AEPD (Spain) - PS-00456-2025

Holding === Holding ====== Holding === The DPA upheld the complaint and found an infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]]. The Authority clarified that the necessity for the performance of a contract must be interpreted strictly and covers only processing that is objectively necessary, not merely useful or convenient.The DPA upheld the complaint and found an infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]]. The DPA clarified that the necessity for the performance of a contract must be interpreted strictly and covers only processing that is objectively necessary, not merely useful or convenient. The Authority concluded that requiring employees to use their personal mobile phones as a double authentication factor in an employment relationship is unlawful, a position previously confirmed by the Spanish National Court (SAN 487/2024 ECLI:ES:AN2024:847). Employers should had been required to provide the necessary work tools and could not rely on employees’ personal device