Vodafone – €10,000 Fine (Greece, 2023)

After requesting the provision of mobile telephony service to Vodafone (the controller), the data subject received a package with product samples at home. The package was sent by one of the controller's partner advertising company. Dissatisfied, the data subject filed a complaint with the DPA, claiming that they had explicitly opposed the use of their personal data for advertising purposes. In response, the controller argued that the package was not sent for advertising purposes, but rather as an additional service to the mobile telephony requested by the data subject. According to the controller, the purpose of this extra service would be to reward new customers, who receive gifts regardless of their preferences in terms of promotions. In addition, the controller alleged that its customers are informed about this extra service through banner on its website. The DPA dismissed the controller's allegations and held that the transfer of personal data to the partner company had advertising purposes. It highlighted that consumers, when providing their personal data to contract a telephone service, do not expect that such data will be used for other purposes. In the case under analysis, such an expectation was explicitly expressed, as the data subject opposed the use of his data for advertising purposes. For this reason, the DPA found a violation of the principle of lawfulness, fairness and transparency established in Article 5(1)(a) GDPR. Moreover, the DPA found a violation of Article 13 GDPR, since the controller did not correctly inform data subjects that the simple request for a telephone service would imply the contracting of additional services. As part of the exercise of its powers, the DPA imposed a fine of €10,000 on the data controller and ordered it to adapt its practice accordingly.