Vodafone Spain fined £7 million for repeated GDPR breaches

The front of a Vodafone store
(Image credit: Shutterstock)

The Spanish data protection authority has fined Vodafone €8.15 million (approximately £7 million) for aggressive telemarketing tactics and repeated data protection failures.

The record-breaking fine for Spanish GDPR violations is the combination of four separate penalties, with the Spanish Data Protection Agency’s (AEPD) decision incorporating 191 claims regarding the firm’s data processing and consent practices.

Two fines, totalling €6 million (roughly £5.2 million) have been administered specifically due to GDPR violations, while the remaining two fines, including a smaller €150,000 (approximately £129,500) cite GDPR as well as local telecommunications laws.

The AEPD claims that Vodafone Spain had approved international data transfers without ensuring there were appropriate safeguards, and, on some occasions, Vodafone repeatedly contacted customers without their prior consent. People who had even explicitly indicated they didn’t want to be marketed to at all were contacted.

Vodafone Spain also doesn’t have the means, either technically or logistically, to verify the legality of the data it was processing, and neither does the firm have the capacity to identify whether customers have opted-out of marketing communications. AEPD claimed in its 97-page notice that this is because Vodafone had outsourced so much of its operations.

AEPD also concluded that the firm’s Spanish branch didn’t have appropriate controls or oversight over how customer data was handled. There is little documentation to outline data protection measures the company takes, as well as how its subcontractors might safeguard its customers’ data.

The regulator also stressed the scale of the fine was partially due to the fact that the company continued its marketing activities despite agreeing to resolutions with Vodafone, as well as administering sanctions. The company had been warned or received a smaller fine at least 50 times between January 2018 and February 2020, incurring 162 GDPR complaints during this period.

The fines administered by the Spanish data regulator mirrors the €12.25 million (roughly £10.6 million) penalty that Italian authorities levied against Vodafone for similar aggressive marketing practices towards the end of last year.

The fine came as a result of an investigation that was prompted by hundreds of complaints, with the regulator discovering a system that held up to 4.5 million contact lists purchased from third-parties without user consent.

Vodafone, at the time, justified the unsolicited communications by blaming human error, according to the law firm Hall Booth Smith, although these reasons weren’t accepted by Italian data protection authorities.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.