vodafone – €20,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Vodafone was fined for sending unsolicited marketing messages without proper consent. This is important because it shows that companies must respect users' preferences regarding marketing communications. Businesses should ensure they have clear consent before sending promotional messages to avoid penalties.
What happened
Vodafone sent unsolicited emails and SMS messages to a customer who had opted out of marketing communications.
Who was affected
A customer who opted out of receiving marketing messages was affected by this violation.
What the authority found
The Spanish DPA ruled that Vodafone violated the law by sending commercial communications without prior consent, breaching ePrivacy regulations.
Why this matters
This case highlights the importance of respecting customer preferences in marketing. Companies must ensure they have valid consent before contacting users with promotional material.
National Law Articles
Vodaphone España S.A.U (the controller), is a telecommunications company that sent 4 unsolicited emails to a data subject. The emails did not include any means to unsubscribe from electronic communications. The controller also sent 4 SMS despite the fact that the data subject had opted out of direct marketing. The data subject contacted the controller, and later filed a complaint with the DPA due to a lack of response from the controller. The controller claimed this was a one-time error that was corrected once they received the complaint. It also stated that it did not receive the complainant's letter. Furthermore, it indicated that the data subject changed preferences in the online environment and therefore consented to receiving commercial material via SMS. Finally, the data subject's email address was also listed for another customer, which is why they still received emails. The DPA found a violation of [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758#a21 Articles 21(1) and 21(2) of the ePrivacy national implementation law (LSSI)]. The DPA held that the telecommunications company violated the prohibition on sending unsolicited commercial communications without prior consent ([https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758#a21 Article 21(1) LSSI]). In the context of Article 7(1) GDPR and EDPB guidelines,EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020 (Version 1.1) margin 105. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en the controller should demonstrate consent including time, context, and the terms of consent. The controller's internal records from its own app fulfilled the conditions for this client. However, this type of internal mechanism is fully controlled by the company itself: therefore, a screenshot does not suffice as independent, verifiable evidence of consent. The controller also failed to include an unsubscribe mechanism for commercia
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for vodafone in ES
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
31 March 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€20,000
GDPRhub ID
gdprhub-9487About this data
Cite as: Cookie Fines. vodafone - Spain (2025). Retrieved from cookiefines.eu
Last updated: