Sharing an employee's personal telephone number without consent may result in a data protection penalty.
The use of an employee's personal data is prohibited unless there is valid consent from the individual.
In this case a female employee filed a claim against the entity where she works alleging that they had provided her personal data (including her personal cell phone number) to 18 people without her consent. But that was not all, she also claimed that the company had created an email account using her number and personal email as a recovery account without her consent.
For its part, the Respondent admitted in an e-mail that it had shared the telephone number on the understanding that it was the one it was going to use to carry out its work, alleging that the worker had not provided another means of contact to the entity and that they had not been able to locate her to coordinate the project activities. She also claimed that during the recruitment process, a protocol had been established whereby a consent form was provided to obtain consent, but that in this case it had not been returned signed and that, after the incident, the internal protocols were revised and a double-checking system was introduced.
Company fined €6,000 for sharing a private telephone number
The entity was imposed an administrative penalty of €6,000, which was later reduced to €3,600 for prompt payment, and an express order from the AEPD to review its internal processes to ensure that the use of personal data is based on a valid consent of the data subject and that, in addition, it is verifiable.
With this case we can draw a clear conclusion: even a good intention is not a lawful purpose for which personal data can be processed. You need a legal basis for it and that basis is in Article 6 of the GDPR.
