Orange Espagne fined for unlawful processing of personal data

The Spanish data protection authority (AEPD) has fined Orange Espagne, S.A.U. €70,000 following a complaint. The complainant alleged that a third party entered into a contract with Orange Espagne without his consent and knowledge. As a result, the complainant’s personal data was placed in credit information systems because he had not paid for the fraudulently ordered services.
Orange Espagne claimed that the complainant did not inform it of the identity theft. However, in the supervisory authority’s view, the controller failed to exercise due diligence to prevent the breach, as it did not apply its anti-fraud procedure. The controller was unable to demonstrate that it was processing the complainant’s data lawfully.
Orange Espagne breached Article 6(1) of the GDPR because it was unable to demonstrate that it was processing the complainant’s personal data on a valid legal basis.

On the basis of its findings, the AEPD considered it appropriate to impose an administrative fine on Orange Espagne.