Global Data and Cyber Handbook

Spain

Select a Topic
Start Comparison
Data Processing in the Employment Context
Jump to
Data Processing in the Employment Context Start Comparison
Is an identified legal basis required in order to collect or process personal data or sensitive personal data in the employment context?

[Last reviewed: January 2025]

Yes.

The potential legal bases for data processing in the employment context are:

It would ultimately depend on the categories of personal data subject to the processing activities.

In any case, note that the following are potential legal bases for the processing of personal data:

  • the data subject provided consent to the processing for the identified purposes
  • the personal data is necessary to perform a contract with the data subject
  • the personal data is necessary to comply with a legal obligation
  • in very specific cases, the personal data is necessary to protect the vital interests of a natural person
  • the personal data is necessary to fulfill a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of their right to object)

The following are potential legal bases for the processing of sensitive personal data:

  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
  • in very specific cases, processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Can consent be validly obtained in the employment context?

[Last reviewed: January 2025]

☒   Yes, but this consent is typically more difficult to establish in an employment context (specify details below)

Pursuant to recital 43 of the GDPR, "consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller", which could be the case in the employment relationship. The Spanish Data Protection Authority also confirmed this.

Therefore, the employer must:

  • ensure that consent is only requested when there is no other appropriate legal basis that justifies the relevant processing operation; and
  • make the employee aware that the refusal to grant consent will not have negative consequences for them in the employment context.

Also, note that from a Spanish perspective, the use of consent as a legal basis for the processing of employees' sensitive personal data would be hardly acceptable.

Has the data privacy regulator issued guidance on use of artificial intelligence, automated decision making or profiling in an employment context – for example, relating to use in employee monitoring or hiring?

☒         Yes

Please refer to the EU Chapter for detailed information regarding EU-wide guidance.

In its guidelines for data protection in the employment context (https://www.aepd.es/documento/la-proteccion-de-datos-en-las-relaciones-laborales.pdf), the Spanish Data Protection Agency includes the reference to the provisions connected with the increased information requirements for works council when algorithms or artificial intelligence systems are used for the decision making processes that may have an impact on the employees (e.g. work conditions, access and maintenance of employment, including profiling).

{{ $store.state.loadingScreen.message }} ...