intervention.
  1. Use of geolocation systems in the workplace
  • The company can process the data collected through geolocation systems to monitor its employees’ performance.
  • First, it must inform the employees and representatives, if applicable, in an explicit, clear and concise way, of the existence and characteristics of these devices, including their rights of access, rectification, erasure, and the right to restriction of processing. It should be pointed out that the law does not refer to the purpose of the installation of the device among the points included in the duty of information.
  1. New right to disconnect from work-related electronic communications
  • Possibly the most striking new development in the law is the recognition, for the first time in the Spanish legal system, of the right to disconnect outside working hours to guarantee employees’ work-life balance.
  • After establishing the right to disconnect outside of working hours, the new law leaves to collective bargaining and the company’s internal policies the ways of exercising this right, as well as any training and awareness-raising initiatives for employees on the reasonable use of IT tools, with particular focus on teleworking.
  • We recently wrote about the questions of interpretation in the practical implementation of this right, which has been recognized in France since 2017, in this Post.
  1. Digital rights in collective bargaining
  • Finally, the law refers to collective bargaining agreements to establish additional guarantees for the rights and freedoms associated to processing employees’ personal data and the protection of digital rights in the workplace.
  • Collective bargaining may improve, but not lower, the standards for protection established in the new law.

The main new developments introduced by the LOPDGDD are summarized in our Legal Flash, which is available here.

Author: Jennifer Bel Antaki, Knowledge and Innovation.


This post is also available in: Español



42 artículos

Abogada del Área de Conocimiento e Innovación de Cuatrecasas. Profesora colaboradora en ESADE