Including workers in WhatsApp groups: a risk that can be expensive

14/10/25

Including workers in WhatsApp groups: a risk that can be expensive

As various authorities and supervisory bodies have already warned, the use of personal telephone numbers of workers to integrate them into WhatsApp groups or other instant messaging applications without their express consent violates regulations on data protection and labor rights.

The Spanish Data Protection Agency (AEPD) recalls that the use of this messaging tool would only be possible if it is done using a corporate telephone number, provided by the company, and always subject to compliance with clear and transparent requirements, such as those contained in regulations and reference guides on the subject.

This data processing can create important responsibilities for the employer, not only in terms of privacy, but also in respect for the privacy and digital disconnection of workers.

It is the employer's obligation as Data Controller for the processing of workers' personal data:

1. Ensure that the use of WhatsApp or other messaging platforms has a valid legal basis and is limited to the professional sphere.

2. Clearly and specifically inform workers about the purpose, conditions and limits of the use of these channels in the company's privacy policy and internal regulations.

3. Facilitate corporate media when digital communication is required, avoiding requiring the employee's use of personal resources.

Did you know that the AEPD has already sanctioned companies for including workers without consent in WhatsApp groups with their personal number?

Do you have the worker's signed consent to include them in the company's WhatsApp group, with all the guarantees established by the regulations?

Do you know the conditions that the company must meet to be able to use this tool legally?

Do you have up-to-date internal corporate communication and digital disconnection protocols?

At TOURISM & LAW, we are at your disposal to advise you on the correct implementation of communication channels in the company, regulatory compliance with data protection and labor rights, internal policies and the prevention of possible sanctions.