The main employer is responsible for solidarity together with the subcontractor, of social and wage obligations of this on their workers, and therefore, access to this information is already covered in the Statute of workers, and does not imply a breach of data protection rules. However, the customer who receives the work or service for your use or enjoyment, not bears such responsibility solidarity and, consequently, it has no legitimacy to access any salary data or social security of employees (whether they are those of the main employer or subcontractor) Notwithstanding the foregoing, us continues to demonstrate the reality through many of our customers, which in many cases large companies that do not support negotiation or discussion, remain more concerned about responsible labor than by the responsibility in terms of data protection, and are still demanding all sorts of certifications and assurances, causing the following effects: oblige the supplier to incurring a serious infringement of the LOPD (according to its new sanctioning regime) by transfer of data without consent, or they themselves 3 infractions incur very serious if there is health in social insurance or trade union affiliation in payroll data serious to treat excessive data, without consent of those affected, and certainly without having them informed as provided in article 5 of the data protection act in the period of 3 months since they received the data. Ultimately, injured great is the small businessman, that either loses the project (by allege breach of the data protection Act), or you risk receiving a strong sanction. If any of us had to choose between a reality (losing the project) and a possibility (AEPD fine), both undesirable situations, I believe that everyone would choose the possibility. Hopefully the AEPD saw it the same way. Jose Carlos Moratilla legal Departamento Audea information security