Alberto Muñoz Hidalgo, a lawyer with more than 20 years of experience, has been working in SENASA's Legal Services and Consultancy since 2008 and has been the company's Data Protection Officer (DPO) for more than two years. In this interview with MEET OUR TEAM, Alberto Muñoz explains the importance of the protection of personal data in the workplace and the growing legislative relevance of this legal area of the company, since its compliance concerns all natural and legal persons.
What does the personal data covered by this protection relate to?
Personal data refers to any information relating to an identified or identifiable living natural person, i.e. it is inherent to human beings, not to companies. These include, but are not limited to, first and last name, address, national identity card number, internet protocol (IP) address, biometric data, date of birth, geolocation or identification of a person's face through a photograph or video.
Personal data in one form or another are present in our daily lives, whether in our work environment or outside it, manifesting themselves, as we see, in different ways.
To put this in context, how is such personal data legally protected?
To begin with, in Spain, personal data are protected in the Spanish Constitution itself, and not in any part of its articles, but in the part reserved for the so-called Fundamental Rights, which are those with maximum constitutional protection, as they are considered to have a higher legal value.
As a result of this classification of personal data as a fundamental right, its regulatory protection of development must necessarily be carried out through an organic law. In this regard, the 1982 Organic Law on the civil protection of the right to honour, personal and family privacy and one's own image stands out, in order of seniority.
A fundamental step in trying to harmonise the different European legislations through a common framework is the European data protection regulation of 2016, which came into force two years later. As it is mandatory in all European Union countries, in the case of Spain, Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) was enacted. Both regulations have been a milestone in this area due to the evolution they have entailed when it comes to facing the numerous challenges and risks that are increasingly latent in today's society. Some examples are the increase in cross-border flows of personal data, globalisation, the rise of the internet, technological evolution, social networks and the fact that any person nowadays has real-time access to a photo and video camera via their mobile phone, with the implications that this may entail if used too loosely.
The protection of personal data also extends to the criminal sphere, so it is important to note that our Criminal Code devotes a chapter to the discovery and disclosure of secrets. Therefore, depending on each particular case, the legal protection of the personal data breached may be determined in administrative, civil or even criminal proceedings.
Finally, another aspect that seems important to highlight is the publication, in February 2023, of the law regulating the protection of those who report regulatory infringements and the fight against corruption, known as the "Whistleblower Protection Act". Among other issues, it entails the need for the DPO - the figure of the Data Protection Officer in the organisation - to ensure that the company adopts effective measures to preserve the identity and consequent integrity of the worker who reports any irregularity, offence or crime committed within the company, against him/herself or third parties, by workers or the company's own management.
This has involved the internal reformulation of the internal reporting channel, through the creation of a mailbox to which reports, complaints, queries or suggestions can be sent (anonymously or not), with the company's obligation, through the Ethics and Compliance Committee (CEC), to investigate and resolve them proactively, taking the utmost care to scrupulously respect the personal rights of the people affected.
In order to comply with this regulation, what is the role of the Data Protection Officer at SENASA?
The DPO, as a mandatory figure for a company such as SENASA, is the natural person in charge of informing and advising on how the personal data of a company is treated, supervising and verifying compliance with the provisions of the legislation regarding the protection of the same. It is also the liaison point with the Spanish Data Protection Agency, which is the highest administrative authority on the matter at national level.
To this end, the DPO has a transversal function in the organisation; he/she must have access to the information requested from any department in order to ensure regulatory compliance in each area of the company, advise and issue recommendations for improvement or correction, as well as review all documentation requested or considered appropriate.
Given that to a greater or lesser extent all SENASA professionals manage personal data in their daily work, the DPO not only advises the company's managers and departments on personal data protection, but also each and every one of the people who make up the company. It is essential to know what can be done and what should not be done, the precautionary measures to be taken, and in each specific case how to combine the development of work, commercial or trade union activity with concepts such as privacy, secrecy, professional secrecy, confidentiality, intimacy...
The DPO is an independent figure within the organisation; rigour and objectivity must govern his actions when issuing reports, answering any queries or processing complaints or reports, and he must respect and collaborate with his supervision.
What is the current status of SENASA's personal data protection policy?
For months, the Protocol of Action to exercise the Rights of Protection of Personal Data has been available both on SENASA's website and on our internal portal ALDIA; it is applicable to any person who has or has had some kind of contractual relationship (employment, commercial, training...) with SENASA, as the entity responsible for the processing of these personal data. We also regularly review and update the company's privacy policy.
Given its global importance, the protection of personal data is also present in the drafting of important documents such as the Information Security Strategy 2022-2026, the Information Security Policy, the SENASA Code of Ethics, the Criminal Risk Prevention Manual and in the Internal Information System (the aforementioned Management Procedure for the Reports, Complaints, Queries and Suggestions Mailbox) as a result of the aforementioned "Whistleblower Protection Act", which also affects the labour field as protection for reporters of any irregularities, infractions or offences.
In addition to this, there is the preparation of the Security Document of the Personal Data Processor for the Aviation Safety and Security State Agency (AESA), SENASA's main client and for whom we act in the field of personal data protection as data processors, on the basis of the numerous annual contracts signed.
All this documentation is available on SENASA's website and on the intranet for its staff, accessible to everyone, as its compliance and observance concerns all the professionals who make up the company.
What possible developments could be expected in SENASA in terms of personal data protection policy?
In the near future, documents such as the Employee Information Security Standards or the Security Breach Protocol, currently in the approval process, will be published. In this sense, SENASA's certification in the National Security Scheme, even more so as it is a public sector company, will be a very important milestone in terms of security and protection of information within our systems and scope.
Likewise, the number of queries I have received over the years has gradually increased. Different areas and employees are showing me their concern about working correctly from the point of view of personal data protection; they want to know what they can and should not do, how they can proceed to act, but in an appropriate way, as this is also in their interest.
However, it would be desirable to adopt an even greater collective awareness, at all levels of the organisation, to stop to ponder and assess before acting whether what is intended to be done affects in any way the protection of personal data and the security of information that may entail internal or external effects (information leakage / security breach). This is particularly important because of the possible legal implications and conflicts with different audiences (customers, students, suppliers, and even employees themselves), as we must not lose sight of the fact that behind concepts such as "personal data", "information security" or "security breach" there are people.
With regard to this awareness, it is essential that we all generate a climate and culture of personal data protection, both in terms of strictly work-related aspects and in our personal relationships. In this field, prevention and caution are more than advisable, and thankfully we are facing a legal area that is socially acquiring the importance of its own normative regulation.
Accessing all this is not complicated, since anyone who wishes to resolve doubts, or send a suggestion, query, complaint or report related to personal data, its processing and protection, can do so through various channels of communication available, very accessible and intuitive, both through the email of the DPO and from the Privacy Policy section of the SENASA website and the internal portal. Likewise, even when all kinds of issues are reported to the CEC, anyone can be sure that the DPO himself will ensure that the procedural premises relating to the privacy and processing of their personal data are complied with, with the maximum confidentiality of such communications.