Date of final decision: 05/10/2021
Controller: VODAFONE ESPAÑA, S.A.U.
Legal Reference: Confidentiality (Article 5.1.f), Security of processing (Article 32)
Decision: Infringement of the GDPR, Order to comply
Key words: Loss of confidentiality
Summary of the Decision
Origin of the case
The claim concerns the telephone company sending third-party invoices to the claimant. The claimant reported this to the telephone company repeatedly but received no response. According to the above, another customer had activated notifications to send invoices to the claimant's email account; for this reason, the claimant was receiving the invoice availability notices in his/her email.
This situation lasted for about a year and eight months.
The facts constitute a violation of Article 5.1.f) and Article 32 of the GDPR, for which the telephone company is responsible.
The company gave one customer access to information relating to the personal data of another customer.
The controller must apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The liability of the controller is determined by the unauthorized transfer of personal data, which implies a loss of confidentiality, and also by a lack of adequate technical and organisational measures.
The AEPD imposed a total fine of 50,000 euros for both violations, considering mainly the duration and the negligent character of the infringement, and also the link between the activity of the telephone company and the processing of personal data of its customers.
For further information: https://www.aepd.es/es/documento/ps-00111-2021.pdf
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.