GFB One s.r.l. – €90,000 Fine (Italy, 2023)

GFB One s.r.l. (the company), while acting as a sales agent for Vodafone Italia S.p.A. (the controller), activated two SIM cards for the data subject without his authorisation. The data subject contacted the controller to block the new SIM cards. He also found out that the SIM cards had been associated with a non-existent bank account. Thus, the data subject lodged a complaint at the Italian DPA, which initiated an investigation. Before making a decision, pursuant to [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9042678 Article 157 of the Italian Privacy Code], the DPA requested both the company and the controller to provide information relevant to the proceedings to acquire useful elements for a complete assessment of the case. While the controller complied with the request of the DPA, the company did not provide any response, even though the request set out the consequences, including those of a sanctioning nature, to which it might be subjected in the event of failure to reply. First of all, the DPA examined the position of the controller and pointed out that its conduct did not appear to be unlawful or in conflict with the principles of the protection of personal data. In fact, as soon as it was informed of the unlawful activations, the controller blocked the SIM cards to prevent their use by unidentified persons. Meanwhile, the DPA ascertained that the company unlawfully processed the data of the data subject. The company had allowed the activation of the SIM cards without correctly confirming the identity of the data subject, had acquired a simple paper copy of the identity document and had failed to carry out further checks on the real identity of the person concerned. In light of the above, the company was found in breach of Article 5(1)(a) GDPR and Article 6 GDPR for processing personal data without a lawful basis, Article 13 GDPR for failing to provide necessary information to the data subject, and [https://www.garantepriva