GFB One s.r.l. – €90,000 Fine (Italy, 2023)

€90,000Garante per la protezione dei dati personali14 September 2023Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GFB One s.r.l. was fined for activating SIM cards in a person's name without their consent. This is important because it shows that companies must verify the identity of individuals before processing their personal data. The EUR 90,000 fine serves as a warning to other businesses about the importance of obtaining proper consent.

What happened

GFB One s.r.l. activated SIM cards for a person without their consent and failed to verify the legitimacy of the data used.

Who was affected

An individual whose identity was used to activate SIM cards without their knowledge was affected.

What the authority found

The Italian data protection authority ruled that the company violated data protection rules by not obtaining proper consent and failing to verify the identity of the individual.

Why this matters

This ruling highlights the need for companies to have strong identity verification processes in place. Businesses should review their practices to ensure they are not activating services without user consent.

GDPR Articles Cited

Art. 6(GDPR)
Art. 13(GDPR)
Art. 5(1)(a) GDPR
Art. 157 Codice della privacy GDPR
Italy enforcementGarante per la protezione dei dati personali actionsAll GFB One s.r.l. actions
Full Legal Summary
Detailed

The Italian DPA has imposed a fine of EUR 90,000 on GFB One s.r.l.. An individual had filed a complaint with the DPA because SIM cards were registered in their name, although they had never requested this. The individual had received two emails and an SMS notifying them that a Vodafone business, which belongs to the controller, had activated two SIM cards in their name. The individual, after requesting the phone company to block the SIM cards, had reconstructed that the cards had been activated with a barely legible photocopy of their ID card. During its investigation, the DPA found that the controller had neither requested an original ID card for registration nor verified the legitimacy of the data. The controller also failed to inform the data subject how he had obtained the photocopies of his ID.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for GFB One s.r.l. in IT

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

RAMONA FILMS, S.L.

2022 · Agencia Española de Protección de Datos

€8K

CNIL

2019 · Court of Justice of the European Union

Minister for Legal Protection

2022 · DPA RbOverijssel

Details

Fine Date

14 September 2023

Authority

Garante per la protezione dei dati personali

Fine Amount

€90,000

Enforcement Tracker ID

ETid-2068

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. GFB One s.r.l. - Italy (2023). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: