VODAFONE ESPAÑA S.A.U. – €42,000 Fine (Spain, 2020)

On 9 July 2019, a citizen filed a complaint with the AEPD because he continued to receive emails from Vodafone regarding payments despite the existence of an Arbitration Award prohibiting him from continuing with these communications. On April 2, 2018, the Galician Institute of Consumer Affairs issued an Arbitration Award stating that Vodafone must stop issuing invoices and that the complainant had caused the definitive cancellation of any type of activated service and that Vodafone must eliminate the complainant's data from any type of database. On 25 September 2019, the claimant once again sent a letter to the AEPD stating that Vodafone continued to violate its rights by failing to comply with the arbitration award and the order of execution of the arbitration award dated 25 March 2019, issued by the Court of First Instance No. 3 of Pontevedra. On February 24, 2020, the respondent (Vodafone) stated that the measures set forth in the Arbitration Award were fully executed. Nevertheless, due to a computer error, they continued to send invoice notifications. Is it a breach of Article 6 (1) GDPR to send out invoice mails when the obligation to cease this conduct has been laid down in an Arbitration Award? The AEDP considered that the documentation provides evidence that Vodafone infringed Article 6 (1) GDPR since it processed the complainant's personal data without having any legitimacy to do so. Aggravating circumstances were taken into account when setting the amount of the penalty: -this is an unintentional but significant negligent action identified (Art. 83 (2) (b) GDPR). -basic personal affected (Art. 83 (2) (g) GDPR). -Actions previously committed, as this is not an isolated case as Vodafone had committed similar offences previously (Art. 83 (2) (e) GDPR) -The continuous nature of the infringement attributed to the defendant (Art. 76 (2) (k) LOPDGDD) For all the circumstances described, the amount of the penalty was set at € 70000.