XFERA MÓVILES, S.A. – €200,000 Fine (Spain, 2025)

€200,000 | Agencia Española de Protección de Datos | 30 May 2025 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

XFERA MÓVILES, S.A. (the controller) is a telecommunications company. A data subject received a text message informing them that their phone line would be ported the next day. The data subject had not consented to this and was unable to stop the portability process. In addition, the new SIM card was delivered at their address to a third person (their spouse), even though the spouse was unable to show the data subject's ID to the person delivering the card.

The data subject filed a complaint with the DPA on 27 December 2022. The DPA initially dismissed the complaint, but later began investigating following an internal appeal from the data subject. The controller argued that its security measures did not raise any suspicions of fraud. In addition, it later implemented an SMS verification step when data subjects requested to duplicate their SIM cards. At the time, the SMS verification step was still in development.

The DPA found a violation of Article 6(1)(f) GDPR, as the controller had no legal basis to issue duplicate SIM cards. The controller could not rely on consent (Article 6(1)(a) GDPR), as the data subject did not consent to their SIM card being duplicated. In addition, the controller could not rely on any of the other legal bases under Article 6(1) GDPR. The DPA stated that in any case it was not sufficient to ask the data subject’s spouse to show the data subject’s ID to the person delivering the new SIM card. The controller should not have waited until the last step to verify the identity of the data subject, since at that point it had already processed the data subject’s data without a legal basis.

The DPA fined the controller €200,000. The DPA also ordered the controller to implement measures to avoid an incident such as this one in the future.

GDPR Articles Cited

AI-verified

Art. 6(1)(f) GDPR
View original scraped data
Art. 6(1) GDPR
Art. 6(1)(a) GDPR

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 65.4 LOPDGDD
Source verified 6 March 2026
articles corrected
national law identified
date discrepancy

Details

Fine Date

30 May 2025

Authority

Agencia Española de Protección de Datos

Fine Amount

€200,000

Enforcement Tracker ID

ETid-1058

GDPRhub ID

gdprhub-9505

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. XFERA MÓVILES, S.A. - Spain (2025). Retrieved from cookiefines.eu
