Vodafone España, S.A.U. – €136,000 Fine (Spain, 2023)

€136,000Agencia Española de Protección de Datos15 March 2023Spain
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Vodafone España was fined for allowing unauthorized changes to a customer's account without verifying the person's identity. This matters because it highlights the importance of securing customer data and verifying requests to prevent fraud. The fine was reduced from EUR 170,000 to EUR 136,000 after Vodafone admitted responsibility.

What happened

Vodafone España allowed unauthorized changes to a customer's account without verifying the identity of the requester.

Who was affected

Vodafone customers whose accounts were accessed and altered by fraudsters.

What the authority found

The Spanish DPA found Vodafone violated GDPR by not ensuring proper identity verification before processing requests, breaching data protection rules.

Why this matters

This case underscores the need for companies to implement strong identity verification processes to protect customer data. It serves as a reminder that businesses must be vigilant about security measures to avoid similar penalties.

GDPR Articles Cited

AI-verified

Art. 32 GDPR
Art. 6(1) GDPR
View original scraped data
Art. 6 GDPR
Art. 32 GDPR

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 65.4 LOPDGDD
Source verified 6 March 2026
articles corrected
national law identified
Spain enforcementAgencia Española de Protección de Datos actionsAll Vodafone España, S.A.U. actions
Full Legal Summary
Detailed

The Spanish DPA (AEPD) has imposed a fine on Vodafone España, S.A.U. A data subject had filed a complaint against the data controller as unauthorized fraudsters managed to access their Vodafone account and make changes to their contract. During its investigation, the DPA found that Vodafone had carried out the changes without verifying the identity of the person requesting them and determining whether they were actually requested by the data subject. The original fine of EUR 170,000 was reduced to EUR 136,000 due to voluntary payment and admission of responsibility.

Related Enforcement Actions (20)

Other enforcement actions involving Vodafone España, S.A.U. in ES

Fine
Jan 2019· Agencia Española de Protección de Datos

Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual rela...

€21K
Fine
Oct 2019· Agencia Española de Protección de Datos

The claimant, whose data had been provided to the company by his daughter, as authorised by him, received a call from the company offering its service...

€36K
Fine
Jan 2020· Agencia Española de Protección de Datos

The company had sent a contract with personal data, including the applicant's name, address and telephone number, to the wrong recipient.

€44K
Fine
Feb 2020· Agencia Española de Protección de Datos

The fine preceded the complaint by the data subject, who argued that Vodafone España had signed a contract for the transfer of a telephone subscriptio...

€75K
Fine
Mar 2020· Agencia Española de Protección de Datos

According to the AEPD, the company sent two SMS to an clients mobile number informing about a rate change in its contract and confirming the purchase ...

€24K
Fine
Jan 2021· Agencia Española de Protección de Datos

The data subject had concluded a contract with the controller (Vodafone España, S.A.U.). However, the products provided under this contract were not d...

€54K
Fine
Feb 2021· Agencia Española de Protección de Datos

The claimant complained to the Spanish DPA (AEPD) that he/she was still receiving invoicing emails from Vodafone España, S.A.U. despite no longer bein...

€120K
Fine
Mar 2021· Agencia Española de Protección de Datos

Since 2018, the Spanish DPA (AEPD) had received a total of 191 complaints against Vodafone España, S.A.U. The data subjects complained about advertisi...

€8.2M
Fine
Mar 2021· Agencia Española de Protección de Datos

The Spanish DPA (AEPD) imposed a fine of EUR 60,000 on Vodafone Spain. The data subject had been a customer of the controller several years ago. After...

€60K
Fine
Apr 2021· Agencia Española de Protección de Datos

The Spanish DPA (AEPD) has imposed a fine of EUR 150,000 on Vodafone España S.A.U.. Three data subjects had filed complaints with the AEPD against the...

€90K
Fine
May 2021· Agencia Española de Protección de Datos

A data subject filed a complaint with the Spanish DPA (AEPD) against Vodafone as they received a phone call with commercial purposes from the company ...

€100K
Fine
May 2021· Agencia Española de Protección de Datos

Failure to provide information to the Spanish DPA (AEPD) within the required timeframe in violation of Art. 58 GDPR. The original fine of EUR 5,000 wa...

€3K
Fine
Aug 2021· Agencia Española de Protección de Datos

The Spanish DPA (AEPD) has imposed a fine on Vodafone España, S.A.U.. A data subject had filed a complaint with the DPA against the controller for fai...

€96K
Fine
Sept 2021· Agencia Española de Protección de Datos

The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for insufficient legal basis for data processing. The data subject stated that two te...

€40K
Fine
Oct 2021· Agencia Española de Protección de Datos

The case involved unsolicited promotional emails sent without consent, not related to cookies or consent banners.

€70K
Fine
Oct 2021· Agencia Española de Protección de Datos

The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. due to insufficient legal basis for data processing. The data subject had filed a com...

€64K
Fine
Feb 2022· Agencia Española de Protección de Datos

The Spanish DPA has fined Vodafone España, S.A.U. EUR 3.94 million. Nine Vodafone customers had filed complaints with the DPA. In the course of its in...

€3.9M
Fine
May 2022· Agencia Española de Protección de Datos

The Spanish DPA (AEPD) has imposed a fine on Vodafone España S.A.U.. A data subjects had filed a complaint with the AEPD against the controller. The d...

€42K
Current
Mar 2023

Fine

€136K

Fine
Apr 2023· Agencia Española de Protección de Datos

The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate o...

€112K
Fine
Sept 2023· Agencia Española de Protección de Datos

The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate o...

€80K

Details

Fine Date

15 March 2023

Authority

Agencia Española de Protección de Datos

Fine Amount

€136,000

Enforcement Tracker ID

ETid-1695

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Vodafone España, S.A.U. - Spain (2023). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: