Vodafone España, S.A.U. – €40,000 Fine (Spain, 2021)

€40,000Agencia Española de Protección de Datos13 October 2021Spain
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Vodafone España, S.A.U. faced a fine after a woman received phone bills meant for someone else in her email. The company failed to respond to her concerns, which led to the investigation. This case serves as a reminder for businesses to handle personal data carefully and respond to customer inquiries promptly. The fine was reduced to €40,000 due to voluntary payment.

What happened

Vodafone España, S.A.U. sent telephone bills belonging to a third party to a woman's email address without her consent.

Who was affected

The woman who received the incorrect bills was affected by the company's mishandling of personal data.

What the authority found

The Spanish DPA found that Vodafone violated GDPR rules by not ensuring the integrity and confidentiality of personal data.

Why this matters

This case underscores the need for companies to implement strong security measures and respond to customer complaints effectively. Businesses should regularly assess their data handling practices to prevent similar incidents.

GDPR Articles Cited

AI-verified

Art. 32(GDPR)
Art. 5(1)(f) GDPR
View original scraped data
Art. 5(1) f) GDPR
Art. 32(GDPR)

Original data from scraper before AI verification against source document.

Source verified 12 March 2026
national law identified
Spain enforcementAgencia Española de Protección de Datos actionsAll Vodafone España, S.A.U. actions
Full Legal Summary
Detailed

The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A woman filed a complaint against the controller based on the fact that the controller had sent telephone bills belonging to a third party to her e-mail address. After bringing this to the attention of the controller, she received no response. Thereupon, she contacted the controller by telephone in this regard. However, none of the employees were able to help her with this concern. The DPA concluded that the controller had violated the principle of integrity and confidentiality set out in Art. 5 (1) f) GDPR, and that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.

Related Enforcement Actions (20)

Other enforcement actions involving Vodafone España, S.A.U. in ES

Fine
Jan 2019· Agencia Española de Protección de Datos

The company had charged a Netflix service that had not been solicited by the claimant. The claimant could prove that the service had been used by anot...

€40K
Fine
Jan 2019· Agencia Española de Protección de Datos

Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual rela...

€21K
Fine
Jan 2019· Agencia Española de Protección de Datos

Disclosure of customer personal data (i.a. purchase history) via an SMS to another customer. The initial fine of EUR 50.000 was reduced to EUR 30.000.

€30K
Fine
Oct 2019· Agencia Española de Protección de Datos

Vodafone sent an invoice history to the subscriber as part of the invoice complaint by the subscriber. The history also contained invoice data of an u...

€60K
Fine
Oct 2019· Agencia Española de Protección de Datos

The claimant, whose data had been provided to the company by his daughter, as authorised by him, received a call from the company offering its service...

€36K
Fine
Nov 2019· Agencia Española de Protección de Datos

Vodafone has sent the customer's invoice data to unauthorised third parties following a customer invoice complaint. Originally, a fine of EUR 75,000 w...

€60K
Fine
Jan 2020· Agencia Española de Protección de Datos

The company had sent a contract with personal data, including the applicant's name, address and telephone number, to the wrong recipient.

€44K
Fine
Jan 2020· Agencia Española de Protección de Datos

Failure to provide information to the AEPD within the required timeframe in violation of Article 58

€3K
Fine
Feb 2020· Agencia Española de Protección de Datos

The fine preceded the complaint by the data subject, who argued that Vodafone España had signed a contract for the transfer of a telephone subscriptio...

€75K
Fine
Feb 2020· Agencia Española de Protección de Datos

The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name,...

€50K
Fine
Feb 2020· Agencia Española de Protección de Datos

The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España, which contained the billin...

€60K
Fine
Feb 2020· Agencia Española de Protección de Datos

The complainant had access to third party data in his personal Vodafone profile.

€42K
Fine
Feb 2020· Agencia Española de Protección de Datos

Vodafone España was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal dat...

€120K
Fine
Mar 2020· Agencia Española de Protección de Datos

According to the AEPD, the company sent two SMS to an clients mobile number informing about a rate change in its contract and confirming the purchase ...

€24K
Fine
Mar 2020· Agencia Española de Protección de Datos

According to the AEPD, the company sent an SMS to an clients mobile number confirming that a telephone contract with that number had been signed even ...

€40K
Fine
Mar 2020· Agencia Española de Protección de Datos

According to the AEPD, the company had not been able to demonstrate adequate measures to ensure information security, leading to unauthorized access t...

€42K
Fine
Mar 2020· Agencia Española de Protección de Datos

According to the AEPD, the data subject has received several SMS from a separate operator indicating the activation of a new contract. The reason for ...

€60K
Fine
Oct 2020· Agencia Española de Protección de Datos

Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts.

€36K
Fine
Nov 2020· Agencia Española de Protección de Datos

Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts. In this ca...

€30K
Fine
Nov 2020· Agencia Española de Protección de Datos

The company ported a telephone number of the data subject without their consent (missing signature on the porting contract).

€42K
Current
Oct 2021

Fine

€40K

Details

Fine Date

13 October 2021

Authority

Agencia Española de Protección de Datos

Fine Amount

€40,000

Enforcement Tracker ID

ETid-870

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Vodafone España, S.A.U. - Spain (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: