A Spanish employee decided to temporarily leave WhatsApp work groups during her vacation, but ended up being re-added by the company without authorization. The case ended up in court and ended with a heavy fine for the employer, for violating the General Data Protection Regulation (GDPR) and the right to digital disconnection at work.
According to the Spanish newspaper El Confidencial, the story began when the employee sent an email announcing that she would temporarily deactivate her work communications, refusing to use her personal cell phone for professional matters. He would only remain contactable in exceptional situations, related to specific clients or emergencies.
Despite the warning, a few days later she was added to the company’s WhatsApp group again, without having been informed or given her consent. The forced return to the group lasted until his subsequent expulsion from the company, at which point he decided to file a complaint with the Spanish Data Protection Agency (AEPD).
A clear violation of privacy
The AEPD analyzed the case and concluded that the company had violated the General Data Protection Regulation (GDPR), by having used the worker’s personal data, namely her mobile phone number, without valid consent.
According to the entity, re-addition to the group represented an improper use of its data and a direct infringement of the right to digital disconnection, recognized in Spain as an integral part of labor rights and the reconciliation of personal and professional life.
The company, in turn, claimed that it had acted in good faith and that there was no breach of privacy, since the worker never formalized the request for temporary removal. However, the argument did not convince the data protection authority.
Reference to a previous case
In justifying the decision that generated the fine, the AEPD cited a 2015 decision by the Spanish Supreme Court, which invalidated a contractual clause requiring workers to provide personal data, such as mobile phone numbers or email addresses, without explicit consent.
The agency considered that the current case fit the same principle: the use of personal information for work purposes cannot be imposed or presumed, even in seemingly harmless contexts, such as corporate message groups.
Based on this case law, the AEPD determined that the company had infringed two fundamental rights: data privacy and disconnection outside working hours.
Fine of 42 thousand euros
Initially, the fine imposed amounted to 70 thousand euros, but the amount ended up being reduced to 42 thousand, after the company recognized the infraction and cooperated with the investigation. The reduction followed the mitigation criterion provided for by European regulation, which allows adjustments through the admission of guilt and the adoption of corrective measures.
The employer also committed to reviewing its internal communication policies and implementing a clear protocol on the use of instant messaging applications in the workplace.
The right to digital disconnection
This case reignited the debate about the right of workers to completely disconnect from professional duties during the rest period. In both Spain and Portugal, this principle is legally recognized and aims to protect the mental health and personal balance of workers.
In Portugal, the Labor Code establishes that the employer must respect the employee’s rest time and refrain from contacting them outside working hours, except in situations of force majeure. Constant communication, even through digital means, can be considered a form of workplace harassment.
It is also likely that future decisions in Portugal may be inspired by this EDPS precedent, given the common framework of the European Union’s General Data Protection Regulation.
Boundaries between personal and professional life
Labor law experts warn that the popularization of platforms such as WhatsApp or Telegram has led many companies to exceed the limits of employees’ personal sphere. “The fact that the tool is informal does not mean that the employment relationship is informal too”, explains Spanish lawyer Marta Villanueva, quoted by the Spanish newspaper.
According to the lawyer, “any use of personal data outside the strictly professional context requires prior and explicit consent”, which includes a private telephone number or a social network profile.
An important precedent
For the AEPD, the case serves as a warning to all companies that use messaging groups to coordinate teams. Consent must be free and informed, and the worker can choose not to participate in these groups without suffering reprisals.
In addition to the fine, the decision has pedagogical value: it reinforces the importance of separating personal channels from professional ones and forces companies to review practices that have become commonplace with the accelerated digitalization of work.
In subsequent statements, the regulatory entity stated that it intends to continue monitoring compliance with the GDPR in the employment context and that similar cases are under analysis.
Also read:
