AEPD (Spain) - PS/00249/2021

From GDPRhub
Revision as of 10:08, 6 November 2021 by Carmen.villarroel (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD (Spain) - PS/00249/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 26.10.2021
Fine: 80000 EUR
Parties: VODAFONE ESPAÑA, S.A.U.
National Case Number/Name: PS/00249/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined Vodafone €80,000 (reduced to €64,000) for contracting with a data subject, using their personal data, without consent and without verifying their identity.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) alleging that Vodafone had contracted with them services that they had not requested with their personal data, and that they had received an invoice for those services that they had not contracted. The AEPD launched an investigation.

Holding

The AEPD discovered that a third person had contracted Vodafone's services using the data subject's personal data, since the data subject had an associated phone line at Vodafone that included the data of the third person. Vodafone had issued a invoice to the data subject for such phone line and other non-contracted services.

The AEPD deemed that Vodafone was responsible for these facts, since they did not have a system in place that allowed to verify the identity of the contracting person, so any person could use others' personal data to enter a contract with Vodafone.

This led to the situation that allowed a third person to use the data subject's personal data to enter the contract without their consent. Therefore, Vodafone was processing personal data of the data subject without their consent.

For this, the AEPD fined Vodafone €80,000, that were reduced to €64,000 for voluntary payment, for a violation of Article 6(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.