TELEFÓNICA MÓVILES ESPAÑA, S.A.U. – €75,000 Fine (Spain, 2021)

A data subject filed a complaint with the Spanish DPA (AEPD) stating that Telefonica – a telecommunications company – was still using their phone number and accessing their records to do trials in their call centres and shops. The data subject claimed that the controller had called them 247 calls in a span of two days, even after the controller had assured in previous proceedings that it had implemented adequate measures to prevent this from happening. The data subject continued to receive such calls after filing the complaint from a different number. The data subject had exercised their right to object in 2017, what was confirmed by the controller in a letter that stated that they had taken adequate measures to prevent it. The Spanish DPA concluded that the controller had violated Article 6 GDPR, as it had processed the personal data of the data subject without their consent, after they objected to such processing. The controller acknowledged the facts and stated that they were implementing measures to prevent it from happening in the future. The AEPD noted, however, that the controller had still made calls to the data subject after they filed the complaint. The DPA took into account the recidivism, as well as the continuous nature of the infringement, the basic categories of personal data affected, and the link between the infringement and its business core activity as aggravating factors. Following this, the DPA fined Telefonica €75,000, that were reduced to €45,000 for acknowledgement of responsibility and early payment.