trends legal magazine

Employment Law No 7

SPAIN | Thomás De Carranza Abogados

SPAIN | A view from Spain to data protection in ongoing employment relationships

Do I need consent to process employee data?

In order to process the personal data of an employee in a company, it will be necessary to request and obtain the employee’s consent. This applies both to processing within the company and to publishing or transferring the data to third parties that provide services to the company.

The document containing the consent must inform about where the data are stored, the purpose for which they are going to be used and how to exercise the rights of access, rectification, cancellation, opposition, limitation and portability.

The signature is necessary in order to have proof that we have informed the employee and have his or her authorisation to process his or her personal data.

What are the privacy and data protection issues inherent in alcohol / drug testing?

From a legal point of view, some of the actions in this area are limited by the workers’ right to privacy. Article 22.1 of Law 31/1995, of 8 November 1995, on the Prevention of Occupational Risks, establishes that, although the employer must guarantee the monitoring of workers’ health, this can only be carried out with their consent. Consequently, the company could not, for example, force a worker to undergo a breathalyser test or any other physical screening test without his or her consent. This, in turn, leaves the employer with a degree of legal uncertainty, since without the test there is no evidence to justify any action taken.

In accordance with the law, the worker will have to undergo medical tests and controls as a condition for access to or maintenance of the job, only for the evaluation or identification of pathologies or health conditions that are contraindicated for work.

The act of self-determination that authorises an intervention on areas of personal privacy, in order to be effective, requires that the worker be expressly informed of the medical tests that are particularly invasive of his or her privacy.

How can I legitimately monitor employees’ email, internet usage and social media?

The employer can control the regular use of computer, technological and digital media without the employee’s consent. In order for this control to be lawful and valid, the company must have previously neutralised or eliminated the employee’s expectations of privacy, secrecy or confidentiality.

It is necessary for companies to implement corporate policies with the rules for the use of digital and technological media, warning workers of the means and measures of corporate control, complying with the duty of information that is required of them (previously establishing the rules for the use of these media, with the application of absolute or partial prohibitions, and informing workers that there will be control and of the means to be applied in order to verify the correctness of the uses).

The duty to provide information on company monitoring must be fulfilled by providing employees with clear and precise information on its scope, nature and purpose. The requirements of the prior duty to provide information cannot be displaced even when there are rules prohibiting the non-work-related use of technological and IT resources. The right to secrecy of communications (Art. 18 EC) only covers communications made through closed channels, leaving out of constitutional protection those forms of correspondence that are legally configured as open communication and therefore not secret.

In criminal proceedings, in order to be able to grant evidential value to the interception of communications, judicial authorisation and intervention are always necessary. In order to affirm the validity of the evidence obtained through corporate monitoring, it is necessary to pass the test of proportionality in the limitation of fundamental rights (suitability, necessity and proportionality in the strict sense).

The choice and application of the control measure is governed by the principle of necessity, which imposes that there are no other measures that are less burdensome for the fundamental rights of the employee and equally useful for the clarification of the facts. Appropriate measures or guarantees must be adopted in favour of the employee in the use of these surveillance and monitoring measures, and in particular it must be ensured that the employer cannot have access to the content of the communications without the employee having been notified beforehand.

In the application of monitoring measures on the use of the Internet and electronic communications, the principles laid down in personal data protection legislation (necessity, legitimate purpose, transparency, legitimacy, proportionality and security) should be respected.

What are the limits of using artificial intelligence in employment?

Establishing a legitimising legal basis is the first step in determining whether an artificial intelligence solution complies with the data protection regulation. The legal basis for each stage of the lifecycle and for each processing operation has to be established at the conception phase of the processing, including where the processing is itself the creation of an artificial intelligence component. From a data protection point of view, legitimation is the first element to be settled in the design phase of the processing. If no legitimate basis is found, the processing should not be carried out.

The different stages of the lifecycle of an artificial intelligence solution are:

  • Conception and analysis, where the functional and non-functional requirements of the artificial intelligence solution are set. These will be determined by business objectives derived from the processing in which it will be incorporated or the market in which the component is intended to be marketed. It will include project plans, regulatory constraints, etc.
  • Development: including the stages of research and prototyping, design, testing, training and validation. Not all stages will always be present; their existence will depend on the specific artificial intelligence solution adopted. For example, the training stage will be present in artificial intelligence components based on machine learning.
  • Exploitation: this stage comprises the execution of different actions, some of which will be executed in parallel: integration, production, deployment, inference, decision, maintenance and evolution.
  • Final removal of the processing/component.

These are the stages of the lifecycle of an artificial intelligence solution at which personal data processing could take place. Each of these stages has a different purpose and, in addition to the data of the data subject to whom the service is being provided, data of third parties may also be processed.

Due to the nature of artificial intelligence systems, at each stage of the lifecycle a different legal basis could be used for:

  • Training and/or validation of the model
  • The use of third party data in inference
  • The communication of data implicit in the model
  • The processing of the data subject’s data in the framework of the service provided by the artificial intelligence.
  • Data processing and the evolution of the model

Article 6 of the Data Protection Regulation sets out the six legal bases on the basis of which the processing of personal data can be considered lawful. The most common legal bases that will legitimise the processing in an artificial intelligence solution are:

  • The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures at the request of the data subject. This could be the case of developers hiring subjects in order to make use of their personal data in the training stage of the system. It could also be that a data controller which provides a service to third parties, and whose service includes an artificial intelligence solution, uses their data in the framework of the service contract.
  • Legitimate interest, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
  • Consent of the data subject, which, as set out in Article 4(11) of the Data Protection Regulation, is any freely given, specific, informed and unambiguous indication of the data subject’s agreement, either by a statement or by a clear affirmative action, to the processing of personal data relating to him or her.

In more special cases from the point of view of artificial intelligence solutions, the following may also be legal bases:

  • protection of vital interests
  • reasons of public interest or exercise of public powers
  • fulfilment of legal obligations

The last two legal bases have to be established via EU or Member State law, which will establish the legal basis for the processing.

It is important to take into account the principle of purpose limitation. A legal basis does not entitle the controller to use the data for any purpose at any time; use must be restricted to the specified, explicit and legitimate purposes that have been identified, avoiding processing in a way that is incompatible with those purposes. In addition, data subjects whose data are processed must be made aware of how they will be used, which is closely related to the principle of information and transparency.

What are the data protection issues in whistleblowing?

The systems or channels for internal reporting of non-compliance with regulations have taken on special importance following the establishment of the criminal liability of legal persons, linked to models for the prevention of crimes that can be committed by legal persons (compliance programmes) in accordance with international standards in terms of prevention programmes for the fight against corruption.

In the execution of these internal whistleblowing systems, access is gained to personal data, the processing of which is subject to the regulations of the Data Protection Regulation and the Organic Law on Data Protection.

The Organic Law on Data Protection has introduced as a novelty the express regulation of internal whistleblowing systems. The basis of legitimisation for the processing resulting from the establishment of the complaint channels is the law itself.

It is accepted that the notification of a private entity of the commission of acts or conduct that may be contrary to the regulations may even be made anonymously. The Organic Law on Data Protection expressly establishes that employees and third parties must be informed of the existence of internal whistleblowing information systems.

Access to the data contained in these systems shall be limited exclusively to those who, whether or not they are part of the entity, carry out the functions of internal control and compliance, or to the persons in charge of the processing that may be designated for this purpose.

However, their access by other persons, or even their communication to third parties, shall be unlawful when necessary for the adoption of disciplinary measures or for the processing of any legal proceedings, as the case may be.

After three months have elapsed since the data were entered, they must be deleted from the complaints system, unless the purpose of their retention is to leave evidence of the functioning of the model for the prevention of the commission of offences by the legal person and without prejudice to their processing by the body responsible for investigating the reported facts.

Written by:

Maria Gomes Sousa, Attorney-at-law


The Law Firm Network is a network of independent law firms originated in 1989. Our members are not affiliated in the joint practice of law; each member firm is an independent law firm and renders professional services on an individual and separate basis.