Policy, Jun 18, 2026

AEPD (Spain) - PS-00201-2025

Spain's AEPD fines Vodafone €1.05M for GDPR violations related to unlawful line registration and data disclosure.

Summary

The Spanish Data Protection Agency (AEPD) has fined Vodafone España €1,050,000 for multiple GDPR violations. The violations include unlawfully registering an additional mobile phone line under a customer's name without sufficient proof of a valid legal basis, and disclosing a duplicate invoice containing personal data to a third party via an unauthorized email address. The AEPD found that Vodafone failed to implement adequate security measures, leading to the unauthorized disclosure.

Full text

AEPD - PS-00201-2025

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR, Article 6(1)(f) GDPR, Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 13.03.2025
Decided: 17.06.2025
Published:
Fine: 1.050.000 EUR
Parties: Vodafone España, S.A.U
National Case Number/Name: PS-00201-2025
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The DPA fined Vodafone €1,050,000 for unlawfully registering a phone line, disclosing a duplicate invoice to a third party and failing to implement adequate security measures.

English Summary

Facts

In February 2021, the data subject entered into a contract with Vodafone España, S.A.U., the controller, for the portability of two mobile phone lines. The contract included personal data such as the data subject's name, identification number, address, email address, date of birth and bank account details.

In March 2022, the controller registered an additional mobile phone line under the data subject's name. The controller argued that this line was validly contracted through an online signature process, involving an email and an SMS code sent to a phone number already linked to the data subject. However, the data subject denied having requested certain subsequent operations linked to that line.

On 13 July 2022, a third party contacted the controller's customer service and requested a duplicate invoice relating to the data subject's services. The invoice contained personal data of the data subject, including her full name, postal address and identification number. The controller sent the invoice to an email address belonging to the third party, which was not registered as an authorised contact in the data subject's customer file. The data subject became aware of the disclosure after receiving messages from the third party, who claimed to have obtained her personal data through the controller's customer service. During a later call, an agent of the controller confirmed that the invoice had been sent to an email address not appearing as authorised in the customer record.

The data subject had previously requested the activation of an additional personal security code because she feared that a third party could access her personal data. According to the data subject, the controller informed her that this was unnecessary because sufficient security measures were already in place.

The controller argued that its agents were subject to a security policy and that, in principle, duplicate invoices were only sent after verification checks. However, in this case, the agent processing the request did not complete the final SMS verification step required to access the invoice through a URL link.

The DPA initially archived the complaint. After the data subject appealed, the DPA upheld the appeal and initiated sanctioning proceedings against the controller.

Holding

Violation of Article 6(1) GDPR

The DPA held that the controller violated Article 6(1) GDPR by registering an additional mobile phone line in the data subject's name without sufficiently proving that the processing had a valid legal basis. The DPA noted inconsistencies in the documentation submitted by the controller, including different order numbers and different email addresses. It also considered that the controller had not demonstrated that the disputed line had been lawfully contracted by the data subject.

The DPA further held that the controller violated Article 6(1) GDPR by modifying the data subject's contact details and sending a duplicate invoice to a third party. The invoice contained personal data of the data subject and was sent to an unauthorised email address. The DPA considered that the controller had no valid legal basis for this disclosure. The fact that a third party may have impersonated the data subject did not release the controller from its obligation to ensure that personal data were processed lawfully.

Violation of Article 32 GDPR

The DPA also held that the controller violated Article 32 GDPR by failing to implement appropriate technical and organisational measures. The controller's security policy was insufficient in practice, since it allowed a third party to modify contact details and obtain a duplicate invoice containing personal data. The DPA also stressed that the controller had not ensured the effective application of its own verification process, as the final SMS verification step was not completed.

The DPA rejected the argument that the incident resulted only from the conduct of a third party or from an isolated mistake by a customer service agent. Given the controller's business activity and the volume and nature of customer data processed, the DPA considered that the controller was required to apply a particularly high level of diligence.

Fine and corrective measures

The DPA imposed three administrative fines: €150,000 for the unlawful registration of the additional line, €150,000 for the unlawful modification of contact details and disclosure of the duplicate invoice, and €750,000 for the infringement of Article 32 GDPR. The total fine amounted to €1,050,000.

In addition, under Article 58(2)(d) GDPR, the DPA ordered the controller to bring its processing operations into compliance within six months from the finality of the decision. In particular, the controller had to adopt appropriate measures to prevent third parties from contracting services in the name of customers, obtaining duplicate invoices or modifying customer contact details.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202313830

RESOLUTION TERMINATING THE PROCEEDINGS BY ACKNOWLEDGMENT OF LIABILITY AND VOLUNTARY PAYMENT

From the proceedings initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On May 21, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against SILVANERGIA 2022, S.L. (hereinafter, SILVANERGIA), by means of the agreement transcribed below:

<< File No.: EXP202313830

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

Based on the actions taken by the Spanish Data Protection Agency and on the following

FACTS

FIRST: On August 22, 2023, a complaint was filed with the Spanish Data Protection Agency regarding a possible infringement attributable to SILVANERGIA 2022, S.L., with Tax Identification Number B72658313 (hereinafter, SILVANERGIA or the respondent). The following facts are brought to the attention of this authority:

The complainant states that on August 16, 2023, an agent of the company being sued contacted her by telephone and informed her that they were calling from Bassols Energía, the energy supplier that manages her contract with Naturgy, to update her tariff according to the new regulations published by the government. The agent told her that the process was very quick because they already had all her information and only needed to confirm it. In fact, the agent listed her full name, national identity document number, address, CUP number, and the 12 digits of her bank account number. The agent indicated that, due to data protection regulations, the full account number could not be given over the phone and urged her to complete it, supposedly for verification pu

Entities

Vodafone (vendor)