Duyurular

Administrative Fines of €15 Million and €30 Million and a Reprimand Imposed on Vodafone by the German Federal Supervisory Authority

According to the final decision issued on 10 March 2025, the German Federal Supervisory Authority (“SA”) imposed administrative sanctions on Vodafone GmbH following an investigation into the company’s data processing activities and security measures.

The case originated from external information received by the SA, independent of any formal complaints. The investigation focused on Vodafone GmbH’s partner agencies and online service portals.

The following key findings were made:

  • Vodafone GmbH operates as a telecommunications service provider on the German market through multiple distribution channels, including local shops managed by partner agencies acting under the Vodafone brand and bound to its instructions.
  • These agencies use IT systems based on hardware and software provided by Vodafone, and the processing of customer data is governed by Data Processing Agreements.
  • The investigation revealed significant deficiencies in Vodafone’s procedures to supervise and audit its processors, as well as vulnerabilities in the IT systems that created risks of customer data being misused for fraud risks, which, in some instances, materialized.
  • Additionally, the online service portal, especially when used in combination with the company’s hotline, presented weaknesses in the customer account authentication process, potentially enabling the misuse of eSIMs.

As a result, the German Federal SA:

  • Imposed an administrative fine of €15 million for insufficient supervision and auditing procedures regarding partner agencies,
  • Issued a reprimand for weaknesses identified in the IT systems,
  • A further €30 million administrative fine was imposed for inadequate security measures concerning the online service portal.

You can access the full text of the European Data Protection Board’s announcement here.

 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr

 

All information and documents on our website have been prepared by Zumbul Attorneys at Law for general informational purposes only, in accordance with the Attorneyship Law, other relevant legislation and the Professional Rules of Attorneyship of the Union of Turkish Bar Associations. These publications are not intended for advertising or commercial purposes. The information and documents provided are of a general nature and under no circumstances, do they guarantee or warrant that the content is complete, accurate, up-to-date, or reliable. You should not rely on the information and documents on this website without first consulting a lawyer or expert. The links included in our website’s publications are sourced from publicly available materials and are provided solely for the convenience of visitors in accessing additional information. These links do not constitute any form of recommendation or endorsement of the linked persons, institutions or organizations. The information on this website does not in any way constitute legal advice or establish an attorney-client relationship with visitors to the site. All content on this website is the property of by Zumbul Attorneys at Law, and no content may be copied, reproduced, or used without prior written permission.