Telefónica España, S.A.U. – €75,000 Fine (Spain, 2021)

A data subject filed a complaint with the Spanish Data Protection Authority (AEPD) against the telecommunication company Telefonica. The reasons on which the complaint was based were that the data subject's personal data had been used to contract, without knowledge or authorization, a Movistar service from March to October 2019 - when the line was cancelled due to non-payment. The data subject indicated that they had been included in the credit information files for unrecognised debt. They also indicated that they had no relationship whatsoever with the contracted service or with the installation address of said services. Likewise, the data subject did not know how the debt collection company was able to locate them to their phone number. During the investigation, the controller indicated that there was no copy of the documentation collected for the verification of the identity of the complainant, reason for which the cancellation was made of the contracted services, as well as the cancellation of all the invoices issued in the data subject's name. Telefónica confirmed that this incident could possibly have been caused due to identity theft and that all necessary actions were carried out to regularise the situation proceeding to cancel the debt and request the exclusion of the complainant from the assets insolvency files in which it had been included. Telefónica advised that during 2020, it had implemented several organisational and technical measures in order to prevent recurrence of incidents of this type. The DPA alleged that the controller had not been diligent enough and had not implemented adequate measures to prevent identity theft. This had led to an impossibility, in this case, to exhibit proof of the calls with the initial contractor and the identification they provided. Therefore, the DPA argues that the lack of diligence and the impossibility to present proof constitutes a breach of the accountability principle, and hence imply that there i