Vodafone Spain – €200,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 14 December 2022, the data subject filed a complaint against Vodafone Spain with the Spanish DPA (AEPD). The data subject alleged that a third party, without his consent, requested and received a duplicate of his SIM card from Vodafone. The third party had logged in to the data subject’s account and requested delivery of a duplicate SIM card to an address different from the billing address. As a result, the third party had access to the data subject’s personal data, including his bank account information.

The controller argued that the third party had established their fraudulent identity by correctly providing access credentials that were obtained through social engineering techniques. It argued that it cannot be expected to verify the identity of users who enter valid login details. Further, it stated that the logistics provider used for the delivery of the SIM card verified the identity of the third party upon delivery by asking for an ID card. It submitted that the third party must have been in possession of a fake ID card and that, as a controller, it cannot be expected to prevent identity theft. The controller could provide neither proof of a signature by the third party nor the recording of an activation call necessary to use the SIM card.

The AEPD held that the controller had failed to implement measures that prevent third parties from impersonating customers. As the controller handles personal data on a large scale, it should have had measures in place that prevent impersonation of customers. Further, the controller must be able to demonstrate compliance with the lawful processing of data under Article 6(1) GDPR. The AEPD stated that the controller could not prove that its security policy had been complied with, as it could provide neither a recording of the verification call nor the signature of the third party upon delivery. Therefore, the AEPD concluded that the controller could not show that it had lawfully processed the personal data of the data sub
GDPR Articles Cited
National Law Articles
Fine
€200K
Details
Fine Date
8 May 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€200,000
GDPRhub ID
gdprhub-8578
Cite as: Cookie Fines. Vodafone Spain - Spain (2024). Retrieved from cookiefines.eu