VODAFONE ESPAÑA, S.A.U. – €56,000 Fine (Spain, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 21 August 2021 the data subject filed a complaint against Vodafone España, S.A.U., the controller, for violating their right of access. The data subject had requested that VODAFONE provide a copy of their commercial telephone contract, since the company was allegedly not applying the contracted tariff. After several unsuccessful attempts to obtain their contract, the controller sent an email containing the contract of another customer as well as an audio recording of that customer's data. The DPA ('AEPD') highlighted the breach of confidentiality and security by VODAFONE for sharing a commercial contract of another individual with the data subject, violating Article 5(1)(f) GDPR. According to the evidence presented, the data subject acquired access to the name, ID number and telephone number of an unknown person, without any authorization for the disclosure of that data to third parties. The AEPD therefore found a violation of Article 32 GDPR for not implementing appropriate technical and organizational measures to prevent such an incident. The AEPD fined VODAFONE €50,000 for violating Article 5(1)(f) GDPR and €20,000 for violating Article 32 GDPR. However, in this case, the AEPD gave VODAFONE two possibilities: either to acknowledge liability, leading to a greater reduction in the final amount, totaling €42,000, or to pay a fine of €56,000 and renounce any form of appeal against the sanction. VODAFONE opted for the voluntary payment option, paying a fine of €56,000. This payment used the reduction offered in the initial agreement for early payment and implies the renunciation of any form of administrative appeal against the sanction.
GDPR Articles Cited
Related Enforcement Actions (2)
Other enforcement actions involving VODAFONE ESPAÑA, S.A.U. in ES
Fine
€56K
Details
Fine Date
13 September 2023
Authority
Agencia Española de Protección de Datos
Fine Amount
€56,000
Enforcement Tracker ID
ETid-853
GDPRhub ID
gdprhub-7631
Cite as: Cookie Fines. VODAFONE ESPAÑA, S.A.U. - Spain (2023). Retrieved from cookiefines.eu