ANRO Privacy Logo
close

AEPD Resolution: EXP202511836

Resolution Signed: 10/01/2026

AEPD Reference Number: EXP202511836

Sanction Procedure Number: PD-00313-2025 

Fine Amount: €0

Full Description

The Incident: A.A.A. (the claimant) contracted services with Movistar (Telefónica Móviles España, S.A.) in 2024 and discovered upon receiving invoices that the registered address was incorrect. The claimant exercised their right of rectification on March 17, 2025, requesting correction of the address data.

Telefónica's Response:

  • April 4, 2025: Telefónica responded extending the response deadline
  • May 14, 2025: Telefónica provided a final response denying the rectification request
  • Telefónica's Justification: The company claimed the address format must align with Spain's official administrative division published by the National Statistics Institute (INE) and the Organic Regulation of Districts of the Municipality of Lorca, which requires including the district/neighborhood ("núcleo de población") as part of the address

The Claimant's Evidence: The claimant provided compelling proof that Telefónica's own practices contradicted their stated policy:

  • The claimant's National Identity Document (DNI) shows the address without the district designation
  • Two letters sent by Telefónica to the claimant (dated June 26 and July 29, 2025) used the simplified address format without the territorial division
  • Yet Telefónica continued including the district designation on invoices

The AEPD's Ruling: The AEPD UPHELD the claim and ordered Telefónica to rectify the address, ruling that:

  1. The Municipal District Regulation only defines internal territorial divisions - it does not mandate how private companies must record postal addresses
  2. The valid address is what appears in official documents: Municipal Census (Padrón Municipal), Cadastre, or the individual's official identification documents
  3. Telefónica must align data with the claimant's official documentation (DNI), which shows the address without the district
  4. Companies cannot impose address formats beyond what appears in citizens' official identification

The AEPD ordered Telefónica to rectify the data within 10 business days or provide motivated denial, warning that non-compliance could constitute a very serious infraction under Article 72.1.m) LOPDGDD.

Articles Infringed

Article 16 GDPR (Right of Rectification): Telefónica violated the claimant's right to obtain rectification of inaccurate personal data without undue delay. The company unjustifiably refused to correct address data to match the claimant's official identification documents.

Actionable Steps

This resolution establishes critical precedent regarding data accuracy requirements and corporate discretion over personal data formats:

1. The "Official Documentation" Standard

Rule: When individuals request rectification of personal data, the authoritative source is their official identification documents (DNI, passport, residence permit), NOT corporate preferences or internal formatting standards.

Action:

  • Accept address formats exactly as they appear on official ID documents
  • Do not require customers to include administrative subdivisions (districts, neighborhoods, parishes) if these don't appear on their DNI/passport
  • Your internal database standards cannot override official documentation

2. The "Practice What You Preach" Principle

Critical Failure: Telefónica undermined its own legal defense by:

  • Claiming administrative divisions were "necessary"
  • Yet simultaneously sending official correspondence to the claimant using the simplified address format

Action: Ensure consistency between:

  • Your stated data policies
  • Your actual operational practices
  • Data formats across all customer touchpoints (invoices, correspondence, account portals)

Hypocrisy is evidence against you in GDPR proceedings.

3. Limits of "Data Accuracy" Defenses

What Telefónica Got Wrong: Companies cannot argue data is "accurate" simply because it conforms to:

  • Statistical databases (INE)
  • Geographic information systems
  • Municipal administrative divisions
  • Internal formatting preferences

The Standard: Data is accurate when it matches what the data subject declares in their official documentation, regardless of whether alternative formats might be more "administratively complete."

Action: When a customer says "my DNI shows X," you cannot respond "but the INE database shows Y" as justification for keeping Y.

4. Right of Rectification Cannot Be Denied Based on Format Preferences

Key Principle: Article 16 GDPR grants individuals the right to rectify inaccurate data. Companies cannot transform this into a debate about:

  • Preferred address formats
  • Database normalization standards
  • Geographic coding systems
  • Municipal boundaries

Action: If customer's official ID shows "Calle Mayor 5, Lorca," you cannot insist on "Calle Mayor 5, Distrito (...), Lorca" and claim this is "more accurate."

5. The 10-Day Compliance Clock

Protocol: When the AEPD orders rectification:

  • You have 10 business days from notification
  • You must either: (a) rectify the data, or (b) provide motivated denial explaining why the request cannot legally be fulfilled
  • Non-compliance = very serious infraction under Article 72.1.m) LOPDGDD
  • Potential sanctions under Article 58.2 GDPR

6. Geographic Data and Postal Standards

Important Distinction:

  • Postal delivery addresses: May require specific formats for mail routing
  • Personal identification data: Must match official documents

Action: If you need detailed geographic data for logistics:

  • Explain this need transparently to customers
  • Store the "official ID version" as the primary record
  • Maintain delivery-optimized versions separately with clear labels
  • Allow customers to control which version appears on invoices and correspondence

7. Response Obligations Remain Absolute

Even if Telefónica believed its position was legally sound, failure to provide proper response to rectification requests violates Article 12 GDPR.

Required Response Elements:

  • Express acknowledgment of the request
  • Clear decision (grant or deny)
  • If denied: specific legal reasons why rectification cannot proceed
  • Information about complaint mechanisms
  • Response within one month (extendable by two months with notice)

You cannot simply ignore requests or provide circular justifications.

8. Municipal Regulations ≠ Data Controller Obligations

Critical Clarification: The AEPD explicitly stated that municipal territorial regulations (Reglamento Orgánico de Distritos) define internal administrative boundaries but do not impose formatting requirements on private companies.

Action: Do not cite:

  • Municipal bylaws
  • Regional administrative codes
  • Geographic nomenclature standards

...as justification for refusing to use the address format on someone's official ID.

Summary of Business Risk

Zero Fine but Mandatory Compliance: While no monetary sanction was imposed, Telefónica received a binding order to rectify the data within 10 days. Key takeaways:

  1. Official ID documents trump corporate database standards - you cannot impose address formats that contradict what appears on DNI/passports
  2. Internal inconsistency destroys legal defenses - if you use simplified addresses in correspondence but detailed addresses on invoices, you've proven the detailed format isn't "necessary"
  3. "Administrative completeness" is not a valid reason to deny rectification - Article 16 GDPR protects accuracy as defined by the data subject's official documentation
  4. Non-compliance with AEPD rectification orders triggers very serious infraction classification with substantial penalties

Compliance Deadline: 10 business days from notification to rectify or face potential Article 83.6 GDPR sanctions.

Link to Official AEPD PDF

https://www.aepd.es/documento/pd-00313-2025.pdf

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

Este resumen tiene carácter meramente informativo. Para más información, consulte nuestro Aviso Legal.

ANRO Privacy Logo
Providing clear, reliable information on GDPR and data privacy standards to help you navigate the digital landscape securely.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram