The AEPD has imposed a fine of €200 for the mandatory use of personal mobile phones at the workplace

Reports, 19 May 2026
This ruling is particularly significant from two perspectives — data protection and labour law — as it establishes the limits of employers' control over personal devices and reinforces compliance requirements for companies with BYOD (Bring Your Own Device) policies.

The Spanish Agency for Data Protection (AEPD) has fined Ares Capital, S.A. a total of €200,000 for requiring its employees to install corporate applications on their mobile phones, including privately owned ones, and for processing personal data excessively, without a valid legal basis and with deficiencies in the information provided.


1. The facts: mandatory use of personal mobile phones and excessive surveillance

The decision, issued in case EXP202411411[1], stems from a complaint made by one of the drivers of Ares Capital (hereinafter, the “entity” or the “company”), who reported that the company required him to use his personal mobile phone for work and to download four applications needed to provide the service.


The worker claimed that these applications continuously monitored his activity and that he had not been adequately informed about the nature, scope, and functioning of the data processing, a situation that affected the entire staff.


During the investigation, the AEPD found that some of the required applications included particularly intrusive permissions, allowing access to, among other things:

  • Continuous or precise geolocation.
  • Photos and videos.
  • Audio recordings.
  • Personally identifiable information.
  • Health or fitness data.

The AEPD emphasizes that what matters is not whether the company actually uses all this data, but that the technical permissions of the applications allow it and cannot be adjusted by the employee.


Although the company claimed that the use of personal mobile phones was voluntary, the AEPD noted that the option of a company-provided mobile phone was not guaranteed from the outset, as it depended on availability and budget, which practically forced employees to use their own devices. Furthermore, the applications could remain active outside working hours, which poses direct risks regarding the right to digital disconnection and the separation between professional and personal spheres.


2. The sanctions imposed by the AEPD

As a result of these findings, the AEPD has imposed three sanctions that highlight the main risks arising from the use of personal mobile phones at work and their regulation—or lack thereof—through BYOD policies:

  • Non-compliance with the principle of data minimization (€100,000): The Agency considers that the required applications collected more data than was necessary for drivers to carry out their work.


Specifically, they could access information such as continuous location data, images, audio recordings, contacts, or even health data, which is excessive, especially since these are personal devices.


The AEPD points out that, whenever possible, less intrusive alternatives should be used, such as vehicle geolocation, and also takes into account the large number of affected workers (over 5,700) when qualifying the infringement as very serious.

  • Lack of a valid legal basis (€80,000): Although the company relied on the employees' consent, the AEPD considers this insufficient, as in practice there was no real alternative from the outset (the provision of company mobile phones depended on availability).

In the labour context, consent is only valid if the worker can refuse it without consequences, which was not the case. Moreover, the Agency states that other legal bases cannot be used if the data collected goes beyond what is necessary.

  • Non-compliance with the duty to inform (€80,000): The AEPD notes that employees did not receive clear and complete information about the data being collected or how to stop being monitored at the end of the working day.

In this regard, providing the appropriate information involves explaining, for example, whether it is sufficient to simply log out, whether the applications continue running in the background, or whether the device needs to be turned off, rather than merely including general clauses in the contract.


In addition to the sanction, the AEPD has given the company two months to rectify the situation, requiring it to limit data collection to what is strictly necessary, establish a valid legal basis for the use of personal mobile phones, and ensure that employees are properly informed, including about disconnection outside working hours.


3. Labour implications and risk of non-compliance

Beyond the data protection sanction, the ruling has a direct impact on the workplace, as it highlights that these practices may involve:

  • An unlawful intrusion into the worker's private life when accessing data unrelated to work.
  • A violation of the right to digital disconnection if the applications remain active outside working hours.
  • Issues regarding the validity of consent, specific to the employment relationship and its structural imbalance.
  • Additional risks of labour inspections, collective conflicts, or individual challenges.

In this sense, the ruling aligns with the labour law doctrine that questions the imposition of workers' own devices when less intrusive alternatives exist.


4. Practical guidelines for companies

In light of the AEPD's criteria, companies should adopt a preventive approach in both areas and consider, among other recommendations, the following:

  1. Prioritize the use of corporate devices, managed through MDM solutions and with separate environments, avoiding the obligation for the worker to use their personal mobile phone.
  2. If opting for BYOD models, configure them as a genuine and voluntary option, adequately regulated by a specific internal policy, with a record of consent and no access to the personal information on the device.
  3. Conduct a prior data protection impact assessment to identify and eliminate unnecessary access to data (such as photos, contacts, health data, or continuous geolocation), ensuring the measure is proportional.
  4. Correctly define the legal basis for processing, avoiding reliance on consent and, when necessary to request it, ensuring that it is genuinely free, informed, and without consequences for the employee.
  5. Strengthen the duty to inform by clearly explaining what data is being processed, how the applications work, and how disconnection is guaranteed outside working hours.
  6. Promote training and awareness measures for both management and staff regarding the responsible use of devices and data protection, accompanied by internal channels to resolve queries or manage incidents.

5. Conclusion

This ruling sets a clear reference point for companies: the use of technological tools cannot transfer compliance risks onto workers. In particular, the use of personal mobile phones at work requires more caution: the worker's consent is not sufficient, and it is essential to supervise the permissions of the applications to prevent excessive processing.


For companies operating with BYOD models[2], this ruling means they must revise their practices, thoroughly analysing the tools used and ensuring that data processing is strictly limited to what is necessary, providing clear and complete information to employees.


In this scenario, it is essential to seek specialized advice to identify risks, adapt internal policies, and take proactive measures through a combined approach to data protection and labour compliance.


[1] The complete text of the resolution can be consulted at the following link: ps-00454-2024.pdf.

[2] BYOD policies (“Bring Your Own Device”) are those that allow employees to use their personal devices for professional purposes, which requires specific guarantees regarding data protection.


Information note from the Data Protection and Labour Law departments of ECIJA Madrid.
