Including workers in WhatsApp groups: a risk that can be costly

14/10/25

Including workers in WhatsApp groups: a risk that can be costly

As various authorities and control bodies have already warned, the use of workers' personal telephone numbers to integrate them into WhatsApp groups or other instant messaging applications without their express consent violates data protection and labor rights regulations.

The Spanish Data Protection Agency (AEPD) reminds that the use of this messaging tool would only be possible if it is done through a corporate telephone number, provided by the company, and always in compliance with clear and transparent requirements, such as those included in the regulations and reference guides on the subject.

This data processing can generate important responsibilities for the employer, not only in terms of privacy, but also in terms of respecting the privacy and digital disconnection of employees.

It is the obligation of the employer as the person responsible for the processing of personal data of workers:

1. Ensure that the use of WhatsApp or other messaging platforms has a valid legal basis and is limited to the professional sphere.

2. Clearly and specifically inform employees about the purpose, conditions and limits of the use of these channels in the company's privacy policy and internal regulations.

3. Facilitate corporate media when digital communication is required, avoiding imposing the use of the employee's personal resources.

Did you know that the AEPD has already sanctioned companies for including workers in WhatsApp groups with their personal numbers without their consent?

Do you have the employee's signed consent to include him/her in the company's WhatsApp group, with all the guarantees established by the regulations?

Do you know the conditions that the company must comply with to be able to use this tool legally?

Do you have updated internal corporate communication and digital disconnection protocols?

At TOURISM & LAW we are at your disposal to advise you on the correct implementation of communication channels in the company, regulatory compliance in terms of data protection and labor rights, internal policies and prevention of possible sanctions.