Transactions September 2019

The renewable energy boom and the “saturation” of the electricity network

Combination of the obligation for recording of the working day and protecting the personal data of employees.

The renewable energy boom and the “saturation” of the electricity network.

By David Diego

In recent years, renewable energies have emerged strongly in the Spanish electricity market, highlighting the boost in solar energy which, due to its low implementation cost compared to other sources of electricity production and its reduced environmental impact, has positioned itself as one of the fastest-growing sources of electricity production in Spain.

But this revival of renewable energy in Spain has not only brought positive effects, it has also resulted in a renewables “boom” and blatant speculation on renewable electricity production projects. This speculation is obvious to see in the number of megawatts (“MW”) for which permits have been requested in order to access and connect to the electricity network; in the words of the National Commission on Markets and Competition (“CNMC”), the requests to access and connect to the electricity network in 2019 are growing at a rate of 15 gigawatts (“GW”) per month.

In line with this, REE [the Spanish Electricity Network] announced on its website that 26.3 GW of renewable energy had not been granted access and connection to the electricity network, either because there is no capacity in the requested node, or because access is requested to an unplanned substation.

It all indicates that there really is a speculative market on connection points to the electricity network, where sponsors request connection points to the electricity network without having made a real business plan on the projects in question, with the sole intention of selling these connection points, which, if the trend is not stopped, may lead to a renewables “bubble”. This speculation makes it difficult to obtain connection points to the electricity network for well-established renewables projects, for which a viable business plan has been developed and which are bankable.

In order to try to limit the aforementioned speculation on the connection points to the electricity network, the CNMC has developed a draft circular that establishes the methodology and conditions of access and connection to the transport and distribution networks of electricity production facilities. In the explanatory report to its proposed circular, the CNMC indicates that in April 2019 there were nearly 50,000 MW with access granted to the electricity transport network, corresponding to uncommissioned installation projects.

Once the aforementioned CNMC circular is approved, it will be possible to analyse whether it succeeds in its objective or whether instead it will be necessary to adopt additional regulations limiting the current renewables speculation in the Spanish electricity market.

Combination of the obligation for recording of the working day and protecting the personal data of employees.

By Alejandro Ferreiro

Following the entry into force on 12 May 2019 of Royal Decree-Law 8/2019, of 8 March, on urgent measures for social protection and against precarious work in the working day, which modified Article 34 of the Workers’ Statute Act, all companies are obliged to ensure there is a daily record of their employees’ day, including the specific times at which their day started and ended, without prejudice to existing time flexibility.

This new piece of legislation has meant that all companies and entities that were not recording their employees’ working day have now had to implement new recording systems in order to comply with the mentioned obligation. However, one aspect that many companies are still ignoring is what employee data protection implications may entail from the implementation of this type of recording system.

Given that the regulation does not stipulate a specific way of recording the employee’s day, requiring only the reliability and invariability of the data, businesses are free to decide which system to use, whether they are manual, analogue or digital systems. In this sense, and depending on the system used, the monitoring and recording of the day may involve the processing of sensitive personal data, such as fingerprint or facial recognition. Furthermore, and since companies shall be obliged to retain documentation relating to the controls for 4 years and make them available to the workers themselves, to the Workers’ Legal Representation and to the Labour Inspectorate, the legal obligation to record the day must be combined with the principles of protecting employees’ privacy by protecting their personal data.

In May this year, the Spanish Data Protection Agency (“AEPD”) itself issued a statement asking companies to ensure that the systems used to perform the control of the working day should be as unintrusive as possible to the privacy of their employees. In this sense, the AEPD was keeping in mind that companies are not obliged to ask their employees’ consent to conduct the time control, but they do have to inform them diligently about the processing of their personal data and the purpose for which they are to be used.

Therefore, and in order that this type of working day recording system does not conflict with the Data Protection regulations, the following factors should be considered:

• As the AEPD said in its statement, it is not necessary to obtain the employee’s consent to install and use the working day recording systems as the company can rely on its compliance with a legal obligation to process such data. However, that does not mean that the company is not obliged to inform its employees of the existence of the recording system, of the type of data it collects and of how that data will be used. Therefore, employees must be informed in advance of the new day recording obligation, individually, detailing what type of data will be provided, how it will be collected, and how the data will be processed.

• The data collected must respect the minimisation or proportionality principle established in both the European Union General Data Protection Regulation (“GDPR”) and in the Organic Law on the Protection of Personal Data and Digital Rights. In this sense, only data that is strictly necessary to fulfil the intended purpose should be collected and must be justified. That’s why the control system that the company decides to install must be the least intrusive with respect to employees’ privacy and rights.

In this sense, it will be necessary to perform an analysis of the new processing of personal data to be performed and, eventually, conduct an assessment of the impact it may have on the privacy of employees. In this analysis, special attention should be paid to, amongst other aspects, the type of data used (e.g. biometric data), the contracts agreed with the suppliers of the working day recording system or the possible installation of working day recording systems on the employees’ work devices, especially in relation to the policy on using the company’s technological resources that each company has approved.

• In this sense, the AEPD indicates that the use of biometric systems for recording the working day is permitted, but only provided certain guarantees are met. It should be noted that a fingerprint is an example of biometric data (as is the iris of the eye, detected through an eye scanner), classed as “special category” data in the GDPR. Personal data encompassed in “special categories of data” is data that, by its nature, is particularly sensitive in relation to fundamental rights and freedoms and, therefore, deserves special protection as the context of processing it may entail risks to fundamental rights and freedoms. This means that it is personal data for which more intense protection should be applied (other examples of special data are political ideology or sexual orientation). As biometric data is specially protected, it is necessary to strictly comply with the principles of legitimacy and minimisation. If biometric data is processed, the safeguards that must be applied to protect such data are:

  • Encryption of data.
  • Storage of data in non-centralised systems.
  • Biometric data may not be used for other purposes than those for which it was collected.

• Finally, and in case a mobile application is used to undertake the working day recording, in addition to the aforementioned, the right to the digital disconnection of employees must be permitted. In this sense, if employees are no longer within their working day, geolocation of employees by these apps should be avoided.

It should be noted that in the event of improper use or installation of the company’s time control recording or subsequent processing of the data, employees may file a complaint with the AEPD, and the company may be sanctioned in accordance with the Law on the Protection of Personal Data and Digital Rights. Therefore, we encourage all companies to review their working day recording mechanisms to verify their compatibility with data protection legislation.