Desk with a mobile phone, legal documents and a computer in a corporate digital compliance setting.

WhatsApp, SMS, Telegram, Signal or personal email accounts are often used to deal with work-related matters. For companies, that is no longer just an internal organisation issue. It can also become a legal, privacy and compliance risk.

In its judgments of 3 June 2026 in the Vivendi/Commission and Lagardère/Commission cases, the General Court of the European Union confirmed that the European Commission may, under certain conditions, request documents kept in personal tools used for professional purposes.

Therefore, the key message for companies is clear: a communication is not automatically outside the scope of an investigation simply because it is stored on a personal phone or in a private app. However, that does not mean that an authority can access employees’ or directors’ private lives without limits.

The practical conclusion: if a company allows or tolerates professional matters being handled through personal channels, it needs clear policies, protocols and criteria before a formal request arrives.

What the EU General Court decided

The case arose in the context of a European Commission investigation into a possible early implementation of a concentration between Vivendi and Lagardère.

In particular, the Commission requested certain documents and communications from specific people, for a defined period and using previously established search criteria. The request covered communications made through professional tools and also personal tools, provided that those tools had been used at least once for professional purposes.

Vivendi and Lagardère challenged those requests, arguing, among other points, that they infringed the right to respect for private life.

Ultimately, the General Court dismissed the actions.

Why personal tools used for professional purposes matter now

Importantly, the Court recognised that a request of this kind may amount to a serious interference with the right to private life. This is particularly relevant when it affects personal devices, private applications or communications that may contain information unrelated to the company’s activity.

However, the Court considered that such interference may be justified where specific conditions are met.

1. There must be a clear legal basis

The request for information must be based on a rule that allows the authority to request the documents it needs to carry out its functions. In this case, the Commission acted under its investigative powers in merger control matters.

For a company, this means that not all requests are the same. The legal basis, scope and purpose of the request should always be reviewed carefully.

2. The request must be limited

One important point in the ruling is that the request did not amount to general and indiscriminate access to all data.

According to the Court, the request was limited by several elements:

  • specific people affected;
  • a defined time period;
  • specific topics and search terms;
  • a link with a specific investigation;
  • personal tools only where they had been used for professional purposes.

This delimitation was essential for assessing the proportionality of the measure.

3. The purpose must be legitimate

In addition, the Court took into account that the investigation pursued an objective of general interest: ensuring the effective application of EU competition rules.

In other words, the authority was not seeking to investigate private life as such, but to obtain commercially relevant information to determine whether an infringement may have occurred.

This distinction matters: private data may appear incidentally, but the purpose must be linked to the investigation and not to a general review of employees’ or directors’ personal lives.

4. Safeguards are required

The Court assessed the existence of safeguards designed to protect sensitive data, confidential information and, in the specific case, journalistic sources.

For example, those safeguards included mechanisms such as separate and encrypted delivery of certain documents, identification of sensitive data and specific procedures to protect especially delicate information.

Consequently, for companies, the practical conclusion is that it is not enough to “send everything”. The response must be managed with legal, technical and documentary control.

Personal phone used in a professional context alongside company documents.

What this means for companies

The ruling does not mean that a company can freely review employees’ personal phones. Nor does it mean that any authority can request any private conversation.

But it does send a clear warning: when personal channels are used to deal with professional matters, they can generate obligations and risks for the company.

In practice, this is especially relevant for companies where directors, middle managers, commercial teams or sensitive business areas use informal channels to make decisions, coordinate operations or discuss strategic matters.

Common risks when personal and professional channels are mixed

In many cases, companies detect the problem too late, usually when there is already an investigation, an audit, an internal dispute or a request for information.

Common risks include:

  • relevant decisions being taken through channels not controlled by the company;
  • lack of clear policies on the use of personal messaging;
  • difficulty preserving or locating professional communications;
  • processing personal data without an adequate legal basis or protocol;
  • conflicts between employee privacy and the company’s legal obligations;
  • incomplete or disorganised responses to an authority.

The issue is therefore not only technological. It is legal, organisational and compliance-related.

What companies should review now

Following this ruling, companies should review how they manage professional communications in personal or informal channels.

Compliance protocol for professional communications in personal tools.

Device and application use policy

First, the company should define which channels may be used for professional communications and which should be avoided.

If the use of personal tools is allowed in certain cases, clear limits should be established: for which matters, with which security measures, for how long and under what conditions.

Information retention protocols

Communications that are relevant to business activity should not remain scattered across personal accounts or devices without control.

In addition, the company needs criteria for retention, filing, traceability and deletion, especially in risk areas such as management, corporate operations, competition, compliance, human resources and data protection.

Information and transparency with employees

If the company may need to access or request certain professional communications in a specific legal context, this should be explained in advance in a transparent and proportionate way.

For that reason, prior information for employees and directors is essential to reduce conflicts and strengthen the legitimacy of any later action.

Coordination between legal, DPO, compliance and IT

Finally, a response to an authority should not be improvised. Several functions need to be coordinated:

  • legal, to analyse the scope of the request;
  • DPO or privacy, to assess the personal data processing involved;
  • compliance, to organise the internal response;
  • IT/security, to preserve integrity, traceability and security;
  • management, to make fast and documented decisions.

What this ruling does not allow

However, it is important not to draw excessive conclusions.

The ruling does not authorise unlimited corporate control over personal devices. It does not remove the right to privacy of employees, directors or third parties. And it does not turn every private message into accessible corporate documentation.

At the same time, what it does confirm is that, under strict conditions, an authority may request professional information kept in personal tools where those tools have been used for work purposes.

Therefore, the difference lies in the context, purpose, proportionality, safeguards and delimitation of the request.

Conclusion: compliance starts before the request arrives

The main lesson for companies is not to wait until they receive a request for information to decide what to do with WhatsApp, Telegram, Signal or SMS messages used for work.

In short, the lesson is to anticipate the issue.

Ultimately, a clear communications policy, a document retention protocol and proper management of workplace privacy can make the difference between an orderly response and a much larger compliance problem.

At Auratech Legal, we help companies review their data protection policies, use of digital tools, DPO function and compliance protocols to reduce risks before they appear in an investigation or formal request.

Frequently asked questions

Can a company review an employee’s personal phone?

Not generally or indiscriminately. Any access or request must have a legal basis, a legitimate purpose, proportionality, adequate information and safeguards.

Can an authority request messages from a personal app used for work?

According to the ruling analysed, it may do so under certain conditions if the personal tool was used for professional purposes and the request is properly limited.

Does using WhatsApp for work create legal risks?

Yes. It can create issues around document retention, privacy, security, data protection and responses to investigations or formal requests.

What should a company do now?

Review communication policies, personal device use, information retention criteria and response protocols for requests from authorities.
