Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines Vodafone Spain €8.15M for commercial communications failures

The Spanish data protection authority ('AEPD') announced, on 11 March 2021, its decision, in proceeding PS/00059/2020, to fine Vodafone España, S.A.U. €8.15 million for carrying out marketing and commercial prospecting actions through telephone calls and by sending electronic commercial communications through emails and SMS messages. Specifically, the decision highlights that the AEPD imposed the following fines on Vodafone:

  • €4 million for violating Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') because the data processors used by Vodafone did not provide sufficient guarantees to implement appropriate technical and organisational measures, and there was no prior written authorisation from Vodafone Spain on the technical and organisational measures employed, among others;
  • €2 million for violating Article 44 of the GDPR because it had approved an international data transfer without taking sufficient measures as required under the GDPR;
  • €150,000 for violating Article 21(1) of Law No. 34/2002, of 11 July 2002, on Information Society Services and Electronic Commerce because it had performed marketing actions using random numbers and email addresses of prospects, without cross-referencing with internal lists of individuals who had opted out of receiving direct marketing, as well as the Robinson List; and
  • €2 million for violating Article 48(1)(b) of the General Law 9/2014, of 9 May 2014, on Telecommunications, in relation to Article 21 of the GDPR and Article 23 of the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD') because it continued processing individuals' personal data through the sending of commercial communications, despite the individuals having objected to such processing.

In addition, the decision explains that, among the aggravators considered by the AEPD to impose the aforementioned fines, were, the continuous fines Vodafone Spain had received from January 2018 to February 2020, on more than 50 occasions, the fact that there had been 162 claims within just under two years as recorded by the AEPD, and the fact that approximately 200 million marketing actions through phone calls were carried out.

You can read the decision, only available in Spanish, here.