Vodafone España, S.A.U – €36,000 Fine (Spain, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Vodafone España was fined for processing a customer's personal data without a valid contract, as someone impersonated the customer to create an account. This case is important because it shows companies must verify identities before processing personal data.
What happened
Vodafone processed personal data for a contract created by someone impersonating the complainant.
Who was affected
The person whose identity was used without consent to create a contract with Vodafone.
What the authority found
The Spanish data protection authority ruled that Vodafone lacked a valid legal basis for processing the complainant's data, violating GDPR's requirements.
Why this matters
This decision emphasizes the need for companies to implement strong identity verification processes to prevent unauthorized data processing and protect customer information.
GDPR Articles Cited
The complainant filed a complaint before the Spanish DPA (AEPD) against Vodafone España, S.A.U. The complaint was based on the fact that a contract was concluded with Vodafone by someone impersonating the complainant. The contract bills were in her name but the address and bank account were not hers. The contract with Vodafone did not have the claimant's signature. However, when the bills were left unpaid, Vodafone assigned a debt in the claimant's name.
Once aware of this alleged debt, the complainant notified Vodafone's Customer Service of the potential error. Vodafone was also warned by the OMIC (consumer association) that the complainant had alleged (to OMIC) that this could be a case of identity theft.
Does the creation of a contract in the complainant's name, despite it being initiated by a third party, breach Article 6(1) GDPR?
The Spanish DPA (AEPD) referred to the principle of lawfulness, fairness and transparency (Article 5(1)(a)), as well as Article 6(1) on the obligation to process data with a legal basis. With these Articles in mind, the DPA held that Vodafone processed the complainant's personal data (name, surname and NIF) without taking necessary measures to ensure the legitimacy of the contract. The contract in question was not signed by the claimant. There was therefore no legal basis for the processing, in violation of Article 6(1) GDPR.
The DPA also mentioned that Vodafone had failed to comply with its obligation to be diligent when identifying a legal basis for the processing in line with the principle of accountability (although not directly quoted by the DPA, this passage refers to Article 5(2)).
The Spanish DPA therefore proposed a fine of €60,000 on Vodafone for infringing Article 6(1) GDPR. This was then reduced to €36,000 as Vodafone accepted responsibility and made a voluntary early payment.
Details
Fine Date
16 November 2020
Authority
Agencia Española de Protección de Datos
Fine Amount
€36,000
GDPRhub ID
gdprhub-2893
Cite as: Cookie Fines. Vodafone España, S.A.U - Spain (2020). Retrieved from cookiefines.eu