Telefónica Móviles España, SAU
GDPR enforcement action by the Spanish Data Protection Authority (AEPD) on 2021-01-21.
Case details
- Authority: Spanish Data Protection Authority (AEPD)
- Date: 2021-01-21
- Controller / Processor: Telefónica Móviles España, SAU
- Sector: Media, Telecoms and Broadcasting
- Quoted Articles: Art. 6 (1) GDPR
- Type of violation: Insufficient legal basis for data processing
Summary
The Spanish DPA (AEPD) imposed a fine of EUR 75,000 on Telefónica Móviles España, SAU. The controller had assigned five telephone lines with five numbers to the data subject as part of a mobile phone contract. One of the numbers was used by her son. When he was no longer able to use the mobile data, he contacted the controller. The controller informed him that the mobile data had been deactivated because the number was no longer in his possession. It turned out that unauthorized third parties had pretended to be the data subject and had the number transferred to a third party, without the controller requiring authentication for the transfer. The unauthorized third parties had then requested and received a replacement SIM card under the pretense of an alleged loss or theft. As a result, the son's SIM card was blocked.