AN - SAN 487/2024: Difference between revisions
Teresa.lopez (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Spain |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=AN |Court_Original_Name=Audiencia Nacional |Court_English_Name=National Audience |Court_With_Country=AN (Spain) |Case_Number_Name=SAN 487/2024 |ECLI=ECLI:ES:AN:2024:487 |Original_Source_Name_1=CENDOJ |Original_Source_Link_1=https://www.poderjudicial.es/search/AN/openDocument/39bddda1a78bb456a0a8778d75e36f0d/20240223 |Original_Source_Language_1=Spanish |Original_Sourc...") |
No edit summary |
||
Line 60: | Line 60: | ||
}} | }} | ||
Employer's mandate of personal phones for confirming identity during teleworking hours was ruled unlawful, breaching collective bargaining data protection safeguards. | |||
== English Summary == | == English Summary == | ||
Line 69: | Line 69: | ||
In response to the pandemic, some employees of the controller transitioned to telecommuting arrangements. The controller proposed a telecommuting agreement, which the Workers' Legal Representation did not accept, ending the negotiation process without consensus. The controller then entered into individual agreements with the employees regulating, among other topics, the use of personal devices of employees for 2-factor authentication purposes (2FA). | In response to the pandemic, some employees of the controller transitioned to telecommuting arrangements. The controller proposed a telecommuting agreement, which the Workers' Legal Representation did not accept, ending the negotiation process without consensus. The controller then entered into individual agreements with the employees regulating, among other topics, the use of personal devices of employees for 2-factor authentication purposes (2FA). | ||
The Worker’s Legal Representation brought proceedings before the court seeking annulment, among others, of the clause that mandated the | The Worker’s Legal Representation brought proceedings before the court seeking annulment, among others, of the clause that mandated the employees to provide their cell phone numbers for receiving SMS messages and/or accessing applications to confirm identity during established working hours. The controller justified this requirement based on cybersecurity reasons and their legitimate interest in ensuring information and system security as is reflected in [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. | ||
=== Holding === | === Holding === | ||
The court held that the clause was void since, according to Article 19.7 of the | The court held that the clause was void since, according to [https://www.boe.es/diario_boe/txt.php?id=BOE-A-2023-13741 Article 19.7 of the Collective Bargaining Agreement of State Scope for the Contact Center Sector], companies shall provide tools, applications, or devices especially in the event where a 2FA system is necessary. The controller should furnish the requisite tools and means, rather than relying on workers' personal devices. In exceptional cases and exclusively for this purpose, if the employee refuses the tool provided by the company, they may consent to use devices or tools of their own. | ||
This Article reflects Article 88 GDPR which allows Member States to provide for more specific rules to ensure the protection of rights and freedoms in respect of the processing of employee's personal data. | |||
== Comment == | == Comment == |
Revision as of 14:36, 29 February 2024
AN - SAN 487/2024 | |
---|---|
Court: | AN (Spain) |
Jurisdiction: | Spain |
Relevant Law: | 19.7 III Convenio colectivo de ámbito estatal del sector de contact center |
Decided: | 05.02.2024 |
Published: | |
Parties: | |
National Case Number/Name: | SAN 487/2024 |
European Case Law Identifier: | ECLI:ES:AN:2024:487 |
Appeal from: | |
Appeal to: | Not appealed |
Original Language(s): | Spanish |
Original Source: | CENDOJ (in Spanish) |
Initial Contributor: | Teresa.lopez |
Employer's mandate of personal phones for confirming identity during teleworking hours was ruled unlawful, breaching collective bargaining data protection safeguards.
English Summary
Facts
On 29 November 2023, the Spanish trade union CCOO initiated legal action against the controller concerning a collective labor dispute.
In response to the pandemic, some employees of the controller transitioned to telecommuting arrangements. The controller proposed a telecommuting agreement, which the Workers' Legal Representation did not accept, ending the negotiation process without consensus. The controller then entered into individual agreements with the employees regulating, among other topics, the use of personal devices of employees for 2-factor authentication purposes (2FA).
The Worker’s Legal Representation brought proceedings before the court seeking annulment, among others, of the clause that mandated the employees to provide their cell phone numbers for receiving SMS messages and/or accessing applications to confirm identity during established working hours. The controller justified this requirement based on cybersecurity reasons and their legitimate interest in ensuring information and system security as is reflected in Article 6(1)(f) GDPR.
Holding
The court held that the clause was void since, according to Article 19.7 of the Collective Bargaining Agreement of State Scope for the Contact Center Sector, companies shall provide tools, applications, or devices especially in the event where a 2FA system is necessary. The controller should furnish the requisite tools and means, rather than relying on workers' personal devices. In exceptional cases and exclusively for this purpose, if the employee refuses the tool provided by the company, they may consent to use devices or tools of their own.
This Article reflects Article 88 GDPR which allows Member States to provide for more specific rules to ensure the protection of rights and freedoms in respect of the processing of employee's personal data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database may consult the documents as long as they do so for their own personal use. The use of the database for commercial uses, nor the massive downloading of information, is not permitted. The reuse of this information for the creation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may give rise to the adoption of appropriate legal measures.