AEPD (Spain) – EXP202306354 (PS/00312/2024)

11 February 2026



{{DPAdecisionBOX

|Jurisdiction=Spain
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoES.jpg
|DPA_Abbrevation=AEPD
|DPA_With_Country=AEPD (Spain)

|Case_Number_Name=EXP202306354 (PS/00312/2024)
|ECLI=

|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00312-2024.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Type=Complaint
|Outcome=Upheld
|Date_Started=03.09.2024
|Date_Decided=
|Date_Published=15.01.2026
|Year=
|Fine=150,000
|Currency=EUR

|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_3=
|GDPR_Article_Link_3=
|GDPR_Article_4=
|GDPR_Article_Link_4=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=

|Initial_Contributor=RP
|
}}

The DPA fined a telecommunications provider €150,000 for unlawfully issuing a duplicate SIM card to a fraudster. The DPA held that the provider processed the data subject’s personal data without a valid legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]].

== English Summary ==

=== Facts ===
The Spanish Data Protection Agency (AEPD) investigated Vodafone España, S.A.U. as controller after a SIM swapping incident.

On 21 September 2021, an unknown third party requested a duplicate SIM card for the mobile line of a data subject. The request was made through Vodafone’s internal telephone support channel for retail stores. The caller impersonated staff and provided several data elements, including the store user code, the data subject’s identification number (NIE), the mobile phone number and digits of the ICC number of the new SIM card.

Vodafone processed the request and activated the duplicate SIM card. On the same day, the data subject’s phone stopped working. Shortly afterwards, four unauthorised transactions totalling €1,996 were carried out from their bank account.

The data subject contacted Vodafone, their bank and the police. Vodafone confirmed that a duplicate SIM card had been issued through a physical point of sale. After the data subject lodged a complaint with the AEPD, Vodafone explained during the investigation that its internal policy required store staff to call a dedicated support channel and provide identifying information before a duplicate SIM could be issued. Vodafone stated that the fraudster had provided the required information and that the security protocol in force at the time had been followed. The controller also informed the AEPD that it later adopted additional measures to reinforce the security of the duplicate SIM procedure.

On the basis of these facts, the AEPD opened sanctioning proceedings against Vodafone for an alleged infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]].
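An added example, not part of the decision or of Vodafone's own systems, modelling the store-support verification described in the Facts above: the 2021 policy accepts anyone who can recite the store user code, the holder's ID number and line, and the ICC of a store SIM, while the reinforced checks the decision reports (a registered store code, the caller bound to the store's own extension, an ID copy on file, a fraud alert on the account) reject the same request. All store, customer and SIM values are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Store:
    code: str                      # unique store code (a reinforced-policy requirement)
    lines: frozenset               # extensions the store's support calls originate from
    user_codes: frozenset          # staff user codes allowed to request duplicates
    may_request_duplicates: bool   # False for stores reachable only through an agent


@dataclass(frozen=True)
class Customer:
    id_number: str
    line_number: str
    fraud_alert: bool = False      # manual "do not duplicate SIM" alert on the account


@dataclass(frozen=True)
class SwapRequest:
    caller_number: str             # number the store-support call comes from
    store_code: str                # "" when the caller gives none (the 2021 flow)
    user_code: str
    customer_id_number: str
    line_number: str
    icc: str                       # digits of the new SIM read out by the caller
    id_copy_collected: bool        # store confirms it holds a copy of the ID document


# Constructed sample data (placeholders, not values from the decision).
STORES = {"ST-001": Store("ST-001", frozenset({"ext-4021"}), frozenset({"U-1"}), True)}
CUSTOMERS = {"600111222": Customer("X1234567Z", "600111222")}
SIM_STOCK = {"8934000000012345": "ST-001"}   # ICC -> store that holds that SIM


def policy_2021(req):
    """Store-support checks the decision describes for 21 Sep 2021: a known user
    code, the holder's ID number and line, and the ICC of a SIM held by a store.
    Nothing ties the caller to the store, so knowing the values is enough."""
    reasons = []
    if not any(req.user_code in s.user_codes for s in STORES.values()):
        reasons.append("user code not authorised")
    cust = CUSTOMERS.get(req.line_number)
    if cust is None or cust.id_number != req.customer_id_number:
        reasons.append("ID number does not match the line holder")
    if req.icc not in SIM_STOCK:
        reasons.append("ICC not issued to any store")
    return (not reasons, reasons)


def policy_reinforced(req):
    """The 2021 checks plus the measures the decision reports afterwards:
    a registered store code, the user code and the caller's number bound to
    that store, the SIM taken from that store's own stock, an ID copy on file,
    and respect for a fraud alert on the account."""
    ok, reasons = policy_2021(req)
    store = STORES.get(req.store_code)
    if store is None:
        reasons.append("store code not registered")
    else:
        if not store.may_request_duplicates:
            reasons.append("store may not request duplicates (agent channel)")
        if req.user_code not in store.user_codes:
            reasons.append("user code does not belong to this store")
        if req.caller_number not in store.lines:
            reasons.append("call did not come from a registered store extension")
        if SIM_STOCK.get(req.icc) != store.code:
            reasons.append("ICC not from this store's stock")
    if not req.id_copy_collected:
        reasons.append("no copy of the holder's ID document collected")
    cust = CUSTOMERS.get(req.line_number)
    if cust is not None and cust.fraud_alert:
        reasons.append("fraud alert on the account: do not duplicate")
    return (not reasons, reasons)


# Impersonation as in the decision: correct user code, ID and line, and the ICC of a
# real store SIM, but called from an outside number with no ID copy and no store code.
FRAUD = SwapRequest("699000000", "", "U-1", "X1234567Z", "600111222",
                    "8934000000012345", False)
# A genuine in-store request from the store's own extension with the ID copy taken.
GENUINE = SwapRequest("ext-4021", "ST-001", "U-1", "X1234567Z", "600111222",
                      "8934000000012345", True)

if __name__ == "__main__":
    for name, req in (("fraud", FRAUD), ("genuine", GENUINE)):
        print(name, "2021:", policy_2021(req), "reinforced:", policy_reinforced(req))
```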

=== Holding ===
The AEPD found that Vodafone infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by processing the personal data of the data subject without a valid legal basis.

The AEPD held that the issuance and activation of a duplicate SIM card involved the processing of personal data. Vodafone carried out this processing without the knowledge or consent of the data subject and without any other legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]]. As a result, the processing was unlawful.

The AEPD rejected the controller’s argument that it had complied with its internal security protocols. The DPA stated that the existence of internal procedures did not remove the obligation to ensure that processing had a valid legal basis. The intervention of a criminal third party did not exempt the controller from responsibility where the unlawful processing occurred within its own systems and procedures.

The AEPD considered that Vodafone acted at least negligently. It took into account the nature of the infringement and the link between the processing and the controller’s core business activity. The DPA imposed an administrative fine of €150,000 on Vodafone for the infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]].

== Comment ==
''Share your comments here!''

== Further Resources ==
''Share blogs or news articles here!''

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

<pre>

• File No.: EXP202306354 (PS/00312/2024)

RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on March 23, 2023. The complaint is directed against VODAFONE ESPAÑA, S.A.U., with Tax Identification Number A80907397 (hereinafter, the respondent, Vodafone, or Lowi). The grounds for the claim are as follows:

The claimant states that, on September 21, 2021, their phone service was interrupted, and four transfers totaling €1,996 were made from their bank account using Bizum to an unknown third party.

After contacting the bank, they were informed that the bank could not be held responsible for the events that occurred.

Subsequently, on September 25, 2021, they filed a complaint with Vodafone for providing a duplicate SIM card for their mobile phone line ***TELÉFONO.1 without their consent. The claimant adds that the respondent confirmed they had been the victim of fraud when their SIM card was duplicated at a physical store that it has been unable to identify.

Vodafone has deactivated the fraudulent card, restored service to the claimant by processing a new duplicate, and added their personal data to their prevention files.

According to the claimant, Vodafone has been unable to identify the store where the duplicate was made or prove that it was carried out following all possible authentication measures, and they deny any responsibility in this regard. The claimant believes that Vodafone provided a new SIM card to an unknown person without verifying their information, thus enabling identity theft that led to fraudulent activity.

The complainant states that, in attempting to resolve the matter, they received a response from the defendant on October 20, 2021, confirming the issuance of a duplicate SIM card through a physical store. The defendant responded that the complainant was unable to obtain the duplicate SIM card because they were working near the city of Albacete.

The complainant submitted the following documentation with the complaint:

– A report filed with the Civil Guard on September 21, 2021, detailing the events described.

– A list of phone calls and internet connections made from the complainant’s number after the fraudulent duplication of their SIM card. This list includes four phone calls between 8:59 PM and 9:06 PM on September 21, 2021, all to the number ***TELÉFONO.2.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 2/52

— Claim from the claimant to the respondent, dated 13/10/2021, requesting compensation for damages due to the aforementioned events.

This claim states that the claimant, on September 25, 2021, contacted VODAFONE by telephone to file a complaint regarding the delivery of a duplicate SIM card to a third party without their consent.

— VODAFONE’s response to the previous complaint, dated 20/10/2021, in which it is expressly stated: “We wish to inform you that, after carrying out the appropriate procedures and verifying the facts described in your letter by Mr… (the complainant), we have confirmed that on September 21, we were informed that a duplicate SIM card for line ***PHONE.1 was being processed through a physical store. We informed you that in order to process this request, the applicant had to undergo a security check that included providing their ID and certain personal data.

On September 22, the customer service department received a call from Mr… (the complainant), in which he indicated that his SIM card had been cloned and requested a new one. During this call, the procedure for requesting the SIM card through the customer app was explained, but it was not processed by our agent because the delivery address did not match the one associated with the Customer in the database. On September 22, D… (the claimant) informed us that they were managing the blocking of the line through the app; however, we confirmed usage from the line every day of September, and it remained active until today. We have attached the September invoice.”

— Complaint filed with the operator on November 15, 2021, in which the claimant insists that when the duplicate SIM card was issued, they were working in Albacete and requests information on which physical store the duplicate card was issued and a signed document confirming its delivery, including the details of the person who received it.

— VODAFONE letter, dated February 9, 2022, responding to a previous letter from the complainant dated January 3, 2022, stating: “We wish to inform you that, after carrying out the appropriate procedures and verifying the facts described in your letter by Mr… (the complainant), we have confirmed that, on September 21, 2021, a duplicate SIM card for line TELEPHONE.1 was requested in physical form, but it was not registered as a duplicate SIM card because instead of processing a duplicate, it appears they provided the person with a new SIM card. We are currently identifying the store where this occurred…”.

— VODAFONE letter, dated April 12, 2022, responding to a previous letter from the claimant dated March 15, 2022, stating: “We wish to inform you that, after carrying out the necessary procedures and verifying the facts you described in your letter…, we are pleased to report that, after reviewing the case, we were unable to locate the physical store where the SIM card replacement not recognized by the customer was processed. We confirm that once the issue was resolved, the service remains active. On April 12, 2022, a refund of €37 was requested in favor of the claimant, covering the full amount of the invoice issued during the month of March…”.

SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the complaint was forwarded to the respondent so that they could analyze it and inform this Agency within one month of the actions taken to comply with the requirements of the data protection regulations.

The transfer, carried out in accordance with the regulations established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on May 17, 2023, as evidenced by the acknowledgment of receipt included in the file.

No response was received to this transfer within the allotted time.

THIRD: On June 23, 2023, in accordance with Article 65 of the LOPDGDD, the complaint filed by the claimant was admitted for processing.

FOURTH: On July 20, 2023, the response issued by Vodafone to the transfer of the complaint was received by this Spanish Data Protection Agency (AEPD). In this response, Vodafone states the following:

Regarding the procedures for requesting a duplicate SIM card.

Vodafone explains that a duplicate SIM card can be requested through:

the customer service hotline 121 (in this case, the duplicate can only be sent to the customer’s address on file);

the website, in the customer area after logging in with your username and password;

the “My Lowi” app, also accessed with a username and password; and

in a physical store.

In the latter case, the SIM card is handed to the customer upon request for their ID.

Regarding the specific case that is the subject of the complaint:

Vodafone notes that it classified the customer as a victim of fraud on February 22, 2022, after verifying the events, which, according to Vodafone, occurred as follows:

On September 21, 2021, an unauthorized third party requested a SIM card replacement.

Having access to the customer’s data, the third party requested the SIM card replacement without the customer’s consent via telephone.

The existing security policy for telephone requests was followed:

Call the store support number.

Identify the store using its postal code.

Identify the user making the request to verify their authorization.

Provide the customer’s identification number and the line number affected by the replacement.

Indicate certain ICC numbers of the card to be duplicated.

Finally, the SIM card replacement is always sent to the authorized store that requested it.

According to Vodafone, in this case, the SIM card replacement request appeared legitimate, given that the person who called store support provided all the data required to pass the security policy. It adds that, as proof, it provides a recording of the unauthorized third party requesting the replacement and a record of the request in its systems, which shows that the user code provided belonged to personnel authorized to carry out these procedures.

They add that another indication of legitimacy is that the SIM card was sent to the authorized store that made the request.

Furthermore, VODAFONE details the data provided to pass the security policy in effect at the time (September 21, 2021) by the person who made the SIM card replacement request, who was an employee of an authorized store:

. Postal code of the authorized store (***REFERENCE.1);

. The user is identified as an authorized user by providing the following user number: ***USER.1, which authorized them to request duplicate SIM cards from an authorized store;

. The customer’s NIE number (***NIF.1) and the number of the line affected by the duplicate SIM (***PHONE.1);

. Certain ICC numbers of the SIM card to be duplicated (***REFERENCE.2).

Regarding the actions of the defendant when they detect the issuance of a fraudulent duplicate SIM card:

When the issuance of a fraudulent duplicate SIM card is detected, the affected line is blocked, and a duplicate is issued to the registered owner so they can restore service.

Additionally, disciplinary action is taken (the store involved in this case was penalized in July 2022, and the store itself dismissed one of its employees and requested that none of them be allowed to request duplicate SIM cards).

Furthermore, it was decided to reinforce the security policy (see attached document 5), and a circular was sent to call centers to emphasize this security policy.

As additional measures adopted, the following are reported:

Reduction in the number of stores that can request a duplicate SIM card.

Stores must provide a unique identification code for each store.

Providing the customer’s identification number and the affected line number.

Collecting a copy of the customer’s identification document.

Finally, VODAFONE reports that, on September 22, 2021, the claimant contacted customer service to report the situation and that same day requested a new SIM card in store, which was processed.

With their response, they provided, among other documentation, the following:

Details of the entry in VODAFONE’s information systems regarding the request for a duplicate SIM card, dated 09/21/2021, at 8:35 PM. The channel listed is “Customer Service Calls,” originating from the phone number ***TELÉFONO.3.

The following information is also included in this record:

“(…)”

Details of an entry associated with the claimant, undated, with the following details:

“Manual Alerts
Do not duplicate SIM cards for any phone due to potential fraud!!!”

Report prepared by “Claims” indicating the following:

“The duplicate SIM was indeed requested and delivered in-store. The sales representative called Retail Support and provided us with the security policy we have in place for these cases.

Therefore, we completed the ICC change through the store support channel… We don’t have the exact store names, but I’m providing you with the information we have for the store that processed it:
• Postal Code: ***REFERENCE.1
• Location: ***CITY.1
• Sales Representative who handled the duplicate: ***USER.1
The SIM change was made on 09/21/2021 at 8:35:00 PM. It was done via a call to Retail Support (Store Support) from the number ***PHONE.3.
The fraudulent SIM card used, ***REFERENCE.3, belonged to an order from Fibranorte, (…)…
In the recording, they impersonate a store colleague. Date Recording ***PHONE.1 21.09.21.mp3 Fraud was categorized on 02/28/2022…
This POS (Point of Sale) is still active with Fibranorte; it belongs to the SMART & PHONE chain of stores.

I’ll explain:
On the date you mentioned regarding the duplicate SIM, the POS manager was notified. He stated that he was unaware that his sales representatives were making duplicate SIMs and requested that none of his stores be allowed to make duplicates. He also dismissed some sales representatives.

(…)”

Outline of the new security policy in place at the time the response was sent. For cases where the customer requests a duplicate SIM card through a distributor, it includes requesting ID and confirmation that the person is the account holder of the line, and a call to “Support” to confirm the customer’s information. It also includes:

Checking the distribution lists to see if the person calling us is authorized to perform SIM card changes. The information must be left in the comments of Altitude.

The distributor is responsible for requesting the documentation from the customer. They must keep a photocopy or scan of it. Before making the change, we inform the distributor of this; if they confirm that they have requested it, we make the change.

Copy of a circular that Vodafone states was sent to call centers on October 10, 2022, with the subject “Customer Data Changes – Security Policy Modification,” which states:

“Following recent complaints, we are reinforcing our security policies for changes to customer data.

These frauds are perpetrated by organized crime groups, meaning they have developed social engineering techniques that allow them to modify data using customer information, processes, and systems they obtain from us. Once they gain access to a customer’s line, they have access to all their information and bank accounts, apps, cards, etc.
To prevent these types of scams, we are working to protect our customers.

Therefore, no changes to data, email address, ICC, etc., should be made without following the steps below:

1. No information should be given about our systems, processes, or customer information…

2. If a call is received from a colleague, it is necessary to verify the origin of the incoming call. In all cases, it must be an extension, never a long number.

(…)”

Copy of the recording of the SIM card replacement request, processed by telephone between a supposed physical store and the central office. In this recording, the store representative requests a SIM card replacement on behalf of a customer (the claimant). This is done by calling the store support channel following its specific protocol, and although a valid postal code is not provided as a means of identifying the store, the process continues. The conversation is reproduced in Proven Fact Four.

FIFTH: The Deputy Directorate General for Data Inspection carried out preliminary investigative actions to clarify the facts in question, pursuant to the functions assigned to supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having learned the following:

1. In response to the request for information made by the inspection services, VODAFONE, in a letter dated August 31, 2023, reported the following:

This entity confirms the security policy that was in place at the time of the events giving rise to the complaint and reports that sending duplicate SIM cards to stores is not necessary because these stores already have them. After calling “Support” and providing the information required to complete the security policy, the card is activated and available at the authorized store.

It also confirms the additional measures already communicated during the transfer process, which include obtaining a copy of the customer’s identification documentation as proof of consent. It warns that points of sale that do not have a direct relationship with VODAFONE, but rather operate through an agent, as is the case here, have been prohibited from issuing duplicate SIM cards since March 2022. In these cases, the customer must call customer service.


The respondent clarifies that the point of sale involved has the legal name
***EMPRESA.1 and the trade name SMART PHONE, with its registered address at
***DIRECCIÓN.1. According to Vodafone, this store is one of the points of sale managed by Fibranorte S.L., which acts as an agent.

According to Vodafone, the contract it enters into with the agent transfers to the agent the obligation to verify customer identification during transactions and to provide Vodafone with photocopies of identity documents. These requirements must be respected by all points of sale and sub-agents, although the information provided pertains to new contracts.

Regarding the actions of the point of sale in issuing the duplicate card for which the claim is being made, the entity reports that it is unaware of the reason why the store staff acted irregularly or whether the store staff provided the data to an unauthorized third party to carry out the fraudulent actions. It adds that the person who carried out these actions had information about the entity’s internal processes.

With its response, VODAFONE provides, among other things, the following documentation:

“Alternative Channel Agency Agreement,” between VODAFONE ENABLER ESPAÑA, S.L. and FIBRANORTE S.L., whose Annexes identify the points of sale or sub-agents covered by said agreement, all of them located in Catalonia and Aragon, none of them in ***LOCALIDAD.1. In the town of Mollet del Vallès, four sub-agents appear, one of them with an address at ***ADDRESS.1 and telephone number ***PHONE.4. None of the sub-agents listed in the contract have the telephone number ***PHONE.3 associated with them. The names of the sub-agent entities are not included in this list.

Furthermore, it is detailed: “VODAFONE ENABLER is an entity that is part of the same corporate group as VODAFONE ESPAÑA, S.A.U.”
FIBRANORTE S.L. is the data processor, and the physical store SMART PHONE is considered a sub-processor.

The respondent also provides the instructions given to the data processor regarding data protection, who, in turn, undertakes to pass them on to the sub-processors for the staff who provide in-person service in the physical stores. While emphasis is placed on identity verification, the transfer of documentation from the physical store to the VODAFONE headquarters is not immediate at the time of processing.

History of interactions with the claimant between September 1, 2021, and October 1, 2021, including notes made by the managers and actions taken in each instance.

In addition to the support call regarding the request for a duplicate fraudulent card, dated September 21, 2021, the VODAFONE information system records, among others, the following contacts:


23/09/2021: The complainant, via telephone, reports that “they have been asked for a duplicate SIM card without permission and money linked to their bank account has been withdrawn.”

25/09/2021, 14:06: The complainant calls Customer Service, stating that “they want to file a complaint because it appears their SIM swap has been duplicated and they have been scammed. They are instructed to send the complaint by email.”

25/09/2021: “I call the customer to check if the line is active. The line is working correctly and there is a dial tone…”

October 1, 2021, regarding the previous contact of September 25, 2021, 2:06 PM: “Case closed September 25, 2021, 2:06 PM… classified and comment left on the initial post: SIM card duplication should not be performed on any phone due to potential fraud. It is best to go to a retail store to request a duplicate so we can review the policy and provide a photocopy or scan of your ID.”

October 1, 2021: “Customer requests information about a scam she experienced and believes a SIM card duplication was performed without her consent // I verify that this is not the case and inform her that no duplication has been performed.”

2. On November 10, 2023, a response was received from Vodafone to a new information request made by the Inspection Services, in which the company was informed that the previously submitted documentation did not include any point of sale associated with the provided postal code, address, and telephone number of the point of sale that requested the fraudulent SIM card duplicate, and that, as can be seen in the recording of the call to “support,” the indicated postal code was not listed as authorized.

Regarding these issues, Vodafone modified the information previously provided.

It now states that the postal code was not a requirement of the Security Policy for calls to the store support number. The policy was limited to identifying the specific code assigned to the user to verify authorization, providing the customer’s ID number and the phone number affected by the SIM card replacement, as well as certain ICC numbers of the new SIM card.

In this regard, Vodafone reiterates that the person who impersonated the store staff knew this specific code (***USER.1) and the rest of the data: ID number, name, and the ICC numbers of the new SIM card.

Furthermore, Vodafone reported that the Claims team, due to a one-off error, forwarded incorrect information regarding the point of sale that performed the SIM card replacement. Vodafone now confirms that the point of sale that actually requested the SIM card replacement was the store located at ***ADDRESS.1. It adds that this point of sale is listed in the contract as one of the points used by the distributor involved in the case.

According to Vodafone, the claims team has been unable to identify the cause of that error.

SIXTH: According to the report obtained from the AXESOR tool, the entity Vodafone España, S.A.U. is a large company established in 1994, with a turnover of €2,909,851,000 in 2024.

SEVENTH: On September 3, 2024, the Director of the Spanish Data Protection Agency (AEPD) agreed to initiate sanction proceedings against the respondent, in accordance with the provisions of Articles 63 and 64 of the LPACAP (Law on the Common Administrative Procedure of Public Administrations), for the alleged infringement of Article 6.1 of the GDPR, as defined in Article 83.5 of the GDPR.

EIGHTH: Having been notified of the aforementioned commencement agreement in accordance with the rules established in the LPACAP, the respondent requested an extension of the deadline and a copy of the file, which was granted. On October 8, 2024, the respondent submitted a brief of allegations requesting the dismissal of the proceedings or, alternatively, the imposition of a minimal fine. This request is based on the following considerations:

1. Vodafone has implemented the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk and the lawful processing of personal data.

I. Preliminary Note: The obligation to adopt technical and organizational measures to guarantee a level of security appropriate to the risk is not an absolute obligation.

First, the Agency notes that it believes Vodafone infringed Article 6.1 of the GDPR by processing the complainant’s personal data without their consent, as a result of failing to adopt appropriate measures to prevent third parties from impersonating the complainant and obtaining a duplicate SIM card. The Agency emphasizes that, according to the National Court and the Spanish Data Protection Agency (AEPD) itself, the obligation to adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk is not an absolute obligation.

In other words, according to Vodafone, the fact that a third party has bypassed these measures cannot be understood as, per se, a breach of the obligation and, therefore, the carrying out of unlawful data processing. Thus, the data controller is subject to an obligation of means, not an obligation of results, meaning that not every incident constitutes a breach of the duty to ensure a level of security appropriate to the risk.

Therefore, the fact that a third party, through the commission of crimes, has overcome Vodafone’s security measures cannot automatically imply that Vodafone has not been diligent in verifying the identity of its customers and, therefore, has not processed the claimant’s personal data in accordance with Article 6.1 of the GDPR.

II. Vodafone is responsible for adopting technical and organizational measures aimed at
ensuring that duplicate SIM cards are provided to the owners of the telephone lines.

These measures are designed to guarantee that the applicant for the duplicate SIM card is the owner of the contracted telephone line. Therefore, in this case of SIM card duplication carried out electronically (by telephone, impersonating an authorized store), the prior actions of the fraudster to obtain data from the victims, or subsequent actions, such as those committed to access online banking, are outside the sphere of control of Vodafone.

III. Technical and Organizational Measures Adopted by Vodafone


For applications processed electronically by authorized stores, on the date of the events, store personnel were required to call “store channel support” to verify the store’s authorization and identify the line owner, providing the store’s user code, certain numbers from the new SIM card (available in store and activated after these verifications), name, surname, national identity card number, and telephone number. It adds that they must make a copy of the identity document before issuing a duplicate SIM card.

In this case, the impersonated store is SMART&HOME, located at ***ADDRESS.1, covered by the agency agreement signed by Vodafone with FIBRANORTE S.L. (hereinafter, “FIBRANORTE”) dated April 1, 2021, which in turn has an agreement with SMART&HOME. This agreement establishes the obligation of the stores to correctly identify customers (reproducing the instructions made for new sign-ups).

SMART&HOME’s user code was ***USER.1.

Certain numbers on the new LOWI SIM card (ICC): ***REFERENCE.2.

The claimant’s information includes their NIE number (***NIF.1), the mobile number of the line affected by the duplicate SIM (***PHONE.1), as well as their name and surname.

To verify compliance with the security policy, Vodafone refers to the recording, already provided in the initial information request, with the filename “***REFERENCE.4”. As can be seen in the recording, the fraudster has all the necessary information to circumvent LOWI’s security policy: (i) the authorized store’s user code; (ii) the ICC of the new SIM card (which implies physical possession of the SIM); and (iii) the claimant’s information: name, surname, ID number, and the mobile line number to be duplicated.

Regarding this matter, in response to what was stated in the opening agreement, concerning Vodafone’s failure to verify the identity verification performed by the store and the failure to verify the phone number from which the duplicate SIM request was made—which in this case does not match any line number associated with the store in question—Vodafone states that the store is obligated to verify the customer’s identity with their identification document and that it has restricted this type of transaction to the alternative channel (stores not directly affiliated with Vodafone, but rather with the agent). In these cases, if the customer wishes to request a duplicate SIM, they must call customer service and request it directly, after following the corresponding security policy.

Vodafone then refers to the actions taken against the agent in connection with this case and the refund issued to the claimant as compensation for the services resulting from the fraudulent duplicate, as detailed in its previous communications, and the new measures implemented:

Deterrent measures, such as sanctions for the perpetrators.

The Vodafone Group has developed a solution called “Vodafone Identity Hub (VIH),” which allows verification of whether a user requesting a specific transaction on third-party platforms (for example, taking out a loan from a bank or any other banking transaction requiring customer identification, such as issuing a debit card) has recently changed or duplicated their SIM card. If so, the platform sends this information to the contracting entity, alerting them to a high probability of fraud in the transaction. Vodafone has implemented this solution in Spain and has various banking clients who have adopted it for inclusion in their banking transaction authorization processes.

Once a fraudulent SIM swap is detected: the SIM card is blocked; SMS reception is restricted to prevent the mobile line from receiving codes from banks that fraudsters could use to steal money from the customer’s accounts; and the customer is marked as a “fraud victim,” along with pop-up notifications instructing Vodafone sales representatives not to perform any transactions on these accounts.

IV. We are dealing with a third party whose purpose is, through criminal activity, to
bypass these security measures.

This is not a failure or error in the system implemented by Vodafone, but rather an
access to the personal data of the individuals concerned that occurs through a
properly organized and planned criminal activity.

In this case, the fraudster, knowing the internal procedures and providing all the following information: the code identifying the store as an authorized store, the new LOWI SIM card number (ICC), and all the information relating to the claimant, managed to circumvent Lowi’s security policy and carry out the SIM duplication. Vodafone acted at all times in accordance with its security policies and properly verified the authorized establishment, as well as the customer’s data for whom the transaction was requested. Furthermore, stores are obligated to identify the requester.

V. Regarding the alleged aspects that Vodafone failed to prove, as established by the Spanish Data Protection Agency (AEPD) in the initial agreement.

In this section, Vodafone refers to the same issues already mentioned in section III and reiterates the previous arguments.

Regarding the lack of verification of the caller’s number by the “store support channel,” it indicates that this was not a requirement of the security policy at the time of the events. It concludes that the fact that a third party bypasses Vodafone’s security measures does not automatically imply that Vodafone was not diligent in verifying the identity of customers and, therefore, did not process personal data in accordance with Article 6 of the GDPR.

2. Alternatively, and in the event that the Agency considers that Vodafone has infringed Article 6.1 of the GDPR, no culpability can be established for the infringements attributed to Vodafone and, consequently, no sanction can be imposed on Vodafone.

After citing Article 28.1 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector, it states that there is no culpability in its conduct, neither intentional nor negligent.


It also details the doctrine of the Supreme Court, according to which “for exoneration, it will not suffice to invoke the absence of culpability, but rather it will be necessary that the diligence required of the party alleging its non-existence has been employed (among others, the Supreme Court Judgment of January 23, 1998 [RJ 1998601])”; and invokes the Judgment of the National Court (Administrative Chamber, Section 1) of February 25, 2010 [JUR 2010/82723], concerning a precedent processed by this Agency, in which, according to Vodafone, it was concluded that imputing liability to a data controller for third-party access to data through criminal acts could lead to a violation of the principle of culpability, and cites the following paragraph from that Judgment:

“Thus, even though Article 9 of the Spanish Data Protection Act (LOPD) establishes an obligation of result, consisting of adopting the necessary measures to prevent data from being lost, misplaced, or falling into the hands of third parties, this obligation is not absolute and cannot encompass a case such as the one analyzed. In the present case, the result is a consequence of an intrusive activity, not protected by law, and in that sense illegal, by a third party with advanced computer skills who, by breaching established security systems, accessed the database of registered users at www.portalatino.com, downloading a copy of it.

And, such actions cannot be attributed to the appellant entity because, otherwise, the principle of culpability would be violated.

It understands that this is what happened in this case, in which we are dealing with a criminal act carried out by a third party, who, acting with intent, deceived the store channel support agent, impersonating store personnel by providing all the information required by the security policy.

Therefore, it must be determined whether Vodafone exercised the due diligence required to guarantee the legality of the processing of its customers’ personal data and prevent SIM card duplication by third parties.

According to Vodafone, the fact that the SIM card was duplicated does not mean that it did not act with due diligence, since all its actions have always been aimed at establishing and supervising technical and organizational measures designed to guarantee the security of its customers’ personal data and to ensure that the person requesting the SIM card duplicate is the line owner. In this regard, it highlights:

It has security policies to prevent fraudulent SIM card swapping, and a specific policy for requesting a duplicate from an authorized store.

It updates these security measures and sends communications and alerts to its agents and stores.

In the event of fraud, it reacts on four fronts:

Towards the customer, by blocking the card and restricting the receipt of SMS messages, as well as reimbursing the services consumed by the fraudster.

Actions directed at agents and employees, including sending periodic communications, information on the modus operandi, application of penalties, etc.


With the Security Forces, by filing complaints or collaborating in the fight against this fraud.

Regarding third parties, such as credit institutions, warning about recent SIM card duplicates.

Consequently, Vodafone maintains that it has acted at all times in compliance with the required due diligence, and therefore cannot be held liable.

3. Alternatively, should the Agency determine that an infringement has occurred and that a sanction should be imposed on Vodafone, the following aggravating and mitigating circumstances must be taken into account, and the sanction reduced accordingly.

a) Regarding the aggravating circumstances considered by the Spanish Data Protection Agency (AEPD):

I. Any prior infringement committed by the data controller or processor.

In the four cases mentioned by the Agency (EXP202204287,
EXP202203914, EXP202203916 and EXP202206290) Vodafone did indeed accept
a reduction of the penalty, without admitting guilt and, in any case, it is necessary
to clarify that the mere mention of non-compliance with article 6.1 of the GDPR can
cover a multitude of data processing scenarios that have nothing to do with
the events that occurred and were sanctioned in this Agreement. It considers that the application of this aggravating circumstance has not been sufficiently justified by the Agency, its application causing serious harm to my client’s defense and to legal certainty, given that any breach of Article 6.1 of the GDPR in general, without regard to the proven facts of each case, would serve as mere proof of the application of this aggravating circumstance, with the inherent consequence of increasing the amount of the penalty.

II. The connection between Vodafone’s activity and the processing of
personal data (Article 83.2.k of the GDPR in relation to Article
76.2.b of the LOPDGDD).

“Indeed, there is a link between Vodafone’s activity and the processing of its customers’ personal data, which it carries out to ensure the proper provision of contracted services and to address their requests and inquiries.

The Agency refers to negligence when a data controller fails to act with the required diligence, emphasizing the need for rigor and exquisite care in complying with legal requirements.

Evidence of the special care and caution applied in the processing of personal data by my client lies in all the security measures implemented, as well as the continuous review of policies and their compliance. Therefore, this factor should not be considered an aggravating circumstance when determining the appropriate penalty.”

b) Mitigating factors that, in Vodafone’s opinion, should be taken into consideration:


III. The degree of responsibility of the data controller, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32 of the GDPR, in light of the measures implemented to ensure that the person requesting the duplicate or replacement of the SIM card is the account holder.

IV. The degree of cooperation with the supervisory authority during the prior inspection proceedings in order to remedy the infringement and mitigate its potential adverse effects.

V. Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.

“Vodafone has not obtained any benefit or avoided any losses as a result of the fraudulent duplication of the SIM card; quite the contrary. In this regard, the criminal activity carried out by the fraudsters and cybercriminals has also caused reputational damage to my client and a breach of its security policies.”

4. It proposes that the following documentary evidence be admitted:

In addition to the SIM card replacement security policy, the agency agreement with Fibranorte, S.L., the record in its systems of the call requesting the duplicate SIM card corresponding to this case, the letter sent to the claimant dated July 18, 2023, explaining what happened, and the refund made to the claimant, all of which have already been submitted and outlined in the previous background information, Vodafone submits:

Instructions were sent to the sales force informing them of the need to require the store code and to inform the store that it must keep a photocopy or scan of the customer’s documentation.

Email thread regarding the codes of the authorized stores at the time of the events. This list does not provide any details about the entities to which these codes correspond.

Codes of the authorized stores at the time of the events. This list does not provide any details about the entities to which these codes correspond.

The following documents are mentioned in your letter, although they were not submitted:
The two recordings already submitted to the file with the file names “***REFERENCE.5” and “***REFERENCE.6”.

Annex III Vodafone Enabler Data Processing Agreement

Recording already submitted to the file with the file name “***REFERENCE.4”

which demonstrates compliance with the security policy at the time of the events.

NINTH: On October 15, 2024, the investigating officer agreed to open a period for the taking of evidence, declaring the claim filed and its supporting documentation, as well as the documentation comprising the admissibility phase and the preliminary investigative actions, to be duly submitted, and considering the allegations submitted by Vodafone to the decision to initiate the proceedings to be duly presented.

Furthermore, Vodafone was required to provide the documents indicated in its statement of allegations and not submitted with said statement.

TENTH: On November 6, 2024, Vodafone, within the timeframe allotted for the evidence period, reported that the recordings referred to in the request had already been submitted to the proceedings and provided a copy of “Annex III Vodafone Enabler Data Processing Agreement”.

ELEVENTH: On July 9, 2025, a proposed resolution was issued, recommending that VODAFONE ESPAÑA, S.A.U., with Tax Identification Number A80907397, be sanctioned for an infringement of Article 6.1 of the GDPR, classified under Article 83.5 of the GDPR, with a fine of €150,000 (one hundred and fifty thousand euros) and granting it a period of ten days to submit its arguments.

TWELFTH: Once the aforementioned proposed resolution was notified in accordance with the rules established in the LPACAP (Law on Administrative Procedure of Public Administrations), the respondent requested an extension of the deadline, which was granted, and on August 5, 2025, submitted a statement of allegations requesting the dismissal of the proceedings or, alternatively, the imposition of a minimum fine. Vodafone bases its claims on the considerations set forth below, referring in all cases, and in their entirety, to what was previously stated in its statement of allegations to the initial agreement.

1. Vodafone has acted diligently insofar as it has
implemented the necessary processes to correctly identify its customers,
the adoption of technical and organizational measures being an obligation that is not
absolute.

First, Vodafone emphasizes that, although the proposed resolution of this
procedure does not accuse it of an infringement due to insufficient or inadequate
security measures, but rather of unlawful processing of personal data,
it does refer to the ineffectiveness of its security measures.

Next, it states that it has implemented the appropriate technical and organizational measures
to correctly identify its customers and prevent the
unlawful processing of data. However, if third parties, through illicit and
fraudulent techniques, obtain customers’ confidential data and, through this data,
impersonate them and circumvent the implemented measures, this does not mean that the policy is insufficient, but rather that the necessary data has been obtained, through means external to my client, to circumvent the established measures.

Furthermore, it is important to remember that the obligation to adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk is not an absolute obligation. Rather, the data controller is subject to an obligation of means when implementing a robust and effective security policy, such as that of Vodafone (Judgments of the National Court (Administrative Chamber, Section 1) of February 25, 2010 [JUR 2010/82723] and November 10, 2017 [JUR 2018/3170]).

Vodafone argues that all security policies are susceptible to being breached at any given time, despite having measures and requirements that are difficult to compromise, and appeals to the concept that “zero risk” does not exist, as this Agency has indicated in its Guide, of June 2021, on “Risk Management and Impact Assessment in the Processing of Personal Data.”


This same line of reasoning is followed in Opinion 3/2010, of the Article 29 Working Party (WP29), which is included by the Agency itself in its Proposed Resolution and indicates that “the essence of proactive responsibility is the obligation of the data controller to implement measures that, under normal circumstances, ensure that data protection rules are met in the context of processing operations.”

Consequently, what can be requested of the responsible party is that they implement an appropriate identity verification process that, under normal circumstances, guarantees the proper handling of data. These measures were in place by my client when the SIM card replacement was carried out.

Specifically, Vodafone performed the SIM card replacement because the applicant fraudulently claimed to be an agent of an authorized establishment by providing certain information and the claimant’s data, having obtained the claimant’s personal data through external means, such as, for example, social engineering techniques.

On the other hand, it describes the security policy required at the time of the events,
highlighting that:

– The point-of-sale staff must call channel support, which authorizes the SIM duplication, after providing: (i) the user code of the authorized store, (ii) certain numbers from the new SIM card (ICC), (iii) the name, surname, ID/NIE number, and telephone number of the customer whose line is to be duplicated.

– The store must identify the customer by viewing their ID.

– The security policy for SIM duplications requested from the store previously depended on postal codes, but this was not the case at the time of the events, as proven by the recordings provided. If the agent had validated the operation based on the postal code, they would have violated Vodafone’s security policy, which was not the case.

– The need to consult store codes to determine if the point of sale is authorized. In this case, the fraudster provided the store code.

– The fraudster not only knew the authorized store code but also had the new SIM card (ICC) and the customer’s personal data (Name, Surname, ID number, and phone number of the line to be duplicated).

– The reason why the claims team provided incorrect information regarding the store involved in this case is unknown, but it is true that Vodafone is a large company, and sometimes, to obtain details about certain operations, it is necessary to contact specific individuals.

– The Retail support agent did not verify the incoming line because it was not a required field, as the store code was available. The requirement to verify the incoming line was later included in a circular dated October 10, 2022.


– A photocopy and safekeeping of the identity document were required by the point of sale, as stated in the contract with the agent.
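The store-channel verification policy described in the list above, and the SIM-swap recency signal that the decision describes under the name Vodafone Identity Hub in section III of Vodafone's allegations, modelled together as an added example. This is editorial illustration in Python, not code from the AEPD decision or from Vodafone's systems; the store codes, lines, ICC, customer record and the 72-hour risk window are constructed assumptions. It shows why a request that carries all the knowledge-based fields passes the 2021 checks, why the later caller-line check (the circular of October 10, 2022 mentioned above) rejects the same request, and how a relying party such as a bank can ask whether a line was swapped recently before authorizing a transaction.

```python
"""Added example (not from the AEPD decision or from Vodafone): a model of the
store-channel duplicate-SIM check, with and without caller-line verification,
plus the swap-recency signal a relying party can query. All data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Store:
    user_code: str
    lines: frozenset            # phone lines registered to the store (assumption)


@dataclass
class Customer:
    msisdn: str
    name: str
    id_number: str


@dataclass
class DuplicateRequest:
    store_code: str             # user code of the (allegedly) authorized store
    caller_line: str            # line the support call comes from
    new_icc: str                # ICC of the SIM the caller says is in the store
    msisdn: str                 # line to be duplicated
    name: str
    id_number: str


@dataclass
class Directory:
    stores: dict
    customers: dict
    issued_iccs: set            # ICCs of SIMs delivered to stores, not yet activated
    swap_log: dict = field(default_factory=dict)   # msisdn -> time of last swap


def verify_2021_policy(req: DuplicateRequest, d: Directory) -> list:
    """Checks in force at the time of the events: store code, ICC and customer
    data. The caller's line is not checked, so every field is knowledge-based."""
    problems = []
    if req.store_code not in d.stores:
        problems.append("unknown store code")
    if req.new_icc not in d.issued_iccs:
        problems.append("ICC not issued to a store")
    cust = d.customers.get(req.msisdn)
    if cust is None or cust.name != req.name or cust.id_number != req.id_number:
        problems.append("customer data mismatch")
    return problems


def verify_hardened_policy(req: DuplicateRequest, d: Directory) -> list:
    """Same checks plus the one added later: the incoming line must be one of
    the lines registered to the store whose code was given (possession factor)."""
    problems = verify_2021_policy(req, d)
    store = d.stores.get(req.store_code)
    if store is not None and req.caller_line not in store.lines:
        problems.append("caller line not registered to store")
    return problems


def process_request(req, d, now, policy=verify_hardened_policy):
    """Approve or reject; an approval consumes the ICC and records the swap time."""
    problems = policy(req, d)
    if problems:
        return False, problems
    d.issued_iccs.discard(req.new_icc)
    d.swap_log[req.msisdn] = now
    return True, []


def recent_sim_change(msisdn, d, now, window=timedelta(hours=72)) -> bool:
    """Relying-party signal in the spirit of the decision's Identity Hub
    description: True when the line's SIM changed within the window."""
    last = d.swap_log.get(msisdn)
    return last is not None and now - last <= window


def sample_directory() -> Directory:
    # Constructed sample values, not the redacted identifiers in the decision.
    return Directory(
        stores={"STORE-0001": Store("STORE-0001", frozenset({"600000001"}))},
        customers={"611111111": Customer("611111111", "Ana Example", "Y0000000X")},
        issued_iccs={"8934010000000000001"},
    )


# A request carrying every knowledge-based field, placed from a line that does
# not belong to the store (constructed; mirrors the pattern in the decision).
FRAUD_REQUEST = DuplicateRequest(
    store_code="STORE-0001", caller_line="699999999",
    new_icc="8934010000000000001", msisdn="611111111",
    name="Ana Example", id_number="Y0000000X",
)


def demo() -> dict:
    d = sample_directory()
    now = datetime(2021, 9, 21, 20, 35)       # date and time of the events
    r = {
        "old_policy_problems": verify_2021_policy(FRAUD_REQUEST, d),
        "new_policy_problems": verify_hardened_policy(FRAUD_REQUEST, d),
    }
    r["hardened_approved"] = process_request(FRAUD_REQUEST, d, now)[0]
    r["old_approved"] = process_request(FRAUD_REQUEST, d, now, policy=verify_2021_policy)[0]
    r["flag_next_day"] = recent_sim_change("611111111", d, now + timedelta(days=1))
    r["flag_after_window"] = recent_sim_change("611111111", d, now + timedelta(days=5))
    r["flag_other_line"] = recent_sim_change("622222222", d, now)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two policy functions is that every field the 2021 policy asks for can be known by someone who is not in the store, whereas the caller's line is something the support desk can verify against its own records without relying on the caller. The recency signal is deliberately separate from the approval path so that a downstream party can consume it without seeing any customer data beyond the line number.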

Vodafone believes it should not be responsible for the illegal acts of third parties, arguing that it could not verify that the request was being made by a third party, given that the fraudster’s identity was concealed and they were posing as a store colleague, circumventing established security policies through illicit techniques.

Regarding the observation in the Proposed Resolution concerning the possibility of additional security measures having been adopted, Vodafone argues that, in this case, the perpetrator managed to bypass internal controls because they were familiar with the internal processes. This leads them to conclude that the problem is not the control measures, but rather the existence of fraudulent activity whose sole motivation is to harm third parties, in this case the claimant and Vodafone.

Therefore, Vodafone believes it has implemented the necessary and appropriate technical and organizational measures for the risk of the data processing it carries out, minimizing the prevailing risk as much as possible, in order to carry out lawful data processing in accordance with current data protection regulations, and that it complies with the due diligence that can be required of it.

2. The issuance of a SIM card replacement does not entail access to banking information, passwords, email addresses, etc., of Vodafone customers, but rather to the mobile and internet services they may have contracted.

Regarding this matter, Vodafone states that the fraudulent duplication of the SIM card is neither a necessary action (some banks do not send SMS messages with their unique access codes) nor sufficient (access to other data and keys is required) to gain access to the accounts of the affected individuals. Consequently, Vodafone believes that the Agency’s assertion in the Proposed Resolution cannot be accepted, as it lacks any supporting evidence. The assertion claims that the affected individual’s banking credentials, such as passwords, email address, and other data, were stored on the mobile phone, which was the source of access to said data, thereby bypassing the security policy of the corresponding bank.

In this regard, it understands that if the aim is truly to ascertain how the claimant’s bank accounts were accessed, at the very least, information should be requested from the claimant’s bank to determine how the unauthorized access to their accounts occurred and what other data was necessary to carry out those transfers.

Finally, it concludes that Vodafone can only be held liable for infringements related to the data processing and security measures for which it is responsible, that is, those aimed at ensuring that the applicant for a duplicate SIM card is the account holder; these measures are not (and cannot be) aimed at preventing identity theft (such as ID card forgery) or access to bank accounts through the bank’s application.


3. No culpability can be established for the infringements attributed to Vodafone, and consequently, no sanction can be imposed.

Vodafone disagrees with the argument that there would be culpability due to a lack of diligence shown in its actions and, consequently, rejects the possibility of any resulting sanction.

In this regard, Vodafone maintains that it has acted diligently in establishing organizational and technical measures appropriate to the level of risk and refers to the information provided in the First Allegation of these allegations.

Furthermore, it considers that the principle of proactivity, which places on Vodafone the obligation to comply with regulations and to be able to demonstrate such compliance, has been fully met by providing evidence that the relevant processes were followed.

Finally, it argues that only the outcome of the events, the fraudulent issuance of the duplicate SIM card, has been considered, without taking into account all the security measures implemented to prevent fraud. Consequently, it believes that Vodafone is subject to the obligation to prevent all fraud, an absolute obligation, not merely an obligation of means, which would contradict the ruling of the National Court.

4. Alternatively, should the Agency determine that an infringement has occurred and that a sanction should be imposed on Vodafone, this party disagrees with the aggravating circumstances and the failure to consider the mitigating circumstances mentioned.

Regarding the aggravating factors applied by the Agency when assessing the sanction:

I. Article 83.2.d) of the GDPR: “the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32.”

Vodafone disagrees that the infringement has systemic implications, considering that this is an isolated case in which internal information was used to circumvent existing company procedures and defraud both the complainant and Vodafone. This should be taken into account to reduce the amount of the sanction, not increase it.

Regarding the lack of security measures and their ineffectiveness, Vodafone refers to what was already stated in the First Allegation.

II. The connection between Vodafone’s activity and the processing of personal data (Article 83.2.k of the GDPR in conjunction with Article 76.2.b of the LOPDGDD).

Vodafone acknowledges the connection between its activity and the processing of its customers’ personal data, which it carries out to ensure the proper provision of the contracted services and to address their requests and inquiries.


In this regard, Vodafone cites as evidence of the special care and caution applied in the processing of personal data it carries out all the security measures implemented and detailed in the First Allegation, in addition to the continuous review of its policies and compliance with them. Therefore, it considers that this
factor should not be taken into account as an aggravating factor when determining the
sanction.

Additionally, it considers that the following mitigating factors should be taken into consideration:

I. The degree of responsibility of the data controller, taking into account the
technical or organizational measures they have implemented pursuant to Articles 25 and 32
of the GDPR.

To that effect, please refer to Allegation One of these allegations.

II. The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its potential adverse effects.

Vodafone believes that it has taken steps to remedy and mitigate the potential adverse effects of the fraudulent practice of SIM card duplication, as evidenced in the first statement of these allegations. Furthermore, it highlights the prohibition, in place since March 2022, on SIM card duplication through retail support, requiring customers to contact Customer Service directly.

It also highlights the reactive measures directed at affected customers, its agents and employees, third parties such as credit institutions, and its collaboration with law enforcement agencies.

III. Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.

Vodafone alleges that it has not obtained any type of benefit or avoided any losses as a result
of the fraudulent duplication of the SIM card; on the contrary, the criminal activity has caused it
reputational damage.

PROVEN FACTS

1. The claimant, residing at ***LOCATION.1, is a Vodafone customer. Among the contracted services is the mobile phone line number ***PHONE.1.

2. On September 21, 2021, an unauthorized third party requested a duplicate SIM card for the claimant’s line ***PHONE.1. This request, made by telephone through the internal channel for store support (Retail Support), was processed by Vodafone, and the requested SIM card was delivered to the third party.

3. Regarding the request for a duplicate SIM card mentioned in the Second Proven Fact, Vodafone’s information systems show that it took place on 21/09/2021, at 20:35 hours. This record lists it as “Customer Service Calls,” originating from telephone number ***TELÉFONO.3, and the following instructions:

“(…)”.

4. Vodafone provided the proceedings with a copy of the recording of the call made to Retail Support to request the SIM card duplicate described in Proven Fact Two. The conversation is reproduced below:

I have a customer here who wants to duplicate their SIM card.

In this case, first confirm your store’s postal code so I can see if you are authorized or not…

Okay, it would be ***REFERENCE.1

Okay, ***REFERENCE.1, no, in this case you wouldn’t be authorized. Do you have any other code?

I’ll tell you the customer code, the store code.

The store code, of course, I really need the store’s postal code.

(…)

No, not that either. It doesn’t appear.

Yes, it would be (…)

Let’s see if there’s another one, I’m looking, give me a moment… It doesn’t appear… Any other one, because with the postal code the store should appear, ***REFERENCE.1 doesn’t appear.

No, that should be enough. Furthermore, if you’d like, I can give you the username.

Spell the username for me.

(…)

I’ll look it up. Yes, here it is. Okay, now tell me the customer’s ID number.

It would be… (NIE number), YYYY.

Now confirm the mobile number.

***PHONE.1

Finally, confirm the new ICC starting from 100.

***REFERENCE.7

That’s it.

5. Vodafone, in its response to the transfer of the complaint, dated 20/07/2023, reported that on 22/09/2021, the complainant contacted customer service to report the situation and that same day requested a new SIM card in store, which was then processed.

6. The following contacts, among others, are recorded in Vodafone’s information systems:

September 23, 2021: The complainant, via telephone, reports that “they have been asked for a duplicate SIM card without permission and money has been taken from their bank account.”

September 25, 2021: The complainant calls Customer Service, stating that they “want to file a complaint because it appears their SIM card has been duplicated and they have been scammed. They are instructed to send the complaint by email.”

October 1, 2021, regarding the previous contact: “Case closed on September 25, 2021, at 2:06 PM… classified and commented on the initial report: SIM card duplication should not be requested for any phone due to potential fraud. It is best to go to a retail store to request a duplicate SIM card for policy purposes and leave a photocopy or scan of your ID.”


7. In a letter dated October 20, 2021, responding to a claim from the claimant dated October 13, 2021, in which the claimant requests compensation for damages due to the events described, Vodafone expressly states: “We wish to inform you that, after carrying out the appropriate procedures and verifying the facts described in his letter by Mr… (the claimant), we have confirmed that on September 21, we were informed that a duplicate SIM card for line ***PHONE.1 was being processed through a physical store. We inform you that in order to carry out this process, the applicant must undergo a security check that includes submitting their ID and providing certain personal data. On September 22, customer service received a call from Mr… (the claimant), in which he indicated that his SIM card had been cloned and requested a new one. During this call, the communication outlines the procedure for the request from the customer app, but it was not processed by our agent because the delivery address did not match the one associated with the customer in the database.

On September 22nd, Mr./Ms. [the claimant] informed us that they were managing the line blocking through the app; however, we confirmed usage
from the line every day in September, and it remained active
until today. We attached the September invoice.”

8. On November 15, 2021, the claimant requested that Vodafone inform them in which physical store the SIM card was duplicated and provide a signed document corresponding to its delivery, including the recipient’s information.

9. In a letter dated February 9, 2022, responding to a previous letter from the claimant dated January 3, 2022, Vodafone expressly states: “We wish to inform you that, after carrying out the appropriate procedures and verifying the facts described in the letter by Mr. [name omitted] (the claimant), we have confirmed that, on September 21, 2021, a duplicate SIM card for line ***PHONE.1 was requested in physical form, but it was not registered as a duplicate SIM card because, instead of processing a duplicate, it appears that the person was given a new SIM card. We are currently identifying the store where this occurred…”.

10. In its response to the transfer of the complaint, dated July 20, 2023, Vodafone informed the Spanish Data Protection Agency (AEPD) that it classified the customer as a victim of fraud on February 22, 2022, after verifying the facts of the case.

11. In a letter dated April 12, 2022, responding to a previous letter from the claimant dated March 15, 2022, Vodafone states: “We wish to inform you that, after carrying out the necessary procedures and verifying the facts you described in your letter…, we are pleased to report that, after reviewing the case, we were unable to locate the physical store where the SIM card replacement not recognized by the customer was processed. We confirm that once the issue was resolved, the service remains active. On April 12, 2022, a refund of €37 was requested in favor of the claimant, covering the full amount of the invoice issued during the month of March…”.

12. In its response to the complaint transfer process, dated July 20, 2023, Vodafone informed the Spanish Data Protection Agency (AEPD) that for a physical store to issue a duplicate SIM card, it must call Retail Support, identify the store by providing its postal code, and provide the name of the user making the request to verify their authorization, as well as the customer’s identification number, the line number affected by the duplicate, and certain ICC numbers of the card to be duplicated.

13. In its response to the transfer of the complaint, dated July 20, 2023, Vodafone informed the Spanish Data Protection Agency (AEPD) that the data provided by the person who made the request for the duplicate SIM card described in Finding Two were the following:

Postal code of the authorized store (***REFERENCE.1);

Identification as an authorized user, providing the following user number: ***USER.1, who was then authorized to request duplicate SIM cards from the authorized store;

Customer’s NIE number (***NIF.1) and the number of the line affected by the duplicate SIM card (***PHONE.1);

Certain ICC numbers of the SIM card to be duplicated (***REFERENCE.2).

14. In its response to the complaint transfer process, dated July 20, 2023, Vodafone provided a copy of the report prepared by the “Complaints” department, which states the following:

“The duplicate SIM card was indeed requested and delivered in-store. The sales representative called retail and provided us with the security policy we have in place for these cases, so we completed the ICC change through the store support channel… This was done by calling Retail Support (Store Support) from the number ***PHONE.3.

The fraudulent SIM card used, ***REFERENCE.3, belonged to an order from Fibranorte, (…)…

In the recording, they impersonate a store colleague. Recording date: ***PHONE.1 09/21/2021.mp3. Fraud was classified on February 28, 2022… This POS remains active with Fibranorte and belongs to the SMART & PHONE store chain…”.

15. On August 31, 2023, in response to the first request made by the Spanish Data Protection Agency (AEPD) inspection services, Vodafone reported that the point of sale involved has the company name ***EMPRESA.1 and the trade name Smart Phone, with its registered address at ***DIRECCIÓN.1. According to Vodafone, this store is one of the points of sale managed by FIBRANORTE S.L., which acts as its agent.

16. On November 10, 2023, in response to the second request made by the AEPD inspection services, Vodafone reported that the postal code was not a requirement of the Security Policy for calls to the store support number. The policy only required identifying the specific code assigned to the user to verify authorization, providing the customer’s ID number, the line number affected by the SIM card replacement, and certain ICC numbers from the new card.

Vodafone also reported that the Claims team, due to a one-off error, forwarded incorrect information regarding the point of sale that performed the SIM replacement. The store that actually requested the SIM replacement was located at ***ADDRESS.1. It adds that this point of sale is listed in the contract as one of the points used by the distributor involved in the case.

According to Vodafone, the claims team has been unable to identify the cause of that error.

17. Vodafone states in its response dated August 31, 2023, that “The reason why the store staff acted improperly is unknown, as is whether the store staff provided the data to an unauthorized third party to carry out the fraudulent actions.”

18. Vodafone submitted to the proceedings a copy of the “Alternative Channel Agency Agreement,” signed by Vodafone Enabler España, S.L. and Fibranorte, S.L., whose annexes identify the points of sale or sub-agents covered by said agreement, all of them located in Catalonia and Aragon, none of them in ***LOCATION.1. In the town of Mollet del Vallés, four sub-agents appear, one of them with address at ***ADDRESS.1 and telephone number ***PHONE.4. None of the sub-agents listed in the contract have the telephone number ***PHONE.3 associated with them.

The names of the sub-agent entities are not included in this list.

Furthermore, it is specified: “Vodafone Enabler is an entity that is part of the same corporate group as Vodafone España, S.A.U.” Fibranorte, S.L. is the data processor, and the physical Smart Phone store is considered a sub-processor.

LEGAL BASIS

I
Jurisdiction

In accordance with the powers granted to each supervisory authority by Article 58.2 of the GDPR and as established in Articles 47, 48.1, 64.2, and 68.1 of the LOPDGDD, the Presidency of the Spanish Data Protection Agency is competent to resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD stipulates that: “Procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, this Organic Law, the implementing regulations issued thereunder, and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures.”

II
Response to the allegations presented against the agreement to initiate the proceedings

1. Establishment of measures and the principle of culpability.

The respondent asserts that it has acted diligently insofar as it has implemented the necessary protocols or measures to correctly identify its customers and ensure that duplicate SIM cards are provided to the telephone line holders. The adoption of technical and organizational measures is not an absolute obligation, but rather an obligation of means.


It cannot be understood that the fact that a third party circumvents these measures, using planned and organized criminal activity, implies, per se, the unlawfulness of the data processing carried out.

On this same basis, Vodafone invokes the principle of culpability and points out that the issuance of the duplicate SIM card… This does not mean that it did not act with due diligence, since all its actions have always been aimed at establishing and supervising technical and organizational measures to guarantee the security of its clients’ personal data and to ensure that the person requesting the duplicate SIM is the line owner.

In this regard, it should be noted that in the present case the infringement is not based on the insufficiency or adequacy of security measures, but rather on a lack of lawfulness in the processing of personal data that entails issuing a duplicate SIM card and delivering it to an unauthorized third party, without the card owner even being aware of such processing.

Article 6.1 establishes that the processing of personal data is only lawful if at least one of the conditions provided for in the aforementioned article is met. In this case, the violation of the principle of lawfulness is manifested in the improper processing of the personal data of the complainant, who was not the actual applicant. Regarding the duplicate SIM card:

This type of processing requires adequately verifying the applicant’s identity.

To this end, it is necessary to establish measures that ensure correct identification. The establishment of these measures or protocols, as well as their monitoring and implementation by the responsible entity, serves to assess the conduct and the degree of diligence employed, but these are not the determining factors of the infringement.

Vodafone issued a duplicate SIM card without the consent of the line holder and delivered it to a third party without a valid legal basis. This constitutes unlawful data processing.

In short, in this case, the sanction is not based on the existence or absence of technical and organizational measures, but rather on the fact that, in this specific case, the processing of the complainant’s personal data was carried out without complying with the lawfulness requirements established in Article 6.1 of the GDPR. The infringement of this article lies in the fact that the respondent allowed unauthorized processing of the data, thereby violating the rights of the complainant.

In this regard, the mere existence of a security policy cannot justify a violation of the principle of lawfulness provided for in Article 6.1 of the GDPR. In addition to existing, these measures must be effective and enable the data controller to demonstrate compliance with the principles relating to the processing of personal data. Otherwise, the measures adopted are ineffective and may lead to unlawful processing, as is the case here.

Therefore, the respondent cannot claim to be exonerated from its responsibility by appealing to the existence of such security measures, especially when the failure lay in their application, allowing a breach of the lawfulness of the processing.

It is true that the mere issuance of a SIM card and its delivery to an unauthorized third party already constitutes a violation of the principle of lawfulness, since it amounts to processing of personal data.

It is also important to note that it is undisputed that the issuance of the duplicate SIM card and its delivery to an unauthorized third party was carried out without the involvement of the claimant and owner of the telephone line. Vodafone itself classified the case as fraudulent, as stated in the established facts.

Furthermore, given the proven existence of unlawful conduct by Vodafone (the processing of the claimant’s data without legal basis), the question now centers on whether such conduct can give rise to administrative liability.

Vodafone maintains that no culpability, whether intentional or negligent, can be found in the alleged infraction, and that therefore no sanction can be imposed.

The principle of culpability governs administrative sanctioning law (Article 28 of Law 40/2015, on the Legal Regime of the Public Sector, LRJSP); therefore the subjective or culpability element is an indispensable condition for liability to arise. Article 28 of the LRJSP, “Liability,” states:

“1. Only natural and legal persons, as well as, when a Law recognizes their legal capacity, groups of affected parties, associations and entities without legal personality, and independent or autonomous estates, may be sanctioned for acts constituting an administrative offense, provided they are responsible for said acts on the grounds of intent or negligence.”

In light of this provision, liability for sanctions can be demanded on the grounds of intent or negligence, with the mere failure to observe the duty of care being sufficient in the latter case.

The Constitutional Court, among others, in its Judgment 76/1999, has declared that administrative sanctions share the same nature as criminal sanctions, being one of the manifestations of the State’s power to punish, and that, as a requirement derived from the principles of legal certainty and legality in criminal law enshrined in Articles 9.3 and 25.1 of the Spanish Constitution, the existence of culpability is essential for their imposition.

Regarding the culpability of legal entities, it is appropriate to cite Constitutional Court Judgment 246/1991, of December 19, 1991 (Legal Basis 2), according to which, with respect to legal entities, the subjective element of culpability must necessarily be applied differently than it is applied with respect to natural persons, adding that “This different construction of the imputability of the authorship of the infringement to the legal entity arises from the very nature of legal fiction to which these subjects respond. They lack the volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject. Capacity for infringement and, therefore, direct blameworthiness that derives from the legal interest protected by the rule that is infringed and the need for said protection to be truly effective […]”.

The Spanish Data Protection Agency (AEPD) shares the position expressed by Vodafone in its arguments, in which it refers to the doctrine of our Supreme Court, which states that “for exoneration, it is not enough to invoke the absence of fault; rather, it is necessary that the diligence required of the party alleging its absence was exercised (among others, the Supreme Court Judgment of January 23, 1998 [RJ 1998601]).”

Thus, the decision to close a sanctioning proceeding may be based on the absence of the element of culpability when the person responsible for the unlawful conduct acted with all the diligence required by the circumstances of the case.

In compliance with the principle of culpability, the AEPD has on numerous occasions closed sanctioning proceedings in which the element of culpability of the offending party was not present. Cases in which, despite the existence of unlawful conduct, it had been proven that the responsible party had acted with all due diligence, and therefore no fault was found in their conduct. This has been the criterion maintained by the Administrative Law Chamber, Section 1, of the National Court. The following judgments, which are very enlightening, can be cited:

– SAN judgment of April 26, 2002 (Appeal No. 895/2009), which states:
“Indeed, culpability cannot be established based on the outcome, and this is precisely what the Agency does by arguing that, since the security measures were not implemented, there is culpability. Far from it, what should be done, and what is lacking in the Resolution, is to analyze the sufficiency of the measures based on the parameters of the average diligence required in the data traffic market. If one acts with full diligence, scrupulously fulfilling the duties arising from diligent conduct, it is impossible to assert or presume the existence of any culpability.”

– The National High Court (SAN) ruling of April 29, 2010, Legal Basis Six, regarding a fraudulent contract, states that “The issue is not whether the appellant processed the complainant’s personal data without her consent, but rather whether she exercised reasonable diligence in trying to identify the person with whom she entered into the contract.”

At this point, it is worth recalling what Constitutional Court Ruling 246/1991 has stated regarding the culpability of legal entities: that they possess the “capacity to infringe the rules to which they are subject.” “Capacity to infringe […] which derives from the legal interest protected by the rule that is infringed and the need for said protection to be truly effective […]”.

In connection with the foregoing, reference must be made to Article 5.2. of the GDPR (principle of proactive responsibility), according to which the data controller will be responsible for compliance with the provisions of paragraph 1—and, relevant here, with the principle of lawfulness in relation to Article 6.1 of the GDPR—and able to demonstrate compliance.


The principle of proactivity transfers to the data controller the obligation not only to comply with the regulations, but also to be able to demonstrate such compliance.

Opinion 3/2010 of the Article 29 Working Party (WP29) – document WP 173 – issued during the validity of the repealed Directive 95/46/EC, but whose considerations are still applicable, states that the “essence” of proactive responsibility is the controller’s obligation to implement measures that, under normal circumstances, ensure that data protection rules are met in the context of processing operations and to have documents available that demonstrate to data subjects and supervisory authorities what measures have been taken to achieve compliance with data protection rules.

Article 5.2 is further developed in Article 24 of the GDPR, which obliges the controller to adopt appropriate technical and organizational measures “to ensure and be able to demonstrate” that processing is compliant with the GDPR. The provision states:

“Responsibility of the controller”
“1. Taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation. These measures shall be reviewed and updated where necessary.

2. Where proportionate to the processing activities, the measures referred to in paragraph 1 shall include the implementation by the controller of appropriate data protection policies.

3. Adherence to approved codes of conduct pursuant to Article 40 or to an approved certification mechanism pursuant to Article 42 may be used as evidence of the controller’s compliance with its obligations.”

Article 25 of the GDPR, “Data protection by design and by default”,
states:

“1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement, both at the time of determining the means of processing and at the time of processing itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement the data protection principles, such as data minimization, and to integrate the necessary safeguards into the processing, in order to comply with the requirements of this Regulation and to safeguard the rights of data subjects.
2. […]”.

It is worth asking what parameters of due diligence Vodafone should have observed in relation to the conduct under examination. The answer is that the due diligence it should have exercised was that which was necessary to comply with the obligations imposed on it by Articles 5.2, 24, and 25 of the GDPR, in light of the rulings of the National Court and the jurisprudence of the Supreme Court.


The judgment of the National High Court of 17 October 2007 (appeal no. 63/2006) is fully applicable to this case. That judgment, after stating that entities whose business activities involve the continuous processing of customer and third-party data must observe an adequate level of diligence, states: “[…] the Supreme Court has consistently held that negligence exists whenever a legal duty of care is disregarded, that is, when the offender does not act with the required diligence. And in assessing the degree of diligence, special consideration must be given to the professional status of the individual, and there is no doubt that, in the case now under examination, given that the appellant’s activity involves the constant and extensive handling of personal data, the rigor and meticulous care to comply with the relevant legal provisions must be emphasized.”

The judgment of the National High Court of 19 September 2023 (appeal no. 403/2021) is also fully applicable to this case. It states: “The insurance policy was contracted with a third party without sufficient control or supervision, as it was unable to detect that the person expressing their intention to contract was not who they claimed to be. Had the necessary precautions been taken to ensure the identity of the contracting party (for which it would have been sufficient to address the incorrect answers to the customer’s identification and verification questions).”

The defendant has invoked various arguments to justify the lack of culpability for its conduct. Essentially, it claims to have a security policy aimed at ensuring that duplicate SIM cards are delivered to the registered owners of the telephone lines, a policy followed by Vodafone that did not fail, but rather was overcome by criminal actions committed by a third party who was aware of its internal procedures and all the necessary information. Vodafone understands that we are dealing with a criminal act carried out by a third party, who, acting with malice aforethought, deceives the channel support agent for the store, impersonating store personnel by providing all the information required by their security policy; and it cites the Judgment of the National Court (Administrative Chamber, Section 1) of February 25, 2010 [JUR 2010/82723], referring to a precedent processed in this Agency, in which it was concluded that imputing liability to a data controller would violate the principle of culpability when “the result is a consequence of an intrusion activity, not protected by law and therefore illegal, by a third party with advanced computer skills who, by breaking the established security systems, accesses the database of registered users…, downloading a copy of it.”

Based on this, Vodafone considers that its conduct cannot be classified as negligent.

However, there are numerous factual circumstances in this case that lead to classifying Vodafone’s conduct as reckless and culpable in its failure to preventively detect the fraud, which would have allowed it to deny the request for a duplicate SIM card received from an unauthorized third party and, consequently, to refrain from the processing of the claimant’s personal data that the issuance of said card and its delivery to a person other than its owner entail.

First, it is necessary to highlight the following two aspects:

1. That there are numerous factual circumstances that should have alerted Vodafone to the fraud or, in other words, that demonstrate the negligence of its conduct.

2. That Vodafone, on each occasion that it has contacted this Spanish Data Protection Agency (AEPD) to explain the case, has offered a different version of events, without providing conclusive evidence to lend credibility to its statements, and even sometimes contradicting what was shown in the documentation provided by the company itself.

The duplicate card was supposedly processed from a physical store or using a physical store’s user password. According to the established protocol, for this process, the store must contact Vodafone’s “Retail Support” department by telephone and request activation of the duplicate card, after fulfilling the measures established by the company by providing the required information.

However, Vodafone wasn’t even certain about the “Vodafone store” involved in the incident. Months after the events occurred, Vodafone itself responded to the claimant that “after reviewing the case, it has not been possible to locate the physical store where the SIM card replacement was processed, which the customer did not recognize.”

Vodafone’s information systems contain a record indicating that the postal code of said store is ***REFERENCE.1, belonging to ***LOCATION.1. This is also stated in the report prepared by the “Claims” department in connection with the actions that led to these proceedings, and this is what Vodafone itself reported in its response to the transfer of the claim.

It was later, in response to information requests from the Spanish Data Protection Agency (AEPD), that Vodafone pointed to a store located in the town of [LOCATION]. It is unclear why, if this store had been assigned the user code provided by the third-party impersonator, Vodafone did not identify the point of sale until so long afterward. Furthermore, the phone number used to request a duplicate SIM card did not match the one associated with this store in the relevant contractual documentation. This should have led Vodafone to question the duplicate request and adds further uncertainty regarding the store and the information provided to “Retail Support” by the caller.

None of the explanations offered by Vodafone to explain these two circumstances—those relating to the store’s postal code and the phone number that made the call—are convincing.

Regarding the store’s postal code, Vodafone states that it was not information required to process the duplicate at the time the events occurred (September 2021), providing recordings of other cases in which the “Retail Support” staff did not request it from the person making the request.

But the fact is that, in this case, the “Retail Support” agent did request it and was given one (***REFERENCE.1) that does not correspond to any store. Thus, whether or not the data was specified as necessary for the procedure in the security policy, the fact remains that non-existent data was provided, and this should again have served as a warning to Vodafone to exercise extreme caution. The details of the conversation on this specific point are revealing:

“I have a customer here who wants to get a duplicate SIM card.

In this case, first confirm your store’s postal code so I know if you’re authorized or not…

Okay, it would be ***REFERENCE.1

Okay, ***REFERENCE.1, no, in this case you wouldn’t be authorized. Do you have any other code?

I’ll tell you the customer code, the store code.

The store code, of course, I really need the store’s postal code.

(…)

No, not that either. It doesn’t appear.

Yes, it would be (…)

Let’s see if there’s another one, I’m looking, give me a moment… It doesn’t appear… Any other one, because with the postal code the store should appear, ***REFERENCE.1 doesn’t appear.”

Regarding Vodafone’s failure to verify the number from which the duplicate SIM card request was made, which in this case does not match any line number associated with the store in question, the aforementioned entity simply attributes the responsibility for identifying the customer to the store, which is unacceptable given its status as the data controller for its customers’ data.

Evidence that this failure to verify the originating number of the call is a weakness in Vodafone’s established verification process and that it should be checked is the circular that Vodafone itself distributed to its call center on October 10, 2022, which was included with its response to the complaint transfer process. In this circular, among other things, it warns that “if a call is received from a colleague, it is necessary to verify the origin of the incoming call.”

Regarding the method of identifying customers requesting a duplicate SIM card, neither the security policy established by Vodafone in September 2021 nor the agency agreement signed with Fibranorte, SL., the entity with which the store in question collaborates, contains any specific provisions beyond verifying the identity document for new sign-ups.

The information that the person calling “Retail Support” must provide includes certain ICC numbers of the card to be duplicated. Vodafone stated that sending SIM cards to stores is unnecessary because they already have them. Therefore, once the security verification process with “Retail Support” is completed, the card is activated. Vodafone also stated that it does not have a direct relationship with the points of sale (the stores), but rather operates through an agent, as is the case here.


Thus, the fact that Vodafone does not know the numbering of the SIM cards available in each store constitutes a further weakness; knowing it would have allowed Vodafone to associate the card with the point of sale that made the call in question. The case file, provided by Vodafone, contains the report prepared by its “Complaints” department regarding this case, which indicates that the numbering of “the fraudulent SIM card used ***REFERENCE.3 belonged to an order from Fibranorte.”

Furthermore, it is worth noting that there is no record that Vodafone took any action directed at the complainant to verify the legitimacy of the request it was receiving, nor to ascertain the reason for requesting a duplicate SIM card. This would have allowed Vodafone to verify that the SIM card being used by the complainant was active and functioning without any issues, and to confirm that the customer had not made any requests.

Furthermore, this Agency considers another red flag to be the fact that a person residing in ***LOCATION.1 requested a duplicate SIM card at a store located in a different Autonomous Community, whichever one it may be. While not a determining factor, as it is not improbable, it should be taken into consideration when initiating the process and implementing the necessary precautions.
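The verification gaps the decision enumerates (no check on the number the call came from, a postal code that matched no store, no binding of the ICC to the store holding that stock, no out-of-band contact with the line holder, and a geographic mismatch treated as a soft signal) translate directly into authorization logic. The following Python is an added illustration, not code from the decision or from Vodafone; every store, subscriber, ICC and phone number in it is constructed and hypothetical. It contrasts a knowledge-only check, which a caller reciting the expected data passes, with a hardened check that denies the same request and, for a request that looks genuine, still asks the line holder to confirm on the SIM that is still active.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Store:
    user_code: str     # code an authorised store user quotes to Retail Support
    postal_code: str
    phone: str         # the line the store is contracted to call from
    region: str


@dataclass(frozen=True)
class Subscriber:
    customer_id: str
    line: str
    region: str


@dataclass(frozen=True)
class DuplicateSimRequest:
    caller_phone: str            # originating number of the call to Retail Support
    user_code: str
    postal_code: Optional[str]   # not mandatory under the 2021-style policy
    customer_id: str
    line: str
    icc: str                     # ICC of the blank card the caller wants activated


# Constructed reference data (hypothetical values, not taken from the case).
STORES: Dict[str, Store] = {
    "U-1001": Store("U-1001", "08100", "+34930000001", "Catalonia"),
    "U-1002": Store("U-1002", "50001", "+34976000002", "Aragon"),
}
SUBSCRIBERS: Dict[str, Subscriber] = {
    "+34600111222": Subscriber("X1234567L", "+34600111222", "Madrid"),
}
# Store each blank card was shipped to, so an ICC can be tied to a point of sale.
ICC_ALLOCATION: Dict[str, str] = {
    "8934071234567890001": "U-1001",
    "8934071234567890002": "U-1002",
}


def knowledge_only_policy(req: DuplicateSimRequest) -> Tuple[bool, List[str]]:
    """Approve when the caller recites a valid user code, the customer id that
    matches the line, and an ICC from some store order. Nothing about who is
    actually calling is verified, which is what an impersonator exploits."""
    flags: List[str] = []
    if req.user_code not in STORES:
        flags.append("unknown user code")
    sub = SUBSCRIBERS.get(req.line)
    if sub is None or sub.customer_id != req.customer_id:
        flags.append("customer id does not match line")
    if req.icc not in ICC_ALLOCATION:
        flags.append("ICC not from any store order")
    return (not flags, flags)


def hardened_policy(
    req: DuplicateSimRequest, confirm_with_subscriber: Callable[[str], bool]
) -> Tuple[bool, List[str], List[str]]:
    """Same knowledge checks plus the bindings the decision faults: the calling
    number, the postal code and the ICC must all belong to the store that the
    user code identifies. Any hard flag denies. A request that survives is still
    put to the line holder out of band (the original SIM is still live) and is
    denied unless the holder confirms. A region mismatch is only a warning."""
    _, flags = knowledge_only_policy(req)
    warnings: List[str] = []
    store = STORES.get(req.user_code)
    sub = SUBSCRIBERS.get(req.line)
    if store is not None:
        if req.caller_phone != store.phone:
            flags.append("call did not originate from the store's registered number")
        if req.postal_code is not None and req.postal_code != store.postal_code:
            flags.append("postal code does not match the store's")
        owner = ICC_ALLOCATION.get(req.icc)
        if owner is not None and owner != store.user_code:
            flags.append("ICC belongs to another store's stock")
        if sub is not None and sub.region != store.region:
            warnings.append("subscriber's region differs from store's region")
    if flags:
        return (False, flags, warnings)
    if not confirm_with_subscriber(req.line):
        return (False, ["line holder did not confirm the request"], warnings)
    return (True, [], warnings)


# Constructed: an impersonator who knows a real user code, the victim's id and
# line, and a valid ICC, but calls from an unregistered number, gives a postal
# code matching no store, and quotes a card shipped to a different store.
FRAUD = DuplicateSimRequest(
    caller_phone="+34611999888", user_code="U-1001", postal_code="99999",
    customer_id="X1234567L", line="+34600111222", icc="8934071234567890002")

# Constructed: a genuine in-store request for the same line.
LEGIT = DuplicateSimRequest(
    caller_phone="+34930000001", user_code="U-1001", postal_code="08100",
    customer_id="X1234567L", line="+34600111222", icc="8934071234567890001")


if __name__ == "__main__":
    print(knowledge_only_policy(FRAUD))                # approved: the knowledge-only outcome
    print(hardened_policy(FRAUD, lambda line: False))  # denied with three hard flags
    print(hardened_policy(LEGIT, lambda line: True))   # approved once the holder confirms
```

The `confirm_with_subscriber` callback stands in for whatever out-of-band channel the operator uses (a call or message to the still-active SIM, or a confirmation in the authenticated customer app); the point is that it is always invoked, so a holder who never asked for a duplicate is the one who finally blocks the request.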

In short, there has been no proactive approach to effectively applying data protection principles.

It follows, therefore, that Vodafone’s actions have been clearly ineffective and insufficient, falling far short of the possibilities offered by current technological developments and failing to consider the evident risk that contracting the services it markets represents for the rights and freedoms of individuals. Consequently, it must be held liable for the infringement committed due to its lack of due diligence.

As a large-scale repository of personal data, and therefore accustomed to or specifically dedicated to managing the personal data of customers, it must be especially diligent and careful in its processing.

Recital 74 of the GDPR states: The controller’s responsibility for any processing of personal data carried out by the controller or on behalf of the controller must be established. In particular, the controller must be obliged to implement timely and effective measures and must be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. These measures must take into account the nature, scope, context, and purposes of the processing, as well as the risk to the rights and freedoms of natural persons. Recital 79 also states: The protection of the rights and freedoms of data subjects, as well as the responsibility of controllers and processors, including with regard to supervision by supervisory authorities and the measures taken by them, requires a clear allocation of responsibilities under this Regulation, including where a controller determines the purposes and means of processing jointly with other controllers, or where the processing is carried out on behalf of a controller.

Furthermore, considering all the factual circumstances of this case, it cannot be said that the incident involving the processing of the claimant’s personal data was the result of a sophisticated attack carried out by a third party with advanced computer skills capable of bypassing Vodafone’s security systems, the consequences of which could not have been avoided.

In addition, regarding Vodafone’s claim that the fraudster’s prior actions to obtain the victims’ data, or subsequent actions such as those taken to access online banking, are beyond its control, it should be noted that no liability is being attributed in this sanctioning procedure for such actions by the third party, whether related to obtaining the claimant’s personal data provided to “Retail Support” or to the third party’s subsequent use of that data once the duplicate card was obtained. This is without prejudice to the consideration of the impact that a third party obtaining a duplicate SIM card for their mobile phone line may have on the data subject, which obliges the responsible entity to take all necessary precautions to prevent it.

2. Determination of the Sanction

Vodafone requests, in the alternative and in the event that the Agency finds that an infringement has occurred and a sanction must be imposed on the respondent, that the following mitigating circumstances be taken into account:

– The degree of responsibility of the data controller, taking into account the technical and organizational measures it has implemented pursuant to Articles 25 and 32 of the GDPR.

– The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its potential adverse effects.

– Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.

Regarding the first issue, we refer to what is stated on this graduation factor in Legal Basis V.

The degree of cooperation is addressed in Article 83.2.f) of the GDPR: “the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement”.

The degree of cooperation with the Agency cannot be considered a mitigating factor either, since the respondent’s response to the information request from the Sub-Directorate of Inspection did not fulfil these purposes, and therefore does not fall under this mitigating circumstance.

To this end, it is necessary to take into account Guidelines 04/2022 of the European Data Protection Board (EDPB) on the calculation of administrative fines under the GDPR, version 2.1, adopted on 24 May 2023, which state that “the ordinary duty to cooperate should be considered mandatory and, therefore, should be considered neutral (and not a mitigating factor).”

This is confirmed by the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, adopted on 3 October 2017 (Article 29 Working Party, WP253, later endorsed by the EDPB), which state: “That said, it would not be appropriate to take into account, in addition, the cooperation required by law; for example, in all cases, the entity is required to allow the supervisory authority access to the premises to carry out audits or inspections.”

Therefore, we can conclude that what is required or mandatory by law for the data controller, as happened in this case, cannot be understood as “cooperation.”

Furthermore, this Spanish Data Protection Agency (AEPD) does not agree that Vodafone’s actions were adequate to mitigate the adverse effects of the infringement, except with regard to the reimbursement of the services not consumed by the complainant. It should be noted that, once the complainant’s personal data has already been disclosed to an unknown third party, it is difficult to mitigate the damage caused to the rights of the data subject.

Regarding the application of Article 76.2.c) of the LOPDGDD (Spanish Data Protection Law), in conjunction with Article 83.2.k) of the GDPR, concerning the absence of benefits obtained, it should be noted that this circumstance can only operate as an aggravating factor and in no case as a mitigating factor.

Article 83.2.k) of the GDPR refers to “any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.” And Article 76.2.c) of the LOPDGDD states that “2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: […] c) The profits obtained as a consequence of the commission of the infringement.” Both provisions mention the “profits” obtained as a factor that may be taken into account in determining the penalty, but not the “absence” of such profits, which is what Vodafone alleges.

Furthermore, according to Article 83.1 of the GDPR, the imposition of fines is governed by the following principles: they must be individualized for each particular case, and be effective, proportionate and dissuasive. Admitting that the absence of profits can operate as a mitigating factor is contrary to the spirit of Article 83.1 of the GDPR and to the principles governing the determination of the amount of the fine. If, following the commission of a GDPR infringement, the absence of profits is considered a mitigating factor, the deterrent purpose of the penalty is partially nullified. Accepting this argument in a case such as the one at hand would introduce an artificial reduction in the penalty that should truly be imposed, namely the one that results from considering the circumstances of Article 83.2 of the GDPR, which must be taken into account.

The Administrative Chamber of the National Court has warned that the fact that, in a specific case, not all the elements that constitute a circumstance modifying liability which by its nature is aggravating are present cannot lead to the conclusion that such a circumstance is applicable as a mitigating factor. This ruling of the National Court, in its Judgment of 5 May 2021 (Appeal No. 1437/2020), even though it deals with the circumstance in Article 83.2.e) of the GDPR (the commission of prior infringements), is applicable to the issue at hand. The defendant’s claim that the “absence” of benefits should be accepted as a mitigating factor is unfounded, given that both the GDPR and the LOPDGDD refer only to “benefits obtained.”

Therefore, the mitigating factors invoked by Vodafone are rejected.

III

Response to the allegations submitted to the proposed resolution of the procedure

The allegations now presented essentially reproduce those already submitted in the initial phase of the procedure, which were expressly assessed and addressed in the proposed resolution. Therefore, we refer to and reiterate what has already been stated. Notwithstanding the foregoing, certain clarifications are deemed appropriate.

1. Vodafone reiterates that it has acted diligently, having implemented appropriate measures to correctly identify its customers. The adoption of technical and organizational security measures is not an absolute obligation. Principle of culpability.

First, Vodafone emphasizes that, although the proposed resolution of this procedure does not accuse it of an infringement due to insufficient or inadequate security measures, but rather due to the unlawful processing of personal data, it does refer to the ineffectiveness of its security measures.

Furthermore, it reiterates that it has acted with due diligence, having implemented the appropriate technical and organizational measures to correctly identify its customers and prevent the unlawful processing of data.

The adoption of such measures is not an absolute obligation, but rather an obligation of means. Based on this, it believes that the fact that a third party circumvents these measures, using illicit and fraudulent techniques, does not mean that its security policy is insufficient.

In line with the above, and regarding the alleged lack of culpability, it maintains that this Agency has not taken into consideration, for its analysis, all the measures that existed at the time the events subject to sanction occurred, nor the improvement measures that Vodafone has implemented, observing only the result of the events, that is, the fraudulent issuance of the duplicate SIM card.

It adds that it considers the principle of proactivity to have been amply met
by providing evidence that the relevant processes were followed.


Regarding the legal classification of the infringement, the Agency reaffirms what it has already stated in its response to the allegations against the initial agreement, namely that the facts constituting the infringement consist of the violation of the principle of lawfulness of the processing, which materializes in the issuance of a duplicate SIM card and its delivery to an unauthorized third party.

Given the characteristics and context of the processing, it is important to clarify that SIM swapping is a well-documented and frequently occurring risk in the telecommunications sector.

Consequently, as it is an inherent risk of the activity, it is legally required that appropriate technical and organizational measures be adopted in the SIM card replacement process for its prevention and detection, in order to avoid the unlawful processing of personal data. Therefore, the proper and rigorous verification of the line owner’s identity is crucial for the operator’s actions to be considered diligent and in accordance with the obligations imposed by Articles 5.2, 24, 25, and 32 of the GDPR.

In this regard, contrary to what has been alleged, this Agency has not limited its analysis solely to the material result, that is, the fraudulent issuance of the duplicate SIM card, but has thoroughly assessed the measures implemented by the defendant, identifying deficiencies or irregularities therein that call into question Vodafone’s diligence in this case.

As already stated, numerous factual circumstances exist in this case that lead to characterizing Vodafone’s conduct as reckless and negligent in preventively detecting the fraud. Regarding these circumstances already described, Vodafone merely reiterates its previous allegations, without specifically addressing the arguments considered in the proposed resolution.

Vodafone fails to clarify the initial lack of certainty and the delay in identifying the establishment involved in issuing the disputed duplicate SIM card, especially since said establishment had an assigned user code, which was provided by the third-party impersonator. This is confirmed by the emails provided by the defendant. The defendant simply reiterates what has already been stated in previous submissions: “the reason why the claims team provided incorrect information is unknown.”

Similarly, it does not adequately justify its failure to question the duplicate request, despite two circumstances that should reasonably have raised suspicions: firstly, the phone number from which the call was made did not match the one associated with the store according to the corresponding contractual documentation; and secondly, a postal code was provided that did not correspond to any authorized establishment. Vodafone insists that neither of these checks was required under the security policy in effect at the time of the events. However, it fails to consider that these circumstances should, in any case, have generated the appropriate suspicion or alert, given the standards and precautions required for the proper prevention of risks and fraud.

Regarding the method of identifying customers requesting a duplicate SIM card, Vodafone also fails to demonstrate the existence of any specific provision, either in the security policy established in September 2021 or in the agency agreement signed with Fibranorte S.L., beyond simply verifying the identity document in the case of new sign-ups. In its defense, Vodafone merely provides an excerpt from an operational document regarding the SIM card replacement procedure in distribution, which appears to be purely informative and lacks any regulatory development, stating:

“(…)”.

Regarding the contract with Fibranorte S.L., it provides an excerpt from the contract’s definitions section, which defines fraud as, among other things:

“(iii) failure to verify the Customer’s identity in the event of a change of ownership of an already contracted Service, portability or migration of a Service, or SIM card replacement.”

From reading the provided excerpts, it is clear that they do not describe any controls
beyond simply verifying the identity document in-store, and therefore, the observation made is not refuted.

Furthermore, with specific regard to the lack of additional mechanisms to ensure the legitimacy of the request, such as contacting the line owner to verify the authenticity of the request received and determine the reason for requesting the duplicate, it is considered that the respondent is straying from the central issue by merely alleging that the problem lies in the fraudulent actions of a third party who managed to circumvent the established internal controls.
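The signals the Agency discusses above (a call that does not come from the store’s contracted number, a postal code matching no authorized establishment, a new SIM whose ICC was not shipped to that store, a store outside the line holder’s region, and a line that is still active while nobody has contacted its owner) are all checks against data an operator already holds. The routine below turns them into a single vetting step. It is an added example, not part of the decision and not Vodafone’s or Fibranorte’s actual process: the store and subscriber records, the request fields, the sample requests and the decision thresholds (which signals count as hard versus soft, and that confirmation with the owner on the existing line overrides them) are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Records below are constructed for this example only; they are not data
# from the decision, the operator or the distributor named in it.


@dataclass(frozen=True)
class Store:
    user_code: str
    registered_phone: str   # number the store is contracted to call retail support from
    postal_code: str
    region: str             # Autonomous Community where the establishment is located
    sim_stock: frozenset    # ICCs of the SIM cards shipped to this store


@dataclass(frozen=True)
class Subscriber:
    msisdn: str
    id_number: str
    region: str             # Autonomous Community of residence
    line_active: bool       # the current SIM is still registering on the network


@dataclass(frozen=True)
class DuplicateRequest:
    store_user_code: str
    caller_number: str      # calling line identity of the call into retail support
    stated_postal_code: str
    msisdn: str
    id_number: str
    new_icc: str
    owner_confirmed: bool   # owner reached on the existing line and confirmed the request


HARD = "hard"   # contradicts the request's own story; never issue on the caller's word alone
SOFT = "soft"   # not decisive by itself, but enough to require contact with the owner


def vet_request(req, stores, subscribers):
    """Return (decision, reasons): REJECT, HOLD (confirm with the owner first) or ISSUE."""
    store = stores.get(req.store_user_code)
    sub = subscribers.get(req.msisdn)
    # Data that does not match the line is not a "red flag"; it is a failed check.
    if store is None:
        return "REJECT", ["store user code is not assigned to any establishment"]
    if sub is None or sub.id_number != req.id_number:
        return "REJECT", ["ID number does not match the holder of the line"]

    flags = []
    if req.caller_number != store.registered_phone:
        flags.append((HARD, "call did not come from the store's contracted number"))
    if req.stated_postal_code != store.postal_code:
        flags.append((HARD, "stated postal code does not match the establishment"))
    if req.new_icc not in store.sim_stock:
        flags.append((HARD, "ICC of the new SIM was not shipped to this store"))
    if sub.region != store.region:
        flags.append((SOFT, "store is outside the subscriber's region of residence"))
    if sub.line_active:
        flags.append((SOFT, "current SIM still active and no loss reported by the owner"))

    reasons = [text for _, text in flags]
    if req.owner_confirmed:
        return "ISSUE", reasons      # confirmation on the working line settles the doubt
    if any(level == HARD for level, _ in flags):
        return "REJECT", reasons     # contradictory request and no owner contact: escalate
    if flags:
        return "HOLD", reasons       # call the owner before anything is issued
    return "ISSUE", reasons


# Constructed reference data: one store, one subscriber.
STORES = {
    "STORE-0042": Store("STORE-0042", "+34911000100", "33001", "Asturias",
                        frozenset({"8934010000000000001", "8934010000000000002"})),
}
SUBSCRIBERS = {
    "+34600111222": Subscriber("+34600111222", "X1234567L", "Madrid", line_active=True),
}

# The pattern the decision describes: correct store code, ID number and an ICC from the
# store's stock, but an unexpected calling number and postal code, and no contact with the owner.
IMPERSONATOR = DuplicateRequest("STORE-0042", "+34655000999", "28080", "+34600111222",
                                "X1234567L", "8934010000000000001", owner_confirmed=False)

# The same line, requested from the store's own number and confirmed with the owner.
GENUINE = DuplicateRequest("STORE-0042", "+34911000100", "33001", "+34600111222",
                           "X1234567L", "8934010000000000002", owner_confirmed=True)


if __name__ == "__main__":
    for name, req in (("impersonator", IMPERSONATOR), ("genuine", GENUINE)):
        decision, reasons = vet_request(req, STORES, SUBSCRIBERS)
        print(f"{name}: {decision}", *reasons, sep="\n  ")
```

The HOLD outcome is the out-of-band step the decision says was missing: the existing SIM was still working, so the operator could have rung the line and asked whether a duplicate had been requested at all. The split between hard and soft signals is a policy choice of this example, not something the decision prescribes; the Agency treats the region mismatch as a signal to weigh rather than a blocker, and that is how it is scored here.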

In light of the foregoing, both in the proposed resolution and in this response, neither the evidence provided nor the arguments presented are sufficient to demonstrate that the data controller applied appropriate and proportionate measures in the specific context in which it operates in order to guarantee the processing’s compliance with data protection regulations.

Consequently, the principle of proactive responsibility cannot be considered fulfilled.

The defendant, in its defense, focuses on reiterating that the fraudster ultimately provided the required information in accordance with the security policy in effect at the time of the events: store user code, certain SIM card numbers (ICC), and the claimant’s personal data (name, surname, national identity document number, and mobile phone number to be duplicated).

It is significant, particularly regarding applicable security policies and measures, that the data controller refrains from thoroughly analyzing the due diligence required in its conduct, shifting responsibility to a third party, especially concerning the veracity of the SIM card duplicate request, the verification of which is essential for effective fraud prevention.

Furthermore, the doctrine established by the Supreme Court, Administrative Law Chamber, Third Section, in its Judgment of December 13, 2021 (Cassation Appeal No. 6109/2020), is of particular interest. This judgment analyzes a case of online contracting in which the actions taken by the appellant to verify that it was contracting with the true data subject are questioned.

According to the order admitting the aforementioned appeal, “the issue that presents objective grounds for cassation in order to establish jurisprudence consists of interpreting the current personal data protection regulations in order to clarify whether the fraudulent intervention of a third party, who impersonates another person in an online contract, allows for the exclusion of any infringement due to the lack of the necessary unambiguous consent for the processing of personal data required by Article 6 of Organic Law 3/2018, of December 5, on the grounds that the contracting company acted with due diligence and in the belief that it was contracting with the true owner of such data.”

This Judgment states the following:

“SECOND.- Regarding the alleged violations of the judgment by the appellant.

(…)

Having thus defined the task at hand, we begin by noting that the appealed judgment does not dispute the existence of a third party who impersonated the data subject. In fact, it can be said that the judgment acknowledges the existence of that fraudulent third-party intervention; however, the court considers that this fact, which has not been contested, is not in itself sufficient to invalidate the legal requirements that the data subject give their consent for the use of their data and that this data be processed in accordance with the legally established principles and guarantees…

Thus, the appealed judgment finds, on the one hand, a lack of due diligence in the actions of the appellant, which resulted in a failure to comply with the requirement to obtain the consent of the data subject (Article 6 LOPD)…

Regarding the first issue (lack of due diligence in the proceedings), the appeal reiterates the allegations made by the plaintiff in the lower court proceedings, namely that… it adopted all necessary and appropriate measures, from the perspective of personal data protection, to process the microcredit application…

In short, none of the measures adopted by the appellant are intended to prove that the person requesting the microcredit is the same person as the holder of the ID card provided. And, indeed, the appealed judgment continues, the evidence gathered during the administrative proceedings revealed that, with respect to the telephone line provided when the loan was requested, neither the name, surname, nor tax identification number (NIF) of the line holder matched the personal data of the complainant (holder of the ID card); and with respect to the bank account listed in the records of…, to which the microloan amount was allegedly transferred, the data of the account holder did not match. The account details on the date the loan was taken out also do not match the complainant’s personal data. Not even the mobile phone number holder and the bank account holder are the same person.


These findings of the lower court regarding the inadequacy of the measures adopted in the online loan application process, and, ultimately, regarding the lack of due diligence on the part of the appellant, have not been refuted in any way on appeal, where the representative of… has reiterated the statements made in the lower court proceedings but has provided nothing that serves to refute the conclusions of the trial court.

In short, we share the opinion of the National Court regarding the
insufficiency of the measures applied by the appellant in the
procurement procedure. To the considerations set forth in the appealed judgment, which
we share and adopt as our own, we will only add two observations:

First, the verification measures applied by the appellant appear entirely aimed at ensuring the successful completion of the loan, but, conversely, they completely disregard the objective of verifying the truthfulness and accuracy of the data, and, in particular, of verifying that the person requesting the loan is indeed who they claim to be. Thus, in any case where a third party misuses a stolen or lost ID card to make a purchase or apply for an online loan, the unauthorized processing of the document holder’s personal data would always be completed, even if the holder had previously reported the loss or theft of their ID card to the authorities. None of the measures proposed by the appellant appear to be even remotely aimed at preventing or hindering this outcome.

Secondly, the above does not mean that the contracting company is responsible for preventing an illegal or criminal act, such as the fraudulent use of an ID card by someone other than its holder. However, it is required of said contracting company, as a necessary precaution to avoid being accused of non-compliance with its obligations regarding the protection of personal data, both in terms of the requirement for the data subject’s consent and in relation to the principle of truthfulness and accuracy of the data, to implement control measures aimed at verifying that the person seeking to contract is who they claim to be, that is, that they match the holder of the ID card provided…

THIRD.—The Court’s response to the issue of legal interest raised in the
order admitting the appeal.

In response to the question raised in the order admitting this appeal, we must declare that the fraudulent intervention of a third party, who impersonates another person in an online transaction, does not preclude the possibility that the contracting company, which processes the personal data, may have committed an infringement due to the lack of the necessary unambiguous consent required by Article 6 of Organic Law 3/2018, of December 5, since that fraudulent intervention by a third party does not in itself imply that the contracting company acted with due diligence.

The foregoing does not mean that the contracting company is held responsible for preventing an unlawful or criminal act, such as the fraudulent use of a national identity document by someone who is not its holder. But it is indeed required of said contracting company, as a necessary precaution to avoid being accused of failing to comply with its obligations regarding the protection of personal data, both in terms of requiring the consent of the data subject and in relation to the principle of truthfulness and accuracy of the data, to implement control and verification measures aimed at ensuring that the person seeking to contract is who they claim to be, that is, that they match the holder of the ID card provided.”

In summary, as already indicated in the proposed resolution, as a result of the deficiencies or irregularities described, the defendant issued a duplicate SIM card to a third party who was not the account holder, thus calling into question the diligence exercised on its part when carrying out the timely checks to verify the identity of the customer concerned, as well as the legitimacy of the request.

It should also be noted that, in accordance with the principle of proactive responsibility established in Article 5.2 of the GDPR, the data controller has not only the obligation to comply with the principles of processing, and therefore, the principle of lawfulness is relevant here, but also the burden of demonstrating compliance.

Furthermore, when the legal basis for processing is consent, the requirement for the data controller to demonstrate the lawfulness of the processing carried out is not only imposed by Article 5.2 of the GDPR. Article 7 of the GDPR, under the heading “Conditions for consent,” states:

“1. Where processing is based on the data subject’s consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.”

This allegation is therefore dismissed.

2. According to Vodafone, obtaining a duplicate SIM card does not grant access to bank information, passwords, email addresses, etc., of Vodafone customers, but rather to the mobile and internet services they may have contracted.

The defendant argues that the potential fraudulent duplication of a SIM card is neither a necessary nor sufficient action to gain access to the bank accounts of the affected parties.

For this reason, it argues that it can only be held liable for infringements related to those processing activities and security measures for which it holds the controller status, namely those aimed at ensuring that the person requesting the duplicate SIM card is the legitimate owner of the line.

With respect to this argument, it should be noted that, in this case, the only infringement attributed to the defendant is based on the unlawful processing of personal data.

The reference to the phenomenon of SIM swapping and its potential consequences is made in order to assess the scope and nature of the alleged infringement, taking into account the repercussions that such practices may have on the rights of the data subject.


In this regard, the National Court, in its judgment of 13 May 2024, Appeal No. 0002336/2021, establishes that “(…) in the first phase of this type of fraud, the impersonator fraudulently obtains the client’s online banking login credentials, but lacks the verification code, the second authentication factor, to be able to carry out any transaction. The moment they obtain the duplicate SIM card, they also gain access to this second authentication factor and, therefore, from that moment on, they can carry out any asset-related transactions they wish.”

For its part, the National Cybersecurity Institute (INCIBE) includes the following information about SIM swapping on its website, incibe.es:

“Remember that in SIM swapping, cybercriminals attempt to fraudulently duplicate a person’s mobile device’s SIM card. To do this, they impersonate the victim to obtain a duplicate. Subsequently, once the victim is left without phone service, they access their personal information and take control of their applications, impersonating them on social media, email accounts, or online banking, using the verification SMS messages sent to the phone number.” In this way, the cybercriminal can retrieve the confirmation text messages containing the keys and commit cybercrimes with these credentials, such as carrying out banking transactions and identity theft.

Therefore, the mere use of a SIM card by an unauthorized third party significantly increases the risk to its owner, insofar as the impersonator may have access to additional data that allows them to carry out actions with particularly serious consequences, such as unauthorized financial transactions, as has occurred in the case at hand.

For this reason, providing a duplicate SIM card is a process in which the due diligence exercised by the operators is essential to prevent this type of fraud and guarantee the adequate protection of customers’ rights and interests, diligence which, as already stated, is in question in this case.

Consequently, this allegation is dismissed.

3. Alternatively, should the Agency determine that an infringement has occurred and that a sanction should be imposed on Vodafone, this party disagrees with the aggravating circumstances applied and with the failure to consider the aforementioned mitigating circumstances.

The respondent disagrees with the factors considered to determine the seriousness of the infringement and the aggravating circumstances applied by the Agency when assessing the sanction. However, the allegations made by the respondent are insufficient to refute the arguments presented, and therefore must be dismissed, referring to the provisions of Legal Basis VI of this resolution.


Nevertheless, it is important to note that, in determining the amount of the administrative fine, the fact that the infringement directly affects a single party, the claimant, has been considered paramount, without prejudice to the assessment of the weaknesses already described in the security measures and policy implemented by the defendant and the possibility that these could lead to similar events affecting other parties.

Likewise, the mitigating circumstances invoked by the defendant, regarding the degree of cooperation shown by Vodafone and the lack of benefits derived from the commission of the infringement, are dismissed, as they reiterate those already included in its statement of grounds against the commencement of proceedings, for the reasons described in Legal Basis II, which reproduces the response offered to said allegations in the proposed resolution of these proceedings.

IV

Breach of Obligation

The defendant is accused of committing an infringement by violating Article 6 of the GDPR, “Lawfulness of Processing,” which specifies in paragraph 1 the circumstances under which the processing of third-party data is considered lawful:

“1. Processing shall be lawful only if at least one of the following conditions applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The provisions of point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions.

It should be noted that data processing requires a legal basis that legitimizes it.

In accordance with Article 6.1 of the GDPR, in addition to consent, there are other possible grounds that legitimize the processing of data without the need for the authorization of the data subject, in particular when it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, or when it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that those interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of such data. The processing is also considered lawful when necessary for compliance with a legal obligation to which the controller is subject, to protect the vital interests of the data subject or of another natural person, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In this case, Vodafone is accused of violating Article 6.1 of the GDPR because the unlawfulness of the processing carried out has been demonstrated, and none of the legal bases provided for in the aforementioned article have been proven in relation to the processing of the complainant’s data.

Processing is considered to be any operation performed on personal data, including the disclosure of such data to a third party. The GDPR, in point 2 of its Article 4, defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

It is also important to note that Article 4.1 of the GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In this regard, it is important to clarify that the SIM card is inserted inside the mobile device. It is a small, physical smart card that contains a chip storing the subscriber’s service key, used to identify them to the network. This key includes the customer’s MSISDN (Mobile Station Integrated Services Digital Network) mobile phone number, as well as the subscriber’s IMSI (International Mobile Subscriber Identity). It can also provide other data, such as call logs and message history.

Furthermore, issuing a duplicate SIM card and providing it to a third party involves processing the cardholder’s personal data, since an identifiable natural person is defined as any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier [Article 4.1 of the GDPR].

In summary, both the data processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module) that uniquely and unambiguously identifies the subscriber on the network constitute personal data, and their processing must be subject to data protection regulations.


In this case, it has been established that Vodafone issued a duplicate of the SIM card corresponding to the claimant’s mobile phone line and delivered it to an unauthorized third party, all without the knowledge or consent of the data subject and without any other legal basis to justify such processing of personal data.

Indeed, as has been explained, the alleged point of sale that requested the duplicate SIM card from Vodafone headquarters, on behalf of the claimant, did so by telephone through the internal store support channel. According to the protocol in effect at that time, the customer’s ID number and the telephone line number for which the request was being made were required.

The ICC number of the new SIM card was also required, information that is held by the agents contracted by Vodafone. Furthermore, the response to the referral states that the postal code of the store from which the duplicate was requested was required, even though the claimant later stated that it was not valid at the time of the incident. As recorded in the call record, the postal code was requested, and an invalid one was provided.

The investigation revealed no further verification by Vodafone’s central office to confirm that the request was actually made by the customer, nor any additional security measures. This suggests that the central office presumes that prior identification was carried out by the store staff handling the request. In this regard, the identity verification requirement stipulated in the protocols provided by the defendant is invalidated, since this verification is not performed by the central office when requested by the authorized store.

Furthermore, according to the information provided, the call made on behalf of the alleged store originated from the number ***TELÉFONO.3, which does not match the number listed in the documentation provided by the defendant for that establishment.

Furthermore, as previously stated, upon reviewing the recording of the duplicate request, processed by telephone, it was noted that the representative from the store did not provide a valid postal code to identify the store. The postal code provided was ***REFERENCE.1 and not ***REFERENCE.8, which would correspond to the physical store indicated by Vodafone. In this regard, the respondent states that postal code verification was not in effect at the time of the incident, although this measure was mentioned in the response to the transfer and reiterated later in response to another request. The request was ultimately processed after the caller provided a store identification username (…) that accredited them as authorized, along with the ICC number and customer data.

In this case, the result of these deficiencies or irregularities was that the defendant issued a duplicate SIM card to a third party who was not the line owner, calling into question the diligence employed on their part when carrying out the appropriate checks to verify the identity of the interested customer, as well as the legitimacy of the request.

In short, issuing a duplicate SIM card necessarily involves the processing of personal data, since it involves the SIM card number and the identity of the holder. This processing must comply with a legal basis that legitimizes it, as required by Article 6.1 of the GDPR, as does any communication of personal data to a third party, which also constitutes data processing and which, in this case, occurs with the delivery of the card to an unauthorized third party.

In this case, issuing the duplicate SIM card at the request of a third party without the involvement or consent of the holder constitutes a lack of a valid legal basis for said data processing.

Therefore, issuing the duplicate SIM card under these conditions and delivering it to a person other than the telephone line holder constitutes the processing of personal data without a legal basis and, consequently, an infringement of Article 6.1 of the GDPR, since it was carried out without complying with any of the legitimate grounds for such processing.

Based on the available evidence, it is considered that the conduct of the respondent violates Article 6.1 of the GDPR and constitutes the infringement defined in Article 83.5(a) of Regulation 2016/679.

In this regard, Recital 40 of the GDPR states:

“(40) For processing to be lawful, personal data must be processed with the data subject’s consent or on some other legitimate ground established in accordance with the law, whether in this Regulation or under other Union or Member State law to which this Regulation refers, including the need to comply with a legal obligation to which the controller is subject or the need to perform a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.”

V
Classification and Assessment of the Infringement

The infringement is classified under Article 83.5 of the GDPR, which defines it as follows:

“5. Infringements of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) The basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9.”

For the purposes of the statute of limitations for infringements, Article 72.1 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights) classifies the following as a very serious infringement, with a three-year statute of limitations:

(b) The processing of personal data without any of the conditions for lawful processing established in Article 6 of Regulation (EU) 2016/679 being met.


VI
Fine: Determination of the Amount

Determining the appropriate fine in this case requires compliance with the provisions of Articles 83.1 and 2 of the GDPR, which, respectively, stipulate the following:

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each individual case, effective, proportionate and dissuasive.”

“2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as an alternative to the measures provided for in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due consideration shall be given to:

(a) the nature, seriousness, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage they have suffered;
(b) the intent or negligence of the infringement;
(c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;
(e) any prior infringements committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
(g) the categories of personal data affected by the infringement;
(h) how the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;
(i) where the measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

Within this section, the LOPDGDD (Spanish Data Protection Law) stipulates in its Article 76, entitled
“Sanctions and Corrective Measures”:

“1. The sanctions provided for in paragraphs 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the criteria for determining the severity of the sanction established in paragraph 2 of said Article.

2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The ongoing nature of the infringement.
b) The connection between the infringer’s activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party’s conduct could have induced others to the commission of the infringement.
e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity.
f) The impact on the rights of minors.
g) The appointment of a data protection officer, when not mandatory.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where disputes arise between them and any data subject.

3. The remaining corrective measures referred to in Article 83.2 of Regulation (EU) 2016/679 may also be adopted, either as a complement or an alternative, where appropriate.”

In this case, considering the seriousness of the potential infringement, and paying particular attention to the consequences of its commission for those affected, a fine is warranted.

It is necessary to quantify the appropriate sanction, taking into account that the fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee these principles, the turnover of VODAFONE is considered beforehand, which amounted to €2,909,851,000 in the 2024 financial year.

First, the category of the infringement committed is taken into account,
which falls under the highest level of Article 83 of the GDPR, which the regulation sanctions with
the greatest severity in paragraph 5, punishing the conduct with a maximum fine of
€20 million or, in the case of a company, with a fine of an amount
equivalent to a maximum of 4% of its annual turnover. According to the aforementioned
provision, when establishing the maximum applicable amount, the higher of the two limits set by the regulation must be chosen.

In this case, since it concerns a company whose turnover in 2024 amounted to €2,909,851,000, the amount of the fine to be imposed will necessarily be between €0.00 and €116,396,040.

In accordance with the aforementioned provisions, for the purpose of determining the final amount of the penalty to be imposed in this case for the infringement of Article 6.1 of the GDPR for which VODAFONE is held responsible, as defined in Article 83.5.a) of the GDPR, the following factors are considered relevant:

1. The following circumstances are taken into account as determining factors of the severity of the infringement:

Article 83.2.a) of the GDPR: “the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage and loss suffered by them.”

Nature of the infringement:

Article 83.5 encompasses several different types of conduct. In this case, the infringed provision affects a fundamental principle of the right to the protection of personal data, as it underpins the legality of data processing and its violation entails a significant risk to the rights of data subjects.

In this case, VODAFONE’s conduct has directly caused the infringement of the legal interest protected by Article 6 of the GDPR, preventing its effective application and the objective it seeks to protect. The processing of personal data is carried out (i) without VODAFONE having any guarantee that the applicant for the duplicate SIM card is the true owner of the line and, therefore, of the personal data; and (ii) without having carried out any check to verify that the issuance of this duplicate was necessary for the provision of the services contracted by the claimant, who already had an active and functioning SIM card. As a result, the data in question has been processed without any legal basis to legitimize it.

Seriousness of the infringement:

Nature and purpose of the processing:

Assessing the seriousness of these aspects of the processing of personal data requires considering the context in which it takes place.

The data processing carried out in this case is for the purpose of issuing a SIM card, necessary for VODAFONE to provide the services contracted by its owner. If this card is requested by a third party and the entity does not fulfill its obligations to prevent this irregularity, the end result is the delivery of the card to a person not authorized to use it and, consequently, the possibility that a third party may access various information of the true cardholder, which can be used for fraudulent purposes. This is what happened in the present case, in which a third party used the fraudulently obtained duplicate SIM card to withdraw funds from the claimant’s bank accounts.

This is the phenomenon known as “SIM swapping,” widespread in the current context and well known to Vodafone. Once they gain access to the victim’s phone line, the third party has numerous options to impersonate them and access all kinds of personal accounts (messaging, email, social media, and any type of online account, including financial ones).

Given this context, the processing carried out by Vodafone, considering its nature and purpose, entails significant risks for the data subject. It cannot be overlooked that this data processing is carried out within the framework of the main and core business activity of the aforementioned operator, which is conducted for profit.

Scope of the Processing:

The assessed infringement is committed through the unlawful processing of the personal data of a single data subject, the complainant, as considered in the following grading factors.

However, it is important to consider that VODAFONE is a telecommunications company operating nationwide and that the infringement is a direct consequence of weaknesses in the mechanisms designed by VODAFONE for processing online SIM card replacement requests, and therefore, the risk this entails increases the number of potential victims.

The relationship between the infringement committed and the allocation of resources that can be required of VODAFONE to prevent this type of unlawful activity must be analyzed based on the actual risk and the circumstance of its nationwide scope of operations.

Number of Data Subjects:

The sanctioned infringement is a consequence of the unlawful processing of the personal data of a single data subject, the complainant.

The level of harm suffered by the complainant:

In accordance with Recital 75 of the GDPR, the level of harm suffered refers to physical, material, or non-material damages.

In this case, the harm suffered by the complainant cannot be considered marginal. On the one hand, the complainant was deprived of the service they had contracted with Vodafone, and on the other hand, they suffered bank fraud as a direct consequence of the infringement being sanctioned. This infringement, as stated, was committed not only through the data processing necessary to issue the duplicate SIM card, but also through the data processing consisting of communicating the complainant’s data to a third party, resulting from the delivery of the duplicate SIM card to said third party.

In cases like this, the data subject loses control of their personal data, and therefore the harm could persist for an indefinite period.

Article 83.2.b) of the GDPR: “Intentional or negligent infringement.”

VODAFONE’s conduct demonstrates gross negligence, due to a breach of the duty of care required by law, beyond what might be considered a neutral factor associated with the subjective element of culpability.


This conclusion is based on objective elements of VODAFONE’s conduct, obtained from all the factual circumstances detailed in the Legal Grounds preceding this report, especially in section 1 of Legal Ground II, which clearly show all the red flags that VODAFONE failed to consider when suspecting the irregularity of the SIM card replacement request it received from a supposed physical store belonging to a collaborating agent, which has not even been definitively identified by the company.

Among the circumstances observed in this case, the following stand out:

The SIM card replacement was supposedly processed from a physical store or using a physical store’s user password, which, according to the established protocol, should have contacted the Vodafone “Retail Support” department by telephone. However, Vodafone has not even definitively confirmed which “Vodafone store” was involved in the incident.

The person who called “Retail Support,” supposedly an employee of a physical store belonging to an agent, did not provide the necessary information to validate the SIM card replacement request.

The call was made from a phone line that did not belong to any Vodafone store, the company having no established mechanism for verifying this information.

The information that the person calling “Retail Support” must provide includes the ICC number of the card to be duplicated, although Vodafone does not know the serial numbers of the cards available in each store, which would have allowed them to associate the card with the point of sale and add another layer of assurance in verifying the legitimacy of the request.

Regarding the method of identifying customers requesting a duplicate SIM card, the established security policy contained no specific provision, nor did the agency agreement signed with the supposed intermediary agent, beyond verifying the identity document for new sign-ups.

VODAFONE had not made any arrangements to contact the complainant
to verify the legitimacy of the request it was receiving, nor to ascertain the
reason for requesting the duplicate card. Nor had it conducted any checks
to verify whether the complainant’s card was active or had any issues
that would justify the request for a duplicate.

Finally, it should be noted that the operator did not consider, when activating alerts for
potential fraud, that the request was being made from an autonomous community different from
the complainant’s place of residence.

The final consequence of all this was that VODAFONE validated the request, activated the SIM card, and delivered it to a third party without any conclusive evidence regarding the identity of the person who made the call or the person making the request, to ensure that the latter corresponded to the owner of the services and the personal data.
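As an added illustration, and not text from the resolution nor code from Vodafone’s systems, the following Python models the checks the AEPD lists above as absent or unenforced in a duplicate-SIM request flow (caller number matching the store, postal code, ICC belonging to the store’s stock, request region versus the holder’s residence, state of the existing SIM, and out-of-band confirmation by the line holder). Every store code, phone number, NIE and ICC value is constructed; nothing is a real identifier from the case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Store:
    """Retail point of sale allowed to call the internal support line (constructed data)."""
    user_code: str
    registered_phone: str      # number the store is expected to call from
    postal_code: str
    region: str
    sim_inventory: frozenset   # ICC numbers of blank SIMs assigned to this store


@dataclass(frozen=True)
class Subscriber:
    nie: str
    msisdn: str
    region: str                # region of residence on the customer record
    existing_sim_active: bool  # current SIM still registering on the network
    holder_confirmed: bool     # holder reached out of band and confirmed the request


@dataclass(frozen=True)
class DuplicateRequest:
    store_user_code: str
    caller_number: str
    postal_code: str
    customer_nie: str
    msisdn: str
    new_icc: str
    stated_reason: str         # e.g. "lost" or "damaged"; empty when none was given


@dataclass
class Decision:
    approved: bool
    flags: tuple               # empty when the request may be activated automatically


def evaluate_request(req, stores, subscribers):
    """Apply every control the decision says was missing; any flag blocks automatic
    activation and routes the request to manual review instead."""
    store = stores.get(req.store_user_code)
    if store is None:
        return Decision(False, ("unknown_store_user_code",))
    sub = subscribers.get(req.msisdn)
    if sub is None or sub.nie != req.customer_nie:
        return Decision(False, ("customer_identity_mismatch",))

    flags = []
    if req.caller_number != store.registered_phone:
        flags.append("caller_number_not_registered_to_store")
    if req.postal_code != store.postal_code:
        flags.append("postal_code_mismatch")
    if req.new_icc not in store.sim_inventory:
        flags.append("icc_not_in_store_inventory")
    if store.region != sub.region:
        flags.append("request_region_differs_from_residence")
    if sub.existing_sim_active and not req.stated_reason:
        flags.append("existing_sim_active_no_reason_given")
    if not sub.holder_confirmed:
        flags.append("line_holder_not_contacted")
    return Decision(approved=not flags, flags=tuple(flags))


# Constructed reference data (placeholder store, numbers, NIEs and ICCs).
STORES = {
    "TIENDA-0001": Store("TIENDA-0001", "+34910000001", "28001", "Madrid",
                         frozenset({"8934000000000000001", "8934000000000000002"})),
}
SUBSCRIBERS = {
    "+34600000001": Subscriber("X0000000T", "+34600000001", "Andalucia", True, False),
    "+34600000002": Subscriber("Y0000000Z", "+34600000002", "Madrid", False, True),
}

# Shape of the request in the case: valid store code, matching NIE and line,
# but wrong caller number, wrong postal code, unknown ICC, other region,
# active existing SIM with no reason, and the holder never contacted.
INCIDENT_LIKE_REQUEST = DuplicateRequest(
    "TIENDA-0001", "+34660000099", "08001", "X0000000T",
    "+34600000001", "8934000000000000099", "")

# A request that passes every control: store calls from its own number,
# uses its own stock, and the holder confirmed a lost-phone replacement.
LEGITIMATE_REQUEST = DuplicateRequest(
    "TIENDA-0001", "+34910000001", "28001", "Y0000000Z",
    "+34600000002", "8934000000000000001", "lost")

if __name__ == "__main__":
    for label, req in (("incident-like", INCIDENT_LIKE_REQUEST),
                       ("legitimate", LEGITIMATE_REQUEST)):
        print(label, evaluate_request(req, STORES, SUBSCRIBERS))
```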

Also related to the degree of diligence that VODAFONE is obliged to exercise in complying with the obligations imposed by data protection regulations, we can cite the ruling of the National High Court (SAN) of October 17, 2007. Although it was issued before the GDPR came into effect, its pronouncement is perfectly applicable to the case that we are analyzing. The ruling, after noting that entities whose activities involve the continuous processing of customer and third-party data must maintain an appropriate level of diligence, specified that “(…) the Supreme Court has consistently held that negligence exists whenever a legal duty of care is disregarded, that is, when the offender does not act with the required diligence. And in assessing the degree of diligence, special consideration must be given to the professional status of the individual, and there is no doubt that, in the case now under examination, given the appellant’s constant and extensive handling of personal data, the rigor and meticulous care must be emphasized to comply with the relevant legal requirements.”

Article 83.2.g) of the GDPR: “the categories of personal data affected by the infringement.”

Apart from the personal data whose processing is necessary for issuing the duplicate card, the evident risks cannot be overlooked that delivering this duplicate to a third party could allow them access to special categories of data or other sensitive information, such as the complainant’s financial information, as demonstrated in this case.

2. The following factors are considered aggravating circumstances:

Article 83.2.d) of the GDPR: “the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures implemented pursuant to Articles 25 and 32.”

The aforementioned provisions, both Article 25 and Article 32 of the GDPR, oblige the responsible entity to take into account “the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity of processing for the rights and freedoms of natural persons” when implementing appropriate technical and organizational measures to ensure the effective application of the principles of data protection, in this case, the principle of lawfulness of processing, and to guarantee a level of security appropriate to the risk.

In light of these provisions, the actions taken by Vodafone have proven to be clearly ineffective and insufficient. They fall far short of the possibilities offered by current technical developments and fail to consider the evident risk that the provision of its services poses to the rights and freedoms of individuals.

In this regard, its high volume of business means that the level of demand in terms of incorporating the tools and functionalities that the state of the art offers at any given time is high.

The weaknesses already expressed regarding Vodafone’s establishment of a security policy to prevent the impersonation of its customers, in order to guarantee the principle of lawfulness in data processing, call into question the robustness of the measures adopted under Articles 25 and 32 of the GDPR, which aggravates its conduct in this specific case.


Thus, it can be concluded that the infringement has systemic implications and, therefore,
may affect, even at different times, additional data subjects who have not
filed complaints with this supervisory authority.

Article 83.2.k of the GDPR in conjunction with Article 76.2(b) of the LOPDGDD:

“The connection between the infringer’s activity and the processing of personal data.”

The activity of the allegedly infringing entity is linked to the processing of personal data of both clients and third parties. The processing of personal data is essential to the activity carried out by the defendant, making the significance of the conduct that is the subject of this complaint undeniable. Furthermore, the data processing for which the sanction is imposed is carried out in the course of the defendant’s main activity.

This circumstance, in general, constitutes an aggravating factor. This has also been the view of the National Court in its Judgment of September 13, 2024, which states: “In the case at hand, the appellant achieved a turnover exceeding 46 million euros in 2018 and has more than 600 employees.

Therefore, the imposed sanction cannot be considered disproportionate given the circumstances, taking into account its turnover and its connection to the processing of personal data, considering the number of employees and its activities.”

Based on the foregoing, and considering the requirement that the fine be effective, proportionate, and dissuasive, and with the aim of ensuring effective compliance with the GDPR and the LOPDGDD, the assessment of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, considered as a whole, with respect to the infringement committed by violating the provisions of Article 6 of the GDPR, allows for the imposition of an administrative fine of €150,000.00 (one hundred and fifty thousand euros).

Therefore, in accordance with applicable legislation and having assessed the criteria for determining the severity of the sanctions, the existence of which has been proven, the President of the Spanish Data Protection Agency resolves:

FIRST: To impose on VODAFONE ESPAÑA, S.A.U., with Tax Identification Number A80907397, for an infringement of Article 6.1 of the GDPR, as defined in Article 83.5 of the GDPR, a fine of €150,000 (one hundred and fifty thousand euros).

SECOND: To notify VODAFONE ESPAÑA, S.A.U., with Tax Identification Number A80907397, of this resolution.

THIRD: This resolution will become enforceable once the deadline for filing the optional appeal for reconsideration (one month from the day following notification of this resolution) has expired without the interested party having exercised this right.

The sanctioned party is advised that they must pay the imposed sanction once this resolution becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by depositing the fine, indicating the Tax Identification Number (NIF) of the sanctioned party and the procedure number shown in the heading of this document, into the restricted account IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), held in the name of the Spanish Data Protection Agency at CAIXABANK, S.A.

Otherwise, collection will be pursued during the enforcement period.

Upon receipt of the notification and once it becomes enforceable, if the enforceability date falls between the 1st and 15th of each month, inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the next business day thereafter. If the date falls between the 16th and the last day of each month, inclusive, the payment deadline will be the 5th of the second following month or the next business day thereafter.

In accordance with Article 50 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), this Resolution will be made public. Publication will take place once the resolution is final through administrative channels.

This resolution, which concludes the administrative process pursuant to Article 48.6 of the LOPDGDD, may be appealed. In accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, file an appeal for reconsideration with the Presidency of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly file an administrative appeal with the Administrative Chamber of the National Court, pursuant to the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the said Law.

Finally, it is noted that, in accordance with the provisions of Article 90.3 a) of the LPACAP, a
final administrative decision may be provisionally suspended if the
interested party expresses their intention to file an appeal with the Administrative Court.

If this is the case, the interested party must formally communicate this fact by submitting a written communication to the Spanish Data Protection Agency through the Agency’s Electronic Registry [https://sedeaepd.gob.es/sede-electronica-web/], or through one of the other registries provided for in Article 16.4 of Law 39/2015, of October 1. They must also provide the Agency with documentation proving the effective filing of the appeal with the Administrative Court.

If the Agency is not notified of the filing of the appeal within two months from the day following notification of this resolution, the provisional suspension will be terminated.

938-180725
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency

</pre>