XFERA MÓVILES, S.A. – €200,000 Fine (Spain, 2022)

€200,000Agencia Española de Protección de Datos1 February 2022Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

XFERA MÓVILES, S.A. was fined for not properly verifying the identity of customers, which allowed fraudsters to steal SIM cards. This is important because it shows how companies must take steps to protect customer information and prevent identity theft. Small businesses should implement strong identity verification processes to avoid similar issues.

What happened

XFERA MÓVILES, S.A. failed to verify the identity of individuals requesting SIM cards, leading to fraudulent contracts.

Who was affected

Two customers of XFERA MÓVILES, S.A. whose identities were impersonated by fraudsters.

What the authority found

The authority determined that XFERA did not meet the GDPR requirement for ensuring the security of personal data by failing to verify identities.

Why this matters

This ruling highlights the need for companies to have robust identity verification measures in place. It serves as a warning to small businesses to prioritize customer data security to prevent fraud.

GDPR Articles Cited

AI-verified

Art. 5(1)(f) GDPR
View original scraped data
Art. 5(1) f) GDPR

Original data from scraper before AI verification against source document.

Source verified 10 March 2026
articles corrected
national law identified
Spain enforcementAgencia Española de Protección de Datos actionsAll XFERA MÓVILES, S.A. actions
Full Legal Summary
Detailed

The Spanish DPA has fined XFERA MÓVILES, S.A. EUR 200,000. Two Xfera customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Xfera and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Xfera had not properly verified the identity of the fraudsters before issuing the SIM cards and ensured that the inquirers were really the SIM card holders.

Related Enforcement Actions (2)

Other enforcement actions involving XFERA MÓVILES, S.A. in ES

Current
Feb 2022

Fine

€200K

Fine
Apr 2025· Agencia Española de Protección de Datos

XFERA MÓVILES, S.A. (also known as Yoigo, the controller) is a telecommunications company. On 15 April 2022, a data subject presented a complaint to t...

€70K
Fine
May 2025· Agencia Española de Protección de Datos

XFERA MÓVILES, S.A. (the controller) is a telecommunications company. A data subject received a text message informing them that their phone line woul...

€200K

Details

Fine Date

1 February 2022

Authority

Agencia Española de Protección de Datos

Fine Amount

€200,000

Enforcement Tracker ID

ETid-1058

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. XFERA MÓVILES, S.A. - Spain (2022). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: