Italy

GFB One s.r.l.

90,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2023-09-14.

Rank · Sector

#118

of 369 in Media, Telecoms and Broadcasting

Rank · Italy

#86

of 543

Rank · All fines

#509

of 3,050

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2023-09-14
Controller / Processor: GFB One s.r.l.
Sector: Media, Telecoms and Broadcasting
Quoted Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 157 Codice della privacy
Type of violation: Insufficient legal basis for data processing

Summary

The Italian DPA has imposed a fine of EUR 90,000 on GFB One s.r.l.. An individual had filed a complaint with the DPA because SIM cards were registered in their name, although they had never requested this. The individual had received two emails and an SMS notifying them that a Vodafone business, which belongs to the controller, had activated two SIM cards in their name.

The individual, after requesting the phone company to block the SIM cards, had reconstructed that the cards had been activated with a barely legible photocopy of their ID card. During its investigation, the DPA found that the controller had neither requested an original ID card for registration nor verified the legitimacy of the data. The controller also failed to inform the data subject how he had obtained the photocopies of his ID.

Open original source Links to the regulator's original publication or another source.