Vodafone España, S.A.U. – €56,000 Fine (Spain, 2021)

€56,000Agencia Española de Protección de Datos14 September 2021Spain
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Vodafone España, S.A.U. was fined after mistakenly sharing another customer's contract details with a person who requested their own contract. This breach of confidentiality shows that companies must handle personal information carefully. It serves as a reminder for businesses to ensure they have proper security measures in place.

What happened

Vodafone shared a commercial contract of another customer with a person who requested their own contract.

Who was affected

The individual who requested their contract and received another customer's private information.

What the authority found

The Spanish data protection authority found that Vodafone violated GDPR by failing to protect personal data and not having adequate security measures.

Why this matters

This case highlights the need for companies to implement strict data protection practices to prevent unauthorized access to personal information. Businesses should regularly review their data handling procedures.

GDPR Articles Cited

AI-verified

Art. 6(1) GDPR
View original scraped data
Art. 6(1) GDPR

Original data from scraper before AI verification against source document.

Source verified 12 March 2026
national law identified
Spain enforcementAgencia Española de Protección de Datos actionsAll Vodafone España, S.A.U. actions
Full Legal Summary
Detailed

The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for insufficient legal basis for data processing. The data subject stated that he received a call from Vodafone in which the latter requested him to pay for three telephone lines. In the call, he explained to Vodafone that the said lines had neither been ordered nor authorized by him, so he asked to send him the invoices. On the invoices, the data subject recognized that the telephone and account numbers did not match its own. During its investigation, the DPA found that an unauthorized third party had concluded the contracts for the lines in the name of the data subject. In addition, the DPA found that Vodafone failed to verify the identity of the person who concluded the contract and to take the necessary precautions to ensure that these incidents do not occur. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.

Related Enforcement Actions (20)

Other enforcement actions involving Vodafone España, S.A.U. in ES

Fine
Jan 2019· Agencia Española de Protección de Datos

The company had charged a Netflix service that had not been solicited by the claimant. The claimant could prove that the service had been used by anot...

€40K
Fine
Jan 2019· Agencia Española de Protección de Datos

Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual rela...

€21K
Fine
Jan 2019· Agencia Española de Protección de Datos

Disclosure of customer personal data (i.a. purchase history) via an SMS to another customer. The initial fine of EUR 50.000 was reduced to EUR 30.000.

€30K
Fine
Oct 2019· Agencia Española de Protección de Datos

Vodafone sent an invoice history to the subscriber as part of the invoice complaint by the subscriber. The history also contained invoice data of an u...

€60K
Fine
Oct 2019· Agencia Española de Protección de Datos

The claimant, whose data had been provided to the company by his daughter, as authorised by him, received a call from the company offering its service...

€36K
Fine
Nov 2019· Agencia Española de Protección de Datos

Vodafone has sent the customer's invoice data to unauthorised third parties following a customer invoice complaint. Originally, a fine of EUR 75,000 w...

€60K
Fine
Jan 2020· Agencia Española de Protección de Datos

The company had sent a contract with personal data, including the applicant's name, address and telephone number, to the wrong recipient.

€44K
Fine
Jan 2020· Agencia Española de Protección de Datos

Failure to provide information to the AEPD within the required timeframe in violation of Article 58

€3K
Fine
Feb 2020· Agencia Española de Protección de Datos

The data subject, a former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual ...

€75K
Fine
Feb 2020· Agencia Española de Protección de Datos

The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name,...

€50K
Fine
Feb 2020· Agencia Española de Protección de Datos

The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España, which contained the billin...

€60K
Fine
Feb 2020· Agencia Española de Protección de Datos

The complainant had access to third party data in his personal Vodafone profile.

€42K
Fine
Feb 2020· Agencia Española de Protección de Datos

Vodafone España was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal dat...

€120K
Fine
Mar 2020· Agencia Española de Protección de Datos

According to the AEPD, the company sent two SMS to an clients mobile number informing about a rate change in its contract and confirming the purchase ...

€24K
Fine
Mar 2020· Agencia Española de Protección de Datos

According to the AEPD, the company sent an SMS to an clients mobile number confirming that a telephone contract with that number had been signed even ...

€40K
Fine
Mar 2020· Agencia Española de Protección de Datos

According to the AEPD, the company had not been able to demonstrate adequate measures to ensure information security, leading to unauthorized access t...

€42K
Fine
Mar 2020· Agencia Española de Protección de Datos

According to the AEPD, the data subject has received several SMS from a separate operator indicating the activation of a new contract. The reason for ...

€60K
Fine
Oct 2020· Agencia Española de Protección de Datos

Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts.

€36K
Fine
Nov 2020· Agencia Española de Protección de Datos

Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts. In this ca...

€30K
Fine
Nov 2020· Agencia Española de Protección de Datos

The company ported a telephone number of the data subject without their consent (missing signature on the porting contract).

€42K
Current
Sept 2021

Fine

€56K

Details

Fine Date

14 September 2021

Authority

Agencia Española de Protección de Datos

Fine Amount

€56,000

Enforcement Tracker ID

ETid-853

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Vodafone España, S.A.U. - Spain (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: