TELEFÓNICA MÓVILES ESPAÑA, S.A. – €200,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
TELEFÓNICA MÓVILES ESPAÑA, S.A. was fined EUR 200,000 after a third party duplicated a customer's e-SIM without authorization, leaving the customer without service. This case matters because it shows the importance of strong security measures to protect customer data. Companies must ensure their processes prevent unauthorized access to personal information.
What happened
TELEFÓNICA MÓVILES ESPAÑA, S.A. processed a request to duplicate a customer's e-SIM from a third party without proper verification.
Who was affected
The customer who lost access to their mobile service was directly affected by this incident.
What the authority found
The authority ruled that the company violated GDPR by failing to implement adequate security measures to protect personal data.
Why this matters
This case highlights the need for companies to strengthen their security protocols to prevent unauthorized access to customer data. Businesses should regularly review and update their security practices to comply with data protection laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
TELEFÓNICA MÓVILES ESPAÑA, S.A. (the controller) is a telecommunications provider. One of the brands provided is O2, which the data subject has a contract with. On 16 January 2023, the controller received a request to duplicate the e-SIM card of the data subject by a third person. The controller processed the request, which left the data subject without service. The data subject contacted the controller and was informed of the e-SIM duplicate. After going to one of the controller’s physical stores, the data subject was also informed that a third person had requested the duplicate by e-mail. The controller argued that it had no record of the e-mail sent by the third person. In addition, the controller argued its security measures were sufficient at the time, and that it added measures following the unauthorised e-SIM duplication. Finally, the controller stated that its security measures were not followed by the sales agent, who was required to make a security call. The data subject filed a complaint with the DPA on 17 April 2023. The DPA began sanctioning proceedings against the controller on 21 May 2024. The controller objected to the DPA’s sanctioning proceedings, arguing that the incident is still subject to criminal proceedings. Under Spanish administrative law, the issue must first be resolved criminally before it is resolved administratively. The DPA first dismissed the controller’s objection to the proceedings. National administrative lawArticle 75 Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP, or Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas), https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565#a75 binds public bodies to facts declared proven by final criminal court rulings. However, the DPA considered that the criminal and administrative cases were separate enough: for example, the controller was responsible for violations of the GDPR and natio
Related Enforcement Actions (0)
No other enforcement actions found for TELEFÓNICA MÓVILES ESPAÑA, S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
21 May 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€200,000
About this data
Cite as: Cookie Fines. TELEFÓNICA MÓVILES ESPAÑA, S.A. - Spain (2025). Retrieved from cookiefines.eu
Last updated: