Vodafone Spain fined £7 million for repeated GDPR breaches

The firm had either been warned or fined smaller amounts on at least 50 occasions between January 2018 and February 2020

The front of a Vodafone store

The Spanish data protection authority has fined Vodafone €8.15 million (approximately £7 million) for aggressive telemarketing tactics and repeated data protection failures.

The record-breaking fine for Spanish GDPR violations is the combination of four separate penalties, with the Spanish Data Protection Agency’s (AEPD) decision incorporating 191 claims regarding the firm’s data processing and consent practices.

Two fines, totalling €6 million (roughly £5.2 million) have been administered specifically due to GDPR violations, while the remaining two fines, including a smaller €150,000 (approximately £129,500) cite GDPR as well as local telecommunications laws.

The AEPD claims that Vodafone Spain had approved international data transfers without ensuring there were appropriate safeguards, and, on some occasions, Vodafone repeatedly contacted customers without their prior consent. People who had even explicitly indicated they didn’t want to be marketed to at all were contacted.

Vodafone Spain also doesn’t have the means, either technically or logistically, to verify the legality of the data it was processing, and neither does the firm have the capacity to identify whether customers have opted-out of marketing communications. AEPD claimed in its 97-page notice that this is because Vodafone had outsourced so much of its operations. 

AEPD also concluded that the firm’s Spanish branch didn’t have appropriate controls or oversight over how customer data was handled. There is little documentation to outline data protection measures the company takes, as well as how its subcontractors might safeguard its customers’ data.

The regulator also stressed the scale of the fine was partially due to the fact that the company continued its marketing activities despite agreeing to resolutions with Vodafone, as well as administering sanctions. The company had been warned or received a smaller fine at least 50 times between January 2018 and February 2020, incurring 162 GDPR complaints during this period. 

The fines administered by the Spanish data regulator mirrors the €12.25 million (roughly £10.6 million) penalty that Italian authorities levied against Vodafone for similar aggressive marketing practices towards the end of last year. 

The fine came as a result of an investigation that was prompted by hundreds of complaints, with the regulator discovering a system that held up to 4.5 million contact lists purchased from third-parties without user consent. 

Vodafone, at the time, justified the unsolicited communications by blaming human error, according to the law firm Hall Booth Smith, although these reasons weren’t accepted by Italian data protection authorities. 

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Tens of thousands of Pennsylvanians health data exposed following data breach
data protection

Tens of thousands of Pennsylvanians health data exposed following data breach

4 May 2021
Cost of a data breach report 2020
Whitepaper

Cost of a data breach report 2020

30 Apr 2021
Reverb exposes 'millions' of customer records on unsecured server
data protection

Reverb exposes 'millions' of customer records on unsecured server

27 Apr 2021
BigID launches freemium privacy management tool for SMBs
data protection

BigID launches freemium privacy management tool for SMBs

26 Apr 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021