Vodafone, BBVA and Mercadona top the list of million-euro fines for personal data protection violations in 2021

When the ‘Organic Law on the Protection of Personal Data and guarantee of digital rights’ was approved in 2018, its article 76.4 established the obligation to compile and publish in the BOE all sanctions imposed by the AEPD (Spanish Agency for Data Protection) that exceed one million euros and whose recipient is a ‘legal person’ (companies, associations, political parties, etc.).

As required by that law, yesterday’s BOE lists all such sanctions imposed by the AEPD over the past year, identifying the offender, infraction and amount. A total of five large companies appear on the list: Vodafone, BBVA, Mercadona, and the two Spanish subsidiaries of EDP (Energías de Portugal).


Vodafone: 8.15 million

In March 2021, the AEPD fined Vodafone Spain 8.15 million euros for breaching not only the GDPR, but also the LSSICE (Law on Services of the Information Society and Electronic Commerce) and the General Telecommunications Law.

The sanction was largely due to the commercial marketing actions carried out by the telephone operator: the AEPD found that the company had not been able to explain why the events complained of occur and continue to occur, nor “the reason why certain users have requested not to receive marketing actions and, nevertheless, continue to receive commercial actions”.

That, together with Vodafone's recidivism in these practices (there were a total of 162 claims in a period of less than two years, and the company had continued its marketing actions after tutela resolutions urging that they be stopped) and the fact that it benefited financially from them, determined the enormous amount of the fine imposed.

BBVA: 5 million

In mid-December 2020 (although it was not final until 2021), the AEPD imposed a fine of 5 million euros on Banco Bilbao Vizcaya Argentaria (BBVA), as a result of five claims from different users who received phone calls from BBVA despite having refused the transfer of their data for advertising purposes.

BBVA was accused of not making its privacy policy clear enough, and of assuming that by not checking a box, a user gave consent to the processing of some personal data, which goes against the provisions of the General Data Protection Regulation.

The AEPD considered that the bank not only ignored the need for consent by the user (article 13), but also failed to correctly inform the user of how their data would be collected (article 14).

Mercadona: 2.5 million

Although smaller than the previous ones, the sanction of 2,520,000 euros against Mercadona stands out for involving the most GDPR articles violated: a total of seven.

The sanction was imposed last July, a year after Mercadona announced that it would begin to use a facial recognition system in its supermarkets to detect people with a final sentence and a precautionary restraining order covering its establishments.

Following the controversy this unleashed, the AEPD opened an investigation that ended with a resolution stating that such measures mean, for practical purposes, “that all citizens are treated as convicted” for being “subjected to the same treatment as the subject on whom the security measure was imposed”.

Previously, the company had tried to have the sanctioning proceedings shelved by wielding a shocking argument: that it did not need a “legal basis” to carry out data processing, because “the [facial] pattern of a person does not constitute personal data”.

EDP: 1.5 + 1.5 million

Last June, the AEPD had already imposed a sanction against EDP Energía and against its marketing company, for a total sum of 3 million euros. The sanctioning procedures had begun two years earlier, as a result of repeated complaints made by users.

The AEPD found EDP Energía/Comercializadora guilty of violating the principle of privacy by design (its website allowed its services to be contracted through a representative… without verifying that the person represented had previously given authorization) and the principle of information (because the user was not informed of the possibility of exercising their rights or of the channel for doing so).