Following the large Tik Tok fine at the beginning of April, the rest of the month was quite calm in terms of GDPR fines. However, there is one that struck out the most:
Vodafone Spain was fined for failing to verify the identity of a third party who requested a duplicate of a user’s SIM card, the lack of interest in obtaining consent from the original user resulting in unauthorised transactions and access to all bank accounts. What’s more, the provider did not seek consent or try to contact the user in any way to obtain their explicit consent, which is needed in lack of a legal basis or a specific purpose for gaining access to personal data.
The Spanish Authority imposed a 140.000 EUR fine to the telecom provider, which was further reduced to 112.000 EUR as the company paid the fine voluntarily.
Written by: Briana Huști