AN - SAN 487/2024: Difference between revisions
No edit summary |
No edit summary |
||
| Line 13: | Line 13: | ||
|Original_Source_Name_1=CENDOJ | |Original_Source_Name_1=CENDOJ | ||
|Original_Source_Link_1=https:// | |Original_Source_Link_1=https://gdprhub.eu/images/6/63/SAN_487_2024.pdf | ||
|Original_Source_Language_1=Spanish | |Original_Source_Language_1=Spanish | ||
|Original_Source_Language__Code_1=ES | |Original_Source_Language__Code_1=ES | ||
Revision as of 15:04, 29 February 2024
| AN - SAN 487/2024 | |
|---|---|
 | |
| Court: | AN (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | 19.7 III Convenio colectivo de ámbito estatal del sector de contact center |
| Decided: | 05.02.2024 |
| Published: | |
| Parties: | |
| National Case Number/Name: | SAN 487/2024 |
| European Case Law Identifier: | ECLI:ES:AN:2024:487 |
| Appeal from: | |
| Appeal to: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | CENDOJ (in Spanish) |
| Initial Contributor: | Teresa.lopez |
Employer's mandate of personal phones for confirming identity during teleworking hours was ruled unlawful, breaching collective bargaining data protection safeguards.
English Summary
Facts
On 29 November 2023, the Spanish trade union CCOO initiated legal action against the controller concerning a collective labor dispute.
In response to the pandemic, some employees of the controller transitioned to telecommuting arrangements. The controller proposed a telecommuting agreement, which the Workers' Legal Representation did not accept, ending the negotiation process without consensus. The controller then entered into individual agreements with the employees regulating, among other topics, the use of personal devices of employees for 2-factor authentication purposes (2FA).
The Worker’s Legal Representation brought proceedings before the court seeking annulment, among others, of the clause that mandated the employees to provide their cell phone numbers for receiving SMS messages and/or accessing applications to confirm identity during established working hours. The controller justified this requirement based on cybersecurity reasons and their legitimate interest in ensuring information and system security as is reflected in Article 6(1)(f) GDPR.
Holding
The court held that the clause was void since, according to Article 19.7 of the Collective Bargaining Agreement of State Scope for the Contact Center Sector, companies shall provide tools, applications, or devices especially in the event where a 2FA system is necessary. The controller should furnish the requisite tools and means, rather than relying on workers' personal devices. In exceptional cases and exclusively for this purpose, if the employee refuses the tool provided by the company, they may consent to use devices or tools of their own.
This Article reflects Article 88 GDPR which allows Member States to provide for more specific rules to ensure the protection of rights and freedoms in respect of the processing of employee's personal data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database may consult the documents as long as they do so for their own personal use. The use of the database for commercial uses, nor the massive downloading of information, is not permitted. The reuse of this information for the creation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may give rise to the adoption of appropriate legal measures.
