Vodafone Spain fined £7 million for repeated GDPR breaches

The firm had either been warned or fined smaller amounts on at least 50 occasions between January 2018 and February 2020

The front of a Vodafone store

The Spanish data protection authority has fined Vodafone €8.15 million (approximately £7 million) for aggressive telemarketing tactics and repeated data protection failures.

The record-breaking fine for Spanish GDPR violations is the combination of four separate penalties, with the Spanish Data Protection Agency’s (AEPD) decision incorporating 191 claims regarding the firm’s data processing and consent practices.

Two fines, totalling €6 million (roughly £5.2 million) have been administered specifically due to GDPR violations, while the remaining two fines, including a smaller €150,000 (approximately £129,500) cite GDPR as well as local telecommunications laws.

The AEPD claims that Vodafone Spain had approved international data transfers without ensuring there were appropriate safeguards, and, on some occasions, Vodafone repeatedly contacted customers without their prior consent. People who had even explicitly indicated they didn’t want to be marketed to at all were contacted.

Vodafone Spain also doesn’t have the means, either technically or logistically, to verify the legality of the data it was processing, and neither does the firm have the capacity to identify whether customers have opted-out of marketing communications. AEPD claimed in its 97-page notice that this is because Vodafone had outsourced so much of its operations. 

AEPD also concluded that the firm’s Spanish branch didn’t have appropriate controls or oversight over how customer data was handled. There is little documentation to outline data protection measures the company takes, as well as how its subcontractors might safeguard its customers’ data.

The regulator also stressed the scale of the fine was partially due to the fact that the company continued its marketing activities despite agreeing to resolutions with Vodafone, as well as administering sanctions. The company had been warned or received a smaller fine at least 50 times between January 2018 and February 2020, incurring 162 GDPR complaints during this period. 

The fines administered by the Spanish data regulator mirrors the €12.25 million (roughly £10.6 million) penalty that Italian authorities levied against Vodafone for similar aggressive marketing practices towards the end of last year. 

The fine came as a result of an investigation that was prompted by hundreds of complaints, with the regulator discovering a system that held up to 4.5 million contact lists purchased from third-parties without user consent. 

Vodafone, at the time, justified the unsolicited communications by blaming human error, according to the law firm Hall Booth Smith, although these reasons weren’t accepted by Italian data protection authorities. 

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Ubiquiti insider says the company downplayed the severity of a major breach
data breaches

Ubiquiti insider says the company downplayed the severity of a major breach

31 Mar 2021
Forex broker FBS leaves millions of customer records exposed
data breaches

Forex broker FBS leaves millions of customer records exposed

25 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
University of Hertfordshire's entire IT system offline after cyber attack
cyber attacks

University of Hertfordshire's entire IT system offline after cyber attack

15 Apr 2021
NSA uncovers new "critical" flaws in Microsoft Exchange Server
servers

NSA uncovers new "critical" flaws in Microsoft Exchange Server

14 Apr 2021