GDPR, Apr 17, 2026

AEPD (Spain) - EXP202411411

Spain's AEPD fines transport company €200K for mandatory employee monitoring apps violating GDPR data minimization and

Summary

Spain's Data Protection Authority (AEPD) fined ARES CAPITAL, S.A. €200,000 for requiring employees to run four mandatory monitoring apps, on company or personal phones alike, that continuously tracked their location, messages and calls without a valid lawful basis and without limiting processing to what was necessary. The DPA found violations of GDPR Articles 5(1)(c) (data minimisation), 6(1) (lawful basis; consent not freely given) and 13 (transparency). It held that the employer's claim that staff could choose a company phone was illusory, since company phones were subject to budgetary restrictions and personal phones were the default. The decision stresses that work-related monitoring on personal devices must be strictly necessary, that consent in an employment relationship is rarely freely given, and that less intrusive alternatives are to be preferred.

Full text

GDPRhub, latest revision as of 08:50, 17 April 2026

Facts

ARES CAPITAL, S.A. (the controller) is a company that offers transport services. In 2024, a data subject brought a complaint to the DPA. According to the data subject, the controller obliged them to use four apps that continuously monitored their activity, including their location, messages and calls. These apps were used regardless of whether the data subjects used company phones or their personal phones for work-related purposes.

The controller claimed that data subjects had the choice of using company or personal phones. However, it also admitted that the availability of company phones was subject to budgetary restrictions, and that it encouraged data subjects to use their personal phones. The controller argued that data subjects were informed of the data processing through the mandatory apps. In addition, the controller argued that the processing was lawful as an essential part of the employment contract with the data subjects. Finally, the controller argued that the apps ceased processing data subjects' data once they closed the apps. During its investigation, the DPA found that the apps processed data constantly. Two apps held permissions to process additional data, such as location, information on the physical status of the data subject, and photos and videos.

Holding

The DPA found a violation of Article 5(1)(c) GDPR. The DPA stated that any app used on personal phones for work-related purposes must limit its data processing to what is strictly necessary. The DPA found that the apps did not meet this requirement, and therefore the controller did not comply with the principle of data minimisation. The DPA referred to case law of the Spanish National High Court (Audiencia Nacional),[1] in which the court held that such measures to track employees were not proportionate and that the company's objectives could be met through less intrusive means (in particular, means that do not require an employee to provide personal data such as contact information).

The DPA also found a violation of Article 6(1) GDPR. The DPA considered that the controller did not obtain freely given consent from the data subjects, given that it did not provide company phones from the outset (the use of personal phones was instead the default). The DPA also noted the imbalance in the relationship between the controller and the data subject as a factor to take into account in determining whether consent was freely given, as stated in Recital 43 GDPR and the EDPB Guidelines on consent.[2] The DPA concluded that the data subjects did not freely consent to the data processing, as it was a mandatory condition for carrying out their tasks. Therefore, the controller did not have a valid legal basis under Article 6(1)(a) GDPR to process the data. The DPA did not examine the other legal bases under Article 6(1) GDPR.

Finally, the DPA found a violation of Article 13 GDPR. The DPA found that the controller failed to sufficiently inform the data subjects about the data processed through the mandatory apps.

The DPA fined the controller €200,000 in total: €100,000 for the violation of Article 5(1)(c) GDPR, €80,000 for the violation of Article 6(1) GDPR, and €20,000 for the violation of Article 13 GDPR. In addition, the DPA ordered the controller to demonstrate its compliance with the data minimisation and information obligations, as well as a valid legal basis to process the data.

Notes

[1] SAN 136/2019 of 6 February 2019 (p. 15), ECLI:ES:AN:2019:136, https://www.poderjudicial.es/search/AN/openDocument/8ed60e51766c4e3e/20190219
[2] EDPB Guidelines 05/2020 on consent under Regulation 2016/679 (Version 1.1), 4 May 2020, p. 13, https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

Entities

ARES CAPITAL, S.A. (controller)