Spain: AEPD fines Vodafone €48,000 for GDPR violations
The Spanish data protection authority ('AEPD') issued, on 28 February 2020, a resolution ('the Resolution') in proceedings PS/00212/2019, fining Vodafone ONO, S.A.U. €48,000 for violations of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the AEPD held that Vodafone’s negligent unintentional action in assigning two individuals the same security access code resulted in violations against Article 32 of the GDPR in failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In addition, the Resolution notes that aggravating factors included, negligent unintentional action related to significant data that allow the identification of a person and the involvement of basic personal identifiers.
You can read the Resolution, only available in Spanish, here.