Training companies and data protection
Training companies and data protection
In this post we analyze the relationship between training companies and data protection.
Outsourcing employee training to a training company is an attractive option for companies due to several factors, mainly because it allows companies to focus on their core activities while the responsibility for training is delegated to experts ensuring training success and thus improving the overall efficiency and performance of the organization.
In addition, by outsourcing training, companies can reduce operating costs by avoiding the need to maintain an in-house training department, while enjoying greater flexibility to adapt to the changing needs of the market and their workforce.
Regulatory Compliance of Training Companies
In the digital era, where information is an invaluable asset, the application of personal data protection regulations has become a primary concern, both for training companies, for the participants of the training actions (the employees) and for the client companies that contract training for their employees.
In this context, training companies are in a particularly sensitive position, since they handle the personal data of employee-pupils, sometimes processing special category data. sometimes special category data.
Compliance with data protection regulations is crucial for training companies. In Spain, these organizations must ensure that their practices comply with the provisions set out in the General Data Protection Regulation(GDPR) and the Data Protection Law(LOPD).
This involves adopting appropriate technical and organizational measures to ensure the security of employee data and that all processes are fully compliant with data protection and other sectoral regulations, as in the case of:
Law 30/2015, of September 9, which regulates the Vocational Training System for employment in the workplace.
Royal Decree 694/2017, of July 3, which develops Law 30/2015, of September 9, which regulates the Vocational Training System for Employment in the labor field, in relation to the training offer of the competent administrations and its financing, and establishes the regulatory bases for the granting of public subsidies aimed at its financing.
Order TMS/368/2019, of March 28, which develops Royal Decree 694/2017, of July 3, which develops Law 30/2015, of September 9, which regulates the Vocational Training System for Employment in the workplace, in relation to the training offer of the competent administrations and its financing, and establishes the regulatory bases for the granting of public subsidies aimed at its funding
Figures existing in a formation
In the area of worker training, there are different actors, mainly the following:
The company
It is responsible for planning and managing employee training.
The company may provide the training itself or through a third party (specialized training company).
In the case of contracting a training company, the company will assume the coordination of the training.
Employee representation
They are entitled to exercise the legally established rights of participation and information.
Workers
The participants of the training actions.
Training company
Who provides training to employees
FUNDAE
Fundación Estatal para la Formación en el Empleo, in charge of promoting and coordinating the implementation of public policies on Vocational Training, in the field of employment and labor relations (e.g. training subsidies).
Role of the Training Company
If the training Company is the one that collects the personal data of the workers itself, it will act as the Data Controller.
If the Company transfers its employees’ data to the Training Company, this is a case of data transfer, therefore the Company is the Transferor and the Training Company the Transferee, but both will act as Data Controllers.
This position is also defended by the AEPD in response to a query from a training company, resulting in the publication of Report 0143/2010, prior to the adoption of the current LOPD, but whose legal basis may still be fully applicable.
With regard to the Company’s provision of training, this Report states textually:
“In the present case, the consulting company, insofar as it has to carry out the training action and, consequently, the delivery of the training courses object of the public aid, will be responsible for the file referring to the workers to whom said action is addressed, deciding, in relation to the purpose of the said delivery, on the content and use of the treatment.“
In the same way, it is manifested when the training company manages the bonus of the courses requested by the company for its employees:
“The grouped companies make the transfer of the personal data of the workers necessary for the organizing entity to carry out the management and processing of the bonuses in their respective contribution bulletins, so that such communication of data could be included in Article 11.2 c) of the LOPD.
This leads us to the conclusion that we are dealing with a communication of data and that the consulting center will assume the condition of data controller“.
The Report also warns that training companies do not act only under the guidelines of the Company that contracts the training services to a third party, but can be considered to go beyond that, transcending such instructions, so they would be equally responsible for the treatment.
In the event that the Company hires the services of a third party (it could be a training company), only for the processing of training subsidies before FUNDAE, i.e., it will not provide the training, whoever manages these subsidies will have the status of Data Processor, being necessary to regulate the relationship, as established in Article 28.3 of the RGPD.
Other issues to be taken into account by the training company:
Data protection regulations also oblige training companies to review and adjust their data collection and storage practices, ensuring that they only collect information that is necessary and relevant to their operations, limiting the amount of personal data they handle and thereby minimizing the risks to the security of the data processed and complying with the guidelines legally established in these regulations.
In addition, they must implement robust security measures to protect this information against unauthorized access, loss or alteration of data. This implies the development of security policies by the management body of these training companies.
Worker-students
A fundamental part of data protection law is the right of trainees to control their personal data and training companies must obtain explicit consent from trainees to collect, process and store their data.
If employee data is transferred to the trainer by the Training Company, such transfer should be done with the prior consent of the employees, mainly because disability data may need to be communicated.
To take into account prior and express consents to publish their images, record training sessions for third parties to view, etc.
In addition, they must provide mechanisms for students to exercise their data protection rights, as stipulated by law, and all this requires the implementation of management systems for the correct information on data protection and legally accepted procedures for obtaining the consent of students.