GDPR, Apr 17, 2026

AEPD (Spain) - EXP202411411

Spain's AEPD fines transport company €200K for mandating employee tracking apps on personal phones.

Summary

The Spanish Data Protection Authority (AEPD) imposed a €200,000 fine on ARES CAPITAL, S.A., a transport services company, for violating GDPR Articles 5(1)(c), 6(1), and 13. The company required employees to install four continuous monitoring applications on their personal smartphones that tracked location, messages, calls, and activity without obtaining valid consent or respecting data minimization principles. The DPA determined that the processing was mandatory rather than freely consented to, and that the apps collected more data than necessary.

Full text

From GDPRhub. Revision as of 08:43, 17 April 2026.

AEPD - EXP202411411

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR; Article 6(1) GDPR; Article 6(1)(a) GDPR; Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started: 23.07.2024
Decided: 14.04.2026
Published: 14.04.2026
Fine: 200,000 EUR
Parties: ARES CAPITAL, S.A.
National Case Number/Name: EXP202411411
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ap

The DPA fined a transport services company €200,000 for obliging employees to use four tracking apps on their personal phones for work-related purposes.

English Summary

Facts

ARES CAPITAL, S.A. (the controller) is a company that offers transport services. In 2024, a data subject brought a complaint to the DPA. According to the data subject, the controller obliged the data subject to use four apps that continuously monitored their activity, including their location, messages and calls. These apps are used regardless of whether the data subjects use company phones or their personal phones for work-related purposes.

The controller claimed that data subjects had the choice of using company or personal phones. However, it also admitted that the availability of company phones was subject to budgetary restrictions, and that it encouraged data subjects to use their personal phones. The controller argued that data subjects were informed of the data processing through the mandatory apps.
In addition, the controller argued that the processing was lawful as an essential part of the employment contract with the data subjects. Finally, the controller argued that the apps ceased processing data subjects’ data once they closed the apps.

During its investigations, the DPA found that the apps processed data constantly. Two apps contained permissions to process additional data, such as location, information on the physical status of the data subject and photos and videos.

Holding

The DPA found a violation of Article 5(1)(c) GDPR. The DPA stated that any app used on personal phones for work-related purposes must limit its data processing activities to those that are strictly necessary. The DPA found that the apps did not comply with this requirement, and therefore the controller did not comply with the principle of data minimisation. The DPA referred to case law from the Spanish High Court (SAN 136/2019 de 6 de febrero de 201), in which the court highlighted that such measures to track employees were not proportionate and that the company’s objectives could be met through less intrusive means (particularly those that do not require an employee to provide personal data such as contact information).

The DPA also found a violation of Article 6(1) GDPR. The DPA considered that the controller did not obtain freely given consent from the data subjects, based on the fact that it did not provide company phones from the beginning (instead, the use of personal phones is the default). The DPA also noted the imbalance in the relationship between the controller and the data subject as a factor to take into account in determining whether consent was freely given, as stated in Recital 43 GDPR and EDPB Guidelines (5/2020). The DPA concluded that the data subjects did not freely consent to the data processing, as it was a mandatory condition to carry out their tasks. Therefore, the controller did not have a valid legal basis under Article 6(1)(a) GDPR to process the data.
The DPA did not examine the other legal bases under Article 6(1) GDPR.

Finally, the DPA found a violation of Article 13 GDPR. The DPA found that the controller failed to sufficiently inform the data subjects of the data processed through the mandatory apps.

The DPA fined the controller €200,000 in total: €100,000 for the violation of Article 5(1)(c) GDPR, €80,000 for the violation of Article 6(1) GDPR, and €20,000 for the violation of Article 13 GDPR. In addition, the DPA ordered the controller to demonstrate its compliance with data minimisation and information obligations, as well as a valid legal basis to process the data.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202411411

RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On July 23, 2024, a complaint was filed with the Spanish Data Protection Agency regarding a possible infringement attributable to ARES CAPITAL, S.A., with Tax Identification Number A80358955 (hereinafter, ARES CAPITAL). The facts brought to the attention of this authority were:

The complainant states that ARES CAPITAL, the company for which he works as a ride-hailing driver, requires him to use his own mobile phone in the workplace and to download four applications that monitor his location, messages, calls, and other activity parameters, continuously and exhaustively, 24 hours a day. Furthermore, he states that he has not been sufficiently informed about the scope of the personal data collected on his personal mobile phone. He mentions that this situation also affects other drivers.
The following was submitted with the document:

- A screenshot dated April 30, 2024, showing four links: (…)
- Screenshots of the following applications in ***APPLICATION.1: “***APPLICATION.2”, “***APPLICATION.3”, “***APPLICATION.4”, as well as a screenshot of the download of the application “***APPLICATION.5”.

The following screenshots are included as evidence in the file:

- A screenshot dated August 6, 2024, showing information provided by the developer of ***APPLICATION.3 on the Google Play app store.
- Screenshot dated August 6, 2024, information provided by the developer of ***APPLICATION.4 on the Google Play app store.
- Screenshot dated August 6, 2024, information provided by the developer of ***APPLICATION.5 on the Google Play app store.
- Screenshot dated August 6, 2024, information provided by the developer of ***APPLICATION.6 on the Google Play app store.
- Screenshot dated August 6, 2024, of the Privacy Policy for ***APPLICATION.3 from the website ***URL.1.
- Screenshot dated August 6, 2024, of the Privacy Policy of ***COMPANY.1 from the website ***URL.2.

C/ Jorge Juan 6, 28001 - Madrid; www.aepd.es; sedeaepd.gob.es

SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), this complaint was forwarded to ARES CAPITAL so that it could analyze it and inform this Agency within one month of the actions taken to comply with the requirements of the data protection regulations.

The notification of the transfer of the claim, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was made on August 14, 2024, as evidenced by the acknowledgment of receipt included in the file.

...

THIRD: On September 13, 2024, this Agency received a written response indicating the following:

"(...) 1.
Purpose of Personal Data Processing In accordance with clause 9.3 of the additional clauses to the Employment Contract, the personal data of employees is collected and processed for the following purposes: a) To manage the employment re

Entities

ARES CAPITAL, S.A. (vendor)