Spain: Data Protection Authority rejected Vodafone Spain appeal of ruling concerning alleged direct marketing violations

On 18 July 2025, the Spanish Data Protection Authority (APED) rejected Vodafone Spain's appeal of an AEPD ruling, which found the company liable for direct marketing violations. On 8 May 2025, Vodafone Spain appealed the ruling from the AEPD in which it issued fines totalling EUR 20'000 for sending unsolicited commercial emails and failing to include an opt-out mechanism in emails. Vodafone claimed that there was a recording error in which another client, who had opted into the emails, was listed as having the claimant's email address. The AEPD responded that a system allowing duplicate emails with conflicting consent preferences violates obligations under the Information Society Services Act, which forms the basis for the ruling. Moreover, the AEPD found that Vodafone’s internal screenshots do not sufficiently prove consent, and that three emails lacked opt-out mechanisms which also constituted a breach. The AEPD therefore upheld its decision to issue the fines of EUR 15'000 for sending unsolicited emails and EUR 5'000 for failing to include an opt-out mechanism. Vodafone must pay within the voluntary payment period or face enforcement.