Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante fines GFB One €90,000 for lack of identity verification when activating SIM cards

On October 10, 2023, the Italian data protection authority (Garante) announced in its newsletter its Decision No. 405, as issued on September 14, 2023, in which it imposed a fine of €90,000 on GFB One s.r.l., for violations of the General Data Protection Regulation (GDPR) and the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR (the Code), following a complaint by an individual.

Background to the decision

The Garate noted that the complainant had reported the unlawful activation, in their name, of two SIM cards by Vodafone Italia S.p.A., and that the activation had been notified to the complainant via email and SMS. Further to this, the complainant had blocked the SIM cards and had independently carried out some investigations from which they discovered that the SIM card had both been activated by a Vodafone store the sending of two emails and an SMS message. The complainant, after contacting the telephone company to block the new utilities, had independently carried out some investigations from which it appeared that the numbers had both been activated by a Vodafone store owned by GFB One.

Findings of the Garante

At the end of its investigation, the Garante determined that GFB One had violated:

  • Articles 5(1)(a) and 6 of the GDPR, for having processed the personal data of the data subject in violation of the principle of lawfulness and in the absence of an appropriate legal basis;
  • Article 13 of the GDPR, for failing to explain to the data subject how it had obtained the photocopy of their identity card; and
  • Article 157 of the Code, for failing to provide the Garante with the information and documents requested in the course of the investigation.

In addition, the Garante took into account the seriousness and malicious nature of the violations and considered the conduct to be attributable to the phenomenon of illicit activation of phone cards, which may also be of criminal nature.


In conclusion, the Garante imposed a fine of €90,000 on GFB One, which may be appealed before the judicial authority.

You can read the newsletter here and the decision here, both only available in Italian.