Orange Espagne, S.A.U. – €200,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 15 August 2022, a complaint was filed with the Spanish DPA (AEPD) against Orange Espagne, S.A.U. (the controller) alleging that the controller provided a third party with a duplicate of the data subject’s SIM card without the data subject’s consent. The third party accessed the data subject’s banking data as a result, causing financial harm. When the data subject notified the controller of the incident and requested that the SIM card be annulled, the controller responded that they could not annul the card until the data subject received a new physical SIM card in a few days.
The DPA’s investigation found that the controller duplicated the data subject’s eSIM to a third party without their consent and without verifying the identity of the requesting party. The third party then accessed information contained in the phone including the data subject’s email address, bank details, passwords, and other personal data.
In its defense brief, the controller stated that upon detecting irregularities in the request for the duplicate SIM, it recorded the incident to prevent the accrual of charges for duplicate invoices. The controller also adjusted charges generated by the duplicate SIMs and blacklisted the International Mobile Equipment Identity of the device that created the duplicate SIM to prevent future malfeasance. In addition, the controller argued that the identity thief already had knowledge of personal data of the data subject which was not accessed through the controller.
The AEPD fined the controller €200,000 for violating Article 6(1) GDPR. The AEPD determined that the controller did not take the necessary precautions to avoid the occurrence of these events. It noted that even though the data subject informed the controller they had not requested the additional SIM card, the controller failed to immediately block the SIM. Its delay of three days thus allowed the third party to access the data subject’s banking data and cause financial harms. The controller
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Orange Espagne, S.A.U. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 23 January 2024
Authority: Agencia Española de Protección de Datos
Fine Amount: €200,000
GDPRhub ID: gdprhub-7781
Cite as: Cookie Fines. Orange Espagne, S.A.U. - Spain (2024). Retrieved from cookiefines.eu