TELEFÓNICA MÓVILES ESPAÑA, S.A. – €200,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
TELEFÓNICA MÓVILES ESPAÑA, S.A. (the controller) is a telecommunications provider. One of its brands is O2, with which the data subject has a contract. On 16 January 2023, the controller received a request from a third person to duplicate the data subject’s e-SIM card. The controller processed the request, which left the data subject without service. The data subject contacted the controller and was informed of the e-SIM duplicate. After going to one of the controller’s physical stores, the data subject was also informed that a third person had requested the duplicate by e-mail.
The controller argued that it had no record of the e-mail sent by the third person. In addition, the controller argued that its security measures were sufficient at the time, and that it added measures following the unauthorised e-SIM duplication. Finally, the controller stated that its security measures were not followed by the sales agent, who was required to make a security call.
The data subject filed a complaint with the DPA on 17 April 2023. The DPA began sanctioning proceedings against the controller on 21 May 2024. The controller objected to the DPA’s sanctioning proceedings, arguing that the incident is still subject to criminal proceedings. Under Spanish administrative law, the issue must first be resolved criminally before it is resolved administratively.
The DPA first dismissed the controller’s objection to the proceedings. National administrative law (Article 75 Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP, or Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas), https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565#a75) binds public bodies to facts declared proven by final criminal court rulings. However, the DPA considered that the criminal and administrative cases were separate enough: for example, the controller was responsible for violations of the GDPR and natio
GDPR Articles Cited
National Law Articles
Related Enforcement Actions (0)
No other enforcement actions found for TELEFÓNICA MÓVILES ESPAÑA, S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
21 May 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€200,000
Enforcement Tracker ID
ETid-2736
GDPRhub ID
gdprhub-9406
About this data
Cite as: Cookie Fines. TELEFÓNICA MÓVILES ESPAÑA, S.A. - Spain (2025). Retrieved from cookiefines.eu