The Spanish data protection authority (AEPD) received two complaints from customers of the operator Orange Espagne S.A.U. They concerned the alleged duplication and activation of SIM cards and the taking of control of phone calls by cybercriminals. This activity was allegedly followed by fraud and extortion of money.
As a result of its investigation, the AEPD found that the data protection measures implemented by Orange Espagne S.A.U. were insufficient, as they allowed personal data to be transferred to an unauthorised third party. The AEPD further found that the operator did not adequately verify the identity of applicants before issuing SIM cards, and therefore breached the principles of integrity and confidentiality of personal data set out in Article 5(1)(f) of the GDPR.
In reaching its decision, the authority took into account that Orange Espagne S.A.U. was negligent in failing to ensure a procedure to guarantee the protection of its customers’ personal data and imposed an administrative fine on the operator.