
Background information
- Date of decision: 25/06/2025
- National case
- Controller: Vodafone S.A
- Legal References:
  - GDPR: Article 5.1.d: Principle of accuracy
  - GDPR: Article 28: Processor
  - GDPR: Article 29: Processing under the authority of the controller or processor
  - GDPR: Article 32: Security of processing
  - Law 3471/2006 (National Law incorporating ePrivacy Directive 2002/58/EC)
- Decision: Infringement of the GDPR, fines imposed
- Key words: Data breach, Security of processing, Processor
Summary of the Decision
Origin of the case
A complaint was submitted to the Greek Supervisory Authority (SA) against Vodafone regarding the unlawful registration of multiple prepaid mobile connections under a subscriber's personal details.
Key Findings
The investigation of the case revealed that at a Vodafone store, operated by a third-party company under a franchise agreement, 15 prepaid mobile phone lines were activated under the complainant’s personal details without her knowledge. The complainant became aware of this only when she was summoned for preliminary examination in connection with criminal offences allegedly committed via one of the numbers.
The franchisee, DS Phone, as data processor, claimed that their intention was to register those 15 numbers under the identity of a group tour leader, and that, by mistake, a copy of the complainant’s ID card — which had been stored in the system of a partner store to which the company had access — was attached to the application; subsequently, the complainant’s personal details had been connected to those subscriptions, indicating her as their owner, although she never had possession of their SIM cards. Vodafone reported the data breach to the Greek SA, while a second similar incident occurred at the same store during the same period.
Decision
In the context of the administrative audit conducted by the Authority, it was discovered that the data processor acted in violation of the instructions of Vodafone, the data controller, and failed to follow the subscriber identification procedure in the store. The Greek SA imposed an administrative fine of EUR 40 000 on the processor for violation of security of processing and processing under the authority of the controller or processor in conjunction with Articles 32 and 29 of the GDPR.
At the same time, a violation was also found on the part of Vodafone, as data controller, concerning its obligations to implement appropriate technical and organizational measures, to select suitable data processors and supervise them effectively, as well as a breach of the data accuracy principle, because, despite being aware of the incident, Vodafone twice provided incorrect information to the local Public Prosecutor’s Offices, identifying the complainant as the owner of the disputed phone numbers. The Authority imposed an administrative fine of EUR 350 000 on Vodafone in conjunction with Articles 28 par. 1 and 3 of the GDPR. It also imposed a fine of EUR 150 000 for violation of Law 3471/2006 (Art. 12 par. 1 and 3) (National Law incorporating ePrivacy Directive 2002/58/EC) and issued a warning to Vodafone so that it enhances the security of its procedure for assigning new numbers to existing subscribers in conjunction with these Articles. Furthermore, the Greek SA imposed an administrative fine of EUR 200 000 for violation of the data accuracy principle (Article 5.1.d of the GDPR), as mentioned above.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.