- Media report suggests German OpCo could incur fines over data privacy violations.
- Whistleblower said to have demanded €900,000 in exchange for non‑publication of data.
- German case follows privacy incidents involving third‑party agencies in Italy and Spain.
Vodafone Germany revealed it has taken legal action against a number of external sales partners as it continues to investigate potentially fraudulent activity.
The OpCo said it had so far filed 15 criminal charges, disassociated itself from ten partners, and closed 53 shops. Vodafone operated about 1,500 retail stores in Germany at the end of 2019, and subsequently indicated some partner stores could be closed as part of Group plans to shutter 15% of stores within two years.
In the cases brought to date, Vodafone said it was able to prove fraudulent actions that affected both the OpCo and customers. It said contracts had been sold with criminal intent, while sales tactics such as commissions, discounts, and incentives had also been misused. Reports in the German media said that almost all cases took place in North Rhine-Westphalia and that thousands of Vodafone customers had been victims of fraud.
Furthermore, Vodafone said there are indications that sales partners violated data protection regulations. The OpCo has reported a “proven data protection violation” to the Bundesbeauftragten für Datenschutz und Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information/BfDI) and said it is in regular contact with the authority.
The matter has been building up over several months, with a number of twists to the tale. For example, it appears that a whistleblower was initially responsible for bringing some of the cases to the attention of Vodafone, although not all.
A report from Der Spiegel said Vodafone had offered the whistleblower a sum of €200,000 (£170,595) in exchange for information about the misuse of customer data by sales partners. The person in question, described as a former shop manager from Gladbeck, apparently then demanded €900,000 and threatened to publish sensitive customer data and trade secrets if they did not receive payment.
Vodafone said it had filed charges against the whistleblower “some time ago” with the Düsseldorf public prosecutor over extortion and the unauthorised disclosure of personal data and internal business matters. The OpCo also said the majority of the information provided by the whistleblower was not ultimately confirmed and indicated that further cases were under investigation.
Meanwhile, Vodafone is in the process of revising commission practices and tightening control systems. It is also building up additional resources to improve education and prevention measures.
While the German OpCo presents itself and its customers as victims of attempted blackmail and extortion, reports nevertheless suggest that Vodafone could be penalised for inadequate protection of sensitive customer data such as account details and signatures.
Der Spiegel said the OpCo had not implemented sufficiently robust data protection measures, and reported that the BfDI is investigating whether Vodafone violated GDPR rules. The report noted that, in theory, Vodafone could face a fine of up to 4% of sales, equating to about €460m, but such a high sum is deemed unlikely.
Vodafone claims to have a strong culture of data privacy, but was forced to admit it paid a combined €20m for “separate data privacy issues” in Italy, Romania, and Spain during the FY20–21 financial year.
In Italy and Spain, the fines also related to Vodafone’s use of third‑party marketing agencies, “some of which had conducted direct marketing activities towards people who had opted out”, the Group said in its Annual Report for the twelve months.
“These activities were in violation of existing supplier agreements. In limited instances, there were also delays and issues in adding people to opt‑out lists as a result of human and system errors, as well as related fraudulent activities, which Vodafone reported to the relevant authorities”, the report stated.
In Italy, data protection authority Garante per la protezione dei dati personali recently ordered Vodafone Italy to pay a fine of €12.25m “on account of having unlawfully processed the personal data of millions of users for telemarketing purposes”. Vodafone Spain has been fined €8.15m for similar offences.
Partner behaviour: Vodafone tidying house
The Annual Report disclosed that Vodafone had conducted a review of its telesales rules and strengthened “assurance and monitoring” of compliance. “Where necessary, improved controls have been introduced to monitor and enforce suppliers’ compliance. Such measures include, for example, introduction of tools to automatically prevent or detect calls to opted-out customers, verification that commission is only paid for authorised calls, enforcement of contractual penalties for non‑compliance, and discontinuation of contracts with a number of suppliers”, it added.
In July, Vodafone Spain and its main rivals agreed to improve telemarketing best practices in a bid to preserve self‑regulation. A newly updated Code of Ethics will see deeper auditing of agencies and stronger data protection measures, as well as other initiatives designed to combat sharp practice. So far, Vodafone Spain, Euskaltel, MÁSMÓVIL, Orange Spain, and Telefónica España have signed up to the document, which represents an update to the previous Code agreed in 2010.