Spain: Sanctions process against Vodafone for breaches of Arts 6, 17 of GDPR concluded by AEPD

On 30 July 2021, the Spanish Data Protection Authority (Agencia Española de Protección de Datos - AEPD) has concluded its sanctions process against Vodafone España. It has found breaches of Art.6(1) (lawfulness of processing) and Art.17(1) (right to erasure of data) of the EU General Data Protection Regulation (GDPR) and has ordered Vodafone España to pay a fine of €96,000. Specifically, Vodafone processed personal data despite lacking legitimization and then in turn did not delete the data after being asked to do so.