CAE and data protection

CAE and data protection

The CAE generates numerous queries on data protection.

The CAE (acronym for Coordination of Economic Activities) generates a large number of queries regarding data protection, especially due to the doubts regarding the transfer of workers’ data that client companies are obliged to make in order to carry out certain works in their facilities, which is why we will resolve the most common doubts in this article.

What is the Coordination of Economic Activities (CAE)?

The CAE refers to the management and organization to be carried out by several companies working in the same workplace, being especially relevant in the context of occupational risk prevention and occupational safety.

It is common in sectors where there is a concurrence of several companies, such as construction, industry, logistics and services, and its objective is the prevention of occupational hazards through collaboration and effective coordination among all the companies involved.

Therefore, a CAE is regulated by Article 24 of Law 31/1995, of November 8, 1995, on Occupational Risk Prevention(LPRL).

Obligations to comply with the CAE

Prior to hiring:

The employer in charge of the work center must verify that the subcontracted company complies with the obligations established in labor matters, such as, for example, knowing whether the subcontractor is up to date with the obligations of occupational risk prevention with its workers (art. 42 of the Workers’ Statute).

The main contractor is jointly and severally liable for the salary and Social Security debts incurred by the contractors and subcontractors during the term of the contract, in accordance with the provisions of art. 168 of the revised text of the General Social Security Law.

According to the above, it is obvious that the owner company must be able to demonstrate compliance with the legal obligations of the subcontractor, which is why it is necessary to request the subcontracted company to transfer the data of its workers.

In these cases, it is not necessary to have the consent of the workers regarding the transfer of their data to the main contractor, since the legitimacy for such processing is found in art. 6.1 c) RGPD, where the processing is necessary for compliance with a legal obligation applicable to the data controller.

Documents that may be requested at this stage prior to outsourcing may include:

  • Contribution documents: RNT (Nominal List of Workers). It should be noted that the information will only be provided for those workers who are subcontracted, and not for the total personnel of the subcontracted company.
  • Payroll
  • Health data: here the processing would be legitimate according to art. 9.2 b) RGPD and art. 6.1 c) RGPD.
  • Data on union membership of personnel

Subsequent to subcontracting:

Since the principal employer is jointly and severally liable with the subcontractor for compliance with Social Security obligations during the time the subcontract is in force, the documents that may be requested at this stage after subcontracting are:

  • Quotation documents
  • Payroll

The transfer of personal data is covered at this stage by the revised text of the Workers’ Statute and the revised text of the General Social Security Law.

Data protection in the CAE

We must start by saying that each company is responsible for the processing of its employees’ data, when deciding the purpose of the processing, storage period, exercise of data protection rights, among others.

Based on this premise, in the use of tools to carry out CAE, it is very important that the necessary guarantees for the protection of personal data are respected and applied.

The principle that should permeate all data transfer in the case explained above is that of data minimization; that is to say, only those data that are strictly essential to comply with the obligations imposed on us by the labor field should be transferred, without thereby undermining the rights and freedoms of workers.

Data minimization, in addition to implying that only data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (art. 5.1 c) RGPD) are processed, also refers to the fact that it is only legitimate to process the data of those workers who are part of the subcontractor, and not of the rest of the personnel that make up the structure of the subcontracted company.

Business Adapter® at your service

If you are not sure what information you should provide to the CAE or main contractor, have doubts about how to comply with your data protection obligations in an outsourcing situation, contact us by email: info@businessadapter.es, you can also call 96 131 88 04, or leave your message in this form:

[su_button url=”https://businessadapter.es/contacto” target=”blank” background=”#f6f903″ color=”#181818″ size=”7″ center=”yes” icon_color=”#000000″]Contact us, we will be pleased to help you.[/su_button]

Contact us, we will be pleased to help you.
error: Content is protected !!