BfDI record fines: Vodafone pays 45 million euros

The Federal Data Protection Commissioner imposed a record fine on the Vodafone Group for breaches of the General Data Protection Regulation.

Vodafone

(Image: Filmbildfabrik/Shutterstock.com)


The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Louisa Specht-Riemenschneider, has imposed two fines on Vodafone, of 15 and 30 million euros respectively, for two different cases. This is the highest fine imposed by the BfDI since the General Data Protection Regulation came into force. The company has accepted the fines and has already paid them.

The Bonn-based supervisory authority had been investigating the telecommunications company for years. In 2021, employees of the Federal Data Protection Authority responsible for telecommunications became aware for the first time that customer data was being used improperly by so-called partner agencies, i.e., agents who are supposed to acquire customers for Vodafone and usually work on a commission basis.

Among other things, customers are said to have suffered damages as a result of unauthorized changes to contracts. The breach of the provisions of the General Data Protection Regulation has now been penalized with 15 million euros; this fine is independent of other proceedings brought by injured parties, for example for fraud.


The second fine is based on an even more blatant case: Vodafone had operated a self-service portal where registration was possible even without a customer relationship. After registering there, fraudsters were able to illegally assign the eSIM cards of regular users to these accounts using an easily guessable password from customer service, without having to identify themselves as those users. This is particularly problematic when mobile phone numbers are used for third-party services, such as text messages confirming transactions. Many providers still use SMS as an authentication factor for legitimate transactions.

For the Federal Data Protection Commissioner, these are the first completed fine proceedings. “Data protection law is not toothless, and we are proving the opposite here today,” said Specht-Riemenschneider about the fine proceedings. “We take action against violations of data protection law through – and with all the means at our disposal.” The authority is always ready to provide advice, and if a company actively helps to clarify possible data protection violations, this is to be welcomed, said the Federal Data Protection Commissioner, who was elected by the Bundestag a year ago. To date, her authority has been responsible for federal authorities and the postal and telecommunications sectors, but the black-red coalition is currently considering assigning the BfDI further responsibilities in the area of business supervision.

According to Specht-Riemenschneider, Vodafone cooperated extensively in the case, which was also taken into account in setting the amount of the fine in accordance with the agreements between the European data protection supervisory authorities on fines. She appealed to companies to take data protection seriously. She wanted to ensure that no fines had to be imposed in the first place.

For the telecommunications provider, the economic damage incurred by the company and possible future claims for damages from customers under the GDPR could potentially exceed the fine imposed by the BfDI.

(mki)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.