COVID-19: Recommendations of the Spanish Agency for Data Protection in situations of mobility and telework

Due to the emergency situation caused by COVID-19, many companies have had to implement telework measures urgently and extraordinarily to adapt to these circumstances and continue their business activity. However, if these measures are not implemented correctly, they can lead to serious dangers for the security and confidentiality of the data, of which the company still remains the controller of their treatment.

The Spanish Data Protection Agency (AEPD) has published on its website a compilation of recommendations aimed at both companies and workers that we summarize below and that you can find here.

Recommendations for data controllers

The AEPD groups these guidelines under the need to collect these situations expressly in the privacy policies of the companies and in the preparation of the corresponding security protocols.

Likewise, it is recommended that trustworthy IT service providers are used and that they offer guarantees, avoiding the inappropriate exposure of personal data.

Access to information must not be unlimited, but must be articulated at different entry levels according to user profiles.

Companies should periodically review the equipment and devices at the level of antivirus, software, and installed applications, as well as it is highly recommended to install information encoding programs, among others.

Companies can monitor the activity of employed personnel in order to identify abnormal patterns of behavior in the use of the network in the framework of remote access. If these monitoring activities are also used to verify compliance with the work obligations of the staff, the employee staff or their legal representatives must be previously informed of this, always respecting the digital rights established in the LOPDGD, especially the right to privacy.

Finally, remind companies that the establishment of measures that tend to protect the personal data being processed and the potential risks to which they may be subjected due to remote accesses, must be done in a manner proportional to the benefits that precisely these inputs grant them.

Recommendations addressed to personnel participating in treatment operations

Recommendations to staff must be included in the company's Privacy Policy or in an express document that regulates teleworking. They basically refer to the need to maintain an optimal level of security comparable to that which would exist if the treatment were carried out on the business premises.

The staff employed must respect the Guidelines that the company has established in these areas, which aim to guarantee the protection of the devices used by the user against third parties outside the activity. There is also an impact on the use of secure connection networks and the custody of information in secure environments.

In the event of any suspicion of bankruptcy of the information security that the user may have, it is very important to immediately notify the person in charge.

For any questions, you can contact our Data Protection Department (


Keep reading

View all
April 16, 2020

We miss you, but we’re still with you

We have been in a situation for weeks, that we never would have imagined we would be in, let alone so suddenly. The current circumstances are not being easy for anyone, and many of us continue these weeks our working day confined to home, in improvised work spaces and adapted to new routines and new channels of communication with colleagues.

Read more