Vodafone Spain – €40,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Vodafone Spain was fined €40,000 for sending a woman invoices meant for someone else and failing to address her complaints. The Spanish DPA found that Vodafone mishandled personal data by not safeguarding it properly. This case highlights the importance of ensuring data accuracy and responding promptly to customer issues.
What happened
Vodafone Spain sent invoices to the wrong email address and failed to resolve the issue after being notified.
Who was affected
A woman who received invoices meant for another Vodafone customer.
What the authority found
The Spanish DPA ruled that Vodafone Spain unlawfully processed personal data by not securing it adequately, violating GDPR's integrity and confidentiality principles.
Why this matters
This fine emphasizes the need for companies to maintain accurate data records and respond effectively to customer complaints. It highlights the risk of penalties for negligent data handling and the importance of implementing strong data protection measures.
GDPR Articles Cited
An individual repeatedly received emails containing Vodafone invoices belonging to a third party. They tried to reach the company by email and telephone to resolve the issue, but were never properly helped, so they filed a complaint with the Spanish DPA (AEPD), which informed Vodafone of the issue.
The company assured the DPA that it had both dealt with the problem and communicated the resolution to the complainant. The complainant nonetheless kept receiving invoices. The DPA communicated this to the company, which then provided evidence that the complainant's email address had been deleted from its systems. It claimed the problem was caused by the customer for whom the invoices were actually intended, who had entered the complainant's email address instead of their own.
The Spanish DPA held that Vodafone Spain unlawfully processed the complainant's personal data, as the company had no lawful basis to send them invoices belonging to one of its customers. It found this to constitute a severe and negligent violation (Article 83(2)(a) and (b) GDPR) of Articles 5(1)(f) and 32 GDPR, as the complainant's data was neither processed with integrity and confidentiality nor appropriately safeguarded.
It originally imposed a fine of €30,000 for the violation of Article 5(1)(f) GDPR and €20,000 for the violation of Article 32 GDPR, but this was reduced to a total fine of €40,000 because Vodafone Spain made use of a reduction procedure proposed by the DPA.
Details
Fine Date
13 October 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€40,000
GDPRhub ID
gdprhub-4254
Cite as: Cookie Fines. Vodafone Spain - Spain (2021). Retrieved from cookiefines.eu