

May a company require employees to use their personal mobile phone for work-related applications? Spanish Data Protection Agency (AEPD), Decision in sanctioning proceedings, file no. EXP202411411
The AEPD imposed a fine of EUR 200,000 on a company in the VTC (ride-hailing) sector for requiring its drivers to use mobile devices — whether personal or company-issued — with applications necessary for the provision of the service, after finding that these applications allowed the collection of data exceeding what was strictly necessary, including geolocation data, personal information, contacts, voice recordings, photographs, videos, and information on the employees' physical condition.
The Agency further considers that the information provided as to what data is collected, how the applications operate, and how disconnection should take place at the end of the working day was insufficient — issues that are especially sensitive where the digital tool is installed on a personal device.
The practical recommendation is to carry out, in advance, a review of the actual permissions granted to the applications, the proportionality of the data processed, the applicable legal basis, and the information provided to staff, before implementing or maintaining technological solutions linked to the performance of work, particularly where these affect personal devices or may operate outside working time.