Before developing the issue in question, it is important to mention that in Guatemala there is no law that specifically regulates the protection of personal data. The Law on Access to Public Information[i] establishes certain important parameters related to the matter (personal data, habeas data, confidential information, treatment and access to personal data, among others), however, such content refers from the perspective of the treatment of personal data by public or state registries. Thus, there is currently a legal vacuum in the absence of a law regulating the processing of personal data by private parties and, consequently, with regard to the right to data protection[ii].
In labor matters, personal data constitute valuable information for employers during the work relationship and daily labor activities, since the data obtained about workers and those who will apply for a certain job tend to support the selection of candidates, comply with legislation, support the information and promotion of personnel, quality control, among others.
In this regard, even though Guatemala does not have a law regulating data protection, there is sensitive information[iii] that can be used in this regard, both of the worker and of the job candidate. For this reason, for a proper treatment of personal data, it is necessary to know the specific case and the job, position or commission to be performed, and to know whether the data collected from the candidate are suitable, proportional or whether they violate the rights of the worker and/or candidate.
During the pre-contractual stage, candidates’ data tend to be of a sensitive nature, since the racial or ethnic origin, present or future state of health, religious beliefs, political opinions, sexual orientation, among others, are usually consulted. However, the collection of this data only takes place under certain circumstances that are fully justified, depending on the type of work involved, the position or the context. In such a way that it is necessary that the candidate can provide express authorization and consent to the processing of their data, which must be intended solely and exclusively for the purpose for which they were collected.
In case the personal data of workers are collected by third parties outside the employer, the worker must be informed, who must also give his explicit consent. The statement authorizing the employer or another organization to collect personal data must be drafted in simple terms, with specific mention as to who will be the organization or person collecting the data, the data to be collected, the purpose and preferably the period of time for which the data may be used.
Now then, during the development of the work relationship, the personal data of the workers may be subject to changes, so those changes that affect the treatment of personal data must be informed to the workers and likewise, the worker has the right to consult what data the employer has about him/her, to rectify or update any data as well as to the exclusion of sensitive information that may affect his/her privacy and in which he/she has not given his/her express consent.
Among the responsibilities that the employer acquires when dealing with sensitive data of the workers is to have a system (preferably electronic) that allows that the data will not be used or disclosed by persons other than those who have such responsibility. The above, in order to prevent the information from being used by a third party who is not authorized to process it and to prevent it from being used for a purpose other than that for which it was obtained. Likewise, the persons in charge of the processing of personal data must periodically receive training to enable them to understand the process of obtaining and processing personal data and, consequently, to acquire the obligation of confidentiality.
Finally, in the conservation of workers’ personal data at the time of termination of the employment relationship, these must be used for the purpose for which they were intended and the same must not be communicated to third parties without the express consent of the workers, unless so required or authorized by law, or the continuation of the employment relationship. As for the time of conservation, the personal data of the workers must be kept only for a justifiable period; unless the worker gives his express manifestation to be included in the list of candidates for upcoming job opportunities within the company.
Consequently, the employer must ensure that the processing of workers’ personal data before, during and upon termination of the employment relationship can be carried out in a fair and lawful manner and be limited exclusively to matters directly related to the worker’s employment, and must obtain the express consent of the worker. In such a way that the employer must make sure that the personal data are not used for a different purpose, adopt the necessary measures for the protection and treatment and custody of these and ensure that the personnel who directly treat the data keep strict confidentiality.
In order to avoid misuse of the processing of workers’ personal data, it is advisable that a data protection policy be prepared to regulate the procedure from obtaining the worker’s consent, the conservation of data, to delimiting who is the personnel responsible for the processing of such data, who, if they do not keep the required confidentiality, may be subject to sanctions in order to protect the sensitive information provided by the worker.
[i] Decree number 57-2008. Congress of the Republic of Guatemala. “Law of Access to Public Information”.
[ii] Diana De Mata Ruiz. “La privacidad de datos en Guatemala y los derechos fundamentales que se derivan de la misma según la jurisprudencia de la Corte de Constitucionalidad” (Data privacy in Guatemala and the fundamental rights derived from it according to the jurisprudence of the Constitutional Court). Availability and access at https://consortiumlegal.com/en/la-privacidad-de-datos-en-guatemala-y-los-derechos-fundamentales-que-se-derivan-de-la-misma-segun-la-jurisprudencia-de-la-corte-de-constitucionalidad/
[iii] Article 03 of the Law on Access to Public Information defines “sensitive data or sensitive personal data” as personal data referring to the physical or moral characteristics of individuals or to facts or circumstances of their private life or activity, such as personal habits, racial origin, ethnic origin, political ideologies and opinions, religious beliefs or convictions, physical or mental health, sexual preference or life, moral and family situation or other intimate matters of a similar nature.