{"id":121598,"date":"2025-06-11T17:57:24","date_gmt":"2025-06-11T15:57:24","guid":{"rendered":"https:\/\/aseryde.com\/?p=121598"},"modified":"2025-06-11T18:13:43","modified_gmt":"2025-06-11T16:13:43","slug":"la-aepd-advierte-las-empresas-deben-recabar-consentimiento-expreso-antes-de-anadir-moviles-personales-a-grupos-de-whatsapp","status":"publish","type":"post","link":"https:\/\/aseryde.com\/en\/la-aepd-advierte-las-empresas-deben-recabar-consentimiento-expreso-antes-de-anadir-moviles-personales-a-grupos-de-whatsapp\/","title":{"rendered":"The Spanish Data Protection Agency (AEPD) warns: companies must obtain express consent before adding personal mobile phones to WhatsApp groups."},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Two recent resolutions from the Spanish Data Protection Agency (AEPD) \u2014<\/span>penalties of \u20ac2,000 and \u20ac70,000<\/b>\u2014 confirm that including an employee in a corporate WhatsApp group or sending work-related messages to their private number constitutes data processing that requires a legitimate basis. Companies that ignore this requirement face heavy fines and the obligation to implement corrective measures.\u00a0<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Instant messaging has become the fast track to organizing shifts, distributing tasks or resolving incidents, but its use entails a legal risk that <\/span>Spanish Data Protection Agency<\/b> has just put it in black and white. In two cases made public in recent weeks, the authority has sanctioned two companies for adding employees' personal numbers to WhatsApp groups without prior permission:<\/span><\/p>\n

    \n
  • Andalusian Special Employment Center<\/b>: fine of <\/span>2.000 \u20ac<\/b> for creating an internal chat with the personal phone number of a newly hired teleoperator.<\/span><\/li>\n
  • Luxury retail company<\/b>: fine of <\/span>70.000 \u20ac<\/b> (reducible to \u20ac42,000 for early payment) after reinstating a worker in the group on her own day off, despite her repeated opposition and having requested a corporate terminal.<\/span><\/li>\n<\/ul>\n

    In both cases the AEPD concludes that the mobile number is a <\/span>personal data<\/b>; your treatment (inclusion in the chat) needs a <\/span>basis of legitimacy<\/b> Valid: express consent, fulfillment of a contract that clearly requires it, or a well-balanced legitimate interest. The agency reminds us that consent in the workplace <\/span>must be free<\/b>, something that is difficult to prove when the worker is in a subordinate position.<\/span><\/p>\n

    \u00a0<\/p>\n

    What companies should do to avoid sanctions<\/b><\/h4>\n
      \n
    1. Request formal and revocable authorization<\/b>
      <\/b> Before using a private phone for work purposes, obtain written permission from the employee, informing them of the purposes and their right to withdraw it at any time.<\/span>

      <\/span><\/li>\n
    2. Provide corporate devices<\/b>
      <\/b> If the operation requires mobile messaging, the safest method is to provide a company-issued smartphone; the device is a corporate device, and chats are considered a work tool.<\/span>

      <\/span><\/li>\n
    3. Create alternative channels<\/b>
      <\/b> Internal newsletters, intranets, or proprietary apps minimize the need to access WhatsApp with personal data.<\/span>

      <\/span><\/li>\n
    4. Limit shipping hours<\/b>
      <\/b> Messages outside of business hours violate not only the GDPR but also the <\/span>right to digital disconnection<\/b> contemplated in the Workers' Statute and the Remote Work Law.<\/span>

      <\/span><\/li>\n
    5. Internal communications policy<\/b>
      <\/b> Define in writing who manages the groups, what information can be shared, and how the withdrawal of a member who revokes their consent is handled.<\/span>

      <\/span><\/li>\n<\/ol>\n

      The precedent of the \u201curgent route\u201d in teleworking<\/b><\/h4>\n

      The Supreme Court (STS 2-4-2024) admitted that, in teleworking exceeding 30 %, the company can request the personal number <\/span>only<\/b> For duly accredited emergencies. The Spanish Agency for Data Protection (AEPD) and the Supreme Court agree: outside of this exceptional scenario, private mobile phones cannot be used.<\/span><\/p>\n

      \u00a0<\/h4>\n

      More inspections in 2025-2026<\/b><\/h4>\n

      The AEPD itself announced in its Strategic Plan that it will strengthen surveillance over <\/span>Messaging apps in the workplace<\/b>, just as it already does with video surveillance and geolocation. The exemplary sanctions aim to send a clear message: <\/span>The \u201canything goes\u201d on WhatsApp is over<\/b> and companies must adapt their protocols to European data protection regulations.<\/span><\/p>\n

      \u00a0<\/p>\n

      Companies and HR departments have time to review practices and avoid financial scares that, as demonstrated by the record \u20ac70,000 fine, can seriously compromise their reputation and bottom line.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"

      Two recent resolutions from the Spanish Data Protection Agency (AEPD)\u2014penalties of \u20ac2,000 and \u20ac70,000\u2014confirm that including an employee in a corporate WhatsApp group or sending work-related messages to their private number constitutes data processing that requires a legitimate basis. Companies that ignore this requirement will be [\u2026]<\/p>","protected":false},"author":2,"featured_media":121600,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-121598","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sin-categoria"],"_links":{"self":[{"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/posts\/121598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/comments?post=121598"}],"version-history":[{"count":7,"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/posts\/121598\/revisions"}],"predecessor-version":[{"id":121606,"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/posts\/121598\/revisions\/121606"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/media\/121600"}],"wp:attachment":[{"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/media?parent=121598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/categories?post=121598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aseryde.com\/en\/wp-json\/wp\/v2\/tags?post=121598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}