The Spanish data protection authority ('AEPD') published, on 1 February 2022, its decision in Proceeding No. PS/00001/2021, in which it imposed a fine of €3.94 million on Vodafone España, S.A.U., violation of Articles 5(1)(f) and 5(2) of the General Data Protection Regulation (Regulation (EU) 2016679) ('GDPR') for not implementing appropriate security measures to prevent fraudulent replication of SIM cards, and not being able to prove that Vodafone implemented such measures.

Background to the decision

In particular, the AEPD noted that nine customers lodged complaints with the AEPD against Vodafone after being victims of fraud, due to the deceitful use of their SIM cards. Moreover, the AEPD provided that fraudsters obtained a replica of the data subjects' SIM cards through Vodafone, and consequently carried out various bank transfers from online banking services and concluded contracts at the expense of those affected.

Findings of the AEPD

Following its investigations, the AEPD found that Vodafone had not properly checked the identity of the fraudsters before issuing the SIM cards. Furthermore, the AEPD highlighted that Vodafone was unable to prove that they had verified the identity of the requester of the replication, the invoices issued, or the effectiveness of the measures implemented to prevent identity theft.

Moreover, the AEPD remarked that Vodafone's security measures were insufficient, as any person who had the basic personal data of a data subject could avoid Vodafone's security policy in this regard, and obtain a replica of the data subject's SIM card, without any supplementary requirements. Therefore, the AEPD concluded that Vodafone showed a lack of accountability, breaching Article 5(2) of the GDPR, for a lack of proper analysis, planning, implementation, maintenance, control, and updating of the security measures. Further to this, the AEPD noted that this related to Data Protection by Design, as enshrined in Article 25 of the GDPR.

In addition, the AEPD found that Vodafone violated Article 5(1)(f) of the GDPR as it did not act with enough diligence to prevent the circumvention of their security measures against the theft of identity. In relation to this, the AEPD informed that Vodafone should have known the risk as the measures in place were clearly insufficient and inadequate.

Further to the above, the AEPD mentioned that although Vodafone argued that the duplicate of SIM cards occurred as a result of human error, the AEPD noted that continuous human errors is a deeper problem within the organisation, which demonstrates a lack of foresight of the risks, a lack of analysis and planning, and a lack of security measures.

As a result, the AEPD informed that the affected data subjects had also lost their power to arrange and control their personal data, as a SIM card allows the access to apps and services that require authentication or password retrieval via SMS, therefore enabling identity theft for the majority of web services such as email, online banking, social networks, etc.

In deciding the sanctioning, the AEPD decided to fine Vodafone €3.94 million for violation of Articles 5(1)(f) and 5(2) of the GDPR. Further, in deciding that the fine was proportionate, the AEPD considered, among other things, that the sanction imposed should be based on the following aggravating factors:

• the nature, gravity, and duration of the infringement;
• the number of data subjects affected, which was considered too high in relation to the risk at stake;
• the categories of personal data affected by the infringement;
• the high level of damage suffered by the affected individuals, which should have been taken into account in a Data Protection ImpactAssessment pursuant to Article 35 of the GDPR; and
• the relevant previous infringements by Vodafone.

Outcomes

As a result, the AEPD imposed a fine of €3.94 million on Vodafone for violation of Articles 5(1)(f) and 5(2) of the GDPR.

You can read the decision, only available in Spanish, here.

UPDATE (5 April 2022)

EDPB publishes English summary of AEPD's decision to fine Vodafone €3.94M for accountability and security failings

The EDPB published, on 31 March 2022, an English summary of AEPD's decision to fine Vodafone €3.94M for accountability and security failings.

You can read the summary here.