GFB One s.r.l. – €90,000 Fine (Italy, 2023)
GFB One s.r.l. was fined €90,000 for activating SIM cards without a user's permission and failing to respond to a data protection authority's request. This case matters because it shows that companies must respect user consent and respond to inquiries from regulators. It serves as a warning to businesses about the importance of compliance with privacy laws.
What happened
GFB One s.r.l. activated SIM cards for a user without their authorization and did not respond to a data protection authority's request for information.
Who was affected
The user whose SIM cards were activated without consent was affected.
What the authority found
The Italian Data Protection Authority fined GFB One s.r.l. €90,000 for unlawfully processing personal data and failing to cooperate with the investigation.
Why this matters
This ruling highlights the importance of obtaining user consent before processing personal data. It sets a strong precedent for accountability among companies in the telecommunications sector.
GDPR Articles Cited
National Law Articles
Entities Involved
GFB One s.r.l. (the company), while acting as a sales agent for Vodafone Italia S.p.A. (the controller), activated two SIM cards for the data subject without his authorisation. The data subject contacted the controller to block the new SIM cards. He also found out that the SIM cards had been associated with a non-existent bank account. Thus, the data subject lodged a complaint at the Italian DPA, which initiated an investigation.
Before making a decision, pursuant to Article 157 of the Italian Privacy Code (https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9042678), the DPA requested both the company and the controller to provide information relevant to the proceedings to acquire useful elements for a complete assessment of the case. While the controller complied with the request of the DPA, the company did not provide any response, even though the request set out the consequences, including those of a sanctioning nature, to which it might be subjected in the event of failure to reply.
First of all, the DPA examined the position of the controller and pointed out that its conduct did not appear to be unlawful or in conflict with the principles of the protection of personal data. In fact, as soon as it was informed of the unlawful activations, the controller blocked the SIM cards to prevent their use by unidentified persons.
Meanwhile, the DPA ascertained that the company unlawfully processed the data of the data subject. The company had allowed the activation of the SIM cards without correctly confirming the identity of the data subject, had acquired a simple paper copy of the identity document and had failed to carry out further checks on the real identity of the person concerned.
In light of the above, the company was found in breach of Article 5(1)(a) GDPR and Article 6 GDPR for processing personal data without a lawful basis, Article 13 GDPR for failing to provide necessary information to the data subject, and [https://www.garantepriva
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for GFB One s.r.l. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
14 September 2023
Authority
Garante per la protezione dei dati personali
Fine Amount
€90,000
GDPRhub ID
gdprhub-6439
About this data
Cite as: Cookie Fines. GFB One s.r.l. - Italy (2023). Retrieved from cookiefines.eu
Last updated: