AEPD

The AEPD fine with 42,000 euros to a company

by

The Spanish Agency for Data Protection (AEPD) has imposed a sanction of 70,000 euros to LVMH Iberia, a subsidiary of the French giant of the luxury cosmetics, to add a worker to a group of work WhatsApp using their personal telephone number without prior consent. The resolution, to which Diario Sur It has had accessIt is not an isolated case, and reflects how companies can violate the Data Protection Law With something as simple as put someone in a WhatsApp group. Origin. The employee had to use her personal mobile for labor matters for the demand of the company, while waiting for a new mobile phone to work that was never delivered. According to declaredother incorporated partners after they received these devices. At the beginning of his vacation, he warned by email and verbally that he would leave the WhatsApp groups work and stop using his personal mobile for work, although he would maintain contact with the clients he already had. Conflict. During his vacation, a person from the company adds his number to the WhatsApp group without prior notice or communication. The worker remained in that group until, weeks later, the same person eliminated her when she was fired from the company. It was then that he decided to denounce the facts before the AEPD. The defense of the company. According to account Diario Sur, LVMH Iberia claimed to have adopted a “guarantee” position and defended that the employee’s mail did not request a permanent elimination of the groups, but temporary during the holidays. The company claimed to have respected its decision not to participate during that period and argued that the worker expressed her willingness to continue using the personal mobile for labor purposes. The resolution. The AEPD considered that there had been an illegal treatment of personal data by not collecting prior consent of the employee, violating the General Data Protection Regulation (GDPR). The sanction also takes into account the violation of the right of digital disconnection, protected by labor regulations. After assuming its responsibility and receiving reductions by recognition of the facts, the company finally contributed a total of 42,000 euros, a figure agreed between the agency and the company. What does legislation say. Although the GDPR does not specifically add the WhatsApp work groups, The AEPD has established That the telephone number is a protected personal fact, so adding an employee to a group without their consent constitutes an illicit data treatment. The situation changes when the company provides a corporate phone, since in that case the device and the number belong to the company, which can establish its use in internal policies. For those who telework, the obligation to provide contact data can appear in the contract, although its use It must be justified as urgent and does not allow the employee to be added to groups without direct consent. Likewise, as this last case has reflected, the worker has full right to refuse to use his personal device for labor communications. Cover image | Israel Andrade and own assembly In Xataka | The MIT has studied the impact of AI on companies. Its conclusion: only 5% of the time changes some really

Spanish universities controlled online exams with facial recognition. AEPD has decided that it is enough

by

The Spanish Agency for Data Protection (AEPD) has reached a clear conclusion about the use of biometric systems with artificial intelligence in online university evaluation. There is no possibility that they can be used legally, at least without a specific enabling law. The trigger. The AEPD has presented A complaint against the International University of Valencia. The VIU had been using a system that combined use of artificial intelligence tools with double camera recording (which the student must contribute) to monitor online tests. It is a practice that It has been doing for more than three yearsand that the agency has sanctioned rejecting the legitimacy of this data processing. Viu is not alone. The International University of Valencia is not an isolated case. Some of the most prestigious in Spain, such as University of BurgosUniversity Isabel I, European University, or the University of La Rioja have been implementing this system for years. It is a solution to the growing demand for 100% online training, with tools that allow the student to monitor without the need for the exams in person. The main objective, according to universities, is to avoid fraud and impersonations of identity during evaluations. The culprit. Smowl, this is the name of The online exam supervision tool. This solution, designed for both business and academic use, allows monitoring with webcam, extra camera, browser block, eyelashes control and, ultimately, replaces human role in exam supervision. In the case of the UIV, it was guaranteed that these data were pseudo and eliminated “quickly”, although it recognized that the processing of these data meant “a very high impact risk for the rights and freedoms of the affected people” The universities are covered in which it is the student who gives their consent to the use of these tools by accepting the general conditions of the course in which it has enrolled. The AEPD has another opinion. There is no legislation that covers its use. Universities are shielding that it is the student who gives their consent to the use of these tools by accepting the general conditions of the course in which it has enrolled. The AEPD has another opinion. “The consent cannot be considered valid because there was no real and effective alternative to students as the software used is the only method allowed to perform online exams. Their rejection by students involved losing their right to evaluation. Nor is the mandatory acceptance of general conditions to enroll when enrolled.” These data are of special category and are regulated by Article 9 of the General Data Protection Regulation (RGPD) Since 2022. According to the agency, there is currently no legitic exception in said article or a specific legal framework that enables these practices. It is also rejected that students can give consent, having no alternative available. But it doesn’t close the door. Data protection does not close the door completely to these types of systems. Specifies that it is necessary to develop specific regulations to determine “in what cases, conditions and under what guarantees this biometric treatment can be carried out”. “ Currently, without frame in which to protect yourself, the use of these tools will be subject to sanction for breach of the GDPR. A deep modification of the regulation would not be necessary, it would suffice with an exception that specifically reflect these scenarios of use. Facial recognition in Spain. It is not the first time that Spain calls into question the use of this type of systems. The OBERTA UNIVERSIDAD DE CATALUÑA was sanctioned In 2022 with 20,000 for using facial recognition in their exams. Outside the educational field, one of the most popular cases was that of Mercadona, fined 2.5 million euros for a pilot project in which they tested a facial verification system in their supermarkets. At a lower level, local companies have also faced large fines for breaching the regulations of the GDPR in the workday registry through biometry. Despite this, it is a technology used in video surveillance systems, Like Renfeor that of Madrid in its streets with hundreds of cameras with AI to reinforce the security of the capital. Images | Pexels (Andrea Piacquadio), Unspash (Dom Fou) In Xataka | Pau is approaching: here you have all the degrees related to technology and science with its cutting notes

If the question is whether your company can include you in a work WhatsApp group, the AEPD leaves no doubt: it depends on who pays

by

In many companies, WhatsApp groups or from any other social network, they have adopted the role of a communication board, from which the company or those responsible for employees They organize shiftsroutes or vacations of its employees from a single channel. However, despite being very convenient for the organization of the company, adding employees to These groups It is an exhibition of your private data. Is it legal that the company includes you in one of these Work groups of work? The answer: depends d. Use of WhatsApp on personal mobiles The Spanish Agency for Data Protection, supported by a sentence of the 2019 National Court established the pillars of the use of mobile devices in the workplace, indicating that employees are not obliged to use or install applications for professional use. That is, if the mobile in which the line that will be included in the WhatsApp group is personal, or the line itself is, is installed, or The company cannot force the worker to be part of the group. Including that number in a WhatsApp group without the express consent of the employee would violate article 5 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rightsviolating the right to individual privacy. The legal protection of this assumption was reinforced with the arrival of the Teleworking 10/2021that in its article 17.2 it indicates that it is the company who must provide any material or device that employees may need to develop their work. If to develop that work, the employee needs a mobile with line for communications with the company, or for the time registrationyou must facilitate it. Use of WhatsApp in the company’s mobile The scenario changes completely when the mobile or line is owned by the company, not the employee. In that case, the company can use that resource as it creates convenient and may include those lines in a WhatsApp group, without the employee being able to refuse to it. This use is part of the organization of work by the company according to the Workers Statute. However, the company must justify the group’s need, assume the cost of the line and establish clear rules on its use. Right to digital disconnection In any case, whether the mobile is personal and has the employee’s consent, as if it is a corporate mobile, The right to digital disconnection must be respectedas established in article 20 bis of the Statute of Workers and in article 18 of the Teleworking Law. This section specifically indicates: “Workers have the right to privacy in the use of digital devices made available to the employer, to digital disconnection and intimacy in the use of video surveillance and geolocation devices in the established terms in current legislation on personal data protection and guarantee of digital rights. “ This means that, in any of the cases, the worker is not obliged to answer Out of your working hours, unless it is subject to any of the exceptions due to justified urgency. This right is protected by various labor laws and their breach would result in economic sanctions for the company that could range between 751 euros and 7,500 euros. In Xataka | Signing with the fingerprint at work was legal. In Europe they have decided that they are no longer and threaten to fine Image | Unspash (Dimitri Karastelev)

Log In

Forgot password?

Forgot password?

Enter your account data and we will send you a link to reset your password.

Your password reset link appears to be invalid or expired.

Log in

Privacy Policy

Add to Collection

No Collections

Here you'll find all collections you've created before.