​Vodafone Spain fined record $9.72M for data protection failures

The penalty is the highest the Spanish Data Protection Agency (AEPD) has so far handed out, surpassing a €6 million fine against CaixaBank in January.

The €8.15 million is the sum of four fines, two of which—totaling €6 million (U.S. $7.16 million)—relate strictly to violations of the EU’s General Data Protection Regulation (GDPR). Another, at €2 million (U.S. $2.39 million), cited the GDPR and other Spanish laws on telecommunications and digital rights. The smallest of the fines, at €150,000 (U.S. $179,000), came under a Spanish law covering cookies.

The AEPD said the decision incorporates 191 complaints regarding the mobile phone company’s data-processing and consent practices. In its decision notice (quoted excerpts below translated from Spanish) released March 11, the regulator listed a catalogue of failings.

The company had approved an international data transfer without taking sufficient measures as required under the GDPR, and calls, emails, and SMS messages were sent to customers without their request or consent—even to people who had asked to be placed on a so-called “Robinson” list (a directory for those who do not want to receive marketing information).

The AEPD also held Vodafone does not have organizational or technical methods or means that verify the legality of the data being processed or its origin, nor does it have capability to identify whether people have opted out of marketing or third-party communications. This is because Vodafone had outsourced so much of its operations.

The data authority concluded Vodafone’s Spanish arm does not have “real, continuous, permanent and audited control” over how customer data is treated and added the company “does not provide detailed documentation on data protection guarantees” and “does not know” what guarantees the entities it has subcontracted for teleshopping have in place to protect customers.

In its decision notice, the AEPD says the combined fine is so hefty because Vodafone has been a repeat offender: between January 2018 and February 2020, the company has received a fine or warning more than 50 times. Vodafone has been subject to some 162 complaints and has carried out around 200 million marketing actions through phone calls despite having defective data protection controls in place, according to the regulator.

In an emailed statement, Vodafone said it intends to appeal the decision. It added, “Vodafone Spain wants to underline that protecting customer data and privacy is our top priority, and we have an experienced team of specialists dedicated to making sure that our processes offer the best guarantees for the protection of our customers’ data.”

Spain is not the only country to clamp down hard on Vodafone. Last November, the mobile operator’s Italian operation was fined €12.25 million under the GDPR for similarly aggressive practices.