Vodafone Not Complying with the Rules Again – GDPR Fine for Vodafone in Spain in the Amount of 8.15 Million Euro


One of the leading global telecommunications companies did not pay enough attention to compliance with GDPR provisions and was again fined for a GDPR breach.

Since the General Data Protection Regulation (hereinafter: GDPR) came into force on May 25, 2018, numerous penalties have been imposed on leading companies in the world for violations of its provisions. The first GDPR penalty was imposed on Google in France, in the amount of €50 million, and in the last year, violations of the GDPR were proven that resulted in a GDPR penalty for Hennes & Mauritz (H&M), and again for Google LLC and Google Ireland, with a staggering €100 million fine.

Although the penalty for non-compliance with the GDPR, which was imposed on Vodafone on March 11, 2021, by the Spanish Agency for the Protection of Personal Data (AEPD), cannot be compared to the record-breaking fines that these companies had to pay, Vodafone certainly did not intend to comply with the provisions on the protection of personal data.

A common denominator for “big players” who had to pay high GDPR penalties is neglecting the GDPR and improper implementation of the provisions in practice. Multinational companies, which are both employers and service providers, have failed in both roles. In this way, on several occasions, data on the identity of employees (H&M being a blatant example), but also on end-users, were collected without authorization.

What Irregularities Were Observed in Vodafone’s Activities in Spain?

The Agency for the Protection of Personal Data in Spain stated in its conclusion of March 11, 2021 that Vodafone in Spain is being fined EUR 8.15 million due to unauthorized collection and processing of personal data of end-users, for the sake of conducting the company’s commercial campaigns. In what way was this conducted?

It all started last year when the Spanish Agency for Personal Data Protection launched an investigation against Vodafone in Spain, based on the receipt of 191 complaints from end-users, regarding the receipt of advertising calls and messages from the mobile operator. The illegality of the mentioned calls and messages consisted in the fact that the users never gave consent to being sent advertising material, nor to being part of the marketing campaign of the mobile operator.

Specifically, it was determined that the GDPR fine imposed on Vodafone is equivalent and appropriate to illegal conduct – through phone calls, sending e-mails, and SMS messages, they conducted marketing and research techniques and actions, contrary to the provisions of the GDPR.

This is not the first time that the British operator has decided to bypass the GDPR rules. As stated in the decision of the Spanish competent authorities, Vodafone violated the personal rights of its users on several occasions in the period from January 2018 to February 2020. Such a conclusion is a consequence of as many as 162 complaints about the work of Vodafone, in the context of approximately 200 million calls and messages that were sent to users without authorization, for the purpose of conducting Vodafone’s marketing campaigns.

At first glance, the question arises as to what was illegal there, what exact provisions of the GDPR were violated, to be followed by a record GDPR penalty. The AEPD ranked GDPR fines ranging from the “lowest” of 150 thousand euros, up to 4 million euros, depending on the rights that were violated, and thus the provisions of the GDPR. In the following text, we will present the GDPR penalties together with an explanation of what illegal steps have been taken, for the sake of the marketing goal.

This decision is not so surprising, bearing in mind that Vodafone is already generally known both for its position among the leading telecommunications companies and as one of the companies that do not stop violating the provisions of the GDPR. Their specialty, as the Spanish supervisory body has determined on several occasions, is the illegal collection and use of personal data for marketing purposes, as indicated by a special part of the explanation of this decision, on violating the provisions of the GDPR, for two consecutive years.

What Was Illegal in the Actions of Vodafone in Spain That Resulted in the GDPR Fine?

By analyzing the reasons behind the GDPR fine imposed upon Vodafone once again, in 2021, even if it is just on the territory of one country where GDPR is implemented, we found the following:

  • the amount of 150 thousand euros for a GDPR fine, for violating the Spanish Law on Services Of The Society Of Information And Electronic Commerce [1]: while conducting activities for the purposes of marketing, Vodafone sent advertising materials by choosing random phone numbers and email addresses of users, without checking whether these individuals had chosen not to receive advertising material directly, and without checking the Robinson list (contacts on that list may not be used for this purpose) [2], which is of extreme importance;
  • the amount of 2 million euros for a GDPR fine for violating Article 44 of GDPR, since they have allowed international exchange and use of personal data, without respecting all procedures and measures prescribed by the GDPR;
  • GDPR fine in the amount of 2 million euros for violating the Spanish law in the field of telecommunications, regarding Article 21 of GDPR, and Article 23 of the Spanish Law on Personal Data Protection and Digital Rights Guarantee, because Vodafone has continued to process personal data of users, even though users have objected to such processing, and explicitly stated that they do not wish to receive any advertising material;
  • and best for last – fine in the amount of astounding 4 million euros for violating Article 28 of GDPR, because processors whom Vodafone in Spain has used during processing, had not satisfied the standards prescribed by the GDPR, regarding appropriate technical and organizational measures – no prior written notice was given as prescribed by the GDPR.

What Does Respecting One’s Personal Rights Look Like in Serbia?

Just as multinational companies that conduct business on the territory of the European Union have to respect GDPR so as to avoid GDPR fines, all companies that process personal data of individuals on the territory of the Republic of Serbia (whether they have a business presence in Serbia or not) have to respect the Law on Personal Data Protection (hereinafter: LPDP). LPDP has been implemented based on GDPR, to the extent that some of its parts represent a clear translation from English into the Serbian language. However, that does not diminish the obligation to respect the provisions of the Law. Companies are obliged to coordinate their business with the relevant legal provisions. In case you are not sure what to do in order to comply with the Law, take a look at our blog dedicated to that topic – Tic-Toc… Is Your Company Compliant with the New Law on Personal Data Protection in Serbia?

All companies should keep in mind that in case they do not wish to comply with the rules, they can always end up like the “big players” with the GDPR fines, which can completely annul the profit and affect the company’s reputation. Surely, you do not wish to have a fine imposed on you for violating GDPR and personal rights for one wrong move, which can amount to even 2 million dinars for a single violation.

In any case, if this happens, you better learn from being fined for violating the provisions of GDPR and learn how to adequately and properly deal with personal data, which are significantly exposed, especially now in the times of internet expansion and online shopping, in order to avoid paying the astounding fines in Serbia, which are modelled after the GDPR fines.

[1] Law 34/2002, of 11 July, Services Of The Society Of Information And Electronic Commerce
[2] The Robinson List (Mail Preference Service – MPS) represents a list of people who do not wish to receive advertising material via email or phone.

Zunic Law