MAJOREL SP SOLUTIONS, S.A – €80,000 Fine (Spain, 2025)

€80,000 | Agencia Española de Protección de Datos | 3 December 2025 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

MAJOREL SP SOLUTIONS, S.A. (the controller) entered into an agreement with a Chinese company and a third party, under which the controller would provide customer service activities for the Spanish market. On 15 January 2024, employees were informed of the existence of the agreement. However, the general contractual terms were not provided until 6 February 2024, when the contract was already being performed, and were signed only by the HR representative. The notice stated that employees' personal data would be shared with the counterparties solely for the execution of the agreement.

During training sessions, employees were asked to write down their personal mobile phone numbers and dates of birth on a blank sheet of paper. This information was required to receive authentication credentials for accessing the Client’s platform. No specific privacy notice or additional information regarding the data transfer was provided. Some employees subsequently received SMS messages directly from the Client on their personal phones, despite having given no explicit authorization. Union representatives suggested using corporate email addresses as an alternative authentication method, but this option was rejected, as the Client required the mobile phone number as a double authentication factor.

In its response to the DPA, the data controller argued that the Client’s platform required two-factor authentication via mobile phone and that, due to the lack of corporate devices, employees’ personal phones were used on a temporary basis, despite the Data Protection Officer having advised against this practice. The DPA upheld the complaint and found an infringement of Article 6(1) GDPR. The DPA clarified that the necessity for the performance of a contract must be interpreted strictly and covers only processing that is objectively necessary, not merely useful or convenient. The DPA concluded that requiring employees to use their personal mobile phones as a double authentication factor in a

GDPR Articles Cited

Art. 6 GDPR
Art. 4(1) GDPR
Art. 4(2) GDPR
Art. 4(7) GDPR
Art. 4(8) GDPR
Art. 5(1)(a) GDPR
Art. 6(1) GDPR
Art. 6(1)(b) GDPR
Art. 58(2) GDPR
Art. 83(1) GDPR
Art. 83(2) GDPR
Art. 83(2)(a) GDPR
Art. 83(2)(b) GDPR
Art. 83(2)(g) GDPR
Art. 83(5) GDPR
Art. 83(6) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for MAJOREL SP SOLUTIONS, S.A in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 3 December 2025
Authority: Agencia Española de Protección de Datos
Fine Amount: €80,000
GDPRhub ID: gdprhub-9771

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. MAJOREL SP SOLUTIONS, S.A - Spain (2025). Retrieved from cookiefines.eu
