[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEPjVyF_VM9s8FOL0CecR9fS24rqbQqX7HZlaCJTaVxo":3},{"article":4,"iocs":42},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"93c1d1b1-030b-4cf5-ab8d-3e96db1eda46","AEPD (Spain) - PS-00201-2025","aepd-spain-ps-00201-2025-927723","← Older revision Revision as of 09:33, 18 June 2026 (One intermediate revision by the same user not shown) Line 22: |Outcome=Upheld |Date_Started=13.03.2025 |Date_Decided=17.06.2025 |Date_Decided= |Date_Published= |Date_Published=17.06.2025 |Year=2025 |Fine=1.050.000 Line 85: === Holding === '''Violation of [[Article 6 GDPR#1|Article 6(1) GDPR]]''' The DPA held that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]] by registering an additional mobile phone line in the data subject’s name without sufficiently proving that the processing had a valid legal basis. Line 95: The invoice contained personal data of the data subject and was sent to an unauthorised email address. The DPA considered that the controller had no valid legal basis for this disclosure. The fact that a third party may have impersonated the data subject did not release the controller from its obligation to ensure that personal data were processed lawfully. '''Violation of [[Article 32 GDPR]]''' The DPA also held that the controller violated [[Article 32 GDPR]] by failing to implement appropriate technical and organisational measures. The controller’s security policy was insufficient in practice, since it allowed a third party to modify contact details and obtain a duplicate invoice containing personal data. The DPA also stressed that the controller had not ensured the effective application of its own verification process, as the final SMS verification step was not completed. Line 103: The DPA rejected the argument that the incident resulted only from the conduct of a third party or from an isolated mistake by a customer service agent. Given the controller’s business activity and the volume and nature of customer data processed, the DPA considered that the controller was required to apply a particularly high level of diligence. '''Fine and corrective measures''' The DPA imposed three administrative fines: €150,000 for the unlawful registration of the additional line, €150,000 for the unlawful modification of contact details and disclosure of the duplicate invoice, and €750,000 for the infringement of [[Article 32 GDPR]]. The total fine amounted to €1,050,000. In addition, under [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA ordered the controller to bring its processing operations into compliance within six months from the finality of the decision. In particular, the controller had to adopt appropriate measures to prevent third parties from contracting services in the name of customers, obtaining duplicate invoices or modifying customer contact details.","Spain's data protection authority (AEPD) has fined a company €1.05 million for multiple GDPR violations. The violations include registering a mobile phone line without a valid legal basis, disclosing personal data in an invoice to an unauthorized email address, and failing to implement adequate security measures.
The company was ordered to bring its processing operations into compliance within six months.","Spain's AEPD fines a company €1.05M for GDPR violations.","AEPD (Spain) - PS-00201-2025: Difference between revisions From GDPRhub Revision as of 09:28, 18 June 2026 Latest revision as of 09:33, 18 June 2026 (One intermediate revision by the same user not shown) AEPD - PS-00201-2025 Authority: AEPD (Spain) Jurisdiction: Spain Relevant Law: Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 32 GDPR Type: Complaint Outcome: Upheld Started: 13.03.2025 Decided: Published: 17.06.2025 Fine: 1.050.000 EUR Parties: Vodafone España, S.A.U National Case Number\u002FName: PS-00201-2025 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Spanish Original Source: AEPD (in ES) Initial Contributor: bms The DPA fined Vodafone €1,050,000 for unlawfully registering a phone line, disclosing a duplicate invoice to a third party and failing to implement adequate security measures. English Summary Facts In February 2021, the data subject entered into a contract with Vodafone España, S.A.U., the controller, for the portability of two mobile phone lines. The contract included personal data such as the data subject’s name, identification number, address, email address, date of birth and bank account details. In March 2022, the controller registered an additional mobile phone line under the data subject’s name. The controller argued that this line was validly contracted through an online signature process, involving an email and an SMS code sent to a phone number already linked to the data subject. However, the data subject denied having requested certain subsequent operations linked to that line. On 13 July 2022, a third party contacted the controller’s customer service and requested a duplicate invoice relating to the data subject’s services. The invoice contained personal data of the data subject, including her full name, postal address and identification number. The controller sent the invoice to an email address belonging to the third party, which was not registered as an authorised contact in the data subject’s customer file. The data subject became aware of the disclosure after receiving messages from the third party, who claimed to have obtained her personal data through the controller’s customer service. During a later call, an agent of the controller confirmed that the invoice had been sent to an email address not appearing as authorised in the customer record. The data subject had previously requested the activation of an additional personal security code because she feared that a third party could access her personal data. According to the data subject, the controller informed her that this was unnecessary because sufficient security measures w","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_PS-00201-2025&diff=51914&oldid=51912","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F5\u002F59\u002FLogoES.jpg","2026-06-18T09:33:17+00:00","2026-06-18T10:00:20.677177+00:00",7,[18],{"name":19,"type":20},"AEPD","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":38},{"id":39,"icon":23,"name":40,"slug":41},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]