Data protection as a guarantee in cyberbullying prevention policies in the workplace: AEPD recommendations
We analyze the most important aspects included in the new AEPD recommendations guide: Data protection as a guarantee in cyberbullying prevention policies in the workplace.
Conduct constituting cyberbullying
The emergence of the Internet and the development of Information and Communication Technology (ICT) has led to the development of new criminal conduct and new forms of violence which, encouraged by social networks, the massive use of mobile devices, the existence of global search engines that offer instant information and the difficulty involved in removing it from the online environment, the possibility of this information traveling anywhere through instant messaging, anonymity with the creation of false profiles that encourage impunity, etc., have been proliferating and increasing in this environment over the years.
These threats and criminal behaviors have not only affected the social environments of an individual, but have also reached the workplace, where there are also forms of digital violence such as, for example, sexual harassment, workplace harassment, etc.
In this sense, behaviors related to sexual harassment, harassment based on gender, sexual orientation or gender identity, race, religion, etc., when these behaviors are carried out through online environments and digital media (i.e., for example, the recording, publication, and dissemination of videos and/or images/photographs that affect the intimate sphere or the freedom of a person) can be considered as cyberbullying in the workplace.
This type of cyberbullying conduct may occur between people with the same or different hierarchical level within the company or organization, and may or may not have a relationship of dependence in the performance of their duties between them, but always constitute harassment when there is a position of power of any kind on the part of one of the individuals with respect to the other.
It is understood that both when degrading content that violates the dignity of the affected person is sent to the person concerned, as well as the fact of disseminating this information of the person, especially videos or images, are both behaviors constituting cyberbullying, and this provided that an attack on the dignity and sexual freedom of the persons concerned can be deduced from its nature.
In addition, it is important to emphasize that not only is the commission of these acts of cyberbullying illegal, but the fact that the company or organization in which this case of cyberbullying has occurred knows of its existence and does not act accordingly to eradicate this fact would also be unlawful, as it contravenes the regulations on prevention of occupational hazards.
Mechanisms to address harassment situations in the workplace
The protection of the health and safety of workers was born with the entry into force of Law 31/1995, of November 8, 1995, on the prevention of occupational hazards, which established the obligation to safeguard workers in the development of their work within the company or organization, considering that harassment at work constitutes not only a psychophysical risk for the worker, but a real attack on health and safety at work.
Given the evident difference in the number of cases of harassment at work that existed in the case of women with respect to men, in 2007 Organic Law 3/2007, of March 22, for the effective equality of women and men came into force, so that companies with fifty or more workers must approve an equality plan, whose minimum content must include the prevention of sexual harassment and harassment for reasons of sex.
In short, both in private companies and in the field of Public Administrations, the development of new technologies and the appearance of new manifestations of workplace harassment and sexual harassment, it was advisable to address this dimension by incorporating in their protocols or prevention mechanisms specific measures aimed at safeguarding the fundamental right to data protection.
Therefore, in compliance with the functions attributed to it by Regulation (EU) 2016/679, and in particular Article 57 thereof, the Spanish Data Protection Agency makes a series of recommendations or provisions to be included in prevention policies, specifically aimed at eradicating workplace harassment and sexual or gender-based harassment, when the harassing conduct occurs through the processing of personal data that affects the privacy and intimacy of the persons affected.
Incorporating data protection into cyberbullying prevention policies. Recommendations
Declaration of commitment to the prevention and eradication of cyber-bullying
The company or organization may include in its internal protocols a statement by means of which it commits to develop policies for the prevention and eradication of cyberbullying, gender equality and data protection.
Likewise, this statement will reflect the rejection of the company or public entity to the use of personal data when its purpose is to engage in sexual harassment or any kind of harassment, as well as any use of such data that is contrary to the right to privacy and intimacy, or that involves an action that is intended to disrespect, degrade or humiliate its employees.
In other words, the entity must thus acquire the commitment to prevent, raise awareness and act in cases where it becomes aware of cyberbullying, whether sexual (sexual harassment through networks and/or dissemination of videos/images in relation to a person’s sex life), or labor (creation of a hostile environment for the employee).
An example of such a statement could be:
“(Name of the organization) expresses its profound rejection of workplace harassment and sexual or gender-based harassment and its commitment to the prevention and eradication of these behaviors. (Name of the organization) is strongly opposed to the use of personal data involving unlawful data processing, which could undermine the right to privacy and intimacy of employees.
(Name of the organization) is firmly committed to the protection of personal data, necessary to safeguard the fundamental right to honor and personal and family privacy of individuals. Consequently, (name of the organization) will respect the principles of Article 5 of the General Data Protection Regulation and will minimize the processing of personal data of its employees that may increase the risk of conduct constituting harassment. In any case, it shall take into account the possible impact in terms of gender of the processing operations it carries out”.
Measures aimed at the prevention of cyberbullying
As part of the duty to ensure occupational health and safety, it is understood that the company or organization has the obligation to train its personnel regarding conduct constituting workplace harassment and sexual or gender-based harassment, as well as the appropriate and respectful use of social networks and ICTs in accordance with the fundamental right to the protection of privacy.
That is why some of the prevention policies to be implemented within an organization would be: to have a cyberbullying prevention policy that includes a description of inappropriate conduct in the use of new technologies, and of conduct that may give rise to a situation of harassment at work or sexual or gender-based harassment, to provide information on the possible mechanisms for reacting to the processing of personal data that may involve a situation of harassment, etc.
Measures aimed at the eradication of cyberbullying
On the one hand, organizations have the duty to collaborate with the competent authorities for the eradication of these situations such as the AEPD, the FCSE, the judicial authorities, as well as the duty to report when they are aware of situations of cyberbullying within the scope of the company.
In addition, entities have the duty to implement the action mechanisms provided for in their harassment prevention policies, initiating the relevant disciplinary actions against workers who carry out these behaviors and informing them of the possible legal consequences and liabilities they may incur.