The AEPD sanctioned the inclusion of a worker's personal number in a work WhatsApp group for data protection

A former employee of LVMH IBERIA, S.L. (hereinafter, LVMH) complained to the Spanish Data Protection Agency (AEPD) that, during the employment relationship, the company added her personal number to a WhatsApp group, without her consent, and that she was required to use that personal telephone number.

The data subject expressly informed her employer, via email, that she would stop using her personal number for work purposes and that, when she went on holiday, she would leave all the company's WhatsApp groups.

Despite that express communication from the employee, and just at the end of her holiday, her personal telephone number was reinstated by LVMH in a work WhatsApp group, from which she was subsequently removed when she was dismissed.

Thus, the former employee filed a complaint with the AEPD for a possible infringement by LVMH of data protection regulations. LVMH's defence, among others, was that its actions were "prudent and protective", since the WhatsApp groups only included employees and that the use of personal devices was an exceptional and temporary situation, and that participating in these groups was necessary and indispensable for their work.

The director of the AEPD decided to reject the complaint, which was the subject of an appeal for reconsideration by the complainant. The AEPD allowed the appeal to proceed and the company ratified what it had previously stated before the Agency.

The AEPD qualified the conduct as a very serious infringement, as it violated the principle of lawfulness of processing, a principle that requires that the processing of personal data be based on consent, the performance of a contract, a legal obligation, vital interests, public interest or overriding legitimate interest.

The AEPD concluded that the company did not have valid consent from the data subject, who had moreover expressly objected, excluding any tacit consent, declaring the breach of the GDPR and confirming the sanction.

With this, the AEPD proposed a fine of €70,000 (approximately 77 million pesos), which was reduced to €42,000 (approximately 46 million pesos) by virtue of the voluntary payment and the acknowledgement of the unlawful act. In addition, the Agency required LVMH to prove, within one month, the adoption of appropriate organisational measures to ensure the lawfulness of the processing carried out in the context of the use of messaging groups.

And what will happen in Chile?

The case suggests that the crossover between labour law and personal data protection will become more and more frequent. Common practices in Chile, such as creating WhatsApp groups with personal numbers, sending messages outside working hours or using private devices for corporate purposes, will have to be urgently reviewed. The technological informality that used to facilitate communication can now become a source of legal and reputational risk.

With the early entry into force of Law No. 19.628, amended by Law No. 21.719 on Personal Data Protection, the processing of workers' personal information - such as telephone numbers, addresses or contact details - always requires a clear basis of lawfulness and proportionality to the purpose pursued. The regulation imposes principles of minimisation, accountability and transparency that also reach the working environment, obliging companies to review their daily practices and to ensure that personal data are used only to the extent strictly necessary for the employment relationship. This is not to mention the guidelines that the Directorate of Labour has given on the matter.

The central lesson is clear: no processing of personal data in the workplace is exempt from compliance with the Personal Data Protection Act. Companies should design policies, hand over corporate accounts/numbers when necessary, ensure opt-out mechanisms and always document the legal basis justifying the use of their workers' data.

In short, workers' privacy becomes an essential dimension of labour compliance. The challenge for employers will be to reconcile operational efficiency with respect for the personal sphere, in a framework where data protection is no longer a technological add-on, but a structural component of modern labour relations.

ECIJA Chile Personal Data Protection Area

Ghislaine Abarca