AN - SAN 487/2024

From GDPRhub
AN - SAN 487/2024
Courts logo1.png
Court: AN (Spain)
Jurisdiction: Spain
Relevant Law:
19.7 III Convenio colectivo de ámbito estatal del sector de contact center
Decided: 05.02.2024
National Case Number/Name: SAN 487/2024
European Case Law Identifier: ECLI:ES:AN:2024:487
Appeal from:
Appeal to: Not appealed
Original Language(s): Spanish
Original Source: CENDOJ (in Spanish)
Initial Contributor: Teresa.lopez

A court held that an employer cannot process their employees’ personal phone numbers for 2-factor authentication purposes, as Spanish law imposes on the controller an obligation to provide working devices for the said purpose.

English Summary


On 29 November 2023, the Spanish trade union CCOO initiated legal action against the controller concerning a collective labor dispute.

In response to the pandemic, some employees of the controller transitioned to telecommuting arrangements. The controller proposed a telecommuting agreement, which the Workers' Legal Representation did not accept, ending the negotiation process without consensus. The controller then entered into individual agreements with the employees regulating, among other topics, the use of personal devices of employees for 2-factor authentication purposes (2FA).

The Worker’s Legal Representation brought proceedings before the court seeking annulment, among others, of the clause that mandated the employees to provide their cell phone numbers for receiving SMS messages and/or accessing applications to confirm identity during established working hours. The controller justified this requirement based on cybersecurity reasons and their legitimate interest in ensuring information and system security.


The court held that the clause was void since, according to Article 19.7 of the Collective Bargaining Agreement of State Scope for the Contact Center Sector, companies shall provide tools, applications, or devices especially in the event where a 2FA system is necessary. The controller should furnish the requisite tools and means, rather than relying on workers' personal devices. In exceptional cases and exclusively for this purpose, if the employee refuses the tool provided by the company, they may consent to use devices or tools of their own.


”Legitimate interest” to which the controller refers to process personal phone numbers seems to be legitimate interest under Article 6(1)(f) GDPR – in particular, guarantee security measures linked to Article 32 GDPR. However, Spanish national law, due to the opening clause under Article 88 GDPR, sets specific rules conflicting with the controller’s practice.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database may consult the documents as long as they do so for their own personal use. The use of the database for commercial uses, nor the massive downloading of information, is not permitted. The reuse of this information for the creation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may give rise to the adoption of appropriate legal measures.