
Background information
- Date of final decision: 10 March 2025
- National case
- Controller: Vodafone GmbH
- Legal Reference(s): Article 58(2)(i) GDPR, Article 83(4)(a) GDPR, Article 28(1) GDPR, Article 32(1) GDPR
- Decision: Administrative fine
- Key words: Administrative fine, Consumer protection, Data processing agreement, Data security, Password, Fraud User Account
Summary of the Decision
Origin of the case
The German Federal Supervisory Authority (SA) launched investigations into Vodafone GmbH’s partner agencies and its online service portal after receiving external information that did not come from a complaint.
Key Findings
Vodafone GmbH is a telecommunications service provider operating on the German market. The company uses different distribution channels, including local shops, some of which are operated by partner agencies. These agencies act under the Vodafone brand and are bound by the company’s instructions. Their IT systems are based on hardware and software provided by Vodafone. Data Processing Agreements govern the processing of customer data. The investigations discovered privacy-related weaknesses in the processes for supervising and auditing the processors, as well as weaknesses in the IT systems that led to a risk of customer data being misused for fraud. Such risks actually materialized in some cases.
Furthermore, Vodafone offers an online service portal for its customers. The investigations by the German Federal SA found that, when the portal is used in combination with the company’s hotline, weaknesses in the authentication process for customer accounts could lead to misuse of eSIMs. The company has taken steps to remediate any shortcomings found.
Decision
The German Federal SA imposed a fine of €15 000 000 for insufficient supervision and auditing procedures regarding the partner agencies and issued a reprimand for the weaknesses in the IT systems. Furthermore, it imposed a fine of €30 000 000 for insufficient security measures regarding the online service portal.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.