AEPD (Spain) - PS/00249/2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...") |
No edit summary |
||
Line 48: | Line 48: | ||
}} | }} | ||
The Spanish DPA fined Vodafone €80,000 (reduced to €64,000) for | The Spanish DPA fined Vodafone €80,000 (reduced to €64,000) for allowing a third party to enter a contract with the personal data of another data subject, without their knowledge or consent, since Vodafone did not have a system in place to verify their identity. | ||
== English Summary == | == English Summary == |
Revision as of 10:10, 6 November 2021
AEPD (Spain) - PS/00249/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 26.10.2021 |
Fine: | 80000 EUR |
Parties: | VODAFONE ESPAÑA, S.A.U. |
National Case Number/Name: | PS/00249/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Carmen Villarroel |
The Spanish DPA fined Vodafone €80,000 (reduced to €64,000) for allowing a third party to enter a contract with the personal data of another data subject, without their knowledge or consent, since Vodafone did not have a system in place to verify their identity.
English Summary
Facts
A data subject filed a complaint with the Spanish DPA (AEPD) alleging that Vodafone had contracted with them services that they had not requested with their personal data, and that they had received an invoice for those services that they had not contracted. The AEPD launched an investigation.
Holding
The AEPD discovered that a third person had contracted Vodafone's services using the data subject's personal data, since the data subject had an associated phone line at Vodafone that included the data of the third person. Vodafone had issued a invoice to the data subject for such phone line and other non-contracted services.
The AEPD deemed that Vodafone was responsible for these facts, since they did not have a system in place that allowed to verify the identity of the contracting person, so any person could use others' personal data to enter a contract with Vodafone.
This led to the situation that allowed a third person to use the data subject's personal data to enter the contract without their consent. Therefore, Vodafone was processing personal data of the data subject without their consent.
For this, the AEPD fined Vodafone €80,000, that were reduced to €64,000 for voluntary payment, for a violation of Article 6(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.