Last week, the Spanish data protection authority – Agencia Española de Protección de Datos (AEPD) – imposed its largest ever financial penalty on a company for violations of the General Data Protection Regulation (GDPR). Vodafone Spain has been ordered to pay fines totaling €8.15 million ($9.72 million) to resolve data protection failures and its aggressive telemarketing practices.
The penalty is a combination of four separate fines. A €4 million ($4.78 million) fine was imposed for violations of Article 28 of the GDPR. Vodafone failed to provide sufficient guarantees to implement appropriate technical and organizational measures to protect data, and there was no prior written authorization on the technical and organizational measures employed. A €2 million fine ($2.39 million) was imposed for violations of Article 44 of the GDPR related to the international transfer of data without appropriate safeguards.
A further €2 million ($2.39 million) fine was imposed for violations of the GDPR (Article 21) and Spanish law, related to the continued processing of personal data (sending marketing communications) after data subjects had opted out. The fourth fine of €150,000 ($179,000) was imposed solely for violations of Spanish law. Vodafone had used random numbers and email addresses of prospects for marketing purposes without cross-checking against a Robinson (opt-out) list.
The action against Vodafone Spain incorporates 191 complaints related to data processing and user consent. Consent-related violations included many cases of contacting customers via the telephone, email, and SMS message without consent and in some cases contacting individuals who had opted out of receiving marketing communications.
Vodafone was found to have transferred customer data internationally without implementing sufficient safeguards to ensure the data were protected. AEPD found the company lacked the appropriate organizational and technical methods to verify the legality of the data it processed, to identify the origin of data, to determine whether consent had been given, and whether individuals had opted out of receiving marketing communications.
The large financial penalty reflects the seriousness of the violations and the fact that the company repeatedly violated the GDPR and Spanish law. Between January 2018 and February 2020, the company received over 50 warnings or fines and more than 162 complaints had been made about Vodafone Spain. Even though the company lacked appropriate data protection measures, more than 200 million marketing communications were made. Part of the problem was the fact that Vodafone Spain had outsourced many of its operations and did not have the visibility or controls to ensure personal data were protected. Vodafone plans to appeal the financial penalties.