Vodafone España, S.A.U. – €8,150,000 Fine (Spain, 2021)

€8,150,000

Agencia Española de Protección de Datos

11 March 2021

Spain

final

Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Vodafone España was fined over 8 million euros for making marketing calls and sending messages without getting people's permission first. This is important because it shows that companies must respect people's choices about how they want to be contacted. Vodafone had been fined before, which made this penalty even bigger.

What happened

Vodafone España made advertising calls and sent messages without getting prior consent from people.

Who was affected

People who received marketing calls and messages from Vodafone España without giving their consent.

What the authority found

The Spanish DPA found that Vodafone España violated several rules by contacting people without consent and ignoring their objections.

Why this matters

This case highlights that companies must respect people's communication preferences and that repeated violations can lead to larger fines. Businesses should ensure they have proper consent mechanisms in place to avoid similar penalties.

GDPR Articles Cited

AI-verified

Art. 48(1)(b) LGT GDPR

View original scraped data

Art. 28 GDPR

Art. 24 GDPR

Art. 44 GDPR

Art. 21 LSSI

Art. 48 (1) b) LGT

Art. 21 GDPR

Art. 23 LOPDGDD

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 21 LSSI

Art. 23 LOPDGDD

Source verified 4 March 2026

articles corrected

national law identified

Spain enforcement Agencia Española de Protección de Datos actions All Vodafone España, S.A.U. actions

Full Legal Summary

Detailed

Since 2018, the Spanish DPA (AEPD) had received a total of 191 complaints against Vodafone España, S.A.U. The data subjects complained about advertising calls and messages (e-mail and SMS) made on behalf of Vodafone España as part of marketing campaigns. The contact was made without the prior consent of the data subjects and continued even after they had exercised their right to object. Furthermore, many data subjects were contacted even though their numbers were on the Robinson list. The AEPD explains that aggravatingly, it took into account that Vodafone España had regularly received fines in more than 50 cases from January 2018 to February 2020, and the fact that there had been 162 complaints received by the AEPD in just under two years. The fine is composed as follows: EUR 4 million for a breach of Art. 28 GDPR and Art. 24 GDPR; EUR 2 million for a breach of Art. 44 GDPR; EUR 150,000 for a breach of Art. 21 LSSI; and EUR 2 million for a breach of Art. 48 (1) b) LGT, Art. 21 GDPR and Art. 23 LOPDGDD.

Show full summary

Violations (1)

Cookies Placed Before Consent

critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (20)

Other enforcement actions involving Vodafone España, S.A.U. in ES

Vodafone España, S.A.U. – €8,150,000 Fine (Spain, 2021)

Violations (1)

Related Enforcement Actions (20)

Similar Cases

Details

Sources

About this data