Vodafone – €740,000 Fine (Greece, 2025)
Vodafone Greece was fined for allowing a third party to register multiple prepaid phone numbers under a customer's name without her consent. This incident highlights the importance of protecting customer data and ensuring that personal information is not misused. Companies must take extra care to verify identities and secure personal data to avoid similar issues.
What happened
Vodafone Greece allowed a third party to register 15 prepaid phone numbers using a customer's ID without her consent.
Who was affected
The customer whose ID was misused to register the prepaid phone numbers was affected.
What the authority found
The Hellenic Data Protection Authority ruled that Vodafone Greece violated data protection rules by failing to protect customer data and allowing unauthorized processing.
Why this matters
This case emphasizes the need for companies to implement strict identity verification processes. It serves as a warning that failing to protect customer data can lead to significant fines.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject is a client of Vodafone Greece (controller). The controller had partnered with DS Phone EE, a company which operated some of the controller’s physical stores (processor). In 2022, a third individual visited store X operated by the processor and using the data subject’s ID card details they registered 15 Vodafone prepaid numbers under her name. They did this by claiming that they were the leader of a group of tourists and wanted to issue prepaid numbers for the whole group under one name for convenience purposes. The data subject only became aware of this in 2023, when she was called by the police in the context of a preliminary investigation for fraud using one of the telephone numbers registered under her name. The data subject immediately informed the controller about the situation. The latter carried out a search in its information system and registered the incident. Later the data subject lodged a complaint with the DPA against the controller, complaining about the unlawful processing of her data. She argued that she never provided her data to this particular store of the processor, as she was a client of a different one, and that she did not consent to the issuance of the phone numbers at hand. She further claimed that when the controller was asked by the Public Prosecutor's Office in the course of the preliminary investigation for fraud to provide information about the owner of the phone number, it provided her name and failed to point out that the number had been illegally activated. As a result, the controller directly pointed to the data subject as the perpetrator of the fraud under investigation, even though it knew the real perpetrator. The processor claimed that the employee who was entrusted with the registration of the data attached the wrong file and mistakenly registered the numbers mentioned above under the identity details of the data subject. It admitted that it had not complied with the client identification procedure. The c
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (2)
Other enforcement actions involving Vodafone in GR
Fine
€740K
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
25 June 2025
Authority
Hellenic Data Protection Authority
Fine Amount
€740,000
GDPRhub ID
gdprhub-9494About this data
Cite as: Cookie Fines. Vodafone - Greece (2025). Retrieved from cookiefines.eu
Last updated: