Personal data in the workplace in Andorra
Data protection is regulated in the Principality of Andorra by Law 29/2021 and its implementing regulation (Decree 391/2021). The data protection agency has developed a guide to guarantee compliance with the Principality’s legal framework and promote the responsible and secure processing of personal data in the workplace in Andorra.
The guide is intended for all players involved in the employment relationship. Apart from safeguarding people’s privacy rights and protecting their data, it also makes several recommendations for fundamental principles such as confidentiality, consent or the notification of security breaches.
The guide distinguishes among the different types of data: what is considered personal data, what is not, and whether it is subject to data protection law. For example, the identifying personal data of employees that is not considered professional data will be governed by the data protection regulations. Data that is used and processed within a professional context is not subject to the same privacy requirements as personal data, although its correct use must be ensured.
Professional data must only be used for the intended professional purposes, and any unauthorised or business-related use must be avoided.
The definition of processing is very broad, and includes any action carried out with or on personal data, where its mere collection already constitutes data processing. The guide of the Andorran Data Protection Agency focuses on the processing of data due to the employment relationship between employer and employee, distinguishing the processing that will be conducted by the company due to its activity.
The ADPA guide makes it clear that the controller must determine the most appropriate lawful basis for each of the purposes pursued, attaching an indicative table to identify this lawful basis according to the purpose.
In employment, the execution of the employment contract and the legitimate interest are the main lawful bases for the processing of personal data, and the data must be adequate, relevant and limited to the purpose of executing an employment contract.
Therefore, the employer is entitled to know the personal data necessary for the employment relationship to follow its normal course, as the characteristics of the employment relationship will determine which data is necessary. It must be remembered that the data collected cannot be used for purposes other than those for which it was collected.
However, the employer must clearly inform his employees of the data processing performed. This duty to inform is part of the essential content of the right to data protection and constitutes a guarantee for the data subject, as it enables them to know which data is being processed, with whom it is shared, their rights, and how to exercise them: the right of objection, the right of access, rectification and erasure, the right of restricted processing and the right of portability.
In principle, the inclusion of informative data protection clauses in employment contracts or in an annex thereto is an adequate means of complying with employees’ right to inform, as long as the intended processing activities are not based on the employee’s consent.
Personal data in the workplace in Andorra: selection processes
The ADPA guide also refers to the key aspects to be taken into account in personnel selection processes. The five main points are:
- Information on the processing of data.
- The lawful basis.
- The personal data to be processed.
- The information on the rights of the candidates regarding the processing of their data.
- The confidentiality of processing: the company can only keep personal data for the duration of the selection process. Once complete, the data must be deleted or blocked, preventing further use.
Employees or candidates do not have to allow the employer to search their social network profiles, either during the selection process or during the execution of the contract. This search is only justified if it is related to professional purposes.
In the case of third-party involvement in the selection and recruitment process, these third parties will act as processors when they have previously signed a contract with the company seeking employees. If there is no previous contract, the third party will be considered responsible for processing the candidate’s data.
Finally, the candidate’s consent will be required for the third party to transfer their data to the hiring company. The consent of the employee or candidate will also be necessary to communicate data between companies in a group, as each company has its own legal identity. As always, the existence of a legitimate interest is required.
Employee relations may be subject to changes brought about by both the employer and the employee, applying the principles of minimisation and proportionality in the management of human resources. The employer must sign a processing commission contract whenever they outsource the management of the employment relationship, human resources or payroll management to external consultants or management companies.
Personal data in the workplace in Andorra: sensitive and biometric data
Video surveillance at work is also mentioned: this is allowed, but images from cameras cannot be used to control employee activity.
Generally, the processing of special categories of personal data is forbidden, although there are specific circumstances in accordance with the provisions of Article 9.2 of the LQPD. Even so, no company is legitimised to demand that the employee communicates personal data such as: trade union affiliation, political ideology, sexual orientation or religious beliefs, with some exceptions.
In relation to biometric data, a distinction must be made between identification and biometric verification. There is no legal obligation and, in any case, the balance between the position of the employee and the employer and the proposal of alternatives in case of objection by the employee would be necessary. Under no circumstances is the forced collection of data permitted. For the collection of this type of data, the employee must be informed of the processing of the data, its protection, storage, security and erasure.
The processing of health data at work for the prevention of occupational risks is justified by the existence of a contractual relationship between employer and employee. Access to information by the employer is restricted and, in practice, is limited to determining the employee’s suitability or unsuitability for the job.
Likewise, the relationship between the company and the prevention service also involves the processing of data, although this communication of the employee’s data does not require their consent, as it is a legal obligation. In this case, the prevention service will be considered the controller.
Personal data about working hours and contract termination
Registering working hours and the use of work tools also involves data processing, as it allows a specific person to be identified. Therefore, the right to data protection must also be taken into account.
At the time of termination of the employment relationship, different considerations must be made, as data protection regulations still apply:
- The letter of dismissal contains personal data and, therefore, appropriate security measures must be implemented.
- Once the employment relationship is terminated, the data must be blocked.
- The employee’s consent is required to keep their contact details in the future or to share the data with a future employer.
Guaranteeing total confidentiality is of utmost importance in the management of prevention services. In the event of a change of prevention service provider, the data must be communicated between the different services, and the preservation of the data by the former provider will be in line with the provisions of labour regulations.
Katia Carneiro
If you need more information about any aspect of personal data in the workplace in Andorra, contact us!
Information on data protection
Company name
LEGAL IT GLOBAL 2017, SLP
Purpose
Providing the service.
Sending the newsletter.
Legal basis
Compliance with the service provision.
Consent.
Recipients
Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.
Rights
You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.
Further information
See the Privacy Policy.