The AEPD has imposed a fine of €200,000 for the mandatory use of personal mobile phones in the workplace
1. The facts: mandatory use of personal mobile phones and excessive monitoring
The ruling, issued in case EXP2024114111, stems from a complaint filed by one of the drivers of Ares Capital (hereinafter, the "entity" or the "company"), who reported that the company required him to use his personal mobile phone for work and to download four applications needed for service delivery.
The worker alleged that these applications continuously monitored his activity and that he had not been sufficiently informed about the nature, scope, and functioning of the data processing, a situation affecting the entire workforce.
During the investigation, the AEPD found that some of the required applications included particularly intrusive permissions, allowing access to, among other things:
- Continuous or precise geolocation.
- Photographs and videos.
- Audio recordings.
- Personally identifiable information.
- Health or fitness data.
The AEPD emphasizes that what matters is not whether the company actually uses all this data, but whether the technical permissions of the applications allow it and cannot be modified by the employee.
The company argued that the use of personal mobile phones was voluntary, as employees had the option to request a company-provided device or to use their own in exchange for financial compensation. However, the same company acknowledged that employees could not modify the settings or permissions of the applications and that the provision and distribution of corporate phones depended on resource availability and budget, and it committed to providing them gradually.
2. The penalties imposed by the AEPD
As a result of these facts, the AEPD has imposed three penalties that highlight the main risks arising from the use of personal mobile phones at work and their regulation —or lack thereof— through BYOD policies:
- Non-compliance with the data minimization principle (€100,000): The Agency considers that the required applications collected more data than necessary for the drivers to perform their jobs. Specifically, they could access information such as continuous location tracking, images, audio recordings, contacts, or even health data, which is excessive, especially since these are personal devices. The AEPD points out that, whenever possible, less intrusive alternatives, such as vehicle geolocation, should be used, and also takes into account the large number of affected workers (over 5,700) when classifying the violation as very serious.
- Lack of a valid legal basis (€80,000): Although the company relied on the consent of the workers, the AEPD considers that this was insufficient, as there was in practice no real alternative from the outset (the provision of company mobile phones depended on availability). In the employment context, consent is only valid if the worker can refuse it without consequences, which was not the case. Additionally, the Agency notes that other legal bases cannot be used if the collected data goes beyond what is necessary.
- Breach of the duty to inform (€80,000): The AEPD points out that employees did not receive clear and complete information about the data being collected or about how to stop being monitored at the end of the workday. In this regard, providing the appropriate information entails explaining, for example, whether it is sufficient to log out, whether the applications continue running in the background, or whether the device needs to be turned off, rather than simply including general clauses in the contract.
In addition to the penalty, the AEPD has given the company two months to rectify the situation and demands that it limit data collection to what is strictly necessary, establish a suitable legal basis for the use of personal mobile phones, and ensure that employees are adequately informed, including disconnection outside of working hours.
3. Conclusion
This ruling establishes a clear benchmark for companies, making it clear that the use of technological tools cannot transfer the risks of regulatory compliance to employees. In particular, the use of personal mobile phones at work requires greater caution: the employee's consent is not sufficient, and it is essential to oversee the permissions of the applications to avoid excessive data processing.
For companies operating under BYOD models, this ruling means they need to review their practices, thoroughly analyze the tools used, and ensure that data processing is strictly limited to what is necessary, providing clear and complete information to employees. In this scenario, it is essential to seek specialized advice to identify risks, adapt internal policies, and ensure that the use of technology aligns with the GDPR and the AEPD's guidelines, thereby minimizing potential risks.
Information note from the Data Protection Department of ECIJA Madrid.