Clifford Chance

Talking Tech

AEPD tries to clarify previous decision on inclusion of worker in company's WhatsApp groups

Data Privacy Social Media 24 February 2023

On 18 January we reported on a decision issued by the Spanish Data Protection Agency (AEPD) shelving a complaint filed by an employee against his employer for having included him in two of the company's WhatsApp groups without his consent (see our article: Spanish Data regulator shelves worker's claim against employer for inclusion without consent in two WhatsApp groups).

This decision caused quite a stir in the Spanish data protection community, primarily because the AEPD offered only brief and generic reasoning in its decision, creating doubt as to the legal basis for this type of processing. This resulted in the AEPD receiving an enquiry from the privacy sector, asking it to identify the legitimate grounds for creating WhatsApp groups in the work environment.

AEPD's response to the enquiry

In response to the enquiry, the AEPD indicated, on a preliminary basis, that the resolution of one given case – referring, we understand, to the shelving decision that led to the enquiry – does not mean that the AEPD is establishing a precedent for all similar situations that may arise in the future. Therefore, the circumstances must be assessed on a case-by-case basis.

The AEPD went on to state that, in the shelving decision, the legal basis for the processing of the data was article 6.1 GDPR, though it again failed to clearly establish which specific section of that article it was referring to. It also reiterated that the data processing in the case in question was in line with the principles of proportionality and confidentiality.

Making reference to the information set out in the FAQs on its website, it then stated that, in general:

  • The processing of the data relating to employee personal emails and telephones is not covered by the performance of the employment contract under article 6.1(b) GDPR.
  • If it is necessary for an employee to be available outside their workplace or working hours due to the nature of the services provided to the company, a more moderate and equally effective measure to enable communication between the employer and the employee would be to provide the employee with a work mobile phone (work phone).
  • It is possible for employees to provide data concerning their personal email and telephone if done on a voluntary basis after the company has obtained the consent of the employees, who may subsequently oppose such processing by exercising their right of opposition or erasure.

Thus, according to the AEPD:

  • it is necessary to distinguish between a situation where a mobile phone (work phone) is provided to an employee by an employer and one where a personal mobile phone (personal phone) is used for some work purpose. The latter case is where the data subject's consent could come into play.
  • everything should be weighed on a case-by-case basis, which means that decisions isolated from their context might lead to conclusions that are not in line with the general criteria set by the supervisory authorities.

Conclusion

The AEPD's response does not offer much in the way of explanation as to the facts and reasoning behind the decision that led to the enquiry, though it seems it can be inferred that the performance of a contract is not a legal basis for the processing of employees' data on their personal phones for the creation of company WhatsApp groups.

However, the number of disclaimers included by the AEPD in its decision is striking, when the fact is that the existence of precedents, such as the shelving decision, is relevant in the legal system, both from the perspective of the obligation to expressly state the reasons for deviating from them and from the perspective of the principles of protection of legitimate expectations and good administration.