Vodafone has been fined a total of €8.15m ($9.80m), the highest amount ever handed out by Spain’s data protection authority AEPD, for mishandling personal data during marketing campaigns between 2018 and 2020.

The multi-national telecommunications company disputes the findings and says it will appeal.

The agency opened an investigation last year after receiving 191 complaints about calls and messages made on behalf of Vodafone to individuals who had not requested or authorised them, and in some cases had opted out of receiving such communications. The AEPD looked into 162 of those complaints.

The authority concluded that the company, which outsourced many of its operations, does not have the organisational or technical means to verify the legality of the data being processed or its origin.

Neither does it have the capability of identifying whether people have opted out of marketing or third-party communications, according to media reports.

The data authority found that Vodafone’s Spanish arm does not have continuous, audited control over how customer data is treated, does not provide detailed documentation on data protection guarantees, and is unaware of what guarantees the entities it subcontracts for teleshopping have in place to protect customers.

The €8.15m financial penalty is the sum of four fines: two totalling €6m for violations of the EU’s General Data Protection Regulation (GDPR), €2m for breaching GDPR and Spanish laws on telecommunications and digital rights, and €150,000 for offences under a Spanish law covering cookies.

The AEPD says the total fine is so high because Vodafone is a repeat offender: between January 2018 and February 2020, the company was fined or received a warning more than 50 times.

Vodafone said it intends to appeal the decision and described the level of fine as disproportionate.

“Vodafone Spain wants to underline that protecting customer data and privacy is our top priority, and we have an experienced team of specialists dedicated to making sure that our processes offer the best guarantees for the protection of our customers’ data,” a company spokesperson said.
