Vodafone Spain – €50,000 Fine (Spain, 2021)

€50,000Agencia Española de Protección de Datos14 September 2021Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Vodafone Spain was fined €50,000 for not verifying the identity of a person who fraudulently signed up for mobile lines using someone else's data. This matters because it highlights the importance of companies ensuring they have the right person's consent before processing their data.

What happened

Vodafone Spain processed personal data for mobile lines without verifying the identity of the person who signed up.

Who was affected

A person whose personal data was used without consent to sign up for mobile phone lines.

What the authority found

The Spanish data protection authority found Vodafone Spain failed to verify the identity of the contracting party, violating GDPR's requirement for a valid legal basis.

Why this matters

This case underscores the need for businesses to verify customer identities before processing their data. It serves as a reminder that companies must ensure they have a legitimate reason to use personal data, especially in cases of potential fraud.

GDPR Articles Cited

Art. 6(1) GDPR
Art. 83 GDPR
Art. 58(2) GDPR

National Law Articles

Article 65(4) LOPDGDD
Spain enforcementAgencia Española de Protección de Datos actionsAll Vodafone Spain actions
Full Legal Summary
Detailed

The complainant noticed a Vodafone charge on his bank account for the use of two mobile phone line. As he had not entered into any contracts with the company, he complained to the Police in Seville and the Consumers and Users Organisation. The company investigated the charges once they received the complaint. It found them to be fraudulent and disconnected the lines. It also cancelled the complainant's existing debt in its systems. The AEPD held that the complainant's personal data were "incorporated into the company's information systems, without him having accredited that he had legitimately contracted, had legitimacy for the collection and subsequent processing of his personal data, or that there was any other cause that would make the processing carried out lawful". It argued Vodafone Spain failed to perform the required due diligence to verify the contracting party was who they claimed to be, notably because the fraudulent contract that was established was unsigned and contained incorrect information (e.g. address, date of birth). It then assessed the degree of responsibility that should be attributed to Vodafone Spain for this breach, and found a clear link between the company's business practices and the breach. It nonetheless took into account that the company reacted with the necessary urgency to remedy the incident as a mitigating factor. Therefore, it fined the company €50,000.

Related Enforcement Actions (2)

Other enforcement actions involving Vodafone Spain in ES

Current
Sept 2021

Fine

€50K

Fine
Oct 2021· Agencia Española de Protección de Datos

An individual repeatedly received emails containing Vodafone invoices belonging to a third party. They tried reaching out to the company by email and ...

€40K
Fine
May 2024· Agencia Española de Protección de Datos

On the 14 December 2022, the data subject filed a complaint against Vodafone Spain with the Spanish DPA (AEPD). The data subject alleged that a third ...

€200K

Details

Fine Date

14 September 2021

Authority

Agencia Española de Protección de Datos

Fine Amount

€50,000

GDPRhub ID

gdprhub-4026

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Vodafone Spain - Spain (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: