On September 14, 2021, the Spanish Data Protection Authority (‘AEPD’) fined Vodafone Spain, SAU €56,000 for processing the personal data of the complainant without having a legal basis for doing so, and thereby violating Article 6(1) of the General Data Protection Regulation (‘GDPR’).
In the present case, the complainant received a phone call from Vodafone demanding payment of arrears for three missed payments for a package deal that a third party had contracted into fraudulently using the claimant’s account.
The AEPD notes that it is proven that a third party had contracted on behalf of the claimant for a package of services with Vodafone and the invoices provided by the claimant shows that the bank account and address used were not that of the claimant. After perusal of the facts and circumstances of the case, AEPD stated that Vodafone did not verify the identity of the person who contracted the package deal and did not take the necessary precautions to prevent these events. Therefore, Vodafone held liable for fine of €56,000 for failure to verify customer identity.
Read the decision here.
