VODAFONE ESPAÑA, S.A.U. – €50,000 Fine (Spain, 2021)

A data subject filed a complaint with the Spanish DPA (AEPD) stating that he had received more than 250 unsolicited commercial calls from Vodafone after having exercised his right to object in 2017. The AEPD launched an investigation and discovered that Vodafone, that was determined to be the controller, was using subcontracted companies to carry out commercial activities on their behalf. They either used their own databases, or used the databases provided by Vodafone, which did not contain any exclusion list, nor was such list provided at any point in time. The AEPD first noted the fact that the data subject has exercised their right to object under Article 21 GDPR. In the same way, Article 48(1)(b) of the Spanish General Telecommunications Act grants users the right to object to undesired commercial communications. Not complying with such obligation entails a fine up to €2,000,000. The DPA concluded that Vodafone, as a controller, was responsible for the commercial activities that had been carried out on its behalf. Given that the data subject had exercised their right to object that was uncontested, and continued to receive commercial calls, the DPA determined that Vodafone had violated Article 48(1)(b) of the [https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950 Spanish General Telecommunications Act], and therefore fined Vodafone €50,000. The AEPD took into account, as aggravating circumstances: * the seriousness of the infringement * the benefit obtained by the controller through such actions * the harm caused * the continuation of the infringement during the sanctioning proceedings