€200,000 penalty from the AEPD for the use of corporate apps on employees' personal mobiles

Reports | 18 May 2026
Privacy at work: the AEPD limits the use of personal devices and toughens compliance requirements in BYOD policies.

The AEPD (File EXP202411411) has fined a company €200,000 for forcing its employees to install mobile applications on the terminals they use for work, including those of personal ownership, and for processing personal data beyond what is necessary (principle of data minimisation), without a valid legitimate basis and with insufficient information (hereinafter the "Resolution").


The Resolution is particularly relevant in the employment and compliance field because it addresses the limits of BYOD policies, the criteria for the validity of consent in subordinate employment relationships and the need for proportionate alternatives when the employer intends to use Apps that access data on employees' personal devices.


I. Facts and scope of the decision

The AEPD found that the company required the mandatory installation of several operational Apps (internal communication, vehicle opening/closing, service platform and geolocation), both on corporate mobiles and personal mobiles when these were not available, with permissions that enabled access to continuous geolocation, photos and videos, contacts, audio and fitness data.


The Resolution classifies the conduct as an infringement of articles 5.1.c) (minimisation), 6.1 (lawfulness) and 13 (duty to inform) of the GDPR and orders, in addition to the fine of €200,000, the adoption within two months of corrective measures demonstrating minimisation, a valid legitimate basis and compliance with the duty to inform.


II. Legal basis and applicable doctrine (consent in employment, proportionality and BYOD)

In subordinate environments, consent, as the AEPD points out, is rarely "free", so it cannot serve as a basis for accessing data from the employee's personal device or for activating intrusive App permissions.


In relation to the concept of consent, the AEPD points out that the lawfulness of the processing requires that the data subject (in this case, the employee) must be informed about the purposes for which the data are intended, through the so-called "informed consent", which must be freely given. In this sense, it is understood that "consent is not free when the data subject does not have a genuine or free choice or cannot refuse or withdraw his consent without prejudice; or when he is not allowed to give separate consent to the different personal data processing operations although it is appropriate in the specific case, or when the performance of a contract or provision of a service is dependent on consent, even if it is not necessary for such performance". These situations arise, for example, where consent is included as a non-negotiable part of the general terms and conditions, or where an obligation to agree to the use of personal data additional to those strictly necessary is imposed.


Particularly in the employment sphere, this requirement takes on special relevance due to the unequal position of employer and employee: it must be shown that the employee's refusal to consent will have no negative consequences for him/her, so that consent is genuinely given freely. As the AEPD has pointed out in various resolutions, "without these conditions, the provision of consent would not offer the data subject real control over his or her personal data and the destination of the same, and this would make the processing activity unlawful".


In the Resolution analysed, the AEPD reasons that the initial absence of a corporate mobile phone and the mandatory nature of the Apps invalidate the consent and shift the analysis to the other legal bases of art. 6.1 GDPR, none of which, in this case, legitimises the mass collection of data either.


In addition, the AEPD finds a breach of the principle of data minimisation (art. 5.1.c GDPR), since the configured permissions go beyond what is strictly necessary to provide the service (e.g. access to photos/videos or health metrics), and a breach of the duty to provide information (art. 13 GDPR).


This approach is consistent with the doctrine of the labour courts, which denies the validity of "voluntary" clauses to provide data or one's own means (STS 21-9-2015), with the case law that considers the imposition of Apps on personal mobiles unjustified when organisational alternatives exist (STSJ Galicia, 31-1-2022), and with recent pronouncements on digital disconnection and the limits of teleworking (STS, 2-4-2025). In particular, the STS of 8-2-2021 confirmed the nullity of a system that obliged delivery drivers to provide their own smartphone and install a geolocation App for real-time tracking of orders, as well as the associated contractual clauses (including disciplinary and termination provisions for not providing or not "repairing" the terminal). The Court held that location data are personal data and that the measure, while pursuing legitimate aims, did not pass the proportionality test because less intrusive alternatives exist that do not require the use of the personal mobile phone and the transfer of the associated data (e.g. in-vehicle devices or equivalent solutions).


III. Impact and main labour compliance risks

From an employment perspective, imposing the installation of Apps on personal devices may constitute:

  • an illegitimate interference in the private sphere if the Apps' permissions allow access to information that is not necessary or not work-related;
  • a breach of the right to digital disconnection if the Apps remain active outside working hours; and
  • processing without a valid legal basis when it relies on consent that is not freely given.

All this exposes the company to sanctions, not only in terms of data protection but also from the Labour Inspectorate, as well as to legal contingencies arising from possible individual or collective challenges and conflicts with the employees' legal representatives, stemming from failures in the compliance model (absent or insufficient DPIA, lack of BYOD policies, incomplete records of processing activities and deficient data processing agreements with App providers).


IV. Practical recommendations

With a preventive approach to labour compliance, companies, in light of this latest AEPD sanctioning Resolution, should take into account, among others, the following recommendations:


(1) always favour corporate devices with MDM management and separate containers, over personal devices;

(2) if BYOD is allowed, do so as a "real and reversible option", with a specific policy regulating these uses, with a record of informed consent and without access to personal data in the private area;

(3) carry out a prior Impact Assessment to rule out non-essential permissions and telemetry (e.g. access to photos/videos, contacts or health, constant geolocation, etc.), justifying the proportionality of the measure;

(4) define a basis of lawfulness other than consent for necessary processing and, where it is unavoidable to ask for consent, ensure that it is free, specific, informed and unambiguous, with organisational alternatives without prejudice to the worker;

(5) comply with the reinforced and transparent duty of information (internal channels, processing sheets by App, and effective disconnection controls outside working hours); and

(6) provide training for managers and staff on responsible use of devices, privacy and digital disconnection, and enable an internal channel for queries and possible complaints.


Information note from ECIJA Madrid's Employment Law Department.
