DIGI SPAIN TELECOM, S.L. – €200,000 Fine (Spain, 2025)

€200,000 | Agencia Española de Protección de Datos | 30 May 2025 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GDPR Articles Cited

AI-verified

Art. 6(1) GDPR
Art. 6(1)(a) GDPR
Art. 82(2) GDPR
Original scraped data (from the scraper, before AI verification against the source document):

Art. 6(1) GDPR
Art. 6(1)(a) GDPR
Art. 6(1)(b) GDPR
Art. 82(2) GDPR

Source verified 6 March 2026
verified correct
Full Legal Summary

DIGI SPAIN TELECOM, S.L. (the controller) is a telecommunications company. On 6 April 2021, a third person requested a duplicate of the data subject’s SIM card at a store that sold the controller's products. The data subject lost phone service. Two hours later, the data subject obtained a new SIM card duplicate at a different store, which gave them access to the service again. According to the data subject, the controller did not take any measures to verify the identity of the person requesting the SIM card duplicate. Furthermore, the third person committed identity theft: the data subject noticed an unauthorised bank transfer from their account (this was not addressed in the case).

The data subject presented a complaint to the DPA on 12 July 2023. On 8 November 2024, the DPA imposed a €200,000 fine on the controller for duplicating SIM cards for unauthorised third parties. The controller then filed an internal appeal to the DPA on 11 December 2024.

The controller argued that its procedure for situations such as these was carefully followed and allowed it to process data lawfully in accordance with its obligations. The controller also contested that the unauthorised bank transfer was a result of the SIM duplicate. In addition, it argued that it could not be held completely responsible for identifying and mitigating fraud. The controller requested a lower fine based on mitigating circumstances, stating that the DPA had set a disproportionately high fine. Among other things, it argued that it had effectively solved the situation and that it did not process special categories of personal data.

According to the DPA, the controller duplicated the data subject’s SIM card without a valid legal basis under Article 6(1) GDPR, despite the protocols put in place by the controller. The protocol to verify an individual’s identity was based solely on matching specific data with its database, and did not ensure that the data subject was involved or aware. The DPA stated that the

Details

Fine Date: 30 May 2025
Authority: Agencia Española de Protección de Datos
Fine Amount: €200,000
Enforcement Tracker ID: ETid-2098
GDPRhub ID: gdprhub-9315

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. DIGI SPAIN TELECOM, S.L. - Spain (2025). Retrieved from cookiefines.eu
