The Spanish Data Protection Authority (the “AEPD”) initiated sanction proceedings against a Spanish company belonging to an international group, following a complaint filed by a former employee.
The employee alleged that the company had added her personal mobile phone number to a corporate WhatsApp group, without her consent, for work-related purposes while waiting to receive a company phone – which she never actually received. Before taking a holiday, the employee had expressly notified the company by email that she would stop using her private number for work matters and had left the corporate WhatsApp group. However, only a few days later, her number was added again to a company group chat. The company argued that the inclusion was temporary, pending delivery of the business phone, and that WhatsApp groups were used solely for internal work communications among employees.
The AEPD, however, found that the use of the employee’s personal number without consent violated Article 6, paragraph 1, of the GDPR, which requires a lawful basis for any processing of personal data.

The Spanish Authority recalled that a personal mobile phone number is a personal data item, and that its use to include an employee in a corporate messaging group constitutes data processing which must rely on one of the legal bases set out in Article 6, paragraph 1, of the GDPR.
In the case under review, there was no consent from the data subject, nor any contractual necessity or other legitimate ground for processing. Moreover, the Spanish Authority stated that the existence of an internal company policy on the use of mobile devices does not exempt the employer from the obligation to establish a proper legal basis for processing.
The company was therefore fined €70,000, reduced to €42,000 after it acknowledged the violation and opted to pay the reduced amount. The AEPD also ordered the company to adopt corrective measures to ensure future compliance with the GDPR.
BYOD (Bring Your Own Device) policies are corporate rules governing the use of personal devices – such as smartphones, laptops, or tablets – for work-related purposes.
In practice, a BYOD policy sets out how employees may use their personal devices to access corporate data, emails, or applications, and defines the relevant security measures.
It is always preferable for companies to provide corporate devices and maintain a clear separation between personal and business tools. However, if the employer decides to allow employees to use personal devices for business purposes, a documented internal policy should be adopted, regulating: