Vodafone España S.A.U. fined EUR 120k

On 21/Feb/2020, Vodafone España S.A.U. received a privacy fine of EUR 120,000. The enforcement authority (Spanish Data Protection Agency) has cited these legal provisions in imposing the fine on Vodafone España S.A.U.: Article 5 GDPR/ Article 6 GDPR/ GDPR/


Date of enforcement action:
Jurisdiction: Fine imposed:
Spain Flag for Spain, which is the jurisdiction taking enforcement action EUR 120,000 (US$130,500)
Defendant company or entity: Industry segment:
Vodafone España S.A.U. Telecoms /

Case summary

In another consent case, Vodafone España S.A.U. could not demonstrate that it had the complainant’s consent for the installation of a phone line and associated service. Vodafone España S.A.U. also reported the complainant’s data to various credit bureaus. In doing so, Vodafone España S.A.U. had no legal basis for processing and had not complied with Article 6, which required that Vodafone España S.A.U. obtain the consent of the data subject for the provision of telephone services.

On 09/03/19, it was entered into this Agency in writing, submitted by D. B.B.B., in his capacity as representative and father of the claimant, in which he stated, among other things, the following: “In September 2018, my son, a minor, received a letter from Vodafone España S.A.U., informing him that he has contracted a debt of 93.77 euros with them and that in the event of non-payment, he will be included on a late [credit bureau] list. I contacted them to comment on the case, but far from it they continued to send me letters informing me that they were either paid or would be included in an ASNEF [credit bureau] file. I filed a complaint with the “Oficina de Atenciónal Usuario de Telecomunicaciones”, which gave me the reason (N/REF.: RC1020566/18)”. To this complaint, the documentation already detailed in the deed of initiation of the file and in the motion for resolution was provided.

The joint evaluation of the documentary evidence in the procedure brings to the attention of the AEPD a vision of the denounced action that has been reflected in the facts declared as proven above. However, in this case, and in response to the allegations presented by the claimed entity, the following points must be stressed again: The entity admits that, through the online store, a mobile line was registered under the name of the claimant and that it remained registered from 17/01/18 to 15/02/19. However, even the SEPAD, in its resolution dated 08/02/19, indicated that at no time had Vodafone been able to prove that the claimant or representative (in this case the father) had given his consent to the processing of personal data during the 13 months that the mobile line was active. However, on 12/02/18 (15 days later), the father calls the company indicating the error in the registration and his intention to terminate the services. In view of this, Vodafone offers him the possibility of changing the type of contract of the line, from postpaid to prepaid, and depending on the entity, the parent consents. On 17/10/18, the claimant receives a letter from ISGF Informes Comerciales SL, in which they claim a debt with Vodafone, informing them, among other things, that: “if I do not pay the debt within 10 days, Vodafone could incorporate their data in a file of asset solvency and credit”, before which, the father presents a complaint to the Secretary of State for Digital Advancement that resolves, on 08/02/19 estimating the claim. That same day, the father of the claimant contacted the entity to communicate the facts and cancel the line but not until 7 days later (15/02/19), when Vodafone proceeded to execute the request of the father.

Apart from the unauthorized processing of the claimant’s personal data indicated in the previous points, there is also an undue inclusion of his data in the ASNEF and DADEXCUG [credit bureau] solvency files, as the claimant received the previous payment request on 17/10/18, granting a period of 10 days to remedy the alleged failure to pay, but only one day later, Vodafone include the claimant’s personal data in the ASNEF file and 4 days later in the DADEXCUG file, without waiting for the 10 days granted.

A fine for EUR 120,000 was imposed, with the regulator viewing the matter as “very serious”.



The AEPD appears to have viewed this case as an exemplary one, and therefore imposed higher level of fine for the conduct. It was clear that the AEPD viewed the relevant conduct as negligent.

Applicable legal provisions

Enforcement information

Enforcement authority: Type of enforcement action:
Spanish Data Protection Agency Flag for Spain, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?

File or case number


Cite this fine in your work

Data Privacy Fines Index. (2020-02-21 10:42) Vodafone España S.A.U. fined EUR 120k. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/vodafone-espana-s-a-u-fined-eur-120k/

Entry last updated: 2020-04-28 11:03 GMT.