The AEPD ruled that it is valid to include employees in company WhatsApp groups without the need to obtain their consent.
On 9 January, the AEPD’s resolution was published, by virtue of which the inclusion of workers in company WhatsApp groups for work purposes was legitimised without the need to obtain their prior consent.
In this resolution, the AEPD closed a case initiated by the complaint of an employee of a delivery company who had been included in two WhatsApp groups with other members of the company without his consent. In these groups, information is provided, among other things, about the delivery routes, the people who carry them out, the timetables and the location of the vans at the end of the day.
According to the employee’s account, he does not leave the groups because all the information necessary for the performance of his work is published in the groups.
For its part, the company stated that the use of personal mobile devices and WhatsApp in this case “as a means of internal communication between the company and its workers, is essential for their work“, due to the fact that the nature of the activity (delivery and delivery of parcels), this took place outside the workplace.
Likewise, in response to the AEPD’s request for information, the company expressly informed the workers of the use of the instant messaging application as a means of professional communication, including the name, surname and telephone number of the employees.
These allegations made by the delivery company seemed sufficient for the Agency to close the case and, therefore, to consider the processing of the employees’ data under the aforementioned conditions to be legitimate, which represents a paradigm shift, as the AEPD had always been very restrictive with regard to the processing of employees’ personal telephones. The arguments put forward by the AEPD to validate the company’s conduct are summarised in just three paragraphs in the conclusions section of the resolution, which, moreover, are not free of controversy.
As for the legitimate basis for including employees in WhatsApp groups, it attributes it to article 6.1.b) RGPD, mentioning that in “employment relationships, the processing of personal data is legally based, primarily, on the performance of the employment contract, although certain data may also be processed to comply with the requirements imposed by law or by a collective agreement” The argumentation is so vague that it practically allows the processing of any personal data of an employee by the employer under the employment contract.
The next controversial point was whether the company’s actions were in breach of the principles set out in Article 5 GDPR, expressly mentioning the principle of data minimisation and the principle of confidentiality.
In this regard, the AEPD stated the following: “In the present case, the data subject to processing are the minimum necessary for the organisation of the particular work carried out by the respondent, which has informed the workers of the purpose of the processing in the WhatsApp groups created for the purpose of using this means of communication in matters related to the employment contract, working conditions, organisation and development of work tasks and distribution and maintaining confidentiality over them.”
It seems very debatable to state that the data are the “minimum necessary” and that there were no alternative means to the use of WhatsApp as a means of communication with the employees available to the company that would require the processing of less personal data, since by including the workers in the group, the personal telephone number, name and surname and, where appropriate, profile photo are already being revealed with respect to the rest of the members.
It seems reasonable to think that the company could have chosen to enable a professional email or any other instant messaging application that would not involve such a level of processing of employees’ personal data.
Finally, in case the resolution itself was not already controversial in itself, the AEPD itself published a new resolution the day after the one discussed in this article, in which it sanctioned the employer of a woman hired to carry out cleaning work and the community of owners in which she provided such services.
The reason for the sanction was the transfer of the employee’s personal data (telephone number) without her consent when she was included in a WhatsApp group to “monitor her work activity“.
We at AddVANTE – Baker Tilly will continue to monitor developments in the AEPD’s criteria.