Vodafone España, S.A.U. – €200,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 20 September 2022, a data subject filed a complaint with the Spanish DPA (AEPD). The data subject had received numerous advertising calls from Vodafone España, S.A.U. (the controller) on various dates, from various phone numbers. This occurred despite the data subject being listed on no-call lists. The controller noted that it has partners who carry out calls on its behalf. However, it claimed that there was no record in its database associating the phone numbers that called the data subject with the controller. It noted that its calling partners are subject to contractual requirements that ensure they will not use non-Vodafone phone numbers, and that the controller has stopped working with partners that failed to comply with contractual obligations including data protection standards. The AEPD dismissed the complaint in part because some calls could not be tied to the controller (see [https://www.aepd.es/documento/ai-00421-2022.pdf EXP202210932]). However, it requested further information from the controller with regard to certain calls from third parties made by Vodafone partners on behalf of the controller. However, the controller failed to respond or to provide the AEPD with the requested information. On 19 September 2023, the AEPD initiated sanctioning procedures against the controller for a presumed infraction of Article 58(1) GDPR. In October 2023, the controller affirmed that it had not provided the requested documents or facilitated the investigation. Nonetheless, it argued that it had collaborated with the AEPD at all times and had no intention of hindering the investigation. It claimed that it could not provide the requested information without proper judicial authorisation and without breaching data protection obligations. It also argued that the calls were not affiliated with Vodafone but instead with a new customer of the former partner, which Vodafone had ended its contract with. Finally, it claimed that even if it had provided the requested infor
GDPR Articles Cited
On 20 September 2022, a data subject filed a complaint with the Spanish DPA (AEPD). The data subject had received numerous advertising calls from Vodafone España, S.A.U. (the controller) on various dates, from various phone numbers. This occurred despite the data subject being listed on no-call lists. The controller noted that it has partners who carry out calls on its behalf. However, it claimed that there was no record in its database associating the phone numbers that called the data subject with the controller. It noted that its calling partners are subject to contractual requirements that ensure they will not use non-Vodafone phone numbers, and that the controller has stopped working with partners that failed to comply with contractual obligations including data protection standards. The AEPD dismissed the complaint in part because some calls could not be tied to the controller (see [https://www.aepd.es/documento/ai-00421-2022.pdf EXP202210932]). However, it requested further information from the controller with regard to certain calls from third parties made by Vodafone partners on behalf of the controller. However, the controller failed to respond or to provide the AEPD with the requested information. On 19 September 2023, the AEPD initiated sanctioning procedures against the controller for a presumed infraction of Article 58(1) GDPR. In October 2023, the controller affirmed that it had not provided the requested documents or facilitated the investigation. Nonetheless, it argued that it had collaborated with the AEPD at all times and had no intention of hindering the investigation. It claimed that it could not provide the requested information without proper judicial authorisation and without breaching data protection obligations. It also argued that the calls were not affiliated with Vodafone but instead with a new customer of the former partner, which Vodafone had ended its contract with. Finally, it claimed that even if it had provided the requested infor
Related Enforcement Actions (20)
Other enforcement actions involving Vodafone España, S.A.U. in ES
Fine
€200K
Details
Fine Date
24 March 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€200,000
Enforcement Tracker ID
ETid-2293
GDPRhub ID
gdprhub-8150About this data
Cite as: Cookie Fines. Vodafone España, S.A.U. - Spain (2024). Retrieved from cookiefines.eu
Last updated: