Clifford Chance

The Spanish Data Protection Agency (AEPD) has issued a decision in case no. 00050-2022, shelving a complaint filed by an employee against his employer for including him in two WhatsApp groups without his consent.

The Complaint

The employee's complaint indicated that the company – a small courier company – had included him without his consent in two WhatsApp groups. The groups were used to publish information on delivery routes, the people who carried them out, the location times of vans at the end of the working day and a variety of other work-related information. Since information needed for the performance of his job was published in these groups, the employee could not leave them. All members of the groups had access to each other's information.

The Response

In response to the employee's complaint, the company stated that the use of mobile devices and their tools (in this case the WhatsApp tool) as an internal means of communication between the company and its workers was essential for their work, as it was carried out outside the workplace, and that it had not received any complaints from any workers about their inclusion in the company's WhatsApp group to date.

The company also stated that it expressly informed its workers of the use of WhatsApp as a communication channel for matters related to employment contracts, working conditions, organisation and the performance of distribution tasks. The company also indicated that it requested express authorisation to avoid conflicts or undesired situations.

The AEPD resolution

When resolving the complaint, the AEPD, looked at two issues related to the General Data Protection Regulation (GDPR): Article 6: Legitimate interest and Article 5: which sets out the principles relating to processing of personal data.

With regard to the legitimacy for the processing of the data, in accordance with the provisions of Article 6 of the GDPR, the AEPD stated in the field of labour relations, the processing of data is mainly based on the execution of the employment contract, although certain data may also be processed to comply with requirements imposed by law or a collective agreement.

It then stipulated that data processing must comply with the principles of Article 5 GDPR, especially the principle of minimisation, i.e. that the data being processed should be adequate, relevant and limited to what is necessary in relation to the purpose pursued, and the principle of confidentiality, i.e. that the data will not be accessed by persons outside the group.

It went on to conclude that:

• the data processed was the minimum necessary to organise the work carried out by the company
• that the company had informed workers of the purpose of the processing in the WhatsApp groups created
• that it had kept such groups confidential.

As a result, the AEPD decided to dismiss the complaint.

The above conclusion follows from the absence, in this case, of any evidence proving the existence of an infringement falling within the competence of the AEPD.