VODAFONE ESPAÑA SAU – €120,000 Fine (Spain, 2020)

In January 2018, Mr A.A.A. contacted Vodafone to open an account. By mistake, his 14-year old son was subscribed for the services offered by Vodafone. Mr A.A.A. tried to rectify the data soon after the subscription. In September 2018, Mr A.A.A.'s son received a letter from Vodafone informing that his son had entered into a debt of 93,77 EUR and that, in the event of non-payment, his son would be included in the debtors' records. In the absence of payment, the reference was finally made in the debtors' records in October 2018. In February 2019, Mr A.A.A. attempted to withdraw his son from the services since the processing of his son's personal data was unlawful and lasted for 13 months. According to the AEPD, the processing was unlawful. Neither the complainant nor his son have given consent to the processing of the personal data by Vodafone. The processing has therefore violated Articles 6(1)(a) and 5(1)(a) GDPR. Moreover, the AEPD stated that apart from the unlawful processing of the complainant’s personal data Vodafone has included unduly the complainant's son's personal data in the ASNEF and DEXCUUG debtors' records. The complainant received the prior payment order giving him 10 days to remedy the alleged non-payment, but Vodafone included the complainant's personal data in the ASNEF file already one day later, and in the FIDEXCUG file 4 days later without waiting for the 10-day period granted. After conducting the investigation, the AEPD decided that Vodafone has seriously violated Articles 6(1)(a) and 5(1)(a) GDPR and the relevant provisions of the national law. The AEPD decided to impose a fine of 120,000 Eur on the Controller, VODAFONE ESPAÑA SAU.