AEPD (Spain) - EXP202305035
AEPD fines Orange España €230K for issuing duplicate eSIM without consent.
Summary
Spain's Data Protection Authority (AEPD) fined telecommunications company Orange Espagne S.A.U. €230,000 for violating Article 32 GDPR by failing to ensure adequate security of personal data processing. A third party exploited weak security controls to fraudulently obtain a duplicate eSIM card, change the associated email, and conduct unauthorized transactions, despite the company detecting identity theft and issuing an internal warning that did not prevent employee issuance of the duplicate. The DPA found the security measures ineffective and characterized the weakness as systemic rather than isolated.
Full text
AEPD - EXP202305035

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 27.02.2023
Decided:
Published: 30.03.2026
Fine: 230,000 EUR
Parties: Orange Espagne S.A.U.
National Case Number/Name: EXP202305035
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ap

The DPA fined a telecommunications company €230,000 for issuing a duplicate eSIM card to a third party without the data subject's consent.

English Summary

Facts

Orange Espagne S.A.U. (the controller) is a telecommunications company. In 2023, a third person made several attempts to request a duplicate of a data subject's eSIM. According to the controller, the third person was able to circumvent its security policy by knowing the data subject's information, but failed to activate the eSIM because they did not answer the controller's random questions correctly. The third person was, however, able to change the email address associated with the eSIM. The controller noted that the third person also used a manipulated copy of the data subject's ID with a different picture, and the controller issued an internal warning regarding the data subject's identity theft. Nonetheless, the third person was later able to request a new eSIM duplicate and activate it.

The data subject brought a complaint to the DPA after receiving notifications from their bank about fraudulent transactions and losing phone coverage. The data subject stated that the controller did not inform them of the failed eSIM duplication requests or of the internal warning on identity theft. The controller argued that there was a pending criminal investigation relating to the case and that, under national law, the DPA could not investigate until the criminal proceedings were closed. In addition, the controller argued that its security policy had prevented several attempts to duplicate the data subject's eSIM.

Holding

The DPA first dismissed the controller's argument regarding the pending criminal investigation. The two cases involved different parties under investigation (the controller before the DPA, the third person in the criminal case) and had a different scope, so there was no need for the DPA to wait for the outcome of the criminal proceedings.

The DPA found a violation of Article 32 GDPR, as the controller failed to ensure the security of processing. The controller had issued an internal warning after detecting a case of identity theft, but this did not prevent an employee from later issuing a duplicate eSIM, so the measures were not effective. The DPA emphasised that this was not an isolated incident but a general weakness in the controller's security policy. The DPA fined the controller €230,000 and ordered it to bring its processing activities into compliance with the requirements of Article 32 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
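The Holding above turns on an internal warning that did not stop a later eSIM duplicate issued through another channel. The following Python is an added example, not Orange's systems or anything from the decision: it models the mitigation a defender would want, with the identity-theft hold enforced in one function that every channel (store, call centre, self-service customer area) must call, out-of-band notices on contact changes, and the dates from the complaint replayed against it. The account number, email addresses and channel names are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Account:
    msisdn: str                                          # constructed placeholder values
    email: str
    hold_since: Optional[date] = None                    # the "internal warning" as a hard hold
    audit: List[tuple] = field(default_factory=list)
    notices: List[str] = field(default_factory=list)     # out-of-band notices to the subscriber

def place_hold(acct: Account, when: date, reason: str) -> None:
    acct.hold_since = when
    acct.audit.append((when, "hold", reason))
    # Notify on the number itself, a channel the attacker has not taken over yet.
    acct.notices.append(f"SMS {acct.msisdn}: SIM and contact changes frozen ({reason})")

def request_change(acct: Account, when: date, channel: str, action: str, **details) -> bool:
    """Single choke point: store, call centre and self-service customer area all call this,
    so a hold is enforced in code rather than by an employee reading a note on the account."""
    if acct.hold_since is not None and when >= acct.hold_since:
        acct.audit.append((when, "blocked", f"{action} via {channel}"))
        raise PermissionError(f"{action} via {channel} refused: hold since {acct.hold_since}")
    if action == "change_email":
        old, acct.email = acct.email, details["new_email"]
        acct.audit.append((when, "email_changed", f"{old} -> {acct.email} via {channel}"))
        acct.notices.append(f"mail {old}: contact email changed; report it if this was not you")
    elif action == "esim_duplicate":
        acct.audit.append((when, "esim_issued", f"via {channel}"))
    else:
        raise ValueError(f"unknown action {action}")
    return True

def replay_case(acct: Account) -> dict:
    """Replay the dates from the complaint with the hold enforced. Channel names are assumed."""
    request_change(acct, date(2023, 2, 4), "call_centre", "change_email",
                   new_email="attacker@example.invalid")          # no hold yet: goes through
    place_hold(acct, date(2023, 2, 10), "identity theft detected")
    blocked = 0
    for when, channel in [(date(2023, 2, 11), "store"), (date(2023, 2, 13), "store"),
                          (date(2023, 2, 13), "customer_area")]:   # last one succeeded for real
        try:
            request_change(acct, when, channel, "esim_duplicate")
        except PermissionError:
            blocked += 1
    return {"blocked": blocked, "notices": len(acct.notices),
            "esims_issued": sum(1 for e in acct.audit if e[1] == "esim_issued")}
```

With the hold checked at the choke point, all three duplicate requests after 10 February are refused, including the one from the customer area, and the subscriber is told twice on channels the attacker does not control.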
1/54
File No.: EXP202305035

RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: Complaint to the AEPD

A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on February 27, 2023. The complaint is directed against ORANGE ESPAGNE, S.A.U., with Tax Identification Number A82009812 (hereinafter, the respondent, Jazztel, or Orange), ***COMPANY.1 with Tax Identification Number ***NIF.1, and ***COMPANY.2 with Tax Identification Number ***NIF.2.

The grounds for the claim are as follows:

The claimant, through their representative, states that they have a mobile phone and internet service contract with Jazztel (the defendant's brand) and indicates that on February 4, 2023, an attempt was made to duplicate their phone number, ***TELÉFONO.1, and to change their email address without their knowledge. They also state that on February 7, 2023, several bank transfers were fraudulently made without their consent from an account on which they are an authorized party, for a total of (…) euros. Furthermore, they state that on February 10, 2023, Jazztel opened an internal incident report, which was not communicated to them, documenting the attempted duplication of their SIM card. They state that in said incident report, Jazztel indicated that it should not process any request related to the card number. They add that on February 11, 2023, another attempt was made to duplicate their card at a Jazztel point of sale, which, according to the company, was not processed. On that same date, they state that they went to an Orange store to request a duplicate card, since their phone had no coverage. Furthermore, they note that on February 13, 2023, a third attempt was made to duplicate their card, which, according to Jazztel, was also not processed.

However, they state that on that same day, a duplicate eSIM was processed through the customer area, referring to the email address that had been fraudulently changed, and that on that same date, several fraudulent bank transfers were made from their account number for a total amount of (…) euros. And on February 14, 2023, they received communications from their two banks, ***COMPANY.1 and ***COMPANY.2, warning of irregularities related to the fraudulent transfers.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es
2/54

Therefore, they believe that there has been a breach of their personal data by the three parties involved. They attach the following relevant documentation:

1. Table of fraudulent bank transactions.
2. Jazztel telephone and internet service contract.
3. Emails exchanged with their financial institutions, and complaints filed against them.
4. Complaint against Jazztel regarding irregularities that occurred with their mobile phone SIM card: specifically, the change of email address and the duplicate eSIM from the customer area carried out on February 13, 2023; and the theft of money totaling (…) euros.
7. Report filed with the National Police, Zaragoza-Centro branch, dated February 17, 2023, denouncing the events that occurred on February 7, 2023.
8. Report filed with the National Police, Zaragoza-Centro branch, dated February 20, 2023, stating the account holder's name and the charges made to that account.

SECOND: Transfer of the Complaint

In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (hereinafter, LOPDGDD), the complaint was transferred to Orange so that it could analyze it and inform this Agency, within one month, of the actions taken to comply with the requirements of data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on April 25, 2023, as evidenced by the acknowledgment of receipt included in the file.

On May 25, 2023, this Agency received a written response stating:

<<FIRST. – The claimant's claim, as stated in Annex I, is to determine the alleged "joint responsibility" of JAZZTEL, ***COMPANY.1, and ***COMPANY.2 in the "theft of funds from bank accounts in which t