Vodafone España, S.A.U. – €120,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The claimant complained to the Spanish DPA (AEPD) that he/she was still receiving invoicing emails from Vodafone España, S.A.U. despite no longer being a client. The claimant had previously complained about receiving email communications from Vodafone and the DPA had also previously sanctioned Vodafone twice for breaches of Article 6(1) GDPR regarding these same facts ([https://lopdcumplimiento.es/biblioteca/RGPD/resoluciones/AEPD%202020-01-13%20PS-00278-2019%20sancion%20a%20Vodafone%20por%20incumplimiento%20licitud%20del%20tratamiento%20al%20enviar%20emails%20tras%20solicitar%20supresion%20datos.pdf PS/00278/2019] and [https://www.aepd.es/es/documento/ps-00186-2020.pdf PS/00186/2020]). Vodafone claimed that there was an error in the system that "hooked" the claimant's email address, however, this was supposedly fixed subsequent to the first two sanctions imposed by the Spanish DPA. After receiving yet another communications from Vodafone (despite claims that the error was fixed), the claimant asked Vodafone to delete all the information it had concerning him/her from their system and to stop sending email communications to him/her. The claimant also complained to the DPA a final time. Does the continuous sending of communications to a data subject that has already complained about these communications twice constitute a violation of Article 6(1) GDPR that requires a fine to be imposed? The Spanish DPA (AEPD) held that Vodafone was sending the data subject email communications without his/her consent. The DPA first outlined Article 6(1)(a) and (b) GDPR, Articles 4(11) GDPR on consent, as well as Article 6 of the Spanish Data Protection Law (LOPDGDD) on consent. The DPA therefore held that there was a clear violation of Article 6 GDPR as Vodafone processed the data subject's personal data without a legal basis. The data subject continued to receive email communications despite no longer being a client and despite having complained twice to the Spanish DPA on the
GDPR Articles Cited
National Law Articles
The claimant complained to the Spanish DPA (AEPD) that he/she was still receiving invoicing emails from Vodafone España, S.A.U. despite no longer being a client. The claimant had previously complained about receiving email communications from Vodafone and the DPA had also previously sanctioned Vodafone twice for breaches of Article 6(1) GDPR regarding these same facts ([https://lopdcumplimiento.es/biblioteca/RGPD/resoluciones/AEPD%202020-01-13%20PS-00278-2019%20sancion%20a%20Vodafone%20por%20incumplimiento%20licitud%20del%20tratamiento%20al%20enviar%20emails%20tras%20solicitar%20supresion%20datos.pdf PS/00278/2019] and [https://www.aepd.es/es/documento/ps-00186-2020.pdf PS/00186/2020]). Vodafone claimed that there was an error in the system that "hooked" the claimant's email address, however, this was supposedly fixed subsequent to the first two sanctions imposed by the Spanish DPA. After receiving yet another communications from Vodafone (despite claims that the error was fixed), the claimant asked Vodafone to delete all the information it had concerning him/her from their system and to stop sending email communications to him/her. The claimant also complained to the DPA a final time. Does the continuous sending of communications to a data subject that has already complained about these communications twice constitute a violation of Article 6(1) GDPR that requires a fine to be imposed? The Spanish DPA (AEPD) held that Vodafone was sending the data subject email communications without his/her consent. The DPA first outlined Article 6(1)(a) and (b) GDPR, Articles 4(11) GDPR on consent, as well as Article 6 of the Spanish Data Protection Law (LOPDGDD) on consent. The DPA therefore held that there was a clear violation of Article 6 GDPR as Vodafone processed the data subject's personal data without a legal basis. The data subject continued to receive email communications despite no longer being a client and despite having complained twice to the Spanish DPA on the
Related Enforcement Actions (20)
Other enforcement actions involving Vodafone España, S.A.U. in ES
Fine
€120K
Details
Fine Date
10 February 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€120,000
Enforcement Tracker ID
ETid-214
GDPRhub ID
gdprhub-3154About this data
Cite as: Cookie Fines. Vodafone España, S.A.U. - Spain (2021). Retrieved from cookiefines.eu
Last updated: