Processing personal data of vulnerable employees: lessons from the Spanish AEPD



Sandra Moran | Senior Data Protection Advisor

Date: 24 November 2021

The Spanish Data Protection Agency (AEPD) has released its Guidance on data protection and employment relationships, which aims to provide practical advice to employers on the processing of the personal data generated during the different phases of the employment relationship. Although the guidance focuses on the Spanish context, companies based in other jurisdictions may find it helpful too, since it refers to the basic aspects within the GDPR to be considered when processing employees’ personal data. Furthermore, the Guidance (Report 149 – 2019) provides useful insights and practical advice for employers regarding two sensitive topics: the processing of personal data related to victims of gender-based violence and the processing related to victims of harassment in the workplace, with their consideration as Special Categories of Personal Data as a basis.

This article uses the AEPD guidance to extract good practice lessons for all employers regarding the processing of vulnerable employees’ personal data.

Processing of personal data – victims of gender-based violence

As per the Spanish specific regulations regarding gender-based violence, victims of this kind of violence have several rights concerning employment relationships. These include rights connected to the modification or rearrangement of working time, transfer, suspension or termination of the contract. Therefore, the Employer may have access to and process the personal data of a worker [1], when this is necessary for the fulfilment of the relevant legal obligations arising from these rights. In such circumstances, the AEPD recommends that, to protect the personal data, the Employer should consider the following:

  • Only process these personal data in compliance with its legal obligations.
  • The source of the personal data should always be the victim. The employer may not require any information other than the accreditation of the employee’s status as a victim of this type of violence.
  • The Company records should use a code or any other reference that does not reveal to other persons or departments the employee’s situation as a victim of this type of violence.
  • Special measures regarding the confidentiality of the personal data should be taken.
  • The victim is entitled to exercise, at any time, the right to erasure regarding this personal data.

Processing of personal data – victims of harassment in the workplace

Under Spanish law, companies are required to detect and prevent any harassment practices and to ensure that any situations of harassment in the company are eradicated. Consequently, appropriate measures regarding the alleged harasser and the person experiencing harassment should be taken. This means that employers must also process personal data relating to those persons in accordance with data protection law, and the AEPD highlights the following:

  • The main legal basis for the processing of personal data regarding the implementation of disciplinary proceedings in the company against the alleged harasser would be “Compliance with a legal obligation”; however, the consent of the individual allegedly harassed will also be required where that individual testifies during disciplinary proceedings against the alleged harasser.
  • Only information relevant to clarifying the facts may be requested from the person allegedly harassed during the internal investigation, and that information should be processed only within the disciplinary proceeding, notwithstanding any other legal obligations which could arise from the investigation (for instance, where the law requires the involvement of an authority competent to investigate an alleged criminal offence).
  • In order to protect their identities, an identification code should be assigned to the individual allegedly harassed and the alleged harasser.
  • The right to erasure cannot be exercised if the Company decides to impose any sanctions on the alleged harasser, since the legal basis for the processing is not consent, but the processing is necessary for compliance with a legal obligation and for the performance of the employment contract, which includes the power to impose disciplinary measures.


Although this guidance is focused on Spain, it contains lessons for any organisation processing data of vulnerable employees, including any necessary processing of special categories of personal data. Applying these recommended steps proactively can help an organisation to prevent future headaches, comply with data protection requirements, and minimise the risks for the employees and for the Company itself. Therefore, when processing vulnerable employees’ data, it is important for organisations to:

  • Review the local context and the applicable laws, in order to be aware of the responsibilities and duties that can arise from them.
  • Keep track of the decisions, guidance and reference documents issued by the Supervisory Authorities.
  • Define the purpose of the processing and determine the appropriate legal basis accordingly.
  • Map the type of personal data being processed, with special attention to the aspects that could lead the organisation to process special categories of personal data where it may not have been initially anticipated.
  • Conduct regular reviews to ensure continued compliance.


Trilateral’s Data Governance and Cyber Risk Team has extensive experience supporting organisations undertaking complex projects to comply with their data protection obligations. We offer a range of data governance services, including compliance support and updates regarding opinions published by the Data Protection Supervisory Authorities. Please feel free to contact our advisors, who would be more than happy to help.


[1] NB: A particularity of Spanish law is that it only recognises women as victims of gender-based violence.
