Two recent resolutions from the Spanish Data Protection Agency (AEPD) —penalties of €2,000 and €70,000— confirm that including an employee in a corporate WhatsApp group or sending work-related messages to their private number constitutes data processing that requires a legitimate basis. Companies that ignore this requirement face heavy fines and the obligation to implement corrective measures. 

Instant messaging has become the fast track to organizing shifts, distributing tasks or resolving incidents, but its use entails a legal risk that the Spanish Data Protection Agency has just put in black and white. In two cases made public in recent weeks, the authority has sanctioned two companies for adding employees' personal numbers to WhatsApp groups without prior permission:

  • Andalusian Special Employment Center: fine of €2,000 for creating an internal chat with the personal phone number of a newly hired teleoperator.
  • Luxury retail company: fine of €70,000 (reducible to €42,000 for early payment) after reinstating a worker in the group on her own day off, despite her repeated opposition and having requested a corporate terminal.

In both cases the AEPD concludes that the mobile number is personal data; its processing (inclusion in the chat) needs a valid legitimate basis: express consent, fulfillment of a contract that clearly requires it, or a well-balanced legitimate interest. The agency reminds us that consent in the workplace must be free, something that is difficult to prove when the worker is in a subordinate position.

 

What companies should do to avoid sanctions

  1. Request formal and revocable authorization
    Before using a private phone for work purposes, obtain written permission from the employee, informing them of the purposes and their right to withdraw it at any time.

  2. Provide corporate devices
    If the operation requires mobile messaging, the safest method is to provide a company-issued smartphone; the device is a corporate device, and chats are considered a work tool.

  3. Create alternative channels
    Internal newsletters, intranets, or proprietary apps minimize the need to access WhatsApp with personal data.

  4. Limit sending hours
    Messages outside of business hours violate not only the GDPR but also the right to digital disconnection contemplated in the Workers' Statute and the Remote Work Law.

  5. Internal communications policy
    Define in writing who manages the groups, what information can be shared, and how the withdrawal of a member who revokes their consent is handled.

The precedent of the “urgent route” in teleworking

The Supreme Court (STS 2-4-2024) admitted that, in teleworking exceeding 30%, the company can request the personal number only for duly accredited emergencies. The Spanish Data Protection Agency (AEPD) and the Supreme Court agree: outside of this exceptional scenario, private mobile phones cannot be used.

 

More inspections in 2025-2026

The AEPD itself announced in its Strategic Plan that it will strengthen surveillance over messaging apps in the workplace, just as it already does with video surveillance and geolocation. The exemplary sanctions aim to send a clear message: the “anything goes” approach on WhatsApp is over, and companies must adapt their protocols to European data protection regulations.

 

Companies and HR departments have time to review practices and avoid financial scares that, as demonstrated by the record €70,000 fine, can seriously compromise their reputation and bottom line.
