Spanish SA imposes a fine on Telefónica Móviles España, for a loss of confidentiality related to mobile phone sim card duplicate

Mar 31, 2022

Source: European Data Protection Board

Background information

Date of final decision: 08/11/2021
National Case
Controller: TELEFÓNICA MÓVILES ESPAÑA, S.A.U.
Legal Reference: Confidentiality (Article 5.1.f)
Decision: Imposition of a fine of 900,000 euros.
Key words: Loss of confidentiality.

Summary of the Decision

Origin of the case

Various claims are filed as a result of the issuance of duplicate SIM cards to third parties other than subscribers. As a result of the above, the holders of the telephone line are not only left without service, but the third parties access their bank accounts.

We find an assumption of using fraudulent practices based on the generation of duplicates of SIM cards without the consent of their legitimate holders in order to access confidential information for criminal purposes (known as “SIM Swapping”).

Key Findings

Spanish DPA carries out research actions to analyze the procedures followed to manage SIM change requests by TELEFÓNICA MÓVILES ESPAÑA, S.A.U., identifying the vulnerabilities that may exist in the implemented operating procedures, to detect the causes for which these cases could be occurring, as well as to find points of non-compliance, improvement or adjustment, to determine responsibilities, reduce risks and increase security in the processing of personal data of affected persons.

The data that is processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module), which unequivocally identifies the subscriber on the network, are personal data, and their treatment must be subject to data protection regulations.

It has been verified that the measures implemented by TELEFÓNICA MÓVILES ESPAÑA, S.A.U. were insufficient, so they generated a loss of confidentiality and the transfer of personal data to a third party.

Decision

The AEPD imposes a total fine of 900,000 euros for the infringement consisting of a lack of confidenciality.

For further information: https://www.aepd.es/es/documento/ps-00021-2021.pdf

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned

← ENISA: Deploying Pseudonymisation Techniques EDPB adopts statement on the new Trans-Atlantic Data Privacy Framework, letter concerning independence of Belgian SA & discusses membership Spring Conference →

Recent news

CSC elects 2nd Deputy Coordinator

Apr 10, 2024

The Coordinated Supervision Committee (CSC) has elected Matej Sironic from the Slovenian Data Protection Authority (DPA) as its Deputy Coordinator for a term of two years. Sironic will be the second Deputy Coordinator, and will work along with Sebastian Hümmeler from...

Online conference”Call for GDPR update”

Mar 12, 2024

EFDPO, together with the Czech Association for Personal Data Protection and IAPP, co-organised the online conference “Call for GDPR update?”, which took place on 11.3.2024.

CEF 2024: Launch of coordinated enforcement on the right of access

Feb 28, 2024

Brussels, 28 February - The European Data Protection Board has kicked off its Coordinated Enforcement Framework (CEF) action for 2024. Throughout the year, 31 Data Protection Authorities (DPAs), including 7 German State-level DPAs, across the EEA will take part in...