Telecommuting and data protection in the digital sphere

More than a year ago, the exceptional situation resulting from the COVID-19 pandemic laid on the table of all kinds of organisations the urgent need for an unscheduled change in traditional business models. One of the most important issues was the implementation of telecommuting policies. In a matter of a few weeks it was necessary to make short-term decisions and make intensive use of remote access, online platforms and virtualising working relationships. What was assumed to be temporary is here to stay, ushering in a new economic model dubbed "digitalisation".

At the beginning of the 2020 lockdown period, the AEPD provided a series of recommendations addressed to data controllers to adapt their telecommuting processing to comply with the GDPR. Several of organisations, such as the CCN or INCIBE, started to provide guidelines and advice on how to promote a cyber-safe working environment. In this regard, the Government, with the aim of providing legal certainty to this new reality, approved the Royal Decree-Law 28/2020 of 22 September, on telecommuting which, after being validated by the Congress of Deputies, has just been incorporated into our legal system as Law 10/2021, of 9 July, on telecommuting, with minimal changes with respect to its original wording.

However, in the face of a new dimension in the way of working, the solutions that were adopted at the time as a matter of urgency and in the short term need to be reviewed. Achieving economic and operational resilience requires strategy, planning and a cultural change within the organisation to ensure sustainability over time. This requires the implementation of a structured and consistent approach to improve the manager's ability to proactively identify, assess and manage risks in their processes.

Within the scope of the AEPD's competences, this management must be applied from a data protection perspective, which is perfectly in line with the GDPR compliance model.

In the context of telecommuting, the data subjects whose rights and freedoms must be guaranteed are both the organisation's own employees and the natural persons with whom the organisation deals and whose personal data are processed within its business activity. In this regard, it is necessary to ensure compliance with the GDPR in both dimensions, taking into account the particular circumstances determined by each of them.

In the case of the processing of employees' data under the telecommuting regime, when this entails an additional processing of data with respect to that which has been carried out in the face-to-face environment, the principle of lawfulness must be respected, and therefore, for the different processing operations that are carried out due to this type of remote work, it must be considered:

• Voluntary nature of telecommuting (Article 5 of Law 10/2021, of 9 July, on telecommuting).
• The non-applicability of consent as a legal basis, resorting, depending on the specific processing, to other more appropriate ones:
  • Processing legitimised by the existence of a contractual relationship (Art. 6.1.b) in relation to Art. 20.3 of Workers' Statute which establishes the employer's power to exercise the power of direction and control, always in compliance with the principle of proportionality.
  • Satisfaction of the employer's legitimate interest, provided that the interests or fundamental rights and freedoms of the worker do not prevail against it (Article 6(1)(f)), a matter to be assessed through a "balancing test" not to be confused with a DPIA.
  • Compliance with legal obligations (Article 6.1.c), such as the employer's obligation to establish a working day register, established in Article 34.9 of the Workers' Statute. This is imposed for a specific purpose, favourable to the worker, as reiterated in various paragraphs of the Preamble to RD-Law 8/2019, of 8 March, on urgent measures for social protection and the fight against precariousness in working hours. It must be assessed whether the register is to be used for the sole purpose of the provisions of Article 34.9 of the ET or whether it is also to be used as a control measure by the employer, taking into account the specific circumstances in which the remote work is to be carried out. In this case, the worker must be informed of the dual purpose.
• The lifting of the ban on the processing of special categories of data. For example, biometric data aimed at the unique identification of the employee could only be covered under Article 9(2)(b) of the GDPR where it is necessary for the performance of obligations and the exercise of specific rights of the controller or the data subject in the field of labour law, social security and social protection, in so far as this is authorised by law or by a collective agreement in accordance with law which provides adequate safeguards for the respect of the fundamental rights and interests of the data subject.
• Respect for rights related to the use of devices in the workplace such as, among others, the right to privacy and use of digital devices in the workplace and the right to digital disconnection.

With regard to processing operations already in progress and which are the object of the data controller's own business activity, the existence of a legal basis different from that which already legitimised it when it was being carried out in person is not required, and the means used do not imply a modification of the legitimisation thereof.

However, it should not be lost sight of the fact that the existence of a legitimate basis does not exempt from compliance with the rest of the processing principles set out in Article 5 of the GDPR, which are developed throughout the articles of the regulation, and it should be borne in mind that the modification of the means of access and processing of data due to the situation of telecommuting may generate the need to introduce greater guarantees in the application of these principles.

The Regulation establishes a compliance model based on the concept of data processing with an approach aimed at processing, an approach aimed at managing the risk that, with regard to the rights and freedoms of individuals, represents the processing of data, and on the implementation of management and governance models (data protection policies) aimed at ensuring and demonstrating the adequacy of processing operations according to their nature, scope, context, purposes and the risks to the rights and freedoms of data subjects.

Therefore, when considering the implementation of telecommuting processes in the organisation, it is necessary to go beyond the simple choice and implementation of a technological tool or solution. Decisions have to be taken to manage the change in the nature of the processing and the way it is implemented, to reassess the new risks introduced and to address them adequately to minimise their potential impact, as the Opinion 2/2017 of the Working Group on Article 29 on the processing of data in the workplace already warned that remote working posed an additional risk to the rights and freedoms of both workers and data subjects.

For managing the risk regarding rights and freedoms, the AEPD has published guides, aids and tools aimed at supporting those controllers in this task, without this implying that this support material can replace the obligations of controllers, their decisions and actions. It is not possible to apply automatisms, to limit oneself to checklists or predefined templates, or to transfer the results obtained without a critical assessment and adaptation to the specific and particular case of the controller Therefore, it is required to:

• Implement data protection policies, in particular for the application of data protection principles and rights.
• Implement risk management for rights and freedoms.
• Apply data protection principles by design, identifying new requirements and redesigning telecommuting processes, applying it to the tools used, increasing transparency and control over data, etc.
• Apply data protection principles by default, correctly configuring applications to minimise the personal data processed.
• Implement effective security measures aimed at protecting rights and freedoms.
• And finally, implement personal data breach management policies, in order to be, again, more resilient and effective.

These months of remote work have shown signs of sustainability problems in some digitisation implementations, with massive ramsonware attacks on public and private sector entities, which urgently need to be reviewed if we are to move towards resilient and sustainable digitisation in which citizens' rights and freedoms are guaranteed.

You can find more information about data protection and privacy on the telecommuting on this Agency's Innovation and Technology website and on our blog:

• Personal data breaches: Ransomware and risk management
• Personal data breaches: email and online productivity platforms
• Group Privacy
• Data governance and data protection policy
• Data protection and security
• Data protection in labour relations