Vodafone España, S.A.U. – €100,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A data subject filed a complaint with the Spanish DPA (AEPD) against Vodafone as they received a phone call with commercial purposes from the company after signing up for the Robinson list. The AEPD launched an investigation and discovered that the call had been made from Xfera Móviles, who acted on behalf of Vodafone on marketing activities (as a processor, as determined by the DPA). Xfera alleged that there had been an error when filtering the phone numbers of the Robinson list. Additionally, it was proven that the agreements carried out between Vodafone and Xfera, there was no indication on how to process the data so it was in line with the Robinson list and included phone numbers were not used for commercial purposes. Firstly, the AEPD concluded that, according to Article 23(4) of the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Spanish Data Protection Act], controllers have the obligation to consult exclusion lists, such as the Robinson list, before carrying out any commercial communications, to ensure that they are effective for their purposes. Secondly, the AEPD concluded that Vodafone is undoubtedly a controller, as they determine the purposes and means of the data processing that Xfera carries out on their behalf. In this regard, the AEPD remarked that the data controller must have absolute control over the data processing operations carried out by the processor, and must not only previously check the organisational and technical means that they have implemented, but also carry out the necessary subsequent audits in order to guarantee that the rights and freedoms of data subjects in the processing operations carried out in the name and on behalf of the data controller are respected. Thus, it is a continuous obligation, that is alive during the whole duration of the agreement and data processing. Vodafone is therefore, as a controller, responsible of ensuring that the processing activities carried out by Xfera, the processor, comply with the GDP
GDPR Articles Cited
A data subject filed a complaint with the Spanish DPA (AEPD) against Vodafone as they received a phone call with commercial purposes from the company after signing up for the Robinson list. The AEPD launched an investigation and discovered that the call had been made from Xfera Móviles, who acted on behalf of Vodafone on marketing activities (as a processor, as determined by the DPA). Xfera alleged that there had been an error when filtering the phone numbers of the Robinson list. Additionally, it was proven that the agreements carried out between Vodafone and Xfera, there was no indication on how to process the data so it was in line with the Robinson list and included phone numbers were not used for commercial purposes. Firstly, the AEPD concluded that, according to Article 23(4) of the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Spanish Data Protection Act], controllers have the obligation to consult exclusion lists, such as the Robinson list, before carrying out any commercial communications, to ensure that they are effective for their purposes. Secondly, the AEPD concluded that Vodafone is undoubtedly a controller, as they determine the purposes and means of the data processing that Xfera carries out on their behalf. In this regard, the AEPD remarked that the data controller must have absolute control over the data processing operations carried out by the processor, and must not only previously check the organisational and technical means that they have implemented, but also carry out the necessary subsequent audits in order to guarantee that the rights and freedoms of data subjects in the processing operations carried out in the name and on behalf of the data controller are respected. Thus, it is a continuous obligation, that is alive during the whole duration of the agreement and data processing. Vodafone is therefore, as a controller, responsible of ensuring that the processing activities carried out by Xfera, the processor, comply with the GDP
Related Enforcement Actions (20)
Other enforcement actions involving Vodafone España, S.A.U. in ES
Fine
€100K
Details
Fine Date
17 May 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€100,000
Enforcement Tracker ID
ETid-1584
GDPRhub ID
gdprhub-3510About this data
Cite as: Cookie Fines. Vodafone España, S.A.U. - Spain (2021). Retrieved from cookiefines.eu
Last updated: