Vodafone Faces Record Fines from German Data Protection Authority

Tue 3rd Jun, 2025

The Federal Commissioner for Data Protection and Freedom of Information in Germany has imposed record fines on Vodafone due to violations of the General Data Protection Regulation (GDPR).

Two separate penalties were issued against the telecommunications giant, amounting to EUR15 million and EUR30 million respectively, marking the highest fines ever levied by the authority since the GDPR came into effect. Vodafone has acknowledged the fines and has already settled the payments.

The investigation into Vodafone by the Bonn-based regulatory authority spanned several years. In 2021 it came to light that customer data was being improperly used by partner agencies, third-party representatives who help acquire customers for Vodafone on a commission basis.

These practices reportedly led to unauthorized changes in customer contracts, prompting the initial EUR15 million fine. This penalty is independent of any other legal actions being pursued by affected customers, particularly those related to fraud.

The second fine stems from a more severe incident involving a self-service portal operated by Vodafone. This portal allowed registrations without an existing customer relationship, enabling fraudsters to use easily guessable passwords to unlawfully register eSIM cards associated with legitimate users. This breach is particularly concerning given that SMS messages are often used as a verification method for legitimate transactions.

The Federal Commissioner emphasized that data protection laws are robust and that the agency is committed to enforcing them. The Commissioner stated that the authority is willing to provide guidance to companies and expressed a desire for organizations to proactively engage in rectifying potential data protection violations before they escalate to fines.

Vodafone reportedly cooperated fully during the investigation, which played a role in determining the fine amounts in accordance with agreements among European data protection authorities. The Commissioner urged companies to take data protection seriously to prevent similar situations from arising in the future.

The wider financial repercussions, including potential future claims from customers under the GDPR, could cause Vodafone greater economic damage than the fines themselves.

