Vodafone – €740,000 Fine (Greece, 2025)

€740,000 | Hellenic Data Protection Authority | 25 June 2025 | Greece
final
ePrivacy
Fine

The data subject is a client of Vodafone Greece (controller). The controller had partnered with DS Phone EE, a company which operated some of the controller’s physical stores (processor).

In 2022, a third individual visited store X, operated by the processor, and, using the data subject’s ID card details, registered 15 Vodafone prepaid numbers under her name. They did this by claiming to be the leader of a group of tourists who wanted to issue prepaid numbers for the whole group under one name for convenience. The data subject only became aware of this in 2023, when she was called by the police in the context of a preliminary investigation for fraud involving one of the telephone numbers registered under her name. The data subject immediately informed the controller about the situation. The latter carried out a search in its information system and registered the incident.

Later, the data subject lodged a complaint with the DPA against the controller, complaining about the unlawful processing of her data. She argued that she never provided her data to this particular store of the processor, as she was a client of a different one, and that she did not consent to the issuance of the phone numbers in question. She further claimed that when the controller was asked by the Public Prosecutor's Office, in the course of the preliminary investigation for fraud, to provide information about the owner of the phone number, it provided her name and failed to point out that the number had been illegally activated. As a result, the controller directly pointed to the data subject as the perpetrator of the fraud under investigation, even though it knew the real perpetrator.

The processor claimed that the employee who was entrusted with the registration of the data attached the wrong file and mistakenly registered the numbers mentioned above under the identity details of the data subject. It admitted that it had not complied with the client identification procedure. The c

GDPR Articles Cited

AI-verified

Art. 29 GDPR
Art. 32 GDPR
Art. 5(1)(d) GDPR
Art. 28(1) GDPR
Art. 28(3) GDPR

National Law Articles

AI-identified

Article 12 of Law 3471/2006
Source verified 5 March 2026
amount discrepancy
entity split needed
national law identified

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Details

Fine Date: 25 June 2025

Authority: Hellenic Data Protection Authority

Fine Amount: €740,000

GDPRhub ID: gdprhub-9494

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0

Cite as: Cookie Fines. Vodafone - Greece (2025). Retrieved from cookiefines.eu
