AEPD (Spain) - PS/00249/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...")
 
mNo edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 44: Line 44:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Carmen Villarroel
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Carmen.villarroel Carmen Villarroel]
|
|
}}
}}


The Spanish DPA fined Vodafone €80,000 (reduced to €64,000) for contracting with a data subject, using their personal data, without consent and without verifying their identity.
The Spanish DPA fined Vodafone €80,000 (reduced to €64,000) for allowing a third party to enter a contract with the personal data of another data subject, without their knowledge or consent, since Vodafone did not have a system in place to verify their identity.


== English Summary ==
== English Summary ==
Line 60: Line 60:
The AEPD deemed that Vodafone was responsible for these facts, since they did not have a system in place that allowed to verify the identity of the contracting person, so any person could use others' personal data to enter a contract with Vodafone.  
The AEPD deemed that Vodafone was responsible for these facts, since they did not have a system in place that allowed to verify the identity of the contracting person, so any person could use others' personal data to enter a contract with Vodafone.  


This led to the situation that allowed a third person to use the data subject's personal data to enter the contract without their consent. Therefore, Vodafone was processing personal data of the data subject without their consent.
This led to the situation that allowed a third person to use the data subject's personal data to enter the contract without their consent. Therefore, Vodafone was processing personal data of the data subject without a legal ground.


For this, the AEPD fined Vodafone €80,000, that were reduced to €64,000 for voluntary payment, for a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]].
For this, the AEPD fined Vodafone €80,000, that were reduced to €64,000 for voluntary payment, for a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]].

Latest revision as of 14:27, 24 November 2022

AEPD (Spain) - PS/00249/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 26.10.2021
Fine: 80000 EUR
Parties: VODAFONE ESPAÑA, S.A.U.
National Case Number/Name: PS/00249/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined Vodafone €80,000 (reduced to €64,000) for allowing a third party to enter a contract with the personal data of another data subject, without their knowledge or consent, since Vodafone did not have a system in place to verify their identity.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) alleging that Vodafone had contracted with them services that they had not requested with their personal data, and that they had received an invoice for those services that they had not contracted. The AEPD launched an investigation.

Holding

The AEPD discovered that a third person had contracted Vodafone's services using the data subject's personal data, since the data subject had an associated phone line at Vodafone that included the data of the third person. Vodafone had issued a invoice to the data subject for such phone line and other non-contracted services.

The AEPD deemed that Vodafone was responsible for these facts, since they did not have a system in place that allowed to verify the identity of the contracting person, so any person could use others' personal data to enter a contract with Vodafone.

This led to the situation that allowed a third person to use the data subject's personal data to enter the contract without their consent. Therefore, Vodafone was processing personal data of the data subject without a legal ground.

For this, the AEPD fined Vodafone €80,000, that were reduced to €64,000 for voluntary payment, for a violation of Article 6(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.