Employment 2025

SPAIN Law and Practice Contributed by: José Antonio Segovia, A&O Shearman

cies, involve employee representatives, and inform staff explicitly. If personal use is permitted, specific safeguards must be in place to protect privacy and ensure compliance with data protection regulations. Geolocation Systems in the Workplace Employers may process data collected through geolo - cation systems to supervise employees as explained above. The employer must expressly, clearly and unequivocally inform employees and, where appro - priate, their representatives about the use of geoloca - tion systems. They shall also inform employees about their right to access and rectify data gathered through geolocation systems and restrictions on the process - ing and erasure of that data. The legal basis for geolocation monitoring lies not in employee consent, but in the employment contract and the employer’s legitimate right to supervise work performance. However, this right is not unlimited. The use of geolocation must go through a proportionality test, ensuring that the measure is appropriate, neces - sary and balanced. This means that data collection must be limited to specific, justified purposes and must not result in continuous or excessive surveil - lance. Furthermore, employers are required to implement robust security measures to protect the data obtained through geolocation. Employees must also be given the option to disable tracking when using company devices for personal purposes. Transparency and respect for privacy are essential, and both employees and their representatives must be fully informed of the monitoring practices in place. Whistle-Blowing Systems Since 2023 employers have been able to process data to facilitate the reporting of cases of misconduct com - mitted within the company or through the actions of third parties. The employees and relevant third par - ties must be informed of the existence of such sys - tems. Access to the data contained in these systems shall be limited exclusively to those who, whether or not employed by the entity, carry out internal control and compliance functions and are in charge of the processing that may be designated for that purpose. However, access by other persons, even their com -

munication with third parties, shall be lawful when it is necessary for the adoption of disciplinary measures or for the processing of legal proceedings. Without prejudice to the notification to the competent authority of acts constituting criminal or administrative wrongdoing, it is only when disciplinary measures are to be taken against an employee that access to the systems shall be granted to personnel with managerial and HR functions. Necessary measures must be taken to preserve the anonymity and guarantee the confi - dentiality of the data relating to the persons affected by the information supplied, in particular the person who brought the facts to the attention of the entity. The data relating to the complainant, and of employ - ees and third parties, shall be kept in the complaints system only for as long as is necessary to decide whether it is appropriate to initiate an investigation into the alleged facts. Recently, the Spanish government approved the Whistle-Blower Statute, aiming to establish a dedi - cated, independent authority to safeguard whistle- blowers: Autoridad Independiente de Protección del Informante (AAI). The AAI will operate with full legal personality and public-private capacity, structured around a Presidency, a Consultative Commission, and three departments: (i) Whistle-Blower Protec - tion, (ii) Oversight and Sanctions, and (iii) General Management. Its core objectives include ensuring whistle-blower protection, combating fraud and cor - ruption, and co-ordinating with oversight bodies. The authority will issue annual reports to Parliament and may produce special reports on significant cases. Its functions include sanctioning violations and promot - ing awareness and best practices in whistle-blower management. However, it is explicitly prevented from performing judicial, prosecutorial or police functions and must defer to competent authorities when such bodies are involved. Data Storage and Removal The data shall be removed from the system after a period of three months has elapsed, unless it is being kept for evidential purposes. Thereafter, the data may be investigated by the appropriate body. Complaints that have not been dealt with may only be recorded

596 CHAMBERS.COM

Powered by