Category: Spain

Spanish DPA publishes new tool for notifiability of data breaches

2. November 2022

A few days ago the Spanish Data Protection Authority launched a new tool called “Asesora Brecha” in order to simplify the notifiaibility of data breaches. This was deemed necessary due to the large number of reported data breaches in the country.

This tool helps data controllers as well as data protection officers to decide whether they should notify a personal data breach to the supervisory authority and how the breach itself can be avoided. Specifically, the functions include:

  • Who has to notify the supervisory authority
  • Which situations correspond to a data breach and which not
  • Which is the competent authority

The tool was described as free and easy to use. It was also added to the Decalogue of AEPD help resources in order to promote and facilitate compliance with the GDPR. In regard to the principle of storage limitation, the tool itself is GDPR compliant. Once the procedure is complete, all the provided data are automatically deleted.

However, the Spanish DPA clearly stated that the use of “Asesora Brecha” does not automatically imply that the obligations imposed by the GDPR are fulfilled. The responsible figure needs to fill out the relevant documentation and, if needed, report the data breach to the authorities.

(Update) Processing of COVID-19 immunization data of employees in EEA countries

21. January 2022

With COVID-19 vaccination campaigns well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

Below, we discuss whether employers in different European Economic Area (EEA) countries are permitted to process COVID-19-related data about their employees.

Austria: The processing of health data in context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.

Austria was the first EU country to introduce mandatory Corona vaccination. From the beginning of February, Corona vaccination will be mandatory for all persons over 18 years of age, otherwise they will face fines of up to 3,600 euros from mid-March.

Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority explicitly denies the employer’s right to ask.

The Belgian government plans to make vaccination mandatory for health workers from April 2022.

Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully assess whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a legitimate reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for by law. The employer may require occupational health care to provide statistical data on the immunization coverage of its employees.

France: In general employers may not require their employees to disclose whether they have been vaccinated, unless specific circumstances determined by law apply.

In France, mandatory vaccination has been in effect since mid-September for healthcare workers, i.e., employees of hospitals, retirement and nursing homes, care services, and employees of emergency services and fire departments.

Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities with more than 50 visitors, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. Due to the Health Crisis Management Law No 2021-1040 of August 5, 2021 there are several workplaces where the health pass is mandatory for employees since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency.Visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information and the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.

Germany: Processing of COVID-19-related information is generally only allowed for employers in certain industries. Certain employers named in the law, such as in §§ 23a, 23 Infection Protection Act (IfSG), employers in certain health care facilities (e.g. hospitals, doctors’ offices, rescue services) and § 36 (3) IfSG, such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities, are allowed to process the vaccination status of their employees.

Other employers are generally not permitted to inquire about the vaccination status of employees. But since §28b IfSG came into force on November 24, 2021, employees may only be granted access to company premises if they can prove that they have either been vaccinated, recently recovered or tested negative (so-called “3G status”). In this context, employers may require employees to provide proof of one of the three statuses but may not specifically ask about vaccination status. When it comes to processing and storing information obtained during access control, for data protection reasons, this information must be limited to the fact that employees have access to the premises (taking into account their documented status) and how long this access authorization has existed.

Under current law, while “vaccinated” status does not expire, the information may only be stored for 6 months. “Recently recovered” status is only valid for three months. After that, they must provide other proof that they meet one of the 3G criteria. A negative test is valid for either 24 or 48 hours, depending on the type of test.

Since November 2021, employers are required to verify whether an employee who has been sanctioned with a quarantine for COVID-19 infection was or could have been vaccinated prior to the infection. Under the fourth sentence of Section 56 (1) of the IfSG, an employee is not entitled to continued payment for the period of quarantine if the employee could have avoided the quarantine, e.g., by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to make an advance payment, the employer is also obliged to check whether the factual requirements for granting the benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying the compensation and to decide on this basis whether compensation can be considered in the individual case. The data protection law basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data – if this is necessary for the exercise of rights or the fulfillment of legal obligations under labor, social insurance and social protection law and there is no reason to assume that the interests of the data subjects worthy of protection in the exclusion of the processing outweigh this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and thus legally valid, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.

If employers are allowed to process the vaccination status of their employees, they should not copy the certificates, but only check to see if an employee has been vaccinated.

A mandatory vaccination for all german citizens is being discussed.

Greece: Corona vaccination became mandatory for nursing home staff in mid-August and for the healthcare sector on September 1. Since mid-September, all unvaccinated professionals have had to present a negative Corona rapid test twice a week – at their own expense – when they go to work.

Italy: Since October 15, Italy has become the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September. In mid-October, mandatory vaccination was extended to employees of nursing homes.

Netherlands: Currently, there is no specific legislation that allows employers to process the vaccination data of their employees. Government guidelines for employers state that neither testing nor vaccination can be mandated for employees. Only occupational health services and company physicians are allowed to process vaccination data, for example, when employees are absent or reinstated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document or enforce the results of such tests.

Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.

Processing of COVID-19 immunization data of employees in EEA countries

27. October 2021

As COVID-19 vaccination campaigns are well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information (vaccinated, recovered, test result) and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

The following discusses whether employers in various European Economic Area (EEA) countries are permitted to process COVID-19-related information about their employees.

Austria: The processing of health data in context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.

Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority also explicitly denies the employer’s right to ask.

Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully verify whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a justified reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for elsewhere in the Act. The employer may request from occupational health care statistical data on the vaccination protection of its employees.

France: Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities frequented by more than 50 people, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. There are several workplaces where vaccination has been mandatory for workers since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane). The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency. Also, visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information, but the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.

Germany: Processing of COVID-19 related information is generally only permitted for employers in certain sectors. Certain employers named in the law, such as in §§ 23a, 23 Infection Protection Act (IfSG), employers in certain health care facilities (e.g. hospitals, doctors’ offices, rescue services, ) and § 36 (3) IfSG, such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities, are allowed to process the vaccination status of their employees. Other employers are generally not permitted to inquire about the vaccination status of employees. If allowed to process their employee’s vaccination status, employers should not copy the certificates but only check whether an employee is vaccinated. Although there has been an ongoing discussion in the federal government for several weeks about introducing a legal basis that would allow all employers to administer vaccination information. From November 2021, employers must check whether an employee who has been sanctioned with a quarantine due to a COVID-19 infection was or could have been vaccinated prior to the infection. According to Section 56 (1) sentence 4 IfSG, there is no entitlement to continued payment of remuneration for the period of quarantine if the employee could have avoided the quarantine, e.g. by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to pay in advance, the employer is also obliged to check whether the factual requirements for the granting of benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying compensation and, on this basis, to decide whether compensation can be considered in the individual case. The data protection basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data – if this is necessary for the exercise of rights or the fulfillment of legal obligations arising from labor law, social security law and social protection law, and if there is no reason to assume that the data subjects’ interest in the exclusion of the processing, which is worthy of protection, outweighs this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and therefore legally effective, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.

Italy: Since October 15, Italy has become the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September.

Netherlands: Currently, there is no specific legislation that allows employers to process employee immunization data. Only the occupational health service and company doctors are allowed to process immunization data, for example when employees are absent or reintegrated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document the results of such tests or force

Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.

AEPD issues highest fine for GDPR violations

5. March 2021

The Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), imposed a fine of EUR 6.000.000 on CaixaBank, Spain’s leading retail bank, for unlawfully processing customers’ personal data and not providing sufficient information regarding the processing of their personal data. It is the largest financial penalty ever issued by the AEPD under the GDPR, surpassing the EUR 5.000.000 fine imposed on BBVA in December 2020 for information and consent failures.

In the opinion of the AEPD, CaixaBank violated Art. 6 GDPR in many regards. The bank had not provided sufficient justification of the legal basis for the processing activities, in particular with regard to those based on the company’s legitimate interest. Furthermore, deficiencies had been identified in the processes for obtaining customers’ consent to the processing of their personal data. The bank had also failed to comply with the requirements established for obtaining valid consent as a specific, unequivocal and informed expression of intention. Moreover, the AEPD stated that the transfer of personal data to companies within the CaixaBank Group was considered an unauthorized disclosure. According to Art. 83 (5) lit. a GDPR, an administrative fine of EUR 4.000.000 EUR was issued.

Additionally, the AEPD found that CaixaBank violated Art. 13, 14 GDPR. The bank had not complied with the information obligations since the information regarding the categories of personal data concerned had not been sufficient and the information concerning the purposes of and the legal basis for the processing had been missing entirely. What’s more, the information provided in different documents and channels had not been consistent. The varying information concerned data subjects’ rights, the possibility of lodging a complaint with the AEPD, the existence of a data protection officer and his contact details as well as data retention periods. Besides, the AEPD disapproved of the use of inaccurate terminology to define the privacy policy. Following Art. 83 (5) lit. b GDPR, a fine of EUR 2.000.000 was imposed.

In conclusion, the AEPD ordered CaixaBank to bring its data processing operations into compliance with the legal requirements mentioned within six months.

Spanish DPA imposes fine on Spanish football league

13. June 2019

The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) has imposed a fine of 250.000 EUR on the organisers of the two Spanish professional football leagues for data protection infringements.

The organisers, Liga Nacional de Fútbol Profesional (LFP), operate an app called “La Liga”, which aims to uncover unlicensed performances of games broadcasted on pay-TV. For this purpose, the app has recorded a sample of the ambient sounds during the game times to detect any live game transmissions and combined this with the location data. Privacy-ticker already reported.

AEPD criticized that the intended purpose of the collected data had not been made transparent enough, as it is necessary according to Art. 5 paragraph 1 GDPR. Users must approve the use explicitly and the authorization for the microphone access can also be revoked in the Android settings. However, AEPD is of the opinion that La Liga has to warn the user of each data processing by microphone again. In the resolution, the AEPD points out that the nature of the mobile devices makes it impossible for the user to remember what he agreed to each time he used the La Liga application and what he did not agree to.

Furthermore, AEPD is of the opinion that La Liga has violated Art. 7 paragraph 3 GDPR, according to which the user has the possibility to revoke his consent to the use of his personal data at any time.

La Liga rejects the sanction because of injustice and will proceed against it. It argues that the AEPD has not made the necessary efforts to understand how the technology works. They explain that the technology used is designed to produce only one particular acoustic fingerprint. This fingerprint contains only 0.75% of the information. The remaining 99.25% is discarded, making it technically impossible to interpret human voices or conversations. This fingerprint is also converted into an alphanumeric code (hash) that is not reversible to the original sound. Nevertheless, the operators of the app have announced that they will remove the controversial feature as of June 30.

Spain publishes new data protection law

11. December 2018

On December 6, 2018, the new Spanish data protection law was published in the “Boletín Oficial Del Estado”. The “Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales” (Organic Law on Data Protection and Digital Rights Guarantee) has been approved with 93% parliamentary support and implements the GDPR into national law.

The new law contains a number of regulations that will affect data processing operations. For example that the consent of a data subject is not enough to legitimate the processing of special categories of data if the main purpose is e.g. to identify an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or genetic data.

The law also includes a list of cases in which entities must appoint a data protection officer for example entities that operate networks and provide electronic communications services, education centres and public and private universities. All businesses have up to 10 days after (mandatory or voluntary) appointing a data protection officer to notify the Spanish Data Protection Authority of that fact.

However, one of the biggest changes is the introduction of new digital rights such as the right to universal access to the internet; the right to digital education; the right to privacy and use of digital devices in the workplace; the right to digital disconnection in the workplace; the right to privacy in front of video surveillance devices and sound recording at work; the right to digital will.

Spanish Football League app uses microphones and GPS to detect illegal broadcasting

11. June 2018

The official smartphone app of the Spanish football league (La Liga) can activate the microphone to search for unlicensed public broadcasts of league matches. Those responsible have admitted that the app activates the microphone during the league games in order to find out whether a public broadcast is taking place approximately to the smartphone. In addition, the app uses GPS to determine the exact location where the audio clip was recorded. If an unlicensed, public transmission is determined, the operators of the app receive a notification and can take action against those establishments.

Similar to other countries, Spanish establishments can only show pay-tv broadcasts of football matches in their restaurants with a special license. According to the league, unlicensed performances result in losses amounting to 150 million euros per year and the data obtained will only be used to fight piracy. With the help of the app the fans are to be acquired as “informers” in order to get to the scammers. The app is quite popular and was downloaded at least 10 million times.

The practice was revealed because of the General Data Protection Regulation (GDPR) which entered into force on May 25th 2018. The fact that the microphone authorisation is used for this purpose had not been explained in the terms of use. It merely said that the microphone was used for analysis of the audience. Due to the GDPR, in the newly data protection declaration it says that the app tries to find out via microphone whether the user is watching football and is searching for fraud. However, users in Spain have the possibility to revoke the permission to access the microphone at any time (iOS and Android), but must do so in the settings of their smartphone.

Spanish Constitutional Court legitimates employee monitoring without prior information

17. March 2016

In March 2016, the Spanish Constitutional Court rectified the existing Spanish jurisprudence regarding employee monitoring. This rectification is based on a constitutional appeal from an employee of a well-known fashion store, who was dismissed due to misappropriation of money from the cash register.

The company found out this conduct through the video surveillance cameras that it had installed in its premises. A distinctive sign was placed at a visible place of the shop window. However, the employees were not informed about the use of the surveillance cameras.

According to Art. 5.1 and Art. 6.1 of the Spanish Data Protection Act, the data subject must be informed about the processing of his/her personal data and give his/her unambiguous consent to this processing.

In this sentence, the Spanish Constitutional Court declares that the prior information and consent of the employee to video recording is not required in this case because a video surveillance system aims at contributing to the control and security of employees. Additionally, as a visible distinctive sign had been placed at the premises, the employer was exempted from informing each employee individually. Furthermore, Art. 20 of the Spanish Statute of Rights for Workers allows the employer to control and monitor its employees, in order to ensure that they fulfill their obligations. In this sense, the monitoring cannot violate the employee´s dignity.