XFERA MÓVILES – €60,000 Fine (Spain, 2020)

Ms Y subscribed a contract with Xfera Moviles for the provision of an internet connection. After a few months, the company interrupts the service. Following a phone request, Ms Y learned that she was no longer a party to the contract. In fact, although she was still paying for it, the service was being provided to another person, who had requested such change few weeks earlier. Notwithstanding the clear incongruence of the information provided by the third party, Xfera operators accepted the request, changed the contract without Ms Y's consent and sent invoices to the new billing address. Moreover, such invoices still contained details of Ms Y, such as email address and bank account, which she had never agreed to disclose.= According to the AEPD, the controller violated Art. 6(1)(a) GDPR. The data subject had never authorized, amongst the others, the contractual changes, the linking of her data with a new name and the disclosure of such information. On that subject, the Agency refers to a long-established, consistent national case-law which requires the controller to prove the existence of a consent in case it intends to use it for justifying a processing operation. In the present case, such proof was missing and the company was found responsible of a violation of Art. 6 GDPR.