Vodafone ESPAÑA, S.A.U. – €30,000 Fine (Spain, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Vodafone España was fined for sending a payment request for a contract that the complainant did not authorize. This is important because it emphasizes the need for companies to verify the identity of their customers before processing any transactions. Small businesses should implement better security measures to prevent unauthorized access to customer accounts.
What happened
Vodafone sent an SMS requesting payment for a contract that was not authorized by the complainant.
Who was affected
The complainant, who received an SMS for a fraudulent contract he did not recognize.
What the authority found
The Spanish DPA found that Vodafone processed the complainant's personal data without taking necessary precautions to verify the contracting party.
Why this matters
This ruling highlights the importance of customer verification in preventing fraud. Small businesses should enhance their security protocols to protect customer data.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The complainant filed a complaint with the Spanish DPA in May 2019 because Vodafone had requested from the complainant payment of a bill for a contract made without the complainant's consent. The request was made via SMS. The complainant subsequently visited the Vodafone store to get the receipt for this debt, even though the address and bank account on the bill were not his.
Vodafone informed the Spanish DPA that it had sent a letter to the claimant indicating that it had taken action to resolve the issue and apologised. The letter stated that it had now classified the service referred to in the SMS as fraudulent and erased any outstanding debt from the complainant's patrimonial solvency folder. It also stated that, after internal investigations by Vodafone, it became clear that although the contract was in fact correct, it had not been made by the complainant. The contracted service seemed correct since it had passed Vodafone's security procedure. All services made in the name of the claimant that he did not recognise as valid were classified as fraud.
Vodafone told the Spanish DPA that the fraudulent contract was made through Vodafone's Online Shop in accordance with the security policy. All access details were correctly entered to create and access an online profile in the client section. Vodafone therefore told the agency that it was difficult to determine whether the third party was authorised to access the account from which the bill was sent and whether the access to the personal data was lawful. Vodafone stated that it was not made aware of the fraudulent action until the complainant filed a complaint.
Did Vodafone violate Article 6(1) GDPR by sending an SMS asking for the payment of a fraudulent contract to the complainant?
The Spanish DPA held that it was proven that Vodafone had processed the claimant's personal data. Vodafone did not take necessary precautions to authenticate the contracting party. Vodafo
Related Enforcement Actions (0)
No other enforcement actions found for Vodafone ESPAÑA, S.A.U. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
28 October 2020
Authority
Agencia Española de Protección de Datos
Fine Amount
€30,000
GDPRhub ID
gdprhub-2867
About this data
Cite as: Cookie Fines. Vodafone ESPAÑA, S.A.U. - Spain (2020). Retrieved from cookiefines.eu