GDPR, Apr 7, 2026

AEPD (Spain) - EXP202308705

Spain's AEPD fines Vodafone €200K for SIM-swap fraud enabling unauthorized bank access.

Summary

Spain's Data Protection Authority (AEPD) fined Vodafone España €200,000 for violating Article 6(1) GDPR by issuing a duplicate SIM card to an imposter without adequate identity verification. On 8–9 February 2023, a fraudster called customer service, changed account details, obtained a duplicate SIM, intercepted SMS authentication codes, and accessed the victim's bank accounts. The AEPD found that the controller lacked a lawful basis for processing personal data once the SIM was issued to a third party, and the company's internal appeal was dismissed in February 2026.

Full text

Source: GDPRhub, "AEPD (Spain) - EXP202308705", latest revision of 7 April 2026.

AEPD - EXP202308705

- Authority: AEPD (Spain)
- Jurisdiction: Spain
- Relevant Law: Article 6(1) GDPR
- Type: Complaint
- Outcome: Upheld
- Started: 17.05.2023
- Decided: 11.03.2026
- Published: (not given)
- Fine: 200,000 EUR
- Parties: A; Vodafone Spain
- National Case Number/Name: EXP202308705
- European Case Law Identifier: n/a
- Appeal: Unknown
- Original Language(s): Spanish
- Original Source: AEPD (in ES)
- Initial Contributor: NioviGk

The DPA fined Vodafone España €200,000 for violating Article 6(1) GDPR by issuing a duplicate SIM card to a third party without adequate identity verification, which enabled fraudulent access to the data subject’s bank account.

English Summary

Facts

The data subject held a mobile phone contract with LOWI, a telecommunications brand operated by Vodafone España (the controller). On 8 February 2023, an unknown third party accessed the data subject’s account by calling customer service from a third-party number and requesting an email address change, in breach of the controller's own security policy requiring calls to originate from the subscriber's contracted line. Using the modified account details, the third party requested a duplicate SIM card to be delivered to another address. On 9 February 2023, the controller issued the duplicate SIM card to the third party. The third party then intercepted SMS authentication codes sent by the data subject’s banks and carried out unauthorised financial transactions on the data subject’s bank accounts. The data subject filed a complaint with the Spanish Data Protection Authority (AEPD) on 17 May 2023. The controller argued that the requester had passed its identity verification procedures and therefore appeared to be the legitimate customer.

Holding

The Spanish DPA held that the controller processed the data subject’s personal data in the absence of a legal basis under Article 6(1) GDPR. By issuing a duplicate SIM card to a third party without adequately verifying the requester’s identity, the controller failed to ensure that the processing was authorised by the data subject and therefore lacked a lawful basis. The authority imposed an administrative fine of €200,000.

Comment

This decision is interesting because the AEPD analysed SIM-swap fraud primarily under Article 6(1) GDPR, focusing on the absence of a lawful basis once the duplicate SIM card was issued to a third party impersonating the subscriber. In other telecommunications cases, similar incidents have often been examined under Article 5(1)(f) GDPR (integrity and confidentiality) or Article 32 GDPR (security of processing). The controller filed an internal appeal (https://www.aepd.es/documento/reposicion-ps-00551-2024.pdf) to the DPA on 20 February 2026. The DPA dismissed the appeal on the grounds that the controller had not presented any new facts or legal arguments.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/42 • File No.: EXP202308705

RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On May 17, 2023, a complaint was filed with the Spanish Data Protection Agency. The complaint is directed against VODAFONE ESPAÑA, S.A.U., with Tax Identification Number A80907397 (hereinafter, the respondent, VODAFONE, or LOWI). The grounds for the complaint are as follows: The complainant states that on February 9, 2023, the respondent delivered a duplicate of their SIM card (***TELÉFONO.1) to a third party via the Internet without their consent.

The claimant states that, following the fraudulent duplication, financial transactions were carried out, fraudulently accessing their bank accounts.

Relevant documentation provided by the claimant:

- Report of the events filed with the National Police Station of ***LOCATION.1 on February 10 and 13, 2023.
- Statement of charges dated February 9, 2023, on their account at ***COMPANY.1, complaint filed on March 20, 2023, and communication exchanged with said entity on April 3, 2023, from the claimant's email address ***EMAIL.1.
- Statement of charges on their account at ***COMPANY.2 and complaint filed with said entity on February 13, 2023, which includes the claimant's email address ***EMAIL.2.
- Response dated March 3, 2023, from Customer Service of ***COMPANY.2 to the claimant's Gmail email address regarding their claim of February 13, 2023.
- Chargeback from ***COMPANY.3 dated February 16, 2023, for unrecognized payments made on February 10, 2023, which were cancelled on February 22, 2023. The chargeback includes the claimant's affected phone number and Gmail email address.
- Claim dated April 24, 2023, to Lowi regarding the issuance of a duplicate SIM card.

...

SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the complaint was forwarded to the respondent so that they could analyze it and inform this Agency within one month of the actions taken to comply with the requirements of data protection regulations. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on June 28, 2023, as evidenced by the acknowledgment of receipt included in the file.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 2/42

On July 31, 2023, this Agency received a written response indicating the following:

1- Regarding the options available to customers for requesting a duplicate SIM card: LOWI customers have three channels:

(i) By phone, through LOWI's customer service line, 121.
(ii) Online, through their private user area, linked to prior authentication via username and password in the LOWI app.
(iii) In person, through a very limited number of authorized distributors.

The internal protocol, which includes LOWI's channels and processes for requesting a SIM card replacemen
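As an added illustration (not code from the decision, Vodafone or LOWI), the following Python models the two controls the facts above turn on: the controller's stated policy that phone-channel requests must originate from the contracted line, and a cooling-off check that escalates a duplicate-SIM request made shortly after a contact-detail change or for delivery to an address not on the account. The phone numbers, addresses and the 72-hour window are assumptions; the dates follow the decision.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLDOWN = timedelta(hours=72)  # assumed cooling-off window after a contact-detail change

@dataclass
class Change:
    when: datetime
    what: str        # e.g. "email"
    channel: str     # "phone" | "app" | "store"
    caller_id: str   # originating number for phone-channel requests, "" otherwise

@dataclass
class Account:
    msisdn: str                  # the subscriber's contracted line
    delivery_address: str
    changes: list = field(default_factory=list)

def from_contracted_line(acct, channel, caller_id):
    """Policy cited in the decision: a phone-channel request must come from the contracted line."""
    return channel != "phone" or caller_id == acct.msisdn

def record_change(acct, change):
    """Apply a contact-detail change only if it passes the origin check; return True if applied."""
    if not from_contracted_line(acct, change.channel, change.caller_id):
        return False
    acct.changes.append(change)
    return True

def evaluate_sim_request(acct, when, channel, caller_id, delivery_address):
    """Gate a duplicate-SIM request: returns ('deny' | 'escalate' | 'allow', reasons)."""
    if not from_contracted_line(acct, channel, caller_id):
        return "deny", ["request not from the contracted line"]
    reasons = [f"{c.what} changed {when - c.when} before the request"
               for c in acct.changes if timedelta(0) <= when - c.when <= COOLDOWN]
    if delivery_address != acct.delivery_address:
        reasons.append("delivery to an address not on the account")
    return ("escalate" if reasons else "allow"), reasons

def scenario():
    """Constructed timeline mirroring the decision's facts (dates from the page; numbers and
    addresses invented). Returns (email change applied?, SIM decision, reasons)."""
    acct = Account(msisdn="+34600000001", delivery_address="Calle Ejemplo 1")
    email_change = Change(datetime(2023, 2, 8, 10, 0), "email", "phone", "+34600000099")
    applied = record_change(acct, email_change)     # False: the origin check stops it
    acct.changes.append(email_change)               # assume it slipped through, as it did here
    decision, reasons = evaluate_sim_request(
        acct, datetime(2023, 2, 9, 9, 30), "app", "", "Calle Otra 9")
    return applied, decision, reasons
```

Even if the first gate fails, the second flags the 9 February online request because the email had been changed the previous day and the SIM was to be delivered elsewhere.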

Entities

Vodafone España (vendor)
LOWI (product)