Spain: AEPD fines Vodafone €70,000 for processing without legal basis
On June 2, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS/00697/2022 in which it imposed a fine of €70,000, subsequently reduced to €56,000 on Vodafone Ono, S.A.U. for violations of the General Data Protection Regulation (GDPR), following a complaint submitted by an individual.
Background to the decision
The AEPD noted that the complainant claimed that Vodafone infringed Article 6(1) of the GDPR when processing the claimant's data specified in a query made to the National Association of Credit Financial Establishments (ASNEF).
Findings of the AEPD
The AEPD stated that, without prejudice to the result of the investigation, there was no indication that the processing carried out by Vodafone could be based on any of the legal bases provided in Article 6(1) of the GDPR. In particular, the AEPD explained that, based on the information provided by the claimant, processing based on Article 6(1)(a) and (f) of the GDPR could not be supported.
Specifically on Article 6(1)(f) of the GDPR, the AEPD noted that, as the claimant denied being a client of Vodafone, Article 20 of the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), which creates a presumption of the prevalence of the controller's legitimate interest, would not apply. This owes to the fact that it requires there to be a contract between the claimant and Vodafone that implied the payment of a pecuniary amount or that the claimant had requested the defendant to enter into a contract that involved financing, deferred payment, or periodic billing.
Consequently, the AEPD highlighted that, according to the declarations of the claimant, the processing could not be covered by any of the legal bases under Article 6(1) of the GDPR, and therefore violated the same.
In light of the above, the AEPD imposed a fine of €70,000, reduced to €56,000, on Vodafone.
You can read the decision, only available in Spanish, here.