Digital rights at work: what Article 88 of the LOPDGDD requires

·

Since the entry into force of the Organic Law 3/2018, of 5 December, on Personal Data Protection and Digital Rights Guarantee (LOPDGDD), Spanish law explicitly recognises a catalogue of digital rights in employment relationships. Articles 87 to 91 of that law require companies to precisely regulate how corporate devices are used, how workers' rest time is protected, under what conditions their geographical position may be tracked, and what limits apply to video surveillance in the workplace.

This article analyses each of those provisions with full regulatory rigour, explains what employers must specifically do to comply, and highlights the most common mistakes we encounter when helping organisations with their GDPR and LOPDGDD compliance. This is not an academic exercise: each section ends with a concrete action.

The legal framework: arts. 87–91 of the LOPDGDD

The LOPDGDD (LO 3/2018) did not repeal Regulation (EU) 2016/679 (GDPR — General Data Protection Regulation) — which is directly applicable EU law — but complemented it at national level and added a Title X devoted entirely to digital rights. Within that title, Articles 87 to 91 refer exclusively to the employment context:

The repealed LO 15/1999 (LOPD — Organic Law on Data Protection) did not include any of these rights. It is the current LOPDGDD that introduces them for the first time with the rank of organic law, reinforcing the guarantees of Article 18.4 of the Spanish Constitution (limiting the use of computing to preserve citizens' honour and personal and family privacy) in the digital and employment context.

Article 87: privacy in the use of corporate digital devices

Article 87 of the LOPDGDD recognises workers' right to protection of their privacy when using digital devices made available by the employer. It establishes three essential requirements:

  1. The employer may access the contents of devices provided to the worker only to monitor compliance with employment obligations and to ensure the integrity of the company's information systems.
  2. The employer must establish usage criteria for those devices through collective bargaining or consultation with worker representatives, or unilaterally in the absence of such representation. Those criteria must specify, in particular, whether devices may be used for personal purposes and under what conditions.
  3. Workers must be informed clearly and precisely about the scope of the monitoring the employer may carry out and the means it may use. This information must be provided before any monitoring takes effect.

Case law from the European Court of Human Rights (Bărbulescu v. Romania, Grand Chamber, 2017) and the Spanish Supreme Court requires workers to have been warned in advance of the possibility of monitoring. Without that prior warning, evidence obtained through device monitoring may be declared null in disciplinary or judicial proceedings.

Concrete action: draft or update the corporate device usage policy, notify workers with acknowledgement of receipt, and retain proof of notification.

Article 88: the right to digital disconnection

Article 88 of the LOPDGDD is the most cited provision of Title X and, at the same time, the most frequently violated in practice. It recognises workers' right to digital disconnection to ensure, outside statutory or collectively agreed working time, respect for their rest periods, leave and holidays, as well as their personal and family privacy.

The article imposes two specific obligations on the employer:

What the internal digital disconnection policy must include

The LOPDGDD does not set an exhaustive minimum content, but the AEPD (Spanish Data Protection Authority — Agencia Española de Protección de Datos) and best-practice guides identify the elements an effective policy should cover:

The policy must be approved with the participation of worker representatives (works council, staff delegates or trade union section, as applicable), although the absence of legal representation does not remove the obligation: in that case, the employer must adopt the policy unilaterally and communicate it to all staff.

At Summum Consultoría we support companies in drafting and implementing their digital disconnection policy, including negotiations with representatives and integration with applicable collective agreements, across our five offices in Castilla y León and the Canary Islands.

Article 90: geolocation of workers

Article 90 of the LOPDGDD regulates the use of geolocation systems — GPS in vehicles, tracking applications on mobile devices, telematic route-monitoring systems — in the employment context. Location data processing is specifically mentioned in Article 4.1 of the GDPR as personal data, and large-scale processing may require a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR.

Article 90 of the LOPDGDD requires employers that use geolocation systems to:

  1. Inform workers in advance, expressly, clearly and unambiguously, about the existence and characteristics of the geolocation system.
  2. Inform them of their right to exercise the rights of access, rectification, restriction of processing and erasure in relation to the data processed (Articles 15 to 22 of the GDPR), within the framework of the monitoring functions provided for in Article 20.3 of the Workers' Statute.

Prior information is a validity requirement for the processing, not a mere formality. If a worker discovers they are being geolocated without having been informed, they may exercise the rights recognised in Articles 15 to 22 of the GDPR against the company and, if no satisfactory response is obtained, file a complaint with the AEPD.

Common mistake: installing a GPS in a company vehicle without including an information clause in the employment contract or in the vehicle handover protocol. The clause must state the purpose of the processing (monitoring professional activity, route optimisation, vehicle security), the data controller, the data retention period and the data subject's rights.

Article 89: video surveillance and sound recording in the workplace

Article 89 of the LOPDGDD allows employers to process images obtained through video surveillance systems to exercise worker monitoring functions, subject to the same limits and safeguards as Article 20.3 of the Workers' Statute. That ET provision authorises the employer to adopt whatever monitoring and control measures it considers most appropriate to verify that the worker fulfils their obligations, while respecting their dignity.

Article 89 introduces a specific rule on information: employers are relieved of the obligation to inform workers individually about video surveillance processing when the devices are installed in common areas of the workplace and the informative notice has been placed in a sufficiently visible location, identifying the existence of the processing, the identity of the controller and the possibility of exercising GDPR rights. This notice is the well-known «video-monitored area» sign.

However, the provision contains an important exception: this relief from prior individual notification does not extend to covert video surveillance (hidden cameras). Covert video surveillance is only permissible where there is well-founded suspicion of serious unlawful conduct by the worker, and always within the limits of the principle of proportionality. The AEPD and the courts have consistently required the measure to be appropriate, necessary and proportionate to the aim pursued.

Article 89 also expressly prohibits the installation of sound-recording systems and video surveillance in places designated for workers' rest or recreation, such as changing rooms, toilets, canteens or rest areas.

Article 91: digital rights in collective bargaining

Article 91 of the LOPDGDD recognises the right of workers and their representatives to participate in the negotiation of collective agreements that regulate the exercise of digital rights in the employment context. The provision entrusts social partners with the task of developing and adapting — through collective bargaining — the rights recognised under Title X to the specific characteristics of each sector and company, in particular those relating to device use, digital disconnection and monitoring systems.

Separately, it should be noted that working-time recording — mandatory since Royal Decree-Law 8/2019 amended Article 34.9 of the Workers’ Statute — generates personal data that must be processed in accordance with the GDPR. Attendance monitoring systems — physical timesheets, mobile applications, biometric readers — must rest on a legitimate legal basis (Article 6.1.c GDPR, compliance with a legal obligation) and the data collected must not be used for purposes other than those communicated to workers, who retain the right to access their records under Articles 15 to 22 of the GDPR.

Comparative table: employer obligations under arts. 87–91 LOPDGDD

Article Right recognised Main employer obligation Minimum document/action
Art. 87 Privacy in device use Regulate and communicate the scope of monitoring over corporate devices Digital device usage policy (notified and signed)
Art. 88 Digital disconnection Draw up an internal disconnection policy, after consulting representatives Digital disconnection policy (approved with representatives)
Art. 89 Privacy in relation to video surveillance and sound recording Display visible informative notice; prohibition of cameras in rest areas «Video-monitored area» sign per AEPD model + clause if audio is recorded
Art. 90 Privacy in relation to geolocation systems Inform workers in advance of the existence and characteristics of the GPS/telematic system Information clause in contract or annex + records of processing activities
Art. 91 Digital rights in collective bargaining Develop and adapt digital employment rights under Title X through collective bargaining Clause in collective agreement or company agreement on digital rights

The internal device usage policy: recommended minimum content

Articles 87 and 88 of the LOPDGDD converge on the need for companies to have an internal policy that coherently regulates both the use of digital devices and the right to disconnection. Although both obligations can be addressed in separate documents, many organisations opt for an integrated document covering both aspects.

The minimum content we recommend including — based on AEPD guidance and our accumulated experience supporting companies in their GDPR compliance — is as follows:

The policy must be permanently accessible to all workers (intranet, employee portal, digital notice board) and updated whenever the technology used changes, new applicable legislation comes into force, or worker representatives request a review.

Applicable penalty regime

Failure to comply with the employment digital rights regulated in Articles 87–91 of the LOPDGDD may give rise to liability on two distinct levels:

Under employment law, the employer's conduct may constitute a violation of the worker's fundamental rights (arts. 18 and 20 of the Spanish Constitution in conjunction with the Workers' Statute), which entitles the worker to bring proceedings for the protection of fundamental rights before the Social Courts.

Under data protection law, infringements are subject to the penalty regime of Article 83 of Regulation (EU) 2016/679 and Articles 70 to 77 of the LOPDGDD. Serious infringements (art. 83.4 GDPR) may be sanctioned with fines of up to EUR 10,000,000 or 2% of total annual worldwide turnover; very serious infringements (art. 83.5 GDPR), with fines of up to EUR 20,000,000 or 4% of total annual worldwide turnover, whichever is higher. The LOPDGDD, in its Article 74, classifies as a minor infringement the processing of personal data without complying with information principles where this does not affect fundamental rights, with fines of up to EUR 40,000.

The AEPD has published resolutions on covert video surveillance and geolocation of workers that illustrate how this regime is applied in practice. It is advisable to consult the AEPD's resolution search tool before deploying any digital system for monitoring work activity.

Frequently asked questions

Can the company read a worker's emails on a corporate phone?

Yes, provided the worker has been informed in advance of the scope of monitoring and the conditions of use of the device, in accordance with Article 87 of the LOPDGDD. Without that prior information, evidence obtained from corporate email content may not be admissible in disciplinary proceedings. If the worker was permitted to use the device for personal purposes, the employer may not access personal content without violating the right to privacy, unless there is well-founded suspicion of serious unlawful conduct and the measure taken is proportionate.

Does the digital disconnection policy require workers to reply to messages outside working hours?

No: the digital disconnection policy has precisely the opposite effect. Article 88 of the LOPDGDD recognises workers' right not to respond to professional communications outside their working hours. The internal policy must make clear that failure to respond outside working hours may not be sanctioned or assessed negatively. Line managers must receive specific training to avoid generating expectations of permanent availability, as an organisational culture that implicitly pressures workers to stay connected may be considered a violation of the statutory right, even if the company has formally adopted a disconnection policy.

Is it mandatory to display the video surveillance notice even if only the outside of the building is monitored?

Yes. Article 89 of the LOPDGDD requires the informative notice to be placed in a sufficiently visible location whenever cameras are in use, regardless of whether they point to the interior or exterior of the building. If exterior cameras can capture images of workers at the entrance, car park or surroundings of the workplace, data processing occurs in any case and workers must be informed. The notice must identify at a minimum the existence of the processing, the identity of the controller, and the link or reference where further information on exercisable rights can be obtained.

What happens if the company has no worker representatives and cannot negotiate the disconnection policy?

Article 88 of the LOPDGDD requires «prior consultation» with worker representatives, but does not make the validity of the policy conditional on the existence of such representation. Where the company has no works council or staff delegates, the employer may — and must — draw up and adopt the policy unilaterally and communicate it individually to all workers. It is advisable to document that consultation was attempted and to record the process followed. Some sector collective agreements already regulate the right to disconnection, in which case the company must at minimum comply with those conditions.