• Insights

Spain – The GDPR one year on

Written by
Sagardoy Abogados largest boutique firm focusing on HR law.
The GDPR became effective on 25 May 2018. This article reviews developments in Spain since that date, including enforcement action by the data protection authority, local legislation and court cases dealing with data protection in an employment law context.  

In its 2018 annual report, the Spanish DPA admitted that a radical change of mentality is absolutely necessary to achieve adequate implementation of GDPR. According to the Spanish DPA, this is a challenge not only for responsible individuals within organisations but also for the regulator, which has been forced to provide tools and guidelines to Data Protection Officers to facilitate GDPR compliance.

Some statistics from the first year: 34,000 data protection officers were appointed, almost 5,000 GDPR consultations were conducted and over 14,000 claims received. There have been almost 1,000 notifications of data breaches (a 30% increase).

This year has served to implement a change of culture in data handling by all players; for this reason the Spanish DPA has not yet imposed GDPR fines. However, there is a relevant case under the previous regulation from March 2018, regarding two severe infractions relating to personal data. A EUR 300,000 fine was imposed on WhatsApp (for communicating data to Facebook without valid consent) and Facebook (for using it for a purpose for which consent was not given).

The Organic Law 3/2018 of 5 December, on ‘Personal Data Protection and guarantee of Digital Rights’ gave rise to new articles in the Statutory Law (‘Workers´ Statute’), namely:

• right to privacy regarding use of electronic devices within employment relationships.

• right to privacy regarding video surveillance and sound recording in the workplace;

• right of privacy regarding the use of GPS tracking within employment relationships;

• employees’ right to digitally disconnect.


These new rights radically overhaul the way personal data is used and treated by employers, meaning internal policies must be drafted and followed to comply with them.

Individuals and therefore, employees are more concerned about their data and a wide range of cases have reached the courts. The proportionality principle is key when considering the legal validity of each practice.

GPS tracking installed and monitored in employees´ electronic devices is not allowed unless it is deemed adequate and necessary for a legitimate business goal, is not against any collectively agreed regulation and only after providing sufficient information on the measures to employees and their representatives, or after consulting or bargaining with them when required.

A clause in the employment contract by call centre employees consented to monitoring by webcams is valid since it was foreseen in the relevant Collective Bargaining Agreement and the employees knew about it when they were hired.

Lastly, the court disregarded evidence obtained in a breach of employees’ privacy. Two employees started a fight in the work parking area and were recorded by CCTV. Employees had not been informed of this video surveillance or its potential disciplinary use.

Jose Miguel Mestre
José Miguel Mestre Vázquez
Senior Associate - Spain
Sagardoy Abogados