XFERA MÓVILES, S.A. – €70,000 Fine (Spain, 2025)

XFERA MÓVILES, S.A. (also known as Yoigo, the controller) is a telecommunications company. On 15 April 2022, a data subject presented a complaint to the DPA. The data subject received several advertising calls related to the controller’s services despite being included in an Advertising Exclusion List (the Robinson ListFor more information, see https://www.listarobinson.es/que-es). During its investigation, the DPA found no contractual relationship between the controller and the owners of the telephone lines from which the calls were made. The DPA dismissed the case on 22 July 2022 on the basis that it had not found a violation of data protection laws. The data subject filed an internal appeal in August 2022. The DPA carried out an investigation and began a sanctioning procedure for an alleged violation of the principle of data accuracy (Article 5(1)(d) GDPR) in April 2024. The DPA requested information from the controller on the holders of the phone lines that had called the data subject. After further investigation, the DPA found that the data provided by the controller was not accurate, as the ID documents did not match with information from the Tax Authority (and one of the IDs was proven to be false). The controller argued that the calls came from prepaid accounts, and therefore it did not have the responsibility to identify them. According to the controller, it only had the obligation to retain data in accordance with obligations under national data retention laws. The controller also argued that the DPA had no competence, as the case related to national data retention lawsLaw 25/2007, of October 18, on the conservation of data relating to electronic communications and public communications networks (Ley 25/2007, de 18 de octubre, de conservación de datos relativos a las comunicaciones electrónicas y a las redes públicas de comunicaciones), 251, de 19/10/2007. Available at https://www.boe.es/buscar/act.php?id=BOE-A-2007-18243&p=20140510&tn=1 and not the GDPR