Digital Rights & Data Protection
Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights
Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales
Spain
RET-ES-NA-ORGANIC-2018
Organic Law 3/2018 (LOPDGDD) is Spain's primary legislation adapting its legal system to the EU's General Data Protection Regulation (GDPR). Enacted in 2018, it establishes a comprehensive framework for personal data protection and introduces new digital rights for citizens, particularly employees. This law governs how employers collect, process, store, and manage all personal data, including sensitive remuneration information, directly impacting how pay equity initiatives must be conducted while upholding employee privacy and data security.
Overview
Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales, LOPDGDD) represents a cornerstone of Spain's legal framework for data privacy. It was enacted to fully adapt the Spanish legal system to the stringent requirements of the European Union's General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which came into effect on May 25, 2018. The LOPDGDD was approved by the Cortes Generales on December 5, 2018, published in the Official State Gazette (BOE) on December 6, 2018, and entered into force on December 7, 2018. This pivotal legislation repealed the previous Organic Law 15/1999 on Data Protection, establishing a modernized and comprehensive framework for the protection of personal data and introducing a set of new digital rights for citizens, reflecting the increasing digitalization of society and the workplace.
The LOPDGDD holds significant implications for employment law and, by extension, for pay equity considerations. It meticulously governs how employers collect, process, store, and manage all personal data pertaining to their employees. This includes a wide array of sensitive information such as remuneration details, performance evaluations, attendance records, health data, and other data that might be directly or indirectly relevant for assessing pay equity or identifying potential disparities. While not a direct pay equity law itself, its foundational provisions on data protection principles—such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity, and confidentiality—directly dictate the permissible scope and methodology for any pay equity initiatives, including pay gap reporting, equal pay audits, or internal compensation analyses. Employers must ensure that any data processing for these purposes strictly adheres to the LOPDGDD's requirements, prioritizing employee privacy and data security.
Beyond mere compliance with the GDPR, the LOPDGDD innovatively introduces specific digital rights for employees in the workplace, which underscore the importance of protecting employee data and privacy in an increasingly digital work environment. These rights include the right to privacy in the use of digital devices provided by the employer, the right to digital disconnection outside working hours to ensure respect for rest time and personal and family life, and the right to privacy against video surveillance, sound recording, and geolocation systems in the workplace. These provisions reinforce the broader framework of employee privacy and control over personal information, thereby indirectly influencing how data related to compensation, employment conditions, and work-life balance can be handled, processed, and disclosed, even in the context of promoting pay equity and non-discrimination.
Definitions
The LOPDGDD, in close alignment with the GDPR, establishes several key definitions that are fundamental to understanding its scope and application, particularly in the context of employment and pay equity data. The term personal data is defined broadly as any information relating to an identified or identifiable natural person (the 'data subject'). This encompasses a vast range of information, including, but not limited to, names, identification numbers (like DNI/NIE), location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. In an employment context, this definition unequivocally covers all employee information, including salary, benefits, job title, performance reviews, disciplinary records, and any other data linked to an individual's employment, making it crucial for pay equity analyses.
A data subject is the identified or identifiable natural person to whom the personal data relates. This means that every employee is considered a data subject with specific rights under the law, empowering them with control over their personal information. The data controller is defined as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In most employment scenarios, the employer acts as the data controller for employee data, including remuneration data, and thus bears primary responsibility for compliance. A data processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, such as a third-party payroll service provider or an HR software vendor. The law clearly delineates the responsibilities of both controllers and processors, often requiring specific contractual agreements between them.
The law also defines consent as any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. While consent is one of the lawful bases for processing, in employment, processing is often based on the necessity for the performance of a contract (the employment contract) or compliance with a legal obligation (e.g., tax, social security, or specific pay equity reporting). Special categories of data, which include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation, receive heightened protection. While direct pay data is not a special category, information related to gender, disability, or ethnicity, often used in comprehensive pay equity analysis, could be linked to special categories or require careful handling under these provisions, necessitating explicit consent or another robust legal basis.
Covered Employers
Organic Law 3/2018, as the national implementation of the GDPR, applies broadly to virtually all employers in Spain, regardless of their size, sector, or legal form, that process personal data of their employees. The law's extensive scope is determined by the act of processing personal data, not by the number of employees an organization has. Consequently, both small and medium-sized enterprises (SMEs) and large corporations, public sector bodies, and private entities are subject to its provisions if they collect, store, or use any information related to their workforce. This universal applicability means that any employer conducting pay equity analyses, collecting pay gap data, managing employee remuneration information, or simply maintaining employee records must comply with the LOPDGDD's stringent requirements.
Unlike some specific pay equity laws that might apply only to companies above a certain employee count for reporting obligations, the LOPDGDD itself does not introduce specific size thresholds for general data protection compliance. However, the law does introduce nuances regarding certain obligations. For instance, the obligation to appoint a Data Protection Officer (DPO) is mandatory for specific types of organizations, including all public sector bodies and those private entities whose core activities involve large-scale processing of special categories of data or regular and systematic monitoring of data subjects. While not all employers are required to appoint a DPO, all must ensure full compliance with data protection principles, which may involve designating an internal contact person for data protection matters and implementing robust internal policies and procedures.
Exemptions from certain provisions of the LOPDGDD are generally limited and typically relate to specific contexts such as national security, defense, or the prevention, investigation, detection, or prosecution of criminal offenses, as well as purely personal or household activities. These exemptions do not typically apply to the processing of employee data by employers in the normal course of business. Therefore, any employer in Spain, when handling employee data—including that related to compensation, benefits, performance, and other employment conditions—must adhere to the strict requirements of the LOPDGDD. This ensures that all data processing is lawful, fair, and transparent, and that employee rights are consistently upheld, providing a fundamental layer of protection for sensitive information used in pay equity assessments.
Employee Rights
Under Organic Law 3/2018, employees, as data subjects, are granted a comprehensive set of rights regarding their personal data, which are directly applicable to their employment records, including remuneration information. These rights, largely mirroring those in the GDPR, empower individuals to control their data and ensure its proper handling. Key among these are the rights of access, rectification, erasure ('right to be forgotten'), restriction of processing, data portability, and objection to processing. Employees have the fundamental right to know what personal data an employer holds about them, to request corrections of inaccurate or incomplete data, and to request the deletion of data under certain circumstances, such as when it is no longer necessary for the purpose for which it was collected or when consent is withdrawn.
Specifically concerning pay equity, employees can exercise their right of access to understand how their remuneration data is processed, the categories of data involved (e.g., base salary, bonuses, benefits), the recipients of such data (e.g., payroll providers, HR department, tax authorities), and the period for which it will be stored. While the LOPDGDD does not grant a direct right to compare salaries with colleagues, it ensures that employees can access their *own* salary data and understand the legal basis and purposes of its processing. This transparency in data handling is a foundational element that supports broader pay transparency initiatives, as it enables employees to verify the accuracy and legitimacy of their own pay data, and to identify potential inconsistencies that might warrant further investigation or a complaint.
Beyond these general data protection rights, the LOPDGDD also introduces specific digital rights for employees in the workplace, reflecting the modern digital environment. These include the right to privacy in the use of digital devices provided by the employer, meaning employers must establish clear rules for their use and cannot indiscriminately monitor them. Employees also have the right to digital disconnection outside working hours, ensuring respect for their rest time and personal life, which requires employers to implement policies to limit work-related communications during non-working hours. Furthermore, employees have the right to privacy against video surveillance, sound recording, and geolocation systems in the workplace, with strict conditions for their implementation. Employers are obliged to establish clear policies for the use of digital devices and the exercise of the right to digital disconnection, often in consultation with workers' representatives. These provisions, while not directly about pay, reinforce the overall framework of employee privacy and control over personal information, which is critical when handling sensitive employment data like compensation and performance.
Pay Transparency Requirements
While Organic Law 3/2018 is not a dedicated pay transparency law in the sense of mandating salary range disclosures in job postings or public pay gap reporting, it establishes fundamental principles of data transparency that are highly relevant to how pay-related information is handled and communicated within an organization. The LOPDGDD requires that any processing of personal data, including remuneration data, must be conducted in a transparent manner. This means that data subjects (employees) must be informed about the identity of the data controller, the specific purposes of the processing, the legal basis for the processing (e.g., employment contract, legal obligation, legitimate interest), the categories of recipients of the data, and their rights (e.g., access, rectification, erasure). This information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
In the context of pay, this translates to employers being transparent with employees about how their salary data is collected, why it is processed (e.g., for payroll administration, tax compliance, internal compensation analysis, or compliance with specific pay equity reporting obligations), who has access to it (e.g., HR, finance, managers), and for how long it will be retained. Although the LOPDGDD does not compel employers to publish pay scales or salary ranges externally or to disclose individual salaries of colleagues, it ensures that employees have the right to access their *own* personal data, including their salary history, components of their remuneration, and any performance-related pay data. This internal data transparency is a crucial prerequisite for employees to identify potential pay disparities and to effectively exercise their data protection rights, forming a bedrock for broader pay equity efforts.
Furthermore, the principle of transparency under the LOPDGDD would apply rigorously to any internal or external pay equity initiatives. If an employer conducts a pay gap analysis or an equal pay audit, they must be transparent with employees about the data being collected for these specific purposes, the methodology used (to the extent it involves personal data), and the outcomes that affect their individual data or the collective workforce. While the law does not dictate the *content* of pay transparency (e.g., specific salary bands or job evaluation criteria), it strictly governs the *process* of data handling to ensure fairness, accountability, and respect for individual privacy. Any communication about pay structures, remuneration policies, or pay equity findings that involves personal data must adhere to these transparency requirements, ensuring employees are fully informed about how their pay data is utilized and protected.
Reporting & Audit Obligations
Organic Law 3/2018, in conjunction with the GDPR, imposes significant reporting and audit obligations on data controllers, which are directly relevant to how employers manage employee data, including remuneration information. While the LOPDGDD does not mandate specific pay gap reporting or equal pay audits in itself (these are covered by other Spanish laws like Royal Decree 902/2020), it requires that any processing activities that are likely to result in a high risk to the rights and freedoms of natural persons undergo a Data Protection Impact Assessment (DPIA). This would be particularly pertinent for large-scale processing of sensitive employee data, systematic monitoring of employees, or comprehensive pay analysis across an organization that involves profiling or evaluating personal aspects, ensuring risks are identified and mitigated before processing begins.
Employers are also obliged to maintain detailed records of all processing activities under their responsibility (Article 30 GDPR). These records must include the purposes of the processing; the categories of data subjects and personal data (e.g., employees, salary, job title); the categories of recipients to whom the personal data have been or will be disclosed; transfers of personal data to a third country or international organization; where possible, the envisaged time limits for erasure of the different categories of data; and a general description of the technical and organizational security measures. For pay equity purposes, this means that any data collected for salary analysis, pay gap calculations, or equal pay audits must be meticulously documented, demonstrating compliance with data protection principles and providing an auditable trail of data handling practices.
Furthermore, in the event of a personal data breach, the data controller (employer) has a strict obligation to report it to the Spanish Data Protection Agency (AEPD) without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must also communicate the breach to the data subject without undue delay. These reporting obligations underscore the critical importance of robust data security measures, incident response plans, and regular audits of data processing systems for all employee data, including sensitive remuneration information, to prevent unauthorized access, disclosure, alteration, or destruction.
Governance & Enforcement Bodies
The primary governance and enforcement body for Organic Law 3/2018 in Spain is the **Spanish Data Protection Agency (Agencia Española de Protección de Datos - AEPD)**. The AEPD is an independent public authority, established under the LOPDGDD and operating within the framework of the GDPR, responsible for ensuring compliance with data protection legislation across all sectors. Its extensive functions include supervising the application of the law, handling complaints filed by data subjects (including employees), conducting investigations into alleged infringements, imposing administrative sanctions for non-compliance, and providing guidance, advice, and public awareness campaigns to both data controllers and data subjects. The AEPD serves as the central authority for data protection matters in Spain, playing a critical role in upholding the rights guaranteed by the LOPDGDD.
The AEPD plays a crucial role in safeguarding employee data privacy. Employees who believe their data protection rights have been violated by their employer, including in relation to their pay data, can file a complaint with the AEPD. The Agency has the power to investigate these complaints thoroughly, which may involve requesting detailed information from employers, conducting on-site inspections, and interviewing relevant personnel. Upon concluding an investigation, the AEPD can issue binding decisions, order corrective measures (such as requiring an employer to delete data or improve security), and impose significant administrative fines for non-compliance. Its authority extends to all organizations processing personal data within Spain, ensuring that the provisions of the LOPDGDD are effectively enforced across all sectors, including those related to the handling of sensitive pay equity data.
In addition to the AEPD, judicial bodies also play a vital role in the enforcement of data protection rights. Individuals who suffer material or non-material damage as a result of an infringement of the LOPDGDD have the right to pursue legal action through the civil courts to seek remedies and compensation. This means employees could seek compensation if their personal data, including sensitive pay information, is mishandled, leading to harm. The interaction between the AEPD, which handles administrative complaints and sanctions, and the courts, which address more complex legal disputes and award compensation, ensures a multi-layered and comprehensive enforcement mechanism. This robust governance structure ensures that the provisions of the LOPDGDD, which indirectly but significantly impact the handling of pay equity data, are effectively enforced and that individuals have avenues for redress.
Monitoring & Evaluation
The monitoring and evaluation of compliance with Organic Law 3/2018 are primarily carried out by the Spanish Data Protection Agency (AEPD), which employs a multi-faceted approach to ensure adherence to the LOPDGDD and GDPR. The AEPD's mechanisms include proactive inspections, reactive investigations based on complaints, and the issuance of detailed guidelines, recommendations, and resolutions. The AEPD has the statutory authority to conduct on-site inspections of organizations, including employers, to verify their data processing practices, assess the adequacy of their technical and organizational security measures, and review their documentation related to personal data, which explicitly includes employee remuneration data and other HR records.
When a complaint is filed by an employee regarding the processing of their personal data, the AEPD initiates a formal investigation process. This process typically involves requesting comprehensive information from the employer, examining relevant internal policies, procedures, and data processing agreements, and potentially interviewing key personnel responsible for data handling. The AEPD meticulously evaluates whether the data processing complies with fundamental principles such as lawfulness, fairness, transparency, data minimization, and accuracy. For instance, if an employer is collecting extensive pay data for an internal analysis or a pay equity audit, the AEPD would assess if the collection is proportionate to the stated purpose, if employees were adequately informed about the processing, if a valid legal basis exists, and if appropriate security measures are in place to protect the sensitive nature of the data.
Furthermore, the AEPD actively monitors the implementation of Data Protection Impact Assessments (DPIAs) for high-risk processing operations and regularly reviews records of processing activities that data controllers are mandated to maintain. While the LOPDGDD does not mandate specific equal pay audits, any data collection or analysis undertaken for pay equity purposes would fall under the AEPD's scrutiny regarding data protection compliance. The evaluation criteria for the AEPD focus on strict adherence to data protection principles, the effectiveness of implemented security measures, the respect for data subject rights, and the overall accountability of the data controller in demonstrating compliance. This robust monitoring framework ensures that even indirect impacts of the LOPDGDD on pay equity data handling are subject to rigorous oversight, promoting responsible and lawful data practices.
Enforcement & Penalties
Organic Law 3/2018, in strict alignment with the GDPR, establishes a robust and deterrent system of enforcement and penalties for infringements of data protection provisions. The Spanish Data Protection Agency (AEPD) is empowered to impose significant administrative fines, which are categorized based on the severity and nature of the infringement. Minor infringements, such as failure to provide adequate information to data subjects, can result in fines up to €40,000. Serious infringements, which include processing data without a lawful basis or failing to implement appropriate security measures, can lead to fines up to €300,000. Very serious infringements, such as violations of core data protection principles or data subject rights, can incur fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. These substantial penalties underscore the critical importance of compliance for all organizations, including employers handling employee data.
Infringements related to the processing of employee data, including sensitive remuneration information, can arise from various actions. These include unlawful processing (e.g., collecting data without a valid legal basis), failure to obtain valid consent where required, inadequate technical and organizational security measures leading to data breaches, non-compliance with data subject rights (e.g., denying access, rectification, or erasure requests), or failure to conduct a necessary Data Protection Impact Assessment for high-risk processing. When determining the appropriate penalty, the AEPD considers a range of factors, including the nature, gravity, and duration of the infringement, the intentional or negligent character of the infringement, any actions taken by the data controller to mitigate damage, the categories of personal data affected (e.g., sensitive pay data), and any previous infringements by the organization. This ensures that penalties are proportionate and effective.
Beyond administrative fines, individuals who suffer material or non-material damage as a result of an infringement of the LOPDGDD have the right to receive compensation from the data controller or processor. This means employees could seek compensation through civil courts if their personal data, including sensitive pay information, is mishandled, leading to harm such as discrimination, financial loss, or reputational damage. While criminal liability is not typically associated with standard data protection breaches under the LOPDGDD, severe cases involving malicious intent, large-scale data theft, or unauthorized access to highly sensitive data could potentially lead to criminal charges under other relevant Spanish laws. Data controllers have the right to appeal AEPD decisions through the administrative and judicial systems, ensuring due process and the possibility of judicial review of the Agency's rulings and imposed sanctions.
Relationship to Other Laws
Organic Law 3/2018 operates within a complex and interconnected legal landscape, primarily serving to adapt Spanish law to the overarching **General Data Protection Regulation (GDPR)** (Regulation (EU) 2016/679). The LOPDGDD complements the GDPR by providing specific national provisions and clarifications where the GDPR allows for Member State derogations or specifications. This means that while the GDPR sets the overarching framework and directly applicable rules for data protection across the EU, the LOPDGDD details how these principles are applied in Spain, particularly concerning digital rights and certain aspects of data processing, including those in the employment context. Therefore, any employer operating in Spain must comply with both the GDPR and the LOPDGDD, ensuring a comprehensive approach to data privacy.
The LOPDGDD also interacts significantly with other fundamental Spanish laws. It draws its constitutional basis from the **Spanish Constitution** (Article 18.4), which guarantees the fundamental right to data protection. Furthermore, it directly influences and is influenced by the **Workers' Statute (Estatuto de los Trabajadores)**, which sets out fundamental labor rights and obligations. While the Workers' Statute may permit employer monitoring under certain conditions (e.g., for productivity or security), the LOPDGDD specifies the stringent privacy safeguards, transparency requirements, and proportionality principles that must be adhered to for such monitoring, including the use of video surveillance, sound recording, or geolocation systems in the workplace. This ensures that employer prerogatives are balanced with employee privacy rights, particularly when sensitive data is involved.
Crucially, the LOPDGDD forms the foundational data protection framework for any specific pay equity legislation in Spain. This includes **Royal Decree-Law 6/2019, of March 1, on urgent measures for the guarantee of equal treatment and opportunities between women and men in employment and occupation**, and more specifically, **Royal Decree 902/2020, of October 13, on equal pay for women and men**. While these pay equity laws mandate actions like pay gap reporting, equal pay audits, and the creation of remuneration registers, the LOPDGDD dictates *how* the personal data required for these activities must be collected, processed, stored, and protected. It ensures that pay equity initiatives are conducted in a manner that respects employees' fundamental right to data protection, emphasizing principles such as data minimization (collecting only necessary data), purpose limitation (using data only for specified purposes), and the security and confidentiality of sensitive remuneration information. The LOPDGDD thus provides the essential legal guardrails for implementing pay equity measures responsibly.
International Context
Organic Law 3/2018 is deeply rooted in the international context of data protection, primarily serving as the national implementation of the **General Data Protection Regulation (GDPR)**, a landmark piece of legislation by the European Union. The GDPR established a harmonized and high-standard framework for data protection across all EU Member States, setting robust requirements for the processing of personal data and granting extensive rights to individuals. By adapting to the GDPR, Spain aligns its data protection regime with the most comprehensive and influential data protection law globally, ensuring consistency and facilitating secure data flows within the European Economic Area. This alignment means that the principles, definitions, and rights enshrined in the LOPDGDD reflect international best practices in data privacy and are consistent with a broader European approach to digital rights.
Beyond the immediate EU framework, the LOPDGDD and GDPR principles resonate with broader international human rights instruments and labor standards. The protection of personal data is increasingly recognized as a fundamental human right, often linked to the right to privacy, as enshrined in documents like the Universal Declaration of Human Rights (Article 12) and the International Covenant on Civil and Political Rights (Article 17). In the context of employment, the principles of data protection are also relevant to **ILO Conventions C100 (Equal Remuneration Convention, 1951)** and **C111 (Discrimination (Employment and Occupation) Convention, 1958)**, which advocate for non-discrimination and equal treatment in the workplace. While these ILO conventions do not directly address data protection, the LOPDGDD ensures that any data collection or analysis undertaken to monitor and promote equal pay and non-discrimination in employment is conducted with due respect for individual privacy and data security. This indirect support ensures that efforts to achieve pay equity are carried out ethically and legally, safeguarding sensitive employee information in line with global human rights and labor principles.
Implementation Timeline
| Date | Milestone | Status |
|---|---|---|
| December 5, 2018 | Organic Law 3/2018 approved by Cortes Generales | Adopted |
| December 6, 2018 | Published in the Official State Gazette (BOE) | Published |
| December 7, 2018 | Entered into force | In Force |
| Ongoing | Issuance of AEPD guidelines and resolutions | In Force (Amended/Interpreted) |
| Ongoing | Enforcement and investigations by AEPD | In Force |
Compliance Checklist
| Requirement | Action Required | Deadline |
|---|---|---|
| Lawful Basis for Processing | Identify and document a lawful basis (e.g., contract, legal obligation, legitimate interest, consent) for all employee data processing, including remuneration data. | Ongoing |
| Transparency & Information | Inform employees about data processing activities, purposes, legal basis, recipients, and their rights (Articles 13 & 14 GDPR/LOPDGDD) in a clear and accessible manner. | Prior to data collection/processing |
| Data Minimization | Ensure only necessary, relevant, and adequate personal data, including pay data, is collected and processed for specified purposes. | Ongoing |
| Purpose Limitation | Process employee data, including remuneration, only for the explicit, legitimate purposes for which it was collected and not further processed in a manner incompatible with those purposes. | Ongoing |
| Accuracy | Maintain accurate and up-to-date employee data; establish clear procedures for employees to rectify inaccuracies or update their information. | Ongoing |
| Storage Limitation | Establish clear, documented retention periods for different categories of employee data, including pay records, and securely delete or anonymize data when no longer needed for its original purpose. | Ongoing |
| Security Measures | Implement appropriate technical and organizational measures (e.g., encryption, access controls, pseudonymization) to ensure the security, integrity, and confidentiality of all employee data, including remuneration, against unauthorized or unlawful processing and accidental loss, destruction, or damage. | Ongoing |
| Data Protection Officer (DPO) | Appoint a DPO if required (e.g., public authorities, organizations whose core activities involve large-scale processing of special categories of data, or systematic monitoring of data subjects). | Ongoing |
| Data Protection Impact Assessment (DPIA) | Conduct DPIAs for high-risk processing activities involving employee data (e.g., new surveillance systems, large-scale pay analysis, new HR systems involving sensitive data) before commencing processing. | Prior to high-risk processing |
| Data Subject Rights | Establish clear, accessible procedures and mechanisms for employees to exercise their rights (access, rectification, erasure, restriction, portability, objection) and respond to requests within statutory timeframes (typically one month). | Ongoing |
| Digital Rights in Workplace | Implement clear policies for digital device use, the right to digital disconnection, and privacy in surveillance (video, audio, geolocation), developed in consultation with workers' representatives. | Ongoing |
| Data Breach Notification | Have a robust protocol for detecting, managing, reporting (to AEPD within 72 hours), and communicating (to data subjects if high risk) personal data breaches. | Ongoing |
© RewardsET.com / Smitteck GmbH — created on 22-Jan-2026 using Gemini 2.5 Flash