ARES CAPITAL, S.A. – €200,000 Fine (Spain, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
ARES CAPITAL, S.A. was fined for forcing employees to use apps that tracked their activity without proper limits. This matters because it highlights the importance of respecting privacy when using personal devices for work. Companies should ensure that any monitoring is necessary and transparent to their employees.
What happened
ARES CAPITAL, S.A. required employees to use apps that continuously monitored their location, messages, and calls without proper limitations.
Who was affected
Employees who were required to use the monitoring apps, whether on company or personal phones, were affected.
What the authority found
The Spanish Data Protection Authority found that ARES CAPITAL did not limit data processing to what was necessary, violating GDPR's requirement for data minimization.
Why this matters
This ruling emphasizes that companies must be careful about how they monitor employees, especially when using personal devices. It sets a precedent for ensuring that employee privacy is respected in the workplace.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
ARES CAPITAL, S.A. (the controller) is a company that offers transport services. In 2024, a data subject brought a complaint to the DPA. According to the data subject, the controller obliged the data subject to use four apps that continuously monitored their activity, including their location, messages and calls. These apps were used regardless of whether the data subjects used company phones or their personal phones for work related purposes. The controller claimed that data subjects had the choice of using company or personal phones. However, it also admitted that the availability of company phones was subject to budgetary restrictions, and that it encouraged data subjects to use their personal phones. The controller argued that data subjects were informed of the data processing through the mandatory apps. In addition, the controller argued that the processing was lawful as an essential part of the employment contract with the data subjects. Finally, the controller argued that the apps ceased processing data subjects’ data once they closed the apps. During its investigations, the DPA found that the apps processed data constantly. Two apps contained permissions to process additional data, such as location, information on the physical status of the data subject and photos and videos. The DPA found a violation of Article 5(1)(c) GDPR. The DPA stated any app used in personal phones for work-related purposes must limit their data processing activities to those that are strictly necessary. The DPA found that the apps did not comply with this requirement, and therefore the controller did not comply with the principle of data minimisation. The DPA referred to case law from the Spanish High Court,See SAN 136/2019 de 6 de febrero de 2019 (p. 15), ECLI:ES:AN:2019:136 https://www.poderjudicial.es/search/AN/openDocument/8ed60e51766c4e3e/20190219 in which the court highlighted that such measures to track employees were not proportionate and the company’s objectives could be
Related Enforcement Actions (0)
No other enforcement actions found for ARES CAPITAL, S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
14 April 2026
Authority
Agencia Española de Protección de Datos
Fine Amount
€200,000
GDPRhub ID
gdprhub-9940About this data
Cite as: Cookie Fines. ARES CAPITAL, S.A. - Spain (2026). Retrieved from cookiefines.eu
Last updated: