AEPD (Spain) - EXP202310345
Spain's AEPD fines DIGI Spain €140,000 for ineffective security measures against SIM swap attacks.
Summary
The Spanish Data Protection Agency (AEPD) has upheld its decision to fine DIGI Spain €140,000 for inadequate security measures that led to identity theft via SIM swap attacks. The DPA found that DIGI processed personal data without a legal basis by issuing a duplicate SIM card to an unauthorized third party who passed identity verification protocols. The agency emphasized that DIGI failed to demonstrate sufficient due diligence, especially given the documented risks of SIM swap attacks and the scale of their operations.
Full text
Help AEPD (Spain) - EXP202310345: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Latest revision as of 19:30, 13 July 2026 view source Eleonora (talk | contribs)10 edits Tag: submission [1.0] (No difference) Latest revision as of 19:30, 13 July 2026 AEPD - EXP202310345 Authority: AEPD (Spain) Jurisdiction: Spain Relevant Law: Article 5(2) GDPR Article 6(1) GDPR Article 83(5)(a) GDPR Type: Other Outcome: n/a Started: Decided: Published: Fine: 140.000 EUR Parties: DIGI Spain Telecom National Case Number/Name: EXP202310345 European Case Law Identifier: n/a Appeal: Appealed - OverturnedAEPDExpediente nº.: EXP202310345 Original Language(s): Spanish Original Source: AEPD (in ES) Initial Contributor: Eleonora The Spanish DPA maintained its decision to fine DIGI Spain on the basis of Article 6(1) GDPR for ineffective security measures against identity theft in 'SIM swap attacks'. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts On December 28, 2022, DIGI Telecom, the controller, delivered a duplicate SIM card to an unauthorized third party without the consent of the original line holder (the data subject) The duplicate SIM card was delivered to an impersonator after they passed the established protocols for verifying the applicant's identity. The controller appealed the decision by the Spanish DPA to impose a fine because they claimed that they had appropriate security measures. The controller claims that, by focusing on the result, the Spanish DPA is acting under strict liability. The mere fact that identity theft occurred does not equal a lack of due diligence on the part of the controller. The controller also requested a reduction of the fine on the basis of Article 83(5)(a) GDPR because there were no aggravating circumstances and no special categories of data were processed Holding The Spanish DPA found a violation of Article 6(1) GDPR because issuing a duplicate SIM card and delivering it to a person other than the telephone line holder constitutes the processing of personal data within the meaning of Article 4(1) GDPR without a legal basis because the data subject did not give consent. The DPA ruled that the controller violated their duty of care because the security measures lacked the dilligence required. According to Article 5(2) GDPR (principle of proactive responsibility) the controller must demonstrate compliance to the GDPR. Proactive responsibility means that the measures are compliant to the GDPR under normal circumstances. The controller must also demonstrate that the measures are compliant with the GDPR and that they are effective in the specific context and purposes of processing (Article 24 en 25 GDPR). The controller had a higher standard of care because of a documented risk to SIM swap attacks and the high scale of processing. Recital 74 GDPR states that the controller’s must implement effective and appropriate measures that take into account the nature, scope and context, and purposes of processing. The card allows an impersonator to access additional data through which they can carry out actions with grave consequences. The controller did not demonstrate that their security measures sufficiently protected the data subject. Factual circumstances should have alerted DIGI to the fraud: the SIM card replacement was processed at a physical store in a different province from where the data subject resided. The Spanish DPA flagged that the controller did not ask the reason for issuing the card and they did not verify whether the old SIM card was functioning. Therefore the security measures were not appropriate to prevent'SIM swap attacks' that are prevalent in the telecom context. With regard to to the height of the fine, the Spanish DPA found that no new legal arguments were made that would lead to the reduction of the fine. Comment Consequently, in this appeal for reconsideration, the controller did not presented any facts or legal arguments that would have lead to an effective appeal Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. 1/52 • File No.: EXP202310345 RESOLUTION OF THE APPEAL FOR RECONSIDERATION Having examined the appeal for reconsideration filed by DIGI SPAIN TELECOM, S.L.U. (hereinafter, the appellant) against the resolution issued by the Presidency of the Spanish Data Protection Agency dated November 23, 2025, and based on the following: FACTS FIRST: On November 23, 2025, a resolution was issued by the Presidency of the Spanish Data Protection Agency in file EXP202310345, imposing a fine of €140,000 (one hundred forty thousand euros) on DIGI SPAIN TELECOM, S.L.U., for an infringement of Article 6.1 of the GDPR, as defined in Article 83.5(a) of the GDPR. This resolution, which was notified to the appellant on December 1, 2025, was issued following the processing of the corresponding sanctioning procedure, in accordance with the provisions of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and supplementarily with Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), regarding the processing of sanctioning procedures. SECOND: The following facts were established in the aforementioned sanctioning procedure, PS/00499/2024: FIRST. - The claimant, residing at ***LOCATION.1, is a client of the entity DIGI. Among the contracted services is the mobile phone line number ***PHONE.1. SECOND. - On December 27, 2022, a third party requested a duplicate SIM card for the claimant's mobile phone line number ***PHONE.1, in person at the DIGI Locutorio distributor or dealer (...), located at ***ADDRESS.1, ***PROVINCE.2. Following security protocols, the distributor collected the requesting third party's identification document and made the following copy. This duplicate SIM card was activated on December 28, 2022, leaving the claimant without service. THIRD. – DIGI has confirmed that the security protocols in place on the date of the SIM card duplicate request were dated February 7, 2022, and consisted of the following: “These protocols and security measures ensured the verification of the SIM duplicate applicant's identity as the line holder. At the time of the events, the protocols and security measures were specified as follows: FOURTH. – Comparing the data on both sides of the copy of the National Identity Document (DNI) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 2/52 provided in the SIM duplicate request with the data provided by the claimant in the police report dated December 28, 2022, and its subsequent addenda, the following data match: DNI number, name and surnames, nationality, place and date of birth and full address. The parents' names do not match. FIFTH. – The screenshots provided by DIGI show that on December 28, 2022, DIGI validated the duplicate SIM card by sending an SMS confirming its availability to the number ***PHONE.2 and an email to ***EMAIL.1. DIGI has reported that the number ***PHONE.2 was provided by the third party who requested the duplicate SIM card. SIXTH. – After activating the duplicate SIM card described in the Second Proven Fact, and having lost service on his mobile phone line, the claimant contacted DIGI on several occasions to resolve the issue, both by phone and email from the address “***EMAIL.2”. A recording of the claimant's phone call to customer service is included in the case file. DIGI, dated December 28, 2022, at 4:59 p.m., where the complainant stated they had no network connection and requested the suspension of the line due to suspicions of cloning. The representative recommended they visit a distributor to resolve the issue. The complainant requeste