The meeting had the participation of Mar Spain, director of the AEPD, and José María Campos, director of the Legal department of CEOE, as well as with several experts from the AEPD who have offered guidance and answers to the questions previously raised by CEOE: Jesus Ruby (coordinating member of the Support and Institutional Relations Unit), Julián Prieto (deputy director of the General Registry of Data Protection), Manuel Villaseca (deputy deputy director of the General Data Protection Registry), Andrés Calvo (Division of Technological Innovation) and Lourdes Hernández (Head of service for Canal Informa).
In his presentation, Mar España highlighted the willingness of the AEPD to work on those issues that may arise from the business sphere in terms of data protection to improve information and respond to legal questions raised.
First of all, some general issues related to aspects such as the concept of personal data, the principle of proactivity in compliance with regulations, the causes of legitimation, the information provided to employees in the field of data protection, the right of access, particularly in cases of treatment of images and audios, or the transfer of data in cases of fraud prevention.
In another block of questions, questions were answered about the delimitation of the responsibilities of those responsible, jointly responsible and those in charge of data processing, as well as their position in various areas of activity. Regarding the data intended for marketing and commercial use, mention was made of the digital advertising modalities that regulate current legislation, the rights that it guarantees and the requirements that it demands.
The meeting tried to resolve some questions regarding the regulation of "cookies". In this regard, it was indicated that the AEPD will soon publish a new updated guide that guarantees clear information regarding the express consent of the user. It was mentioned that the provision of services cannot be denied if cookies are rejected, and there must be an alternative. Clarifications were also made regarding the responsibility of advertising "cookies" and the tendency to impose conditions.
In the chapter on labor relations and data protection, various issues were addressed, most of them focused on the access to information of workers by unions and their legitimization, and the criteria of the AEPD regarding what type of Personal data of the workers can be communicated and which ones cannot. For example, in the field of risk prevention and regarding the occupational health of workers. Regarding COVID-19, it was indicated that the company has the right to know if an employee is infected or not to establish the necessary contingency plans. Other aspects of interest were the retention time of the data related to the presence and the hourly record, and the biometric data and its use in the entry and exit control systems.
According to the taking of temperature in the access to the work centers To prevent the entry of people infected with COVID-19, it was recalled that this is an action related to health surveillance and, therefore, must be carried out by health personnel. However, if it is carried out under sanitary protocols established by the PRL service, it may be carried out by access control personnel.
The AEPD offered answers to various questions about the processing of biometric data and their consent, as well as questions about the obligation to appoint a data protection officer, which organizations should have them, the criteria for their appointment and the incompatibility assumptions for their appointment. .
Another issue that was addressed was the judgment of the Court of Justice of the EU, that overrides the US privacy shield decision and that affects the data handled by exporters and importers. It was noted that this matter is being evaluated by the European Data Protection Committee.
The meeting concluded with a round of questions from the attendees, who raised some doubts about aspects such as the exercise of access rights, digital disconnection, the right of opposition, the legal limits on the dissemination of data by workers or the concept analog product for advertising shipments in loyalty programs.
Finally, the AEPD recalled the importance of the information resources available on the Agency's website to solve many of the questions that may arise, highlighting that there is a FAQ section on various areas of data protection regulations and a section with technical reports of interest.
