The Agency for the Protection of Personal Data in Spain stated on March 11, 2021 conclusion that Vodafone in Spain is being fined EUR 8.15 million due to unauthorized collection and processing of personal data by end-users, for the sake of conducting the company’s commercial campaigns. In what way was this conducted?
It all started last year when the Spanish Agency for Personal Data Protection launched an investigation against Vodafone in Spain, based on the receipt of 191 complaints from end-users, regarding the receipt of advertising calls and messages by the mobile operator. The illegality in the mentioned calls and messages consisted in the fact that the users never gave the consent to send them advertising material, nor to be a part of the marketing campaign of the mobile operator.
Specifically, it was determined that the GDPR fine imposed on Vodafone is equivalent and appropriate to illegal conduct – through phone calls, sending e-mails, and SMS messages, they conducted marketing and research techniques and actions, contrary to the provisions of the GDPR.
This is not the first time for a British operator to decide to bypass the GDPR rules. As stated in the decision of the Spanish competent authorities, Vodafone violated the personal rights of its users on several occasions in the period from January 2018 to February 2020. Such a conclusion is a consequence of as many as 162 complaints about the work of Vodafone, in the context of approximately 200 million calls and messages that were sent to users without authorization, for the purpose of conducting Vodafone’s marketing campaigns.
At first glance, the question arises as to what was illegal there, what exact provisions of the GDPR were violated, to be followed by a record GDPR penalty. The AEPD ranked GDPR fines ranging from the “lowest” of 150 thousand euros, up to 4 million euros, depending on the rights that were violated, and thus the provisions of the GDPR. In the following text, we will present the GDPR penalties together with an explanation of what illegal steps have been taken, for the sake of the marketing goal.
This decision is not so surprising, having in mind that Vodafone is already generally known, both for its position among the leading telecommunications companies, but also as one of the companies that do not stop violating the provisions of the GDPR. Their specialty, as the Spanish supervisory body has determined on several occasions, is the illegal collection and use of personal data for marketing purposes, as indicated by a special part of the explanation of this decision, on violating the provisions of the GDPR, for two consecutive years.