Court case SAN 487/2024 – Court Ruling (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 29 November 2023, the Spanish trade union CCOO initiated legal action against the controller concerning a collective labor dispute. In response to the pandemic, some of the controller's employees had transitioned to telecommuting arrangements. The controller proposed a telecommuting agreement, which the Workers' Legal Representation did not accept, and the negotiation ended without consensus. The controller then entered into individual agreements with the employees regulating, among other topics, the use of employees' personal devices for two-factor authentication (2FA) purposes.

The Workers' Legal Representation brought proceedings before the court seeking annulment of, among others, the clause that required employees to provide their cell phone numbers for receiving SMS messages and/or accessing applications to confirm identity during established working hours. The controller justified this requirement on cybersecurity grounds and its legitimate interest in ensuring information and system security.

The court held that the clause was void since, according to [https://www.boe.es/diario_boe/txt.php?id=BOE-A-2023-13741 Article 19.7 of the Collective Bargaining Agreement of State Scope for the Contact Center Sector], companies shall provide tools, applications, or devices, especially where a 2FA system is necessary. The controller should furnish the requisite tools and means, rather than relying on workers' personal devices. In exceptional cases and exclusively for this purpose, if the employee refuses the tool provided by the company, they may consent to use devices or tools of their own.
National Law Articles
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case SAN 487/2024 in ES
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case SAN 487/2024 - Spain (2024). Retrieved from cookiefines.eu