Vodafone España, S.AU – €60,000 Fine (Spain, 2020)

The decision is the consequence of a complaint submitted by a Spanish citizen stating he has contracted the data controller telecommunications services as a new customer, but an employee of the data controller used his information and falsified his signature in order to register into another telecommunications company (Llamaya) as if the claimant had requested his portability right; such complaint included screenshots of the text messages received by the second telecom company, as well as delivery notes by Llamaya. The data controller did not answer to any AEPD investigation requests, so the AEPD started the corresponding sanction procedure. In such procedure, the data controller alleged that the infringement was due to a illegal use of data by the employee (as the data controller effectively applied the security protocols with the consent of the claimant during the contracting of the services and, as soon as the data controller got news of the problem, it marked the as a fraud and deregister its contracting), so there would be no guilt nor intentionality by the data controller. Thus, the AEPD understood that not only there is a fraud in the contracting of the services and in using the name of the claimant without his consent, but also the data controller has infringed the lawfulness of processing principle (as it has not proved that it has even obtained the consent by the claimant for the contracting nor it carried out any due diligence in order to prove the identity of the claimant) and, after considering some aggravating circumstances [(i) the nature, severity and duration of the infringement, (ii) there is intentionality and or negligence by the data controller, (iii) personal identification data such as the name or the domicile have been affected, and (iv) the data controller has already committed other infringements], it decided to impose a fine of 60,000 € to the data controller.