Vodafone ESPAÑA, S.A.U. – €30,000 Fine (Spain, 2020)

The complainant filed a complaint to the Spanish DPA in May 2019 because Vodafone requested from the complainant a payment of a bill for a contract performed without the complainant's consent. This request was done via SMS. The complainant subsequently visited the Vodafone store to get the receipt of this debt even though the address and bank account on the bill were not his. The Vodafone made the Spanish DPA aware of the fact that it had sent a letter to the claimant indicating that it taken action to resolve the issue and apologised. This letter outlined that it had now classified the service concerned in the SMS as fraudulent and erased any outstanding debt from the complainant's patrimonial solvency folder. It also outlined that after internal investigations by Vodafone, it became clear that although the contract was in fact correct, it has not been made by the complainant. The contracted service seemed correct since it passed Vodafone's security procedure. All services made in the name of the claimant that he did not recognise as valid were classified as fraud. Vodafone outlined to the Spanish DPA that the fraudulent contract was made through Vodafone's Online Shop in accordance to the security policy. All access details were correctly inputted to create and access an online profile in the client section. Therefore, Vodafone notified the agency to state that it was difficult to determine whether the third party was authorised to access the account from which the bill was sent and whether access to the personal data was done legally or not. Vodafone outlined that it was not made aware of the fraudulent action until the complainant filed a complaint. Did Vodafone violate Article 6(1) GDPR by sending an SMS asking for the payment of a fraudulent contract to the complainant? The Spanish DPA held that it was proven that Vodafone has processed the claimant's personal data. Vodafone did not take necessary precautions to authenticate the contracting party. Vodafo