AEPD (Spain) - EXP202301160: Difference between revisions

AEPD - EXP202301160
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 6(1) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	14.12.2022
Decided:	08.05.2024
Published:
Fine:	200,000 EUR
Parties:	Vodafone Spain
National Case Number/Name:	EXP202301160
European Case Law Identifier:	n/a
Appeal:	Appealed - Confirmed AEPD EXP202301160
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	Ao

The DPA fined Vodafone Spain €200,000 for failing to implement safeguards which would have prevented the unauthorised delivery of a sim card to a third party.

English Summary

Facts

On the 14 December 2022, the data subject filed a complaint against Vodafone Spain with the Spanish DPA (AEPD). The data subject alleged that a third party, without his consent, requested and received a duplicate of his SIM card from Vodafone. The third party had logged in to the data subject’s account and requested the delivery of a duplicate sim card to an address different to the billing address. The third party as a result had access to the data subject’s personal data including his bank account information.

The controller argued that the third party accredited their fraudulent identity through correctly providing access credentials which were obtained through social engineering techniques. It argued that it cannot be expected to verify the identity of users who enter valid login details. Further, it stated that the logistics provider used for the delivery of the sim card verified the identity of the third party upon delivery by asking for an ID card. It submitted that the third party must have been in possession of a fake ID card and that as a controller it cannot be expected to prevent identity theft.

The controller could not provide proof of a signature by the third party nor the recording of an activation call necessary to use the sim card.

Holding

The AEPD held that the controller had failed to implement measures which prevent third parties from impersonating customers. As the controller handles personal data on a large scale, it should have had measures in place, which prevent impersonation of customers. Further, the controller must be able to demonstrate compliance to the lawful processing of data under Article 6(1) GDPR.

The AEPD stated that the controller could not prove that its security policy had been complied with as it could not provide a recording of the verification call nor the signature of the third party upon delivery.

Therefore, the AEPD concluded that the controller could not show that it had lawfully processed the personal data of the data subject under Article 6(1) GDPR. For this, it imposed a fine of €200,000 based on Vodafone Spain's annual turnover.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/28

 File No.: EXP202301160

SANCTIONING PROCEDURE RESOLUTION

From the procedure initiated by the Spanish Data Protection Agency and based

on the following:

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on December 14,
2022. The

claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, the respondent party or Vodafone). The reasons on which the claim is based are
the following:

The complainant states that a third party without his consent requested on December 2, 2022 a duplicate of his LOWI brand SIM card from Vodafone, which
did not comply with the security and data protection measures when delivering the
new SIM card to a third party, without correctly identifying him. As a result of
what happened, they had access to his personal data and his bank accounts,
making transfers and bizums, causing him serious harm. He states that he

contacted the defendant to find out about what happened and did not receive
a satisfactory response.

And, he provides the following relevant documentation:

Emails dated December 9 and 13, 2022 sent by the

complainant to the defendant's LOWI brand.

LOWI's response dated December 9, 20222.

Complaints filed with the Guardia Urbana of the L'Hospitalet City Council.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to the respondent party, so that it could proceed to analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was recorded on February 6, 2023, as

recorded in the acknowledgment of receipt in the file.

On March 16, 2023, this Agency received a response letter
indicating: << On December 1, 2022, the request for

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/28

a SIM duplicate was recorded from the claimant's private customer area, which
is accessed by email address or mobile phone number and the established
password. This request was made without any prior evidence of

unauthorized access to the customer area or unauthorized access to

customer data, with only two prior telephone calls to customer

services requesting a change in the customer's email address, linked to access to

their private area. This procedure could not be completed successfully as all the information provided for in Vodafone's

Security Policy to verify the caller's identity was not provided

correctly (in particular, checking the digits of the bank account linked to the contracted service). This does not imply, in principle,

any presumption of fraudulent or unrelated action by the service holder, but
simply leads to the impossibility of carrying out the requested procedure through that

channel. Vodafone has also not detected any unauthorized access by a third party to its internal systems or databases in which the complainant's data is stored, nor any other security incident that has led to the leakage of the complainant's data or passwords.

Consequently, the information regarding the complainant's email address/phone number and the password to access the complainant's private customer area did not occur as a result of a data leak in Vodafone's internal systems or as a consequence of negligent action by Vodafone's Customer Service agents.

If there had been illegal access to the private area, the alleged offender should have known or previously obtained the complainant's access credentials, which allowed him to access the private area and request a duplicate SIM card on the complainant's telephone line.

Thus, we understand that what happened is outside the scope of responsibility
of my client, since clients or interested parties have the responsibility to
properly safeguard their personal data and to establish a password with
sufficient robustness, and the
appropriate definition of the procedures, systems, controls and
security measures applicable depending on the criticality of the treatment that
ensure the correct identification of the owner of the personal data is only within the sphere of control of my client.

In the request for a SIM duplicate made from the private client area, a different postal address was provided as the delivery address
to the billing address.

Subsequently, the SIM duplicate was effectively delivered to the address indicated
on December 2, 2022, at 12:31 p.m. For said delivery, the
identification of the recipient was required, who in this case provided the name and surname and the
ID of the claimant, signing the delivery note as if he or she were the
claimant himself or herself.

Vodafone has been able to verify that various allegedly fraudulent actions were carried out on the mobile telephone line belonging to the complainant. Prior to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/28

the incident that is the subject of the complaint, on November 30, 2022, there were
two attempts to change the email address by telephone, supposedly to be able to access the private customer area.

However, this request was not carried out as it did not comply with the
Security Policy, insofar as the bank account digits provided by the
complainant in application of the Security Policy did not match the numbers in the internal
systems. Despite this, and despite not having obtained the
change of email address that would allow the caller to gain
access to the private customer area, a request for a duplicate SIM card was processed online, on December 1, 2022, through the private customer

area.

In view of the events that occurred, once the complainant became aware of the
reported events, on December 2, 2022, she contacted my
representative indicating that the previous actions had been carried out

supposedly without her consent, this being the first moment in which
Vodafone became aware of the facts subject to the complaint. In this regard, my
representative proceeded to carry out the appropriate investigations and actions in order to
resolve the incident that occurred. Therefore, after Vodafone verified that it was facing
actions that, despite having the appearance of truth, were fraudulent in nature;
proceeded to deactivate the fraudulent SIM card and manage the change of owner to

rectify this incident, activating additional security measures on the claimant's customer account
to avoid any further harm to the claimant.

Therefore, my client managed to resolve the incident that is the subject of the claim
effectively prior to the receipt of this request by
the Agency>>.

THIRD: In accordance with article 65 of the LOPDGDD, when a claim is submitted
to the Spanish Data Protection Agency (hereinafter, AEPD), the latter must assess its admissibility for processing, and must notify the
claimant of the decision on whether it is admitted or not admitted to processing, within three months from the date the claim was received by this Agency. If, after this period, such notification is not made, it will be understood that the processing of the claim continues in accordance with the provisions of Title VIII of the Law.

This provision also applies to the procedures that the AEPD
must process in exercising the powers attributed to it by other laws.

In this case, taking into account the above and that the claim was
submitted to this Agency on December 14, 2022, it is reported that your
claim has been admitted for processing on March 14, 2023, three months having passed since it was received by the AEPD.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, pursuant to the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/28

2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having knowledge of the following points:

Regarding the collection of the SIM card at home.

The respondent has been asked for documentation proving that he has verified the identity of the person who collected the duplicate SIM at the address, indicating that there is no signature on the delivery note provided, and therefore a reason for this or a copy of the signed document is requested. It is verified that the delivery note contains the literal "express mail".

In this regard, he indicates that he has carried out the appropriate investigations in order to
be able to provide the information requested and that his Security Policy applicable to the
duplicate SIM card requires verification of the identity of the recipient of the duplicate SIM of the telephone line, in order to confirm the identity of the client and avoid
fraudulent actions. He states that notwithstanding the above, after the investigations carried out, he has been able to verify that, in the present case and in an
extraordinary manner, he does not have proof of signature on the delivery note for the SIM card.

It does not provide documentary evidence of the type of delivery that was carried out in this case, nor
additional documentation on whether the contracted services include verification of the identity of the recipient as such. This identity verification is not mentioned in the
contract, which does mention, as an additional service if the contracted services so
include, the verification of the authenticity of the recipient's ID (by

checking for signs of falsification), and obtaining a copy of the ID, which is not provided. It does not provide documentary evidence of the additional contracting
of this service.

It also does not provide documentary evidence of having demanded as a client the
accreditation of receipt by recording the name and surname of the recipient

of the delivery and his ID together with the capture of his signature, stating in the contract that it is
carried out "in those cases in which the Client so demands".

About the request.

Documentation has also been requested to prove that the request for the duplicate SIM dated December 1, 2022 was made from the private area of the
customer.

The respondent party again states that it was made through said channel and provides

a printout of a record from the Information System in relation to an order dated
12/01/2022 at 1:23 p.m. where the complainant's data appears, the order being of the
type "SIM_SWAP" (SIM change) and listed as the "WEB" channel.

Regarding the activation of the duplicate SIM card.

A copy of the interaction/contact (screen print) has been requested that reflects the
passing of the security policy including all the notes of the telephone manager
in this regard. C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/28

The respondent party indicates that it does not have evidence to confirm the
passing of the full security policy by calling 121, stating that it does

not have the recording of the telephone procedure referred to as the recording of said call did not take place. Nor does it provide a copy of the contact where the passage of the security policy is reflected.

Contacts.

Vodafone has been asked for a list and details of all contacts maintained with
the complainant from 01/12/2022 to 06/12/2022, including the notes
made by the telephone/chat/etc. service managers and the reflection of the actions
undertaken by the entity on the occasion of each contact.

In its reply, Vodafone indicates the following contacts:

“There is a contact from 12/02/2022 in which the note “…WE RECEIVED AN
E-MAIL FROM 020_ INDICATING THAT THE SIM HAS BEEN DELIVERED// I CLOSED
E-MAIL AND RECORD”.

There is another contact from 12/04/2022 with a note that the customer has the
line blocked due to fraud, and that he sends documents by mail. There is a note
that the request is forwarded for review by the corresponding department and
that the customer is informed to wait for them to contact him”.

It does not provide further information on other actions carried out between these dates.

FIFTH: According to the report collected from the AXESOR tool, the entity
VODAFONE ESPAÑA, S.A.U. It is a large company established in 1994, with a
turnover of 2,928,817,000 euros in 2022.

SIXTH: On November 20, 2023, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against the respondent party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 6.1 of the GDPR, classified in

Article 83.5 of the GDPR.

SEVENTH: The aforementioned start agreement was notified electronically on November 29, 2023, in accordance with the rules established in the LPACAP, the respondent party requested an extension of the deadline and a copy of the file on November 30, 2023, and on December 1 of the same year, the instructor of the file agreed:
"to extend the deadline for making allegations up to a maximum of five days, which
should be computed from the day following the day on which the first period for allegations ends."

EIGHTH: On December 21, 2023, Vodafone submitted a written statement of allegations in which, in summary, it states: << the Agency understands that Vodafone
would have infringed article 6.1 of the GDPR by processing the personal data of the
complainant without her consent as a result of not adopting the appropriate measures

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/28

to prevent third parties from impersonating the complainant and
obtaining a duplicate of her SIM cards. In this regard, it should be noted that,
the data controller is subject to an obligation of means, not to an

obligation of results in the sense of understanding that any incident is a
breach of the duty to guarantee a level of security appropriate to the risk.

Therefore, the fact that a third party, by committing crimes, has
overcome Vodafone's security measures cannot automatically be inferred
that Vodafone has not been diligent in verifying the identity of customers and,

therefore, has not processed the personal data of the complainant in accordance with article 6.1
of the GDPR.

Vodafone may be accused of infringements only in respect of those data processing
and security measures for which it is responsible, that is, those

aimed at ensuring that the applicant for the duplicate SIM card is the owner of the
line; they are not (and cannot be) aimed at preventing identity theft
(forgery of the ID, for example) or at preventing access to bank accounts
through the application of the credit institution in question.

For the delivery of the SIM card, the carriers are instructed to only

deliver it to the service holder, signing the delivery note as

evidence and conclusion of the management. In any case, any modification in the
customer data associated with their shipping address will be linked to the
passing of the LOWI Security Policy. In this regard, it is important to highlight that my
representative has implemented a double identity verification process

during the processing of a SIM duplicate (i) through access to the My Lowi app and

(ii) at the time of delivery.

In this sense, Vodafone has contracted the exclusive delivery modality with the
transport agencies for the delivery of SIM cards. Under this delivery, the

carriers must verify that the person who collects the SIM card shipment is
the recipient of the same (holder of the mobile line in question). To do this, the
carrier will request a sample of the DNI/NIE, checking that the data
contained there matches the name of the holder to whom the package is addressed. Regarding this
process, the LOWI client is informed prior to delivery, warning him/her
of the obligation to have his/her DNI or NIE in order for the delivery to be
carried out correctly. Therefore, in the case at hand, the person in charge
of delivering the SIM card in question had the obligation to verify the identity of
the person who received it, checking that the identification data on his/her DNI matched
those of the shipment.

However, it is important to note that it is not possible to provide documentary evidence
that proves that the carrier requested the DNI or NIE, since to do so it would
be necessary to make a photocopy of the DNI or NIE of the interested party and store it. Therefore, my client has adopted a procedure in which
only a visual verification of the DNI or NIE is carried out at the time of

delivery and only in the event that the data matches that of the holder will the
duplicate SIM be delivered. As proof of this, the transport agent
notes the verification of the recipient's DNI on the delivery note,
noting his name and surname and DNI number as indicated below.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/28

Furthermore, if once a SIM card has been delivered, the client reports an incident
in its use or activation, in order to reduce the risk of fraud, the LOWI Security Policy

stipulates that the identity of the applicant will be verified, in accordance with the provisions
in said Policy in order to overcome it, and the correct assignment of the SIM card in the LOWI
systems. In the event of any anomaly, if the request is made in person at another establishment, the authorized distributor's establishment must inform you that the procedure must be carried out at the same establishment where the duplicate was requested.

In addition, to reduce the risk of any fraudulent activity, Vodafone continually reviews and
improves its Security Policy and the actions of its authorized agents and
distributors.

To this end, they indicate below the changes made to the LOWI Security Policy
in relation to the procedure for changing SIM cards in 2019, in March
2022 and point out that, to avoid this type of scam, they are working to protect their
customers.

On the other hand, they point out that since August 2023, a double-factor authentication mechanism with OTP has been implemented for all LOWI customers and they have implemented deterrent measures, such as sanctions for agents for
failing to comply with the policies and processes established and communicated by Vodafone and that the Vodafone Group has developed a solution called "Vodafone Identity Hub
(VIH)", and they state the actions carried out by Vodafone once a fraudulent SIM change has been detected.

Thus, Vodafone has carried out the SIM card change because the applicant has proven
(fraudulently) his identity by correctly providing the access credentials, having obtained the personal data of the victims

through social engineering techniques. To expect Vodafone to prove the identity of
the applicants once they have validly provided their username and
password is a kind of diabolical test that cannot be required of Vodafone.

Alternatively, and in the event that the Agency understands that Vodafone has
infringed article 6.1 of the GDPR, the existence of culpability cannot be
considered in the infringements imputed to Vodafone and, consequently, no sanction can be imposed on
the same.

Alternatively, in the event that this Agency understands that Vodafone has
infringed article 6.1 of the GDPR, no sanction can be imposed on
my client for the reasons that will be seen below. I. Vodafone has not acted
in a negligent manner, so no sanction can be imposed. Therefore, in the
case that the Agency understood that Vodafone's conduct constitutes the
infringement indicated in the Commencement Agreement, it is clear that there is no culpability in Vodafone's
conduct, either by way of intent or fault.

My client respectfully disagrees with the aggravating factors indicated in the Commencement
Agreement for the reasons set out below and for which he understands that
the sanction – if imposed – should be modulated downwards. I. Any previous infringement

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/28

committed by the controller or the person in charge of the treatment. It is relevant to highlight that
the sanctioning procedures to which the Agency refers to
support this aggravating factor; EXP202204287, EXP202203914 and EXP202203916. In

this sense, it is considered that these, as they are not analogous to the case analysed
in this sanction, should not be applied as an aggravating factor. II. The link between
Vodafone's activity and the processing of personal data.
Indeed, there is a link between Vodafone's activity and the
processing of personal data of its clients that it carries out to
correctly provide the contracted services and to attend to the requests and petitions
that they make. The Agency refers to the existence of imprudence when
a data controller does not behave with the required diligence, and
the rigour and exquisite care must be insisted upon in order to comply with the legal
precautions in this regard. Proof of the special care and caution applied in the processing of personal
data carried out by my client are all the security measures
implemented and detailed in the First Allegation, in addition to the continuous
review of its policies and compliance with them. Therefore, this factor should not
be taken into account as an aggravating factor when graduating the sanction.

In addition, we understand that the following
mitigating factors should also be taken into consideration: I. Vodafone proceeded to resolve the incident that is the subject of the claim
effectively as soon as it became aware of the facts (art. 83.2 c of the GDPR). As stated, the duplicate SIM was delivered on December 2, 2022 at
12:31 p.m. However, immediately after the complainant
contacted Customer Service, the duplicate SIM was blocked by the Fraud Department, specifically on the same day, December 2,

2022 at 2:56 p.m. In this regard, a screenshot is attached
of the internal systems of my client where the blocking of the duplicate SIM in question is recorded. Likewise, the Fraud Department proceeded to activate the fraud victim check in Vodafone's internal systems, including the complainant's personal data in the fraud group and in Vodafone's prevention files, activating additional security measures on her data to prevent a similar case from occurring in the future.

II. The degree of responsibility of the data controller, taking into account the technical or organizational measures that they have applied pursuant to articles 25 and 32 of the GDPR. As explained, Vodafone has implemented technical and organizational measures appropriate to the risk generated by my client, that is, aimed at ensuring that the person requesting the duplicate or change of a SIM card is the owner of the line.

III. The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement. My client
also understands that his degree of cooperation with the Agency during the
preliminary inspection actions has been high.

IV. Any other aggravating or mitigating factor applicable to the circumstances of the case,

such as the financial benefits obtained or the losses avoided, directly or
indirectly, through the infringement Vodafone has not obtained any type of
benefit or avoided losses as a result of the fraudulent duplication of SIM cards, but
quite the contrary. In this sense, the criminal activity carried out by the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/28

scammers and cybercriminals has also caused reputational damage to my

client and a fraud in its security policies. By virtue of all the above, I request that you consider this document and all the accompanying documents to be submitted and, accordingly, consider the statements contained therein to have been made and, after the appropriate procedures, agree: 1) The
dismissal of the file with the consequent archiving of the proceedings, as none of the imputed violations have been committed. 2) Alternatively, that in the event that any sanction is imposed, it be imposed in a minimum amount, in light of the
mitigating circumstances indicated in this document>>.

NINTH: On January 15, 2024, the instructor of the procedure agreed
to carry out the following tests: “1. The claim filed by A.A.A. is reproduced for evidentiary purposes. and its documentation, the documents obtained and
generated during the admission phase of the claim, and the report of
preliminary investigation actions that are part of the procedure

AI/00092/2023. 2. Likewise, the
allegations to the agreement to initiate the referenced sanctioning procedure,
presented by VODAFONE ESPAÑA, S.A.U., and the documentation that accompanies them, are reproduced for evidentiary purposes.

TENTH: On January 31, 2024, Vodafone, within the period granted in the

evidence period, makes the following allegations: <<Vodafone requires its
logistical partner to verify the identity of the person to whom it delivers the
duplicate SIM. It is important to note, as my client has pointed out in the
allegations presented to the Start Agreement, that Vodafone adopts robust and
effective technical and organizational measures appropriate to guarantee a level of
security appropriate to the risk associated with each of the procedures requested by its

customers. In the event that the interested party wants to request a duplicate SIM through
the My Lowi app, they must prove their identity by correctly providing the user (the
contact email address, or the contracted telephone number) and the password.

Likewise, with regard to the delivery process of the SIM duplicate, Lowi requires
its logistics partner, in this case Correos Express, to carry out the

delivery of said duplicate using an “exclusive delivery” mechanism, that is,
the person who collects the duplicate must prove their identity by
providing their ID, NIE or passport to the carrier, who will carry out a visual
verification to check that the data collected there matches that of the person to whom the package is addressed.

In this regard, it is necessary to clarify that all shipments of SIM duplicates that
are made by Vodafone follow an exclusive delivery method, which is
internally specified in the systems of my representative, as well as in the shipping order for the carrier with the number 89, which
means exclusive delivery. Therefore, if in the shipment record the delivery method is identified with said

number, it will be carried out using this method.

With regard to the case that motivates this Start Agreement, my client has
verified in its internal systems that the delivery of the duplicate SIM, which was
made without the claimant's consent, was categorized as "89 Delivery

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/28

Exclusive", so the carrier had to request the ID from the person receiving it,
performing a visual verification of the document and verifying that the
information contained therein coincided with that of the owner, the claimant.

In this regard, a screenshot of Vodafone's internal systems is attached.
Therefore, the fraudster must have had the claimant's ID, since
otherwise the delivery of said duplicate SIM would not have occurred as it did
not exceed the Security Policy set by Lowi. In this regard, the fact that a third party, by committing crimes, has overcome Vodafone's security measures cannot automatically lead to the conclusion that Vodafone has not been diligent in verifying

the identity of customers and, therefore, has not processed the personal data of the complainant in accordance with article 6.1 of the GDPR.

Likewise, it should be noted that my client sends periodic reminders
to the transport company with which it collaborates in order to emphasize the duty of its carriers to follow the exclusive delivery method in all those shipments that
have been categorized with the rating of 89.

On this point, a screenshot of an example of them is attached.

By virtue of all the above, I request the Spanish Data Protection Agency to
consider this document submitted, to accept it, and, by virtue thereof, to consider
the statements contained therein made and the procedure granted for the
pertinent purposes>>.

ELEVENTH: On February 7, 2024, the instructor of the file issued the
proposed resolution and was electronically notified on the 14th of the same month and
year and in it it was proposed: "that the Director of the Spanish Data
Protection Agency sanction VODAFONE ESPAÑA, S.A.U., with NIF
A80907397, for an infringement of Article 6.1 of the GDPR, classified in Article
83.5.a) of the GDPR, with a fine of €200,000 (two hundred thousand euros)".

TWELFTH: On February 14, 2024, Vodafone requested an extension of the
deadline to submit objections to the resolution proposal and on the 17th of the
same month and year it was granted and on March 6, 2024 it submitted a written objection in which, in summary, it stated that: << Vodafone refers in its entirety to the Objections to the Commencement Agreement.

For the delivery of the SIM duplicate, Vodafone has contracted an exclusive delivery

service with the transport company collaborating with this entity.

(i.) Regarding the delivery of the SIM card to an address other than the billing address.

As my client has made clear in the previous objection, the
duplicate of the card is requested through the private area of the claimant, that

is, the fraudster has previously provided the username and password established
by the claimant correctly. With this, the fraudster, impersonating the
identity of the claimant, without my client being able to identify that it was
a third party other than her, was able to request the duplicate and send it to the address

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/28

that she wanted after having previously accredited her identity. Consequently,
this cannot be understood as a violation of Vodafone's Security Policy, since having correctly provided the unique and

non-transferable credentials of the claimant, from the private area of the My Lowi app a duplicate SIM can be
requested with an address other than the billing address. (ii.) On the other
hand, this Agency indicates that the delivery note for the duplicate SIM is not
signed. On this point, it should be clarified that the delivery note for the duplicate SIM, which was provided by my client as Document number 1 of the allegations presented on March 16, 2023 to this Agency, is correctly signed.

In this regard, Correos Express, the transport entity that, as this Agency already knows, was used to deliver the duplicate SIM that is the subject of this initiation agreement, has implemented a signature process in which the carrier, as indicated, must request the DNI or NIE of the person who collects it, carry out a visual verification of it, checking that the information collected there matches that of the person to whom the package is addressed and, if so, proceed with the delivery.

As proof of this, you must enter the name and surname, as well as the DNI or NIE number on the delivery note itself electronically through the digital tablet provided to the transport agents. In this regard, it is important to
note that the carrier had no prior knowledge of the DNI or NIE number of the owner of the package until it had requested the DNI or NIE of the person to whom it was
delivering it. As can be seen in the following screenshot of the delivery note
of the SIM duplicate in question, the signature section correctly
shows the name and surname of the claimant, as well as her DNI number,
information that could only be completed once the carrier verified the DNI of the owner, this information not being pre-filled in any way.

(iii.) Regarding the type of delivery carried out for the shipment of the SIM duplicate that motivates the
present resolution to the Commencement Agreement, as my representative referred to this
Agency after the open trial period, an exclusive delivery method was followed
through which the transport company Correos Express had to verify the
identity of the recipient. Referring again to the evidence provided on January 31, 2024, it can be seen that, in Vodafone's internal systems,

used to manage shipments, the shipment of the SIM duplicate requested through the claimant's private area is classified as number "89: Exclusive
Delivery", and whose screenshot is again sent below. The entity
that I represent has contracted with the logistics operator CEVA Logistics
("CEVA"), an exclusive delivery service by which it is established that all

shipments classified internally by Lowi with the number 89 must follow an exclusive delivery method. CEVA works with different transport companies
for the delivery of these duplicates, in this case Correos Express, and transfers and
identifies the deliveries that must follow an exclusive delivery method.

The exclusive delivery method establishes that the carrier must request the recipient's ID, enter their ID number in the shipment management system to which they have access, and that they will automatically verify that the data provided matches those registered in the shipment order, that is, those of the owner. If the data does not match, delivery cannot be made. Therefore, in this case, the carrier had to verify the identity of the recipient of the duplicate SIM, requesting their ID and entering the data contained therein in the shipment management system, which automatically verified that their data matched those registered in the shipment order sent by my representative. In this regard, my client provides the certificate issued by CEVA, which
states how Vodafone has contracted the exclusive delivery service with this company, and which specifies that: This certificate is provided as
Document number 1. Likewise, it should be noted that my client sends

periodic reminders to the transport company with which it collaborates in order to
emphasize the duty of its carriers to follow the exclusive delivery method in
all those shipments that have been categorized with the rating of 89.

On this point, a screenshot of an example of them is attached. For all

this reason, my client cannot agree with what this Agency has stated,
since as it has shown on this and previous occasions, it has implemented
all the necessary measures to guarantee that the duplicate SIM is delivered to the
owner of the line. However, if a third party has all the necessary data
to impersonate a customer, including the access credentials to the customer's private area, my client cannot be accused of a lack of diligence when

verifying the identity of the claimant.

Vodafone may be accused of violations only in relation to those data processing and
security measures for which it is responsible, that is, those
aimed at ensuring that the applicant for the duplicate SIM card is the owner of the
line; they are not (and cannot be) aimed at preventing identity theft
(forgery of the DNI, for example) or at preventing access to bank accounts
through the application of the credit institution in question.

Alternatively, and in the event that the Agency understands that there has been an infringement

and a sanction must be imposed on Vodafone, the following
aggravating and mitigating circumstances must be taken into account.

I. Any previous infringement committed by the controller or the person in charge of the processing
It is important to highlight that the sanctioning procedures to which the Agency refers
to justify this aggravating circumstance; EXP202204287, EXP202203914 and

EXP202203916, relate to Vodafone customers who are not customers of the
Lowi brand and whose SIM duplicates were processed through channels other than the one in the case
analyzed here, the Mi Lowi app. In this sense, it is considered that these, as they are not
analogous to the case analyzed in this sanction, should not be applied as an
aggravating circumstance.

II. The link between Vodafone's activity and the processing of personal data Indeed, there is a link between Vodafone's activity and the processing of its clients' personal data, which it carries out in order to
correctly provide the contracted services and to respond to the requests and

petitions that they make. The Agency refers to the existence of
imprudence when a data controller does not behave with the diligence
required, and must insist on the rigor and exquisite care to comply with the
legal provisions in this regard. Proof of the special care and caution applied in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/28

processing of personal data carried out by my client are all the
security measures implemented and detailed in the First Allegation,
in addition to the continuous review of its policies and compliance with them. Therefore,

this factor should not be taken into account as an aggravating factor when graduating the
sanction.
Regarding the mitigating factors not applied by the Agency when assessing the sanction:
I. Vodafone proceeded to resolve the incident that is the subject of the claim effectively
as soon as it became aware of the facts (art. 83.2 c of the GDPR), there being no
continuous nature in the illicit treatment and no procedure to regularize the
irregular situation in a diligent manner.

As stated, the duplicate SIM was delivered on December 2,
2022 at 12:31 p.m., however, immediately after the complainant
contacted the Customer Service, the duplicate SIM was

blocked by the Fraud Department, specifically on the same day, December 2, 2022 at 2:56 p.m.

In this regard, a screenshot of the internal systems of my client is attached, where the blocking of the duplicate SIM in question is recorded. Likewise, the Fraud Department proceeded to activate the fraud victim check in

Vodafone's internal systems, including the personal data of the claimant
in the fraud group and in Vodafone's prevention files, activating
additional security measures on her data to prevent a similar case from occurring in the future.

II. The degree of responsibility of the data controller, taking into account the
technical or organizational measures that they have applied pursuant to articles 25 and 32
of the GDPR As set out in the First Allegation of this document,
Vodafone has implemented appropriate technical and organizational measures for the
risk generated by my client, that is, aimed at ensuring that the person requesting the

duplicate or change of a SIM card is the owner of the line. Therefore, following
the provisions of art. 45.4 i) of Organic Law 15/1999, of December 13, on
Protection of Personal Data, my client has proven that "prior to the facts constituting the infringement, the accused entity had
implemented appropriate procedures for action in the collection and processing of
personal data, the infringement being the result of an anomaly in
the operation of said procedures not due to a lack of diligence
required of the infringer."

III. The degree of cooperation with the supervisory authority in order to remedy
the infringement and mitigate the possible adverse effects of the infringement In this regard,

inform the Agency that Vodafone has indeed put in place measures to remedy and
mitigate the possible adverse effects of the fraudulent practice of SIM duplicates.
To indicate otherwise would be to disregard the fact that Lowi, as has been indicated, is in a constant process of updating and revising its
Security Policy, implementing new measures and controls that seek to

reduce as much as possible the risk inherent in the data processing it carries out.

IV. Any other aggravating or mitigating factor applicable to the circumstances of the case,
such as the financial benefits obtained or the losses avoided, directly or

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/28

indirectly, through the infringement Vodafone has not obtained any type of
benefit or avoided losses as a result of the fraudulent duplication of SIM cards, but
quite the opposite.

Requests: 1) The dismissal of the case with the consequent archiving of the
actions, as none of the imputed infringements have been committed and the existence of guilt cannot
be assessed. 2) Alternatively, that if any penalty is imposed, it should be imposed in a minimum amount, in light of the
mitigating circumstances indicated in this document.>>

From the actions carried out in this procedure and the documentation
in the file, the following have been proven:

PROVEN FACTS

FIRST. - The file shows that on December 1, 2022, a third party requested
a duplicate SIM card from Lowi, a Vodafone brand, through access to the claimant's private area and that the third person provided an address other than the one
that appeared in Vodafone's registry for the claimant's billing to
deliver the order for the duplicate SIM card.

SECOND. - The file shows that the duplicate SIM card was delivered on December 2, 2022, to the postal address provided by the third party.

THIRD. - Vodafone acknowledges in its letter dated March 16, 2023 that it has
been able to verify that it does not have the evidence to confirm the passage of the
security policy, nor the evidence to confirm the passage of the complete
security policy by calling 121, to activate the SIM card,
stating that it does not have the recording of the telephone procedure referred to as

the recording of said call did not take place.

FOURTH. - The file shows that previously on November 30,
2022, there were two attempts to change the email address by
phone, supposedly to be able to access the private customer area of the
complainant, said request was not carried out as it did not pass the Security Policy.

BASIS OF LAW

I

Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure. C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/28

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency shall be governed by the provisions

of Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures.”

II

Response to the allegations presented

The respondent party states that the issuance of duplicate SIM cards is not
sufficient to carry out banking operations on behalf of the holders; indeed,
to complete the scam, it is necessary for a third party to “impersonate” the holder of the data
before the financial institution. This leads, a priori, to a treatment outside the principle of legality, since a third party is processing data, since it has access to them, without any legal basis, in addition to the violation of other principles, such as confidentiality.

For this reason, this is a process in which the diligence provided by the operators is essential to avoid this type of scam and violation of the GDPR.
Diligence that translates into the establishment of adequate measures to guarantee that the data processing is in accordance with the GDPR.

The same considerations are deserved by the actions of the banking entities that provide payment services, in whose scope this type of scam begins, since the third party has access to the credentials of the affected user and impersonates him.

As these entities are responsible for the processing of their clients' data, they are subject to the same obligations as those indicated up to now for operators regarding compliance with the GDPR and the LOPDGDD, and also those derived from Royal Decree-Law 19/2018, of November 23, on payment services and

other urgent measures in financial matters.

In this regard, it should be noted that the SIM card is inserted into the mobile terminal. It is a smart card, in physical format and small in size, which
contains a chip in which the subscriber's service key is stored, used to identify himself to the network, that is, the client's mobile telephone line number MSISDN (Mobile Station Integrated Services Digital Network), as well as the subscriber's personal identification number IMSI (International Mobile Subscriber Identity), but it can also provide other types of data such as information on the telephone list or the list of calls and messages.

On the other hand, the issue of a duplicate SIM card involves the processing of the personal data of its holder, since any person whose identity can be determined, directly or indirectly, in particular by means of an identifier (Article 4.1) of the GDPR) will be considered an identifiable natural person.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/28

Therefore, the SIM card identifies a telephone number and this number in turn identifies its holder. In this sense, the judgment of the CJEU in case C-101/2001 (Lindqvist) of 6.11.2003, paragraph 24, Rec. 2003 p. I-12971: «The concept of

"personal data" used in Article 3, paragraph 1, of Directive 95/46
in accordance with the definition in Article 2, letter a) of the
Directive includes "all information relating to an identified or identifiable natural person". This
concept undoubtedly includes the name of a person together with his telephone number or
other information relating to his working conditions or his hobbies».

In short, both the data processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module) that uniquely and unambiguously identifies the subscriber on the network are personal data, and their processing must be subject to data protection regulations.

As regards Vodafone's responsibility, it should be noted that, in general,

Vodafone processes its customers' data under the provisions of Article 6.1 b)
of the GDPR, as processing is considered necessary for the execution of a contract
to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject. In other cases, it bases the lawfulness of the processing on the bases
provided for in Article 6.1.a), c), e) and f) of the GDPR.

For this reason, this is a process in which the diligence provided by the operators is essential to avoid this type of scam and violations of the GDPR.
Diligence that translates into the establishment of adequate measures to guarantee
that the person who hires is who he claims to be and that appropriate

measures are implemented and maintained to comply with the principle of legality.

The Constitutional Court pointed out in its Judgment 94/1998, of May 4, that we are faced
with a fundamental right to data protection by which the person is
guaranteed control over his data, any personal data, and

over its use and destination, to avoid illicit trafficking of the same or harmful to the
dignity and rights of those affected; in this way, the right to data protection is configured as a right of the citizen to oppose
certain personal data being used for purposes other than that which justified
its obtaining.

For its part, in Judgment 292/2000, dated November 30, it considers it as an
autonomous and independent right that consists of a power of disposition and
control over personal data that empowers the person to decide which of these
data to provide to a third party, be it the State or an individual, or which this
third party may collect, and that also allows the individual to know who possesses these
personal data and for what purpose, being able to oppose such possession or use.

As for Vodafone's conduct, it is considered that it responds to the title of fault.

As a large-scale depository of personal data, therefore, accustomed
or specifically dedicated to the management of the personal data of customers, it must be especially diligent and careful in its treatment. That is,

from the perspective of fault, we are faced with a surmountable error since with the
application of the appropriate technical and organizational measures, these identity thefts
could have been avoided.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/28

It is recital 74 of the GDPR that states: The responsibility of the controller for any processing of personal data carried out by the controller or on its behalf must be established. In particular, the controller must be required to implement appropriate and effective measures and must be able to demonstrate the compliance of the processing activities with this Regulation, including the effectiveness of the measures. Those measures must take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons. Recital 79 also states: The protection of the rights and freedoms of data subjects and the accountability of controllers and processors, including with regard to supervision by supervisory authorities and the measures taken by them, require a clear attribution of responsibilities under this Regulation, including in cases where a controller determines the purposes and means of processing jointly with other controllers, or where processing is carried out on behalf of a controller.

Vodafone also requests, on a subsidiary basis, that this Agency agree to the closure of the procedure on the grounds of a lack of culpability.

The principle of guilt governs administrative sanctioning law (article 28
of Law 40/2015, on the Legal Regime of the Public Sector, LRJSP), so the
subjective or guilt element is an indispensable condition for sanctioning liability to arise. Article 28 of the LRJSP, “Liability”, states:

“1. Only natural and legal persons may be sanctioned for acts constituting an administrative infringement, as well as, when a Law recognizes their capacity to act, groups of affected persons, unions and entities without legal personality and independent or autonomous assets, who are responsible for them by virtue of intent or fault.”

In light of this precept, sanctioning liability may be required by virtue of intent or fault, with mere failure to observe the duty of care being sufficient in the latter case.

The Constitutional Court, among others, in its STC 76/1999, has declared that administrative sanctions are of the same nature as criminal sanctions, being one of the manifestations of the State's ius puniendi, and that, as a requirement derived from the principles of legal certainty and criminal legality enshrined in articles 9.3 and 25.1 of the CE, their existence is essential to impose them.

Regarding the culpability of the legal person, it is appropriate to cite STC 246/1991, 19 December 1991 (F.J. 2), according to which, with respect to legal persons, the subjective element of guilt must necessarily be applied differently than with respect to natural persons, and adds that "This different construction of the imputability of the authorship of the infringement to the legal person arises from the very nature of the legal fiction to which these subjects respond. They lack the

volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject. Capacity to infringe and, therefore, direct blame that
derives from the legal asset protected by the rule that is infringed and the need for
such protection to be truly effective [...]”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/28

The decision to close a sanctioning file may be based on the absence of the
element of guilt when the person responsible for the unlawful conduct has

acted with all the diligence that the circumstances of the case require.

In compliance with the principle of guilt, the AEPD has agreed on numerous
occasions to close sanctioning procedures in which the element of guilt of the offender was not present. Cases in which, despite the existence of
unlawful conduct, it had been proven that the person responsible had

acted with all the diligence required, so that no fault was found in his conduct. This has been the criterion maintained by the Administrative Litigation
Chamber, Section 1, of the National Court. The following judgments can be cited, as they are very
illuminating:

- SAN of April 26, 2002 (Rec. 895/2009) which states:
“Indeed, the existence of guilt cannot be affirmed from the result and this is
what the Agency does when it maintains that since the security measures were not prevented,
the result is guilt. Far from it, what should be done and is missing in the
Resolution is to analyze the sufficiency of the measures from the parameters of average diligence required in the data traffic market. Because if one acts with full

diligence, scrupulously fulfilling the duties derived from acting diligently, there is no reason to affirm or presume the existence of any fault.”

- SAN of April 29, 2010, Sixth Legal Basis, which, regarding a
fraudulent contract, indicates that “The issue is not to elucidate whether the appellant processed

the personal data of the complainant without her consent, but rather whether or not she used reasonable diligence when trying to identify the person with
whom she signed the contract.”

At this point, it is worth recalling what STC 246/1991 has

said regarding the culpability of the legal person: that it does not lack the
“capacity to infringe the rules to which they are subject”. “Capacity to
infringement [...] that derives from the legal asset protected by the rule that is infringed and the
need for such protection to be truly effective [...]”.

In connection with the above, it is necessary to refer to article 5.2. of the RGPD (principle of

proactive responsibility), according to which the data controller will be
responsible for compliance with the provisions of section 1 - for what is of
interest here, of the principle of legality in relation to article 6.1 of the RGPD - and able to
demonstrate its compliance. The principle of proactivity transfers to the data controller the
obligation not only to comply with the regulations, but also to be able to

demonstrate such compliance.

Opinion 3/2010, of the Working Party on Article 29 (WP29) -WP 173- issued
during the validity of the repealed Directive 95/46/CEE, but whose reflections are
applicable today, states that the “essence” of proactive responsibility is

the obligation of the data controller to apply measures that, in
normal circumstances, guarantee that in the context of the processing operations the rules on data protection are complied with and to have
documents available that demonstrate to the interested parties and the Authorities of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/28

control what measures have been adopted to achieve compliance with the rules on data protection.

Article 5.2 is developed in Article 24 of the GDPR, which requires the controller to
adopt appropriate technical and organisational measures “to ensure and be able to
demonstrate” that the processing is in compliance with the GDPR. The provision states:

“Responsibility of the controller”
“1. Taking into account the nature, scope, context and purposes of the processing,

as well as the risks of varying likelihood and severity for the rights and
freedoms of natural persons, the controller shall implement appropriate
technical and organisational measures to ensure and be able to demonstrate that the
processing is in compliance with this Regulation. These measures shall be reviewed and
updated when necessary.

2.When they are proportionate in relation to the processing activities, the
measures referred to in paragraph 1 shall include the implementation, by the controller, of appropriate data protection policies. 3. Adherence to codes of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to Article 42 may be used
as elements to demonstrate compliance with the obligations by the controller.”

Article 25 of the GDPR, “Data protection by design and by default”,
states:
“1.Taking into account the state of the art, the cost of implementation and the nature,

scope, context and purposes of processing and the risks of varying likelihood and
severity that the processing entails for the rights and freedoms of natural
persons, the controller shall, both when determining the means of processing and at the
time of the processing itself, implement appropriate technical and
organisational measures, such as pseudonymisation, designed to
effectively implement the data protection principles, such as data minimisation, and
integrate appropriate safeguards into the processing, in order to comply with the requirements of
this Regulation and protect the rights of data subjects.
2.[...]”.

The Supreme Court's decision of 17 October 2007 (rec. 63/2006) is fully applicable to the case, which,

after referring to the fact that entities whose activity involves
continuous processing of client and third party data must observe an
adequate level of diligence, states: "[...] the Supreme Court has understood that
there is imprudence whenever a legal duty of care is disregarded, that is,
when the offender does not behave with the required diligence. And in assessing the

degree of diligence, the professionalism or otherwise of the subject must be especially considered,
and there is no doubt that, in the case now examined, when the activity of the
appellant is one of constant and abundant handling of personal data, the rigor and exquisite care to comply with the legal provisions in this
regard must be insisted upon."

III

Unfulfilled obligation

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/28

The respondent party is charged with committing an infringement for violating
Article 6 of the GDPR, “Lawfulness of processing”, which indicates in its section 1 the
cases in which the processing of third party data is considered lawful:

“1. The processing will only be lawful if at least one of the following

conditions is met:

a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party
is a party or for the application at the request of the latter of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the
data controller;

(d) the processing is necessary to protect the vital interests of the data subject or of another
natural person;

(e) the processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the controller;

(f) the processing is necessary for the purposes of the legitimate interests pursued
by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the
data subject which require protection of personal data, in particular where the
data subject is a child. The provisions of point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their
tasks.”

In the present case, it is proven first of all that the request for a duplicate SIM card was made through the private area of the complainant and it was indicated
in said request that the SIM card be sent to a postal address other than the billing address.

Furthermore, the respondent party does not have evidence to confirm the passage of the full security policy by calling 121 to activate the SIM card once it was delivered to the third party, stating that they do not have the recording of the telephone procedure referred to as the recording of said call did not take place, nor do they provide a copy of the contact where the passage of the security policy is reflected.

In this way, the respondent party provided a duplicate of the SIM card of the claimant's line, without her consent and without verifying the identity of said third party, who,
has accessed information contained in the mobile phone. Thus, the respondent did not

verify the identity of the person who requested the duplicate SIM card, did not verify the
identity of the person who was activating said duplicate SIM card, that is, did not
take the necessary precautions to prevent these events from occurring.

It should be noted that, as Vodafone acknowledges in its letter dated March 16, 2023: <<Vodafone has been able to verify that various

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/28

allegedly fraudulent actions were carried out on the mobile telephone line belonging to the

complainant. Prior to the incident that is the subject of the complaint, on November 30, 2022, there were two attempts to change the email address by telephone,

supposedly to be able to access the private customer area.

However, this request was not carried out as it did not comply with the

Security Policy, since the bank account digits provided by the

complainant in application of the Security Policy did not match the numbers in the internal

systems. Despite this, and despite not having obtained the
change of email address that would allow the caller to gain
access to the private customer area, a request for a duplicate SIM card was
processed online on December 1, 2022, through the private customer
area>>. However, Vodafone did not take the necessary precautions to

ensure that these events did not occur.
In this regard, the SAN, dated September 19, 2023 (REC 403/2021),
which says: “hired a third party without sufficient control or supervision as it was not able
to detect that in reality, the person who was expressing his willingness to
hire was not who he claimed to be. If the necessary precautions had been taken to
ensure the identity of the contracting party (for which reason it would have

been sufficient to consider the incorrect answer to the identification and
verification questions of the client) the infringement of article 6.1 of the LOPD
charged by the AEP would have been avoided.

In short, in the case analysed, the diligence used by
the respondent to identify the person who requested the duplicate of the

SIM card is called into question.

In any case, the procedure implemented by the respondent party was not followed, since,
if it had been, the request should have been denied.

In view of the above, Vodafone cannot prove that this procedure was followed and, consequently, there was unlawful processing of the personal data of

the complainant, thereby violating article 6 of the GDPR.

In this regard, Recital 40 of the GDPR states:

“(40) In order for processing to be lawful, personal data must be processed with the
consent of the data subject or on another legitimate basis established in accordance with law,

whether in this Regulation or by virtue of another Union or Member State law to which this Regulation refers, including the
need to comply with the legal obligation applicable to the controller or the
need to perform a contract to which the data subject is a party or in order to
take steps at the request of the data subject prior to entering into a

contract.”

IV

Classification and qualification of the infringement

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/28

The infringement is classified in Article 83.5 of the GDPR, which considers as such:

“5. Infringements of the following provisions shall be punished, in accordance with
section 2, with administrative fines of up to EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the

total global annual turnover of the previous financial year, whichever is higher:

a) The basic principles for processing, including the conditions for

consent pursuant to Articles 5, 6, 7 and 9.”

The LOPDGD, for the purposes of the limitation period of the infringement, classifies in its article 72.1
as a very serious infringement, in this case the limitation period being three years, “b)
The processing of personal data without any of the conditions for the

lawfulness of the processing established in article 6 of Regulation (EU) 2016/679 being met.”

V

Fine: Determination of the amount

The determination of the penalty to be imposed in the present case requires

observance of the provisions of Articles 83.1 and 2 of the GDPR, which,
respectively, provide as follows:

“1. Each supervisory authority shall ensure that the imposition of administrative
fines pursuant to this Article for infringements of this Regulation
referred to in paragraphs 4, 9 and 6 are effective, proportionate and
dissuasive in each individual case.”

“2. Administrative fines shall be imposed, depending on the circumstances of each
individual case, as an additional or alternative measure to the measures provided for in
Article 58, paragraph 2, points (a) to (h) and (j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;

b) the intent or negligence of the infringement;

c) any measures taken by the controller or processor to

mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures implemented by them pursuant to
Articles 25 and 32;

e) any previous infringements committed by the controller or processor;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/28

f) the degree of cooperation with the supervisory authority in order to remedy the
breach and mitigate any adverse effects of the breach;

g) the categories of personal data affected by the breach;

h) the manner in which the supervisory authority became aware of the breach, in
particular whether the controller or processor notified the breach and, if so, to what
extent;

i) where measures referred to in Article 58(2) have been previously
ordered against the controller or processor concerned in relation to the
same matter, compliance with those measures;

(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.”

Within this section, the LOPDGDD contemplates in its article 76, entitled
“Sanctions and corrective measures”:

“1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation
(EU) 2016/679 will be applied taking into account the grading criteria

established in section 2 of the aforementioned article.

“2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:

a) The continued nature of the infringement.

b) The connection between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of committing the infringement.

d) The possibility that the affected party's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The voluntary submission by the controller or person in charge to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/28

Vodafone requests that the following mitigating circumstances be considered:

- The degree of responsibility of the data controller, taking into account the
technical or organisational measures they have applied pursuant to Articles 25 and 32 of the GDPR.

- The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement.

- Any other aggravating or mitigating factor applicable to the circumstances of the
case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement.

None of the circumstances invoked are admissible.

Article 83.2.d) GDPR: “The degree of responsibility of the controller or the
processor, taking into account the technical or organizational measures that
they have applied pursuant to articles 25 and 32;”.

The respondent has limited herself to declaring that the third party that contracted with her exceeded the company's
security policy without providing any evidence to demonstrate that
she obtained from the person involved in the contract any document proving
that he was effectively the owner of the personal data that he had provided as his
own or that he articulated any mechanism that allowed the veracity of the identity data provided to be verified.

On the other hand, the principle of proactivity implies transferring to the controller the obligation not only to comply with the regulations, but also to be able to
demonstrate its compliance. Among the mechanisms that the GDPR provides for

achieving this are those provided for in Article 25, “data protection by design”, according to which the controller must apply “both at the time of
determining the means of processing and at the time of the processing itself”
technical and organisational measures that guarantee that it effectively applies
the principles of the GDPR in connection with the processing it carries out.

Article 83.2.f) of the GDPR refers to the “degree of cooperation with the supervisory
authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;”.

The respondent's response to the information request from the Sub-directorate of

Inspection did not fulfil these purposes, and therefore does not fall under this
mitigating circumstance.

Regarding the application of article 76.2.c) of the LOPDGDD, in connection with article
83.2.k), the absence of benefits obtained, it should be noted that such a circumstance can only

operate as an aggravating circumstance and in no case as an attenuating circumstance.

Article 83.2.k) of the GDPR refers to “any other aggravating or attenuating factor
applicable to the circumstances of the case, such as the financial benefits obtained or the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/28

losses avoided, directly or indirectly, through the infringement.” And article
76.2c) of the LOPDGDD states that “2. According to the provisions of article 83.2.k) of
Regulation (EU) 2016/679, the following may also be taken into account: [..] c) The benefits

obtained as a result of the commission of the infringement.” Both provisions
mention as a factor that may be taken into account in the grading of the sanction
the “benefits” obtained, but not the “absence” of these, which is what Vodafone
alleges.

Furthermore, in accordance with article 83.1 of the GDPR, the imposition of fines

is governed by the following principles: they must be individualized for each
particular case, be effective, proportionate and dissuasive. The admission that the absence of benefits operates
as an attenuating circumstance is contrary to the spirit of article 83.1
of the GDPR and to the principles governing the determination of the amount of the fine. If, following the commission of an infringement of the GDPR, the absence of benefits is classified as an

attenuating circumstance, the deterrent purpose that is fulfilled through the sanction is partly annulled. Accepting Vodafone's thesis in a case such as
the one at hand would mean introducing an artificial reduction in the sanction that
really should be imposed; which results from considering the circumstances
of article 83.2 of the GDPR that must be assessed.

The Administrative Litigation Chamber of the National Court has noted that the fact that in a specific case not all the elements that make up a circumstance modifying liability that, by its nature, is aggravating, are present, cannot lead to the conclusion that such circumstance is applicable as an attenuating circumstance. The ruling made by the National Court in its

SAN of May 5, 2021 (Rec. 1437/2020) - even though that resolution deals
with the circumstance of section e) of article 83.2. of the GDPR, the commission of
previous infractions - is applicable to the question raised, the claim of the
respondent that the "absence" of benefits be accepted as an attenuating circumstance, given that both the GDPR and the LOPDGDD refer only to "the benefits obtained".

In order to graduate the amount of the fine proposed to be imposed on Vodafone for the infringement of article 6.1 of the GDPR, we consider that the following circumstances exist, which operate as
aggravating factors:

- The circumstance of article 83.2 e) GDPR: “Any previous infringement committed
by the controller or the processor”.

Recital 148 of the GDPR states that “In order to strengthen the application of the
rules of this Regulation […]” and indicates in this regard that “Particular attention

should, however, be paid to […] or any relevant previous infringement […]”.

Thus, in accordance with paragraph e) of article 83.2. RGPD, in determining the amount of the administrative fine, all previous infringements by the controller or processor may not be ignored in order to assess the unlawfulness of the conduct analysed or the culpability of the offending subject.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/28

Furthermore, a correct interpretation of the provisions of article 83.2.e) RGPD cannot ignore the purpose pursued by the rule: to decide the amount of the administrative fine in the individual case raised, always taking into account that the

sanction is proportional, effective and dissuasive.

There are numerous sanctioning procedures processed by the AEPD in which
the respondent has been sanctioned for the infringement of article 6.1 of the GDPR:

i.EXP202204287 Resolution issued on October 24, 2022 in which a fine of 70,000 euros was imposed. The facts concerned a fraudulent duplicate of the SIM card
without legitimacy. Vodafone benefited from one of the two reductions provided.

ii.EXP202203916. Resolution issued on October 24, 2022 in which a fine of 70,000 euros was imposed. The facts concerned a fraudulent duplicate of the SIM card
without legitimacy. Vodafone benefited from one of the two reductions provided.

iii.EXP202203914 Resolution issued on October 24, 2022, in which a fine of 70,000 euros was imposed. The facts concerned a fraudulent duplicate SIM card without legitimacy. Vodafone accepted one of the two reductions provided for.

The respondent argues that the previous sanctioning procedures are

related to Vodafone customers who are not customers of the Lowi brand and whose
duplicate SIM cards were processed through channels other than the one in the case analyzed here, and therefore
should not be applied as an aggravating factor.

It is proven that Lowi is a brand under the same legal name as

Vodafone, they are the same company and therefore all previous infringements by the controller or the data processor cannot be ignored in order to
calibrate the unlawfulness of the conduct analysed or the culpability of the offending subject.

- The obvious link between the business activity of the defendant and the

processing of personal data of clients or third parties (article 83.2.k, of the GDPR
in relation to article 76.2.b, of the LOPDGDD).

The National Court's ruling of 17/10/2007 (rec. 63/2006), in which,
with respect to entities whose activity involves the continuous processing of

customer data, indicates that "...the Supreme Court has understood that there is
imprudence whenever a legal duty of care is disregarded, that is, when the
offender does not behave with the required diligence. And in the assessment of the degree of
diligence, the professionalism or lack thereof of the subject must be especially considered, and
there is no doubt that, in the case now examined, when the activity of the appellant

is of constant and abundant handling of personal data, the rigor and exquisite care to comply with the legal provisions in this regard must be insisted upon."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/28

The penalty to be imposed on the respondent must be graduated and set at €200,000 for the alleged infringement of article 6.1) classified in article 83.5.a) of the cited RGPD.

Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the
penalties whose existence has been proven, the Director of the

Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on VODAFONE ESPAÑA, S.A.U. with NIF A80907397, for a
breach of Article 6.1 of the GDPR, classified in Article 83.5 of the GDPR, a fine
in the amount of 200,000 euros (two hundred thousand euros).

SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U. with
NIF A80907397.

THIRD: This resolution will be enforceable once the deadline for filing the
optional appeal for reconsideration ends (one month from the day following the
notification of this resolution) without the interested party having made use of this faculty.

The sanctioned party is warned that he must make effective the imposed sanction once
this resolution is enforceable, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Royal Decree
939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and has become enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly
file an administrative appeal before the Administrative Litigation Division of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the
referred Law.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/28

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision in administrative proceedings may be provisionally suspended if the interested party
expresses his intention to lodge an administrative appeal.

If this is the case, the interested party must formally communicate this fact by means of a
written document addressed to the Spanish Data Protection Agency, presenting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through one of the other registries provided for in art. 16.4 of

the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the
documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, the precautionary suspension will be terminated.

Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es