On 07/Jan/2020, Vodafone Espana S.A.U. received a privacy fine of EUR 44,000. The enforcement authority (Spanish Data Protection Agency) has cited these legal provisions in imposing the fine on Vodafone Espana S.A.U.: Article 5(1)(f) GDPR/ GDPR/
|Date of enforcement action:|
|Spain||EUR 44,000 (US$48,400)|
|Defendant company or entity:||Industry segment:|
|Vodafone Espana S.A.U.||Telecoms /|
The Spanish Data Protection Agency imposed a fine of EUR 44,000 on Vodafone Espana S.A.U. for mistakenly sending a contract for services to the wrong person. The contract contained numerous fields of personal data. Reportedly, the envelope containing the contract was misaddressed to the wrong person. This invoked the liability of Vodafone Espana S.A.U. under the GDPR, with reference to Article 5(1)(f).
“Vodafone acknowledges its responsibility in the face of the reported facts, which have been motivated by a human error when sending the contract to Mrs. AAA [a third party], entering on the envelope the wrong address belonging to another person. As can be understood, there is no deliberate intention in any case but the circumstances arose by human error.”
The company stated that: “although my representative acknowledges the events that have occurred and the error that motivated them in accordance with article 85 of Law 39/2015 of October 1, [Vodafone] wants to highlight that, according to the AEPD’s own doctrine, it is necessary to relate the existence of a human error with the absence of guilt that should
govern any disciplinary action”. In essence, the company argued that the case should not result in a fine, or if it does, that the fine should be mitigated by the human error factor.
The Spanish Data Protect Agency rejected these arguments, pointing out that legal liability may attach for mistakes or errors, and that – as a corporation – a level of minimum diligence is required.
In determining that a fine of EUR 44,000 should be set, the Agency noted:
The relatively contained nature of the data processing involved, i.e. processing to complete necessary fields on a contract;
That only two persons were affected;
Damage to the affected persons has not been significant;
The lack of diligence evidenced by the respondent company was “mild”, it was not due to inaccuracy of data held on its files but due to simple human error in addressing envelopes.
(Spanish Data Protection Agency)
|Enforcement authority:||Type of enforcement action:|
|Spanish Data Protection Agency||Penalty notice|
|Subject to appeal?|
|Yes (an administrative appeal can be filed)|
Cite this fine in your work
Data Privacy Fines Index. (2020-01-07 11:03) Vodafone Espana S.A.U. fined EUR 44k. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/vodafone-espana-sau-fined-eur-44k/
Entry last updated: 2020-01-19 11:12 GMT.