The Spanish Agency for Data Protection (AEPD) has recently imposed a hefty sanction of 70,000 euros on LVMH Iberia , a subsidiary of the French luxury cosmetics giant. This penalty was awarded for the unauthorized addition of an employee to a workplace WhatsApp group using her personal mobile number without prior consent . The details of this resolution, reported by Diario Sur , are indicative of a broader trend where companies unintentionally breach data protection laws through seemingly innocuous actions, such as group messaging.
Origin. The issue began when the employee was required to use her personal mobile for work-related tasks as she awaited the delivery of a new work phone, which, regrettably, never arrived. Other employees who had also been promised work phones reportedly received their devices quickly, creating a perception of unfairness. As the employee prepared to take her vacation, she communicated both via email and verbally her intention to withdraw from the work-related WhatsApp communications and to cease using her personal phone for work purposes. However, she indicated she would continue addressing client relationships that were already established.
<img alt="The Z generation has coined a new term for those who want to leave at their time and does not seek promotions: professional minimalism" width="375" height="142" src="https://i.blogs.es/1b9353/mushvig-niftaliyev-hqrreutbfau-unsplash/375_142.jpeg"/>Conflict. Despite the worker’s clear communication, someone from LVMH added her to the WhatsApp group without any notification. She remained in the group until several weeks later when she was mistakenly removed following her termination from the company. This prompted her to lodge a formal complaint with the AEPD, setting the stage for a significant legal confrontation over data violations .
The defense of the company. In their defense, LVMH Iberia claimed that the employee’s email did not specifically request a permanent removal from the WhatsApp groups, but merely intended to address her participation during her vacation . They contended that they respected her decision to refrain from participation during her time off and argued that the employee had expressed a willingness to continue using her personal phone for work matters—a claim that was, to say the least, contested.
The resolution. The AEPD concluded that LVMH had engaged in illegal treatment of personal data by failing to secure the employee’s prior consent, thereby violating the General Data Protection Regulation (GDPR) . Notably, the violation also encompassed the infringed right to digital disconnection , which is safeguarded by labor laws. After acknowledging their responsibility and benefiting from an agreed reduction, the company ultimately settled the fine at 42,000 euros —a significant yet lesser amount reached through negotiations with the agency.
What does legislation say. While the GDPR does not explicitly reference workplace WhatsApp groups, the AEPD has clarified that a telephone number is indeed a protected personal data element . As such, adding an employee to a messaging group without their consent constitutes a violation of data protection principles. The scenario transforms if a company provides a corporate phone; in this case, the device and its number belong to the company, allowing them to dictate usage through internal policies. For remote employees, corporate contracts may stipulate the necessity of providing contact information; however, any necessity for its use must be justified explicitly as urgent, and group additions cannot occur without the employee’s direct consent. This case underscores the fundamental right of employees to refuse the use of their personal devices for work-related communications.
Businesses must prioritize employee privacy in an increasingly digital workplace. As demonstrated by this case, even minor oversights can lead to serious legal consequences. The ongoing changes in data protection laws emphasize the importance of obtaining consent and respecting boundaries during this technology-driven era. Companies must educate their teams about these laws to avoid potential violations in the future.
Cover image | Israel Andrade and own assembly
In Xataka | The MIT has studied the impact of AI on companies. Its conclusion: only 5% of the time changes applied have truly made a difference.