Vodafone Spain fined £7 million for repeated GDPR breaches

The firm had either been warned or fined smaller amounts on at least 50 occasions between January 2018 and February 2020

The front of a Vodafone store

The Spanish data protection authority has fined Vodafone €8.15 million (approximately £7 million) for aggressive telemarketing tactics and repeated data protection failures.

The record-breaking fine for Spanish GDPR violations is the combination of four separate penalties, with the Spanish Data Protection Agency’s (AEPD) decision incorporating 191 claims regarding the firm’s data processing and consent practices.

Two fines, totalling €6 million (roughly £5.2 million) have been administered specifically due to GDPR violations, while the remaining two fines, including a smaller €150,000 (approximately £129,500) cite GDPR as well as local telecommunications laws.

The AEPD claims that Vodafone Spain had approved international data transfers without ensuring there were appropriate safeguards, and, on some occasions, Vodafone repeatedly contacted customers without their prior consent. People who had even explicitly indicated they didn’t want to be marketed to at all were contacted.

Vodafone Spain also doesn’t have the means, either technically or logistically, to verify the legality of the data it was processing, and neither does the firm have the capacity to identify whether customers have opted-out of marketing communications. AEPD claimed in its 97-page notice that this is because Vodafone had outsourced so much of its operations. 

AEPD also concluded that the firm’s Spanish branch didn’t have appropriate controls or oversight over how customer data was handled. There is little documentation to outline data protection measures the company takes, as well as how its subcontractors might safeguard its customers’ data.

The regulator also stressed the scale of the fine was partially due to the fact that the company continued its marketing activities despite agreeing to resolutions with Vodafone, as well as administering sanctions. The company had been warned or received a smaller fine at least 50 times between January 2018 and February 2020, incurring 162 GDPR complaints during this period. 

The fines administered by the Spanish data regulator mirrors the €12.25 million (roughly £10.6 million) penalty that Italian authorities levied against Vodafone for similar aggressive marketing practices towards the end of last year. 

The fine came as a result of an investigation that was prompted by hundreds of complaints, with the regulator discovering a system that held up to 4.5 million contact lists purchased from third-parties without user consent. 

Vodafone, at the time, justified the unsolicited communications by blaming human error, according to the law firm Hall Booth Smith, although these reasons weren’t accepted by Italian data protection authorities. 

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Cryptocurrency: Should you invest?
cryptocurrencies

Cryptocurrency: Should you invest?

27 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021