The Spanish Data Protection Agency has imposed a sanction of 48,000 euros on a contact center company that provided services for a client managed from China, after verifying the improper use of its employees' personal phones to receive work access credentials.
Collection of personal data without accredited legal basis
The investigation was initiated after a complaint related to the request for phone numbers and dates of birth from the workers during an internal training. These data were collected on a blank sheet, without offering information about the processing nor accrediting a valid legal basis. Of the 364 active employees, 203 provided their personal mobile phone to receive authentication tokens via SMS.
The company alleged that this practice was necessary to execute the employment contract and that the use of the personal mobile phone was a provisional solution. However, the AEPD has determined that there was no valid legal basis to process and communicate the personal phone for work authentication purposes, according to Article 6 of the GDPR.
Internal warnings and less intrusive alternatives
The company's Data Protection Officer had expressly warned about the unlawfulness of using personal phones for this purpose, but the organization continued with the practice. The resolution emphasizes that the execution of the contract does not justify the transfer of the personal phone number to a third party, especially when less intrusive alternatives exist, such as the use of corporate means.
"Essential is not the same as convenient, fast or cheap" - Resolution of the AEPD
The Agency also reminds that in the employment context, the consent of workers is not usually considered free if there is no real alternative for the processing of their personal data.
Resolution and economic sanction
The resolution (PS-00456/2025) concludes that the company violated the principle of lawfulness in the processing of personal data. The initial sanction of 80,000 euros has finally been reduced to 48,000 euros due to recognition of responsibility and voluntary payment.