Spanish Data Protection Regulator Imposes Its Highest Fines

Media Centre

Spanish Data Protection Regulator Imposes Its Highest Fines

17 March 2021

Technology & eCommerce Regulation in the Spotlight

In the last couple of months, the Spanish data protection authority (“AEPD“) issued three sanctioning decisions, imposing fines more than thirty times higher than the previous top three fines it imposed under the GDPR. The importance of these enforcement decisions, beyond the significant amount of the fines, is the stricter regulatory standard imposed by the AEPD in the decisions.

At the end of 2020, the AEPD fined Banco Bilbao Vizcaya Argentaria, SA (“BBVA“) €5M for GDPR transparency and consent related violations. According to the AEPD’s resolution (Spanish), the BBVA used vague terminology to describe its processing activities in its privacy policy and failed to obtain valid consents before sending marketing communications, as required under the GDPR. In January 2021, the AEPD issued another resolution (Spanish) imposing €6M fine over CaixaBank on similar grounds.

In its resolutions, the AEPD stated that various common wording and expressions, that are used by many companies in their policies, do not provide the data subject with a clear understanding of the purpose and the processing activities involved. By way of example, the phrases “personalize your experience“, “improve the quality of products and services” or “communicate your data to third parties with whom we have an agreement” are considered by the APED as vague and unclear and are even viewed as a “marketing tool” rather than a notice.

In addition to its claims regarding the companies’ privacy policies, the AEPD requires companies to make clear differentiation in their privacy policies between marketing activities based on legitimate interests and marketing activities based on data subjects’ consent. In this regard, the AEPD concluded that only where these are clearly separated, a data subject will be able to provide its unambiguous consent. More on consent, the AEPD emphasized that “global consents” are not valid under the GDPR and that different purposes of processing activities cannot be grouped under one consent, specifically stating that sharing of personal data within a group of companies requires separate consent.

It should be noted that apart from the economic sanctions referred to above, the AEPD imposed an additional non-economic sanction, requiring both entities to align their privacy documents, procedures and practices with the GDPR within six months, and to demonstrate compliance to the AEPD within that deadline.

Also recently, Vodafone Spain was fined €8.15M for commercial communication failures and the violation of several GDPR provisions. In its resolution (Spanish) the AEPD concluded that Vodafone was performing marketing communications without obtaining the recipients’ consent, and even sent commercial content to individuals who objected to such processing. Moreover, Vodafone failed to ensure the adequacy of technical and organizational measures implemented by its processors as required under Article 28 of the GDPR. According to the AEPD, Vodafone also failed to comply with the requirement of Article 44 of the GDPR, when it approved international data transfers without implementing sufficient measures.

In light of the above, the AEPD seems to be taking a strict approach, prohibiting very common privacy related practices. Given these high standards adopted by the AEPD, it is advisable to undertake a comprehensive review of existing privacy policies, consent mechanisms and used practices, to ensure all legal requirements are met.


Feel free to contact us if you have any questions regarding these resolutions and their potential effects on your company’s compliance efforts.

Kind regards,

Ariel Yosefi, Partner

Head of Technology & eCommerce Regulation

Herzog Fox & Neeman

Search by +