€70,000 fine for illegal processing of personal data

The Spanish Data Protection Authority (AEPD) has published its decision in proceeding No. PS/00064/2023, which resulted in Digi Spain Telecom S.L.U. being fined €70,000 for violating the GDPR.
The proceedings were initiated by a complaint. The complainant alleged that unauthorised persons impersonated him at a Digi point and activated a duplicate SIM card using his personal data. As a result, the complainant lost the connection on his mobile phone. After contacting Digi, he got his SIM card back.
The complainant indicated that after this incident there were further attempts by unauthorised persons to swap his SIM card. Digi contacted the complainant to establish a password to be used when requesting a duplicate SIM card. However, despite establishing the password, when the complainant lost his SIM card again and requested a new one, Digi issued him with a card without first asking for the password.
The AEPD found that Digi violated Article 6(1) of the GDPR by providing the complainant’s duplicate SIM card to a third party without his consent. In addition, the AEPD found that Digi did not follow established verification protocols when issuing a new SIM card to the complainant.
As a consequence of these violations, the AEPD imposed a fine of €70,000 on Digi.