OASIP SERVICIO INTEGRAL DE COMUNICACIONES S.L. – €20,000 Fine (Spain, 2021)

A data subject filed a complaint with the Spanish DPA (AEPD) for receiving unsolicited commercial calls on behalf of Vodafone. The complainant was registered on the Robinson list, an advertising exclusion system regulated in Article 23 of the Spanish Data Protection Act (LOPDGDD). The calls were carried out by the subcontractor Oasip on behalf of Vodafone. The agreement between both companies included the obligation of filtering the list of numbers against the Robinson list, to avoid making calls to the people registered. The AEPD hold that Oasip is a controller and considered them aware of the problem with filtering the phone-numbers, since it happened seven times in two months without them implementing necessary measures to prevent it from happening again. The DPA concluded that the company acted for their own benefit, and held them responsible of the infringement. Therefore, and since sending unsolicited commercial communications is forbidden by Article 48(1)(b) of the Spanish Telecommunications Act (LGT) the DPA fined the controller €20,000. The DPA also noted that it would initiate a different investigation into Vodafone in relation to the same events, in order to determine whether Vodafone had acted appropriately.