Vodafone España, S.A.U. – €100,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Vodafone España made a marketing call to a person who had signed up to avoid such calls. The Spanish data protection authority found that Vodafone didn't properly check the list of people who opted out of commercial calls. This ruling highlights the importance of companies ensuring they respect people's choices about marketing communications.
What happened
Vodafone España called a person for commercial purposes despite them being on the Robinson list.
Who was affected
Individuals who signed up for the Robinson list to avoid commercial calls were affected.
What the authority found
The authority ruled that Vodafone failed to ensure compliance with the Robinson list, violating data protection obligations.
Why this matters
This case emphasizes that companies must actively verify opt-out lists before making marketing calls. It serves as a reminder for businesses to maintain strict control over their marketing practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject filed a complaint with the Spanish DPA (AEPD) against Vodafone as they received a phone call with commercial purposes from the company after signing up for the Robinson list. The AEPD launched an investigation and discovered that the call had been made from Xfera Móviles, who acted on behalf of Vodafone on marketing activities (as a processor, as determined by the DPA). Xfera alleged that there had been an error when filtering the phone numbers of the Robinson list. Additionally, it was proven that the agreements carried out between Vodafone and Xfera, there was no indication on how to process the data so it was in line with the Robinson list and included phone numbers were not used for commercial purposes. Firstly, the AEPD concluded that, according to Article 23(4) of the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Spanish Data Protection Act], controllers have the obligation to consult exclusion lists, such as the Robinson list, before carrying out any commercial communications, to ensure that they are effective for their purposes. Secondly, the AEPD concluded that Vodafone is undoubtedly a controller, as they determine the purposes and means of the data processing that Xfera carries out on their behalf. In this regard, the AEPD remarked that the data controller must have absolute control over the data processing operations carried out by the processor, and must not only previously check the organisational and technical means that they have implemented, but also carry out the necessary subsequent audits in order to guarantee that the rights and freedoms of data subjects in the processing operations carried out in the name and on behalf of the data controller are respected. Thus, it is a continuous obligation, that is alive during the whole duration of the agreement and data processing. Vodafone is therefore, as a controller, responsible of ensuring that the processing activities carried out by Xfera, the processor, comply with the GDP
Related Enforcement Actions (20)
Other enforcement actions involving Vodafone España, S.A.U. in ES
Fine
€100K
Details
Fine Date
17 May 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€100,000
About this data
Cite as: Cookie Fines. Vodafone España, S.A.U. - Spain (2021). Retrieved from cookiefines.eu
Last updated: