Spain's Supreme Court (Sala de lo Social) on March 12, 2026, issued a ruling that forces EasyJet Airlines Spain to publish cabin crew seniority lists on its corporate intranet using workers' real names, overturning a lower court decision that had allowed the airline to substitute names with 12-digit numeric codes. The judgment, numbered 278/2026 and carrying the reference STS 1215/2026 (ECLI:ES:TS:2026:1215), touches on a genuinely contested area: where the obligations of a collective bargaining agreement intersect with the data minimization principles of the General Data Protection Regulation.

The case began with a dispute between the Unión Sindical Obrera - Sector de Transporte Aéreo (USO-STA) and EasyJet Airlines Spain Sucursal en España. USO-STA filed a collective labor dispute at the Sala de lo Social of the Audiencia Nacional, case number 325/2024, demanding that the airline publish two seniority lists ("escalafones") as required under Article 12 of the II Collective Bargaining Agreement for EasyJet cabin crew - a general national list and a base-specific list. The Sindicato Independiente de Tripulantes de Cabina de Pasajeros (SITCPLA) subsequently joined the claim.

The pseudonymization problem

EasyJet had circulated seniority lists in April 2024 and again on December 2, 2024 - the day before the original hearing at the Audiencia Nacional - but replaced each worker's name with an internal 12-digit numeric code. The company argued this approach fulfilled the obligation while respecting data minimization requirements under Articles 5.1(c) and 25 of the GDPR, and that numeric identification allowed each Tripulante de Cabina de Pasajeros (TCP) to know their relative position in the list.

The Audiencia Nacional (sentencia 173/2024 of December 12, 2024) had accepted EasyJet's position, though only because it found the legal action lacked a live object by the time of the hearing. The lower court reasoned that since a list of some kind had been published the day before the trial, no genuine current conflict remained. USO-STA appealed.

The Supreme Court rejected that reasoning. According to the judgment, the controversy over the substance of the publication had been running for a prolonged period before the complaint was filed, and the principle of perpetuación de jurisdicción (perpetuation of jurisdiction) established by Article 411 of the Ley de Enjuiciamiento Civil (LEC) requires courts to assess the existence of a dispute at the moment the complaint was initiated - not at the later date of the hearing. Publishing a coded list on December 2, the day before the December 3 hearing, did not extinguish the underlying dispute.

What the collective agreement requires

Article 12 of the II Convenio Colectivo de TCPs de EasyJet, published in the BOE on August 3, 2023, requires the company to produce two seniority lists. The general list ranks cabin crew by entry date into an EasyJet group airline (with tiebreakers including seniority in Spain computed only from the opening of the Barcelona base on February 1, 2016), while the base list ranks crew by seniority at their assigned base. Both lists must include the worker's professional category, full name and surnames, and home base. The lists must be published annually in the intranet from December 1 onward, with workers given 14 days to challenge their position, followed by a maximum one-month resolution period, after which the list becomes definitive. The final lists must also be sent to workers' legal representatives.

The Supreme Court found that the coded list published on December 2, 2024 self-evidently failed this requirement. According to the judgment, names and surnames are explicitly listed among the mandatory data fields, and the specific data obligation in Article 12 takes precedence over the general data protection clause in Article 13 of the same agreement, since a specific provision prevails over a general one within the same normative body.

The GDPR analysis: dynamic concept of personal data

The more technically intricate part of the ruling concerns whether the seniority lists with real names are lawful under the GDPR at all. EasyJet cited the Court of Justice of the European Union's December 19, 2024 ruling in Case C-65/23 (MK v. KGmbH), which held that Article 88 RGPD - the provision permitting member states and collective agreements to establish more specific rules for workplace data processing - does not exempt those rules from complying with the full requirements of Articles 5, 6, and 9 of the GDPR. The company also invoked the Supreme Court's own November 21, 2024 ruling in case 1302/2024, rec 218/2023, which addressed data minimization in a workplace context.

The Supreme Court engaged with these arguments at length. It drew on the CJEU's September 4, 2025 judgment in Case C-413/23 (Supervisor Europeo de Protección de Datos v. SRB), which PPC Land covered when it was delivered, establishing that pseudonymized data may not constitute personal data for recipients who lack reasonable means of re-identification. The court applied what it called a "dynamic concept" of personal data: data is not personal or anonymous in absolute terms, but relative to the specific recipient's capacity to connect the data to an identified individual.

The coded list published by EasyJet - alphanumeric identifiers replacing names - falls within GDPR Article 4(5)'s definition of pseudonymization because the company retains the key linking codes to identities. For employees who can look at a code and recognize their own entry, or for management with access to the full HR database, the data remains personal. For general intranet users without that reference key, it may not. But this matters for the legal question of whether publishing the full names on the intranet would constitute a lawful data processing activity.

The court identified three potential legal bases under Article 6 RGPD for the processing. First, Article 6.1(c): the treatment is necessary for compliance with a legal obligation - in this case, a statutory collective agreement with binding normative force on both parties. Second, Article 6.1(b): the treatment is necessary for the execution of the employment contract. Third, Article 6.1(f): legitimate interest of the workers themselves in knowing who they are competing against for promotions, contract changes, base assignments, and secondments - since the seniority list is the tiebreaker for all those procedures when other criteria are equal.

On data minimization, the court ruled that this principle does not operate as a prohibition against fulfilling collective bargaining obligations, but as a proportionality criterion governing how those obligations are executed. Minimization cannot be invoked to empty a legal obligation of its content; it can only shape the manner of execution. The AEPD's May 2021 guide on personal data in the workplace, cited by the Ministerio Fiscal, was treated by the court as a "notorious fact" under Article 281.4 LEC - publicly accessible, widely known in the relevant community, and therefore admissible without formal proof. The EDPB's Dictamen 2/2017 (now superseded by the European Data Protection Board, EDPB) received similar treatment.

The court's conclusion on proportionality is specific: the data fields required by Article 12 - name, surname, professional category, base, entry date, and seniority - are general employment data not falling within the special categories of Article 9 GDPR. They carry a minor impact on the personal life of the individual. Publishing them to TCPs who may compete in the same procedures is legitimate; publishing them to the workers' legal representatives is also legitimate, supported by Articles 64 of the Workers' Statute and 10.3 of the Organic Law on Union Freedom, as well as the EU Framework Directive 2002/14 of March 11, 2002 on worker information and consultation, and Article 27 of the EU Charter of Fundamental Rights.

However, the court attached a critical condition. The GDPR is satisfied only if EasyJet restricts access to the full seniority list - inside its own intranet - exclusively to TCPs, workers' legal and union representatives, and any other person demonstrating a sufficient legitimate interest, with all those accessing the list informed of their duty of confidentiality. The judgment cites the AEPD guide's position that online publication of personal data must be confined to intranet environments accessible via username and password, never open internet publication.

The ruling and its scope

According to Sentencia 278/2026, the Supreme Court's final decision on March 12, 2026:

  1. Upheld USO-STA's appeal and set aside the Audiencia Nacional's December 12, 2024 judgment.
  2. Rejected the "falta de acción" (lack of cause of action) exception.
  3. Declared the right of all TCPs at EasyJet Airlines Spain to the publication on the corporate intranet of the seniority lists provided for in Article 12 of the II CBA, including the full name and surname of each worker.
  4. Ordered that intranet access to the complete lists be technically restricted to TCPs, legal representatives, union representatives, and other persons who can demonstrate legitimate interest.
  5. Made no order as to costs, each party bearing its own.

The bench that decided the case was composed of Magistrates Sebastián Moralo Gallego, Ignacio Garcia-Perrote Escartín, Rafael Antonio López Parada (rapporteur), and Luisa María Gómez Garrido. The deliberation took place on March 11, 2026, with the judgment dated the following day.

Background: the GDPR and collective agreements in European workplaces

This judgment is one of the first from a European Supreme Court to work through the full implications of the CJEU's C-65/23 ruling on Article 88 GDPR. That December 2024 judgment established that collective agreements can serve as the basis for specific workplace data processing rules under Article 88, but cannot override the core principles of Articles 5, 6, and 9. This means every collective agreement provision authorizing or mandating a particular form of data processing must independently satisfy the GDPR's necessity and proportionality tests. The Supreme Court found that EasyJet's obligation satisfied those tests, but with the access-restriction condition attached.

The broader regulatory environment for pseudonymization has been in flux. In January 2025, the EDPB published its Guidelines 01/2025 on pseudonymisation, the first comprehensive guidance on this measure since GDPR came into force. Those guidelines confirmed that pseudonymized data remains personal data under GDPR Article 4(5) even when different entities hold the linking key. The CJEU's September 4, 2025 ruling in C-413/23, which PPC Land reported as establishing the recipient-centric approach to pseudonymized data classification, is directly cited in the Spanish Supreme Court's analysis.

The tension between data minimization and workplace transparency obligations is not unique to aviation. France's Council of State reduced a €32 million Amazon GDPR fine to €15 million in December 2025 after finding some warehouse monitoring systems legally justified, while a smaller number of indicators violated data minimization rules. Both the Spanish and French decisions illustrate that data minimization does not prohibit all processing of detailed employee data; it requires calibration of the processing to what is genuinely needed for the legitimate purpose.

Germany's October 2025 proposal to the European Commission, documented by PPC Land, specifically called for legislative clarification of pseudonymization and anonymization standards. The European Commission's Digital Omnibus proposal subsequently sought to narrow the definition of personal data. European data protection authorities - the EDPB and EDPS - rejected that narrowing in their February 10, 2026 joint opinion, warning it would fundamentally undermine the right to privacy.

For organizations operating across the EU under collective agreements that require publication of employee data - whether seniority lists, skills registers, or shift rosters - the Spanish ruling provides a detailed framework: identify the legal basis, confirm the data is no more than necessary for the specific purpose, and implement technical access controls before publication.

Timeline

  • February 1, 2016 - EasyJet opens the Barcelona base, establishing the date from which seniority in Spain is computed under the collective bargaining framework.
  • September 14, 2022 - Negotiating commission of the II CBA discusses seniority list format; EasyJet agrees to include an escalafón but raises data protection questions.
  • August 3, 2023 - II Collective Bargaining Agreement for EasyJet cabin crew in Spain published in the Boletín Oficial del Estado.
  • April 2024 - EasyJet distributes seniority lists at base locations with identities replaced by 12-digit codes.
  • April 11, 2024 - Worker "Jose Daniel" emails EasyJet requesting a 12-month leave of absence to join Air Europa; EasyJet denies the request citing Article 43 of the CBA.
  • July 15, 2024 - Mediation attempt before SIMA (Servicio Interconfederal de Mediación y Arbitraje).
  • December 2, 2024 - EasyJet publishes a coded seniority list on its intranet, the day before the hearing.
  • December 3, 2024 - Hearing before the Audiencia Nacional's Sala de lo Social.
  • December 12, 2024 - Audiencia Nacional issues sentencia 173/2024, dismissing USO-STA's claim on the basis of lack of cause of action (SAN 6357/2024).
  • January 16, 2025 - EDPB publishes Guidelines 01/2025 on pseudonymisation, the first comprehensive GDPR guidance on the measure.
  • November 25, 2025 - Supreme Court issues related precedent sentencia 1121/2025, rec 201/2024, clarifying perpetuation of jurisdiction doctrine.
  • December 19, 2024 - CJEU issues ruling in Case C-65/23 (MK v. KGmbH) on Article 88 GDPR and collective agreements.
  • September 4, 2025 - CJEU delivers judgment in C-413/23 (EDPS v. SRB), establishing recipient-centric pseudonymization framework; PPC Land coverage.
  • December 23, 2025 - France's Council of State reduces Amazon GDPR fine to €15 million in a ruling on worker monitoring data minimization; PPC Land coverage.
  • February 10, 2026 - EDPB and EDPS publish joint opinion rejecting European Commission's Digital Omnibus proposal to narrow the definition of personal data; PPC Land coverage.
  • March 11, 2026 - Supreme Court (Sala de lo Social) deliberates and votes.
  • March 12, 2026 - Supreme Court issues Sentencia 278/2026 (STS 1215/2026), ordering EasyJet to publish seniority lists with full worker names under restricted intranet access.

Summary

Who: Spain's Supreme Court (Tribunal Supremo, Sala de lo Social), Magistrate Rafael Antonio López Parada (rapporteur), ruling in a dispute between Unión Sindical Obrera - Sector de Transporte Aéreo (USO-STA) and EasyJet Airlines Spain Sucursal en España. SITCPLA joined USO-STA's position. Ministerio Fiscal supported the appeal.

What: The court ruled that EasyJet must publish seniority lists (escalafones) for its cabin crew on its corporate intranet including the full name and surname of each worker, as explicitly required by Article 12 of the II Collective Bargaining Agreement. The court rejected EasyJet's use of 12-digit pseudonymous codes as a substitute, finding this failed to satisfy the CBA obligation and that the data processing required by the CBA is compatible with the GDPR provided intranet access is technically restricted to TCPs, legal representatives, and other parties with legitimate interest.

When: The Supreme Court judgment (Sentencia 278/2026, STS 1215/2026) was dated March 12, 2026. The underlying dispute had been running since at least April 2024. The original hearing before the Audiencia Nacional took place on December 3, 2024; the lower court issued its dismissal on December 12, 2024. The Supreme Court's deliberation and vote occurred on March 11, 2026.

Where: The judgment was issued in Madrid by the Tribunal Supremo, Sala de lo Social, Section 1. It concerns EasyJet's operations in Spain, covering bases in Barcelona (the only year-round base), and seasonal bases in Palma de Mallorca, Alicante, and Málaga.

Why: Workers' union USO-STA argued that publishing anonymized codes rather than names prevented TCPs from verifying their seniority position relative to colleagues, monitoring competitive procedures for promotions and contract changes, and organizing their professional lives. The court found that the purpose of the seniority list under the CBA is specifically to create transparent competitive procedures, and that the legitimate interest of cabin crew in knowing who they are ranked against is a valid legal basis for the data processing under GDPR Articles 6.1(b) and 6.1(f), subject to controlled access.

Share this article
The link has been copied!