Spanish Data Protection Agency Issues Highest Ever Fine

Written by

Vodafone Spain has been hit with the highest ever fine to be issued by the Spanish Data Protection Agency (AEPD).

The telecommunications company was financially penalized in four separate fines totaling $9.72m over its use of aggressive telemarketing tactics and its failure to protect data. 

Two of the fines, which together total $7.16m, relate to the EU's General Data Protection Regulation (GDPR) violations. A third, for $2.39m, cited Spanish laws on digital rights and telecommunications as well as the GDPR. The final fine, for $179k, concerns violations of a Spanish law regarding cookies.

A total of 191 complaints about the telecommunications company's consent and data-processing practices were factored into the AEPD's decision. 

In a decision notice published March 11, the AEPD stated that Vodafone had targeted customers with unsolicited calls, emails, and SMS messages without first obtaining their consent. The communications were received even by customers who had specifically requested that their details be added to a directory listing people who do not want to receive marketing communications. 

Vodafone Spain was found to have approved an international data transfer that didn't meet the requirements of the GDPR. The company was further found to be operating without any means or methods to verify the origin or legality of the data being processed.

The AEPD found that after outsourcing a large proportion of its operations, Vodafone Spain was no longer able to identify which of its customers had opted out of receiving third-party communications or marketing messages.

Describing the company's grasp of its customers' information, the data authority said that Vodafone Spain lacks any “real, continuous, permanent and audited control” over how customer data is used and is unable to "provide detailed documentation on data protection guarantees."

Before the Vodafone Spain fine, the largest penalty handed out by the AEPD was a $7.14m fine imposed on CaixaBank in January 2021. The AEPD said that Vodafone's previous behavior had contributed to the fine's heftiness. 

From January 2018 to February 2020, Vodafone Spain has been warned or fined on more than 50 separate occasions. 

Vodafone is reportedly going to appeal the decision of the AEPD.

What’s hot on Infosecurity Magazine?