Orange Espagne – €1,200,000 Fine (Spain, 2025)

In 2022, a duplicate of the SIM card owned by the data subject was made, without the data subject having requested it, by an agent of “TOWER PHONE, S.L.,” (the processor) acting as a franchise of ORANGE (the controller). The data subject lodged a complaint with the DPA claiming, that as a result of the duplicate, €9,000 had been stolen from his bank accounts resulting from the SIM swapping scheme. Such a scheme consists of a third party - impersonating the data subject - requesting a duplicate of the SIM card of their mobile phone from the provider to gain access to the data subject's online banking by receiving confirmation codes via the new SIM to eventually divert money from the data subject's account. The data subject only found out about this when it's original SIM was deactivated. During parallel criminal investigation it was found, that not only the complaining data subject's SIM Card was wrongly duplicated by the franchise but the SIM swapping scheme was at least attempted in numerous instances with the same agent. = The DPA held, that the issuance of a duplicate SIM card without the consent of the owner of the line, constitutes an infringement of Article 6(1) GDPR. The DPA stated, that it is clear from the franchise contract, that regarding the issuance of the duplicate SIM ORANGE is the controller and the franchisee only the processor as it's explicitly provided in the franchise contract, that the SIM duplication process is determined by ORANGE in accordance with Article 4(7) GDPR. In light of Article 83(2)(a) GDPR, the DPA found, that the controller's action lead to a loss of control over the personal data by the data subject, which resulted in identity theft, and the performance of fraud. The DPA stated, that obtaining a duplicate SIM card may generally be a gateway to access other data that may lead to a significant financial loss for its owner, as happened in the case of the data subject. Additionally the DPA took numerous previous GDPR infrin