AEPD imposes a fine on a telephone company for a loss of confidentiality and a lack of adequate technical and organisational measures

3 November 2021 Spain

Background information

Date of final decision: 05/10/2021
National case
Controller: VODAFONE ESPAÑA, S.A.U.
Legal Reference: Confidentiality (Article 5.1.f), Security of processing (Article 32)
Decision: Infringement of the GDPR, Order to comply
Key words: Loss of confidentiality

Summary of the Decision

Origin of the case

The claim concerns the telephone company sending third-party invoices to the claimant. The claimant repeatedly reported this to the telephone company but did not receive a response. According to the above, another customer had activated notifications to send invoices to the claimant's email account; for this reason, the claimant was receiving the invoice availability notices by email.

This situation lasted for about a year and eight months.

Key Findings

The facts constitute a violation of Article 5.1.f) and Article 32 of the GDPR, for which the telephone company is responsible.

The company gave one customer access to information relating to the personal data of another.

The controller must apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The liability of the controller is determined by the unauthorized transfer of personal data that implies the loss of confidentiality, and also a lack of adequate technical and organisational measures.

Decision

The AEPD imposed a total fine of 50,000 euros for both violations, considering mainly the duration and the negligent character of the infringement, and also the link between the telephone company's activity and the processing of its customers' personal data.

For further information: https://www.aepd.es/es/documento/ps-00111-2021.pdf

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.