Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD imposes €70,000 fine on Vodafone for processing without legal basis

The Spanish data protection authority ('AEPD') published, on 16 November 2021, its resolution in proceeding PS/00611/2021, as issued on 4 October 2021, in which it imposed a fine of €70,000 which was subsequently reduced to €56,000 to Vodafone España S.A.U., for violations of Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following receiving a complaint by a customer.

Background to the case

In particular, the decision states that the complaint was filed against Vodafone by a customer after a fraudulent third party brought an iPhone from Vodafone in the complainant's name, entered into an instalment plan and changed the complainant's contact details.

Moreover, the AEPD provided that the fraudster had posed as the complainant during the call and only provided the name and ID number of the complainant as proof of identity.

Findings of the AEPD

Against this background, the AEPD came to the conclusion that Vodafone had not properly verified the identity of the fraudster when signing the contract. Accordingly, the AEPD determined that the processing of the personal data of the data subject in connection with the contract had been unlawful pursuant to Article 6(1) of the GDPR.


Based on the aggravating factors, the AEPD deemed it appropriate to impose on Vodafone a penalty of €70,000, for the aforementioned violation, which was subsequently reduced to €58,000, following voluntary payment. 

You can read the decision, only available in Spanish, here.