Vodafone España, S.A.U A.A.A. – €100,000 Fine (Spain, 2019)

The complainant filed a complaint against Vodafone España, S.A.U. (respondent) with the Spanish Data Protection Agency (AEPD) on 16 May 2019. On 20 February 2019 the complainant received an email with an invoice for an alleged contracted telephone line from Vodafone España, S.A.U. Despite the efforts to clarify the situation, the claimant had not received a response from the respondent. In view of the facts denounced in the complaint and the documents provided by the complainant, the AEPD initiated an investigation pursuant to Article 57(1) GDPR to clarify the facts. Th AEPD has transferred the complaint to the respondent, but the latter had not responded to the requests. As a result of the investigation, the AEPD found that that the person responsible for the processing is the one who is being claimed. According to the documentation in the file, the AEPD decided that Vodafone España, S.A.U. processed the personal data of the claimant without their consent. The claimant's personal data were recorded in the files and were treated for the issuance of invoices for services associated with the person claimed. When making a decision in this case, the AEPD considered the following aggravating factors: - the present case is dealing with an unintentional negligent action, but was identified as significant (Article 83(2)(b) GDPR). - basic personal identifiers were affected (name, identification number, the line identifier) (Article 83(2)(g) GDPR). The fine was therefore set to the amount of 100.000 euros for the infringement of Article 6(1) GDPR.