Awareness Lessons
3 days ago

Spanish DPA Fines Company €200K for Excessive Employee Phone Monitoring

ARES CAPITAL deployed four monitoring apps on employees' personal phones that continuously tracked location, messages, and calls without valid consent or any data minimization. The Spanish DPA (AEPD) found this violated GDPR principles: the monitoring went well beyond what the work required, employees had no genuine choice (budget constraints left them with no alternative to using their own phones), and less intrusive options were never considered. The case confirms that employers cannot launder excessive surveillance through employee "consent": under the GDPR consent must be freely given, and the power imbalance in an employment relationship means refusal is rarely a realistic option, so consent is seldom a valid legal basis for monitoring staff. The €200,000 fine shows that data protection authorities will enforce strict proportionality requirements for workplace monitoring, especially when it reaches onto personal devices.

Tactical Insight

Immediate actions

  • Conduct legal review of all employee monitoring practices with privacy counsel
  • Implement data minimization assessments for any tracking or monitoring tools
  • Establish clear policies distinguishing personal vs. company device monitoring rights

Policy improvements

  • Develop legitimate interest assessments for workplace monitoring that weigh the employer's purpose against employees' privacy and document why less intrusive alternatives (narrower data, shorter retention, company-issued devices) are insufficient
  • Where consent is relied on at all, make it transparent, revocable, and genuinely optional with no employment consequences; because of the employer-employee power imbalance, GDPR consent is rarely valid for staff monitoring, so prefer a documented legitimate interest or legal obligation basis
  • Run and periodically refresh data protection impact assessments (DPIAs) for employee monitoring technologies; systematic monitoring of individuals is a case where GDPR Article 35 expects one

Compliance measures

  • Train HR and IT teams on GDPR requirements for workplace surveillance, including the limits of consent and the data minimization principle
  • Establish data protection officer oversight of employee monitoring programs, with sign-off before any new tool is rolled out
  • Document the business necessity for any personal device monitoring, scoped to the specific data, purpose, and retention period that the justification actually supports