Awareness Lessons
3 days ago

Spanish Company Fined €200,000 for Excessive Employee Phone Monitoring

ARES CAPITAL, S.A. violated fundamental GDPR principles by requiring employees to install four intrusive monitoring applications on personal smartphones that tracked location, messages, calls, and activities without proper consent. The company failed to apply data minimization principles, collecting far more personal data than necessary for legitimate business purposes. This case demonstrates that mandatory employee monitoring programs must respect privacy rights and cannot rely on coerced consent when employees have no real choice but to comply.

Tactical Insight

Immediate actions

  • Conduct a comprehensive audit of all employee monitoring tools and data collection practices
  • Review and validate the legal basis for any personal data processing activities
  • Remove or disable monitoring applications that collect excessive personal data

Policy improvements

  • Implement data minimization principles in all monitoring systems to collect only necessary business data
  • Establish clear policies distinguishing between company-owned and personal devices
  • Create transparent employee privacy notices explaining what data is collected and why

Compliance measures

  • Train managers and HR staff on GDPR requirements for employee monitoring
  • Implement regular privacy impact assessments for any new monitoring technologies
  • Establish independent oversight mechanisms to ensure monitoring practices remain proportionate