Vodafone Spain fined £7 million for repeated GDPR breaches

The firm had either been warned or fined smaller amounts on at least 50 occasions between January 2018 and February 2020

The Spanish data protection authority has fined Vodafone €8.15 million (approximately £7 million) for aggressive telemarketing tactics and repeated data protection failures.

The record-breaking fine for Spanish GDPR violations is the combination of four separate penalties, with the Spanish Data Protection Agency’s (AEPD) decision incorporating 191 claims regarding the firm’s data processing and consent practices.

Two fines, totalling €6 million (roughly £5.2 million), have been administered specifically due to GDPR violations, while the remaining two fines, including a smaller €150,000 (approximately £129,500) penalty, cite GDPR as well as local telecommunications laws.

The AEPD claims that Vodafone Spain had approved international data transfers without ensuring there were appropriate safeguards, and, on some occasions, Vodafone repeatedly contacted customers without their prior consent. Even people who had explicitly indicated they didn’t want to be marketed to at all were contacted.

Vodafone Spain also doesn’t have the means, either technically or logistically, to verify the legality of the data it was processing, nor does the firm have the capacity to identify whether customers have opted out of marketing communications. The AEPD claimed in its 97-page notice that this is because Vodafone had outsourced so much of its operations.

AEPD also concluded that the firm’s Spanish branch didn’t have appropriate controls or oversight over how customer data was handled. There is little documentation to outline data protection measures the company takes, as well as how its subcontractors might safeguard its customers’ data.

The regulator also stressed that the scale of the fine was partially due to the fact that the company continued its marketing activities despite resolutions having been agreed with Vodafone and sanctions administered. The company had been warned or received a smaller fine at least 50 times between January 2018 and February 2020, incurring 162 GDPR complaints during this period.

The fines administered by the Spanish data regulator mirror the €12.25 million (roughly £10.6 million) penalty that Italian authorities levied against Vodafone for similar aggressive marketing practices towards the end of last year.

The fine came as a result of an investigation that was prompted by hundreds of complaints, with the regulator discovering a system that held up to 4.5 million contact lists purchased from third parties without user consent.

Vodafone, at the time, justified the unsolicited communications by blaming human error, according to the law firm Hall Booth Smith, although these reasons weren’t accepted by Italian data protection authorities.
