New record fine from the Spanish Data Protection Agency (AEPD) to Vodafone, with 8.15 million euros. This is the third major sanction in recent months for companies operating in Spain, after the one that fell on BBVA in December and the six million on Caixabank in January.
Far away are minor penalties considered very large at the time, such as the 600,000 euros to WhatsApp or the 1.2 million euros to Facebook. The General Data Protection Regulation (RGPD or GDPR) has had a lot to do with it, as we will now see.
Penalties for violating RGPD, LOPDGDD and LGT
The AEPD has once again communicated a sanction with a very long document, although less than on other occasions, with 97 pages. It states that the Director of the institution has decided to impose four fines divided into: a fine of four million euros for violating article 28 of the RGPD in relation to article 24, and another of two million for violating article 44.
There is also the Penalty of two million for violating article or 48.1.b of the General Tax Law (LGT) which refers to 21 of the RGPD and 23 of the LOPDGDD. Finally, the Agency considers that Vodafone has infringed article 21 of the Law on Information Society Services (LSSICE), for which it is sanctioned with 150,000 euros.
It is a record sanction in Spain, but it is far from the largest sanctioned: 50 million to Google in France and 35.2 million to H&M in Germany
Articles 24 and 28 regulate the action of data controllers. Article 44 regulates the transfer of data to other countries or international organizations.
The 21, related to the 23 of the LOPDGG, regulates the right of opposition of individuals to have their data receive treatment, such as by marketing, which is part of what the AEPD denounces, that is, despite the fact that some People have opposed receiving communications from Vodafone, they have not stopped.
In this sense, the AEPD recalls in the background that they have received 191 claims against Vodafone since the second quarter of 2018, in which marketing actions have been reported through calls, SMS and emails. In that period, Vodafone has received more than 50 sanctions.
The AEPD explains that, for example, Vodafone has continued to make communications to clients who have registered on the Robinson List (Internal Robinson List and Robinson Adigital), or that after resolutions of the institution itself, the operator has not stopped carrying out commercial actions already sanctioned. The AEPD argues that Vodafone has been able to benefit financially from these actions, and gives it six months to prove that they have stopped the sanctioned behaviors.
Vodafone considers the sanction disproportionate and does not accept the breaches attributed to them
Vodafone has communicated that the resolution issued by the AEPD is actionable, and that, in that sense, after seeing what the AEPD decides after filing an appeal, they leave open the possibility of doing the same with an administrative dispute in the National Court.
They also state that "we understand that the responsibility attributed to Vodafone does not correspond to us"while considering that" the amount of the proposed penalty is disproportionate. "
More information | AEPD