vodafone – €20,000 Fine (Spain, 2025)

Vodaphone España S.A.U (the controller), is a telecommunications company that sent 4 unsolicited emails to a data subject. The emails did not include any means to unsubscribe from electronic communications. The controller also sent 4 SMS despite the fact that the data subject had opted out of direct marketing. The data subject contacted the controller, and later filed a complaint with the DPA due to a lack of response from the controller. The controller claimed this was a one-time error that was corrected once they received the complaint. It also stated that it did not receive the complainant's letter. Furthermore, it indicated that the data subject changed preferences in the online environment and therefore consented to receiving commercial material via SMS. Finally, the data subject's email address was also listed for another customer, which is why they still received emails. The DPA found a violation of [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758#a21 Articles 21(1) and 21(2) of the ePrivacy national implementation law (LSSI)]. The DPA held that the telecommunications company violated the prohibition on sending unsolicited commercial communications without prior consent ([https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758#a21 Article 21(1) LSSI]). In the context of Article 7(1) GDPR and EDPB guidelines,EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020 (Version 1.1) margin 105. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en the controller should demonstrate consent including time, context, and the terms of consent. The controller's internal records from its own app fulfilled the conditions for this client. However, this type of internal mechanism is fully controlled by the company itself: therefore, a screenshot does not suffice as independent, verifiable evidence of consent. The controller also failed to include an unsubscribe mechanism for commercia