AEPD (Spain) - EXP202310345
Facts — On December 28, 2022, DIGI Telecom, the controller, delivered a duplicate SIM card to an unauthorized third party without the consent of the original line holder (the data subject) The duplicate SIM card was delivered to an impersonator after they passed the established protocols for verifying the applicant's identity. The controller appealed the decision by the Spanish DPA to impose a fine because they claimed that they had appropriate security measures. The controller claims that, by focusing on the result, the Spanish DPA is acting under strict liability. The mere fact that identity theft occurred does not equal a lack of due diligence on the part of the controller. The controller also requested a reduction of the fine on the basis of Article 83(5)(a) GDPR because there were no aggravating circumstances and no special categories of data were processed Holding — The Spanish DPA found a violation of Article 6(1) GDPR because issuing a duplicate SIM card and delivering it to a person other than the telephone line holder constitutes the processing of personal data within the meaning of Article 4(1) GDPR without a legal basis because the data subject did not give consent. The DPA ruled that the controller violated their duty of care because the security measures lacked the dilligence required. According to Article 5(2) GDPR (principle of proactive responsibility) the controller must demonstrate compliance to the GDPR. Proactive responsibility means that the measures are compliant to the GDPR under normal circumstances. The controller must also demonstrate that the measures are compliant with the GDPR and that they are effective in the specific context and purposes of processing (Article 24 en 25 GDPR). The controller had a higher standard of care because of a documented risk to SIM swap attacks and the high scale of processing. Recital 74 GDPR states that the controller’s must implement effective and appropriate measures that take into account the nature, scope and context, and purposes of processing. The card allows an impersonator to access additional data through which they can carry out actions with grave consequences. The controller did not demonstrate that their security measures sufficiently protected the data subject. Factual circumstances should have alerted DIGI to the fraud: the SIM card replacement was processed at a physical store in a different province from where the data subject resided. The Spanish DPA flagged that the controller did not ask the reason for issuing the card and they did not verify whether the old SIM card was functioning. Therefore the security measures were not appropriate to prevent'SIM swap attacks' that are prevalent in the telecom context. With regard to to the height of the fine, the Spanish DPA found that no new legal arguments were made that would lead to the reduction of the fine.
How it connects
Related across sources
Full text
1/52 • File No.: EXP202310345 RESOLUTION OF THE APPEAL FOR RECONSIDERATION Having examined the appeal for reconsideration filed by DIGI SPAIN TELECOM, S.L.U. (hereinafter, the appellant) against the resolution issued by the Presidency of the Spanish Data Protection Agency dated November 23, 2025, and based on the following: FACTS FIRST: On November 23, 2025, a resolution was issued by the Presidency of the Spanish Data Protection Agency in file EXP202310345, imposing a fine of €140,000 (one hundred forty thousand euros) on DIGI SPAIN TELECOM, S.L.U., for an infringement of Article 6.1 of the GDPR, as defined in Article 83.5(a) of the GDPR. This resolution, which was notified to the appellant on December 1, 2025, was issued following the processing of the corresponding sanctioning procedure, in accordance with the provisions of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and supplementarily with Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), regarding the processing of sanctioning procedures. SECOND: The following facts were established in the aforementioned sanctioning procedure, PS/00499/2024: FIRST. - The claimant, residing at ***LOCATION.1, is a client of the entity DIGI. Among the contracted services is the mobile phone line number PHONE.1. SECOND. - On December 27, 2022, a third party requested a duplicate SIM card for the claimant's mobile phone line number ***PHONE.1, in person at the DIGI Locutorio distributor or dealer (...), located at ADDRESS.1, ***PROVINCE.2. Following security protocols, the distributor collected the requesting third party's identification document and made the following copy. This duplicate SIM card was activated on December 28, 2022, leaving the claimant without service. THIRD. – DIGI has confirmed that the security protocols in place on the date of the SIM card duplicate request were dated February 7, 2022, and consisted of the following: “These protocols and security measures ensured the verification of the SIM duplicate applicant's identity as the line holder. At the time of the events, the protocols and security measures were specified as follows: FOURTH. – Comparing the data on both sides of the copy of the National Identity Document (DNI) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 2/52 provided in the SIM duplicate request with the data provided by the claimant in the police report dated December 28, 2022, and its subsequent addenda, the following data match: DNI number, name and surnames, nationality, place and date of birth and full address. The parents' names do not match. FIFTH. – The screenshots provided by DIGI show that on December 28, 2022, DIGI validated the duplicate SIM card by sending an SMS confirming its availability to the number ***PHONE.2 and an email to ***EMAIL.1. DIGI has reported that the number ***PHONE.2 was provided by the third party who requested the duplicate SIM card. SIXTH. – After activating the duplicate SIM card described in the Second Proven Fact, and having lost service on his mobile phone line, the claimant contacted DIGI on several occasions to resolve the issue, both by phone and email from the address “***EMAIL.2”. A recording of the claimant's phone call to customer service is included in the case file. DIGI, dated December 28, 2022, at 4:59 p.m., where the complainant stated they had no network connection and requested the suspension of the line due to suspicions of cloning. The representative recommended they visit a distributor to resolve the issue. The complainant requested the SIM card be blocked. Later, on the same day, December 28, 2022, at 6:33 p.m., the complainant requested a new line in their name through a DIGI dealer. They also requested the cancellation of line ***TELÉFONO.1 due to problems with the duplicate SIM. SEVENTH. – DIGI's information systems contain entries with the following dates and details: - December 29, 2022, 3:50 p.m. The affected line was canceled. - December 30, 2022, 6:39 p.m. The customer requested to file a complaint. Since another line was suspended on 12/28, not the affected one. Request for proof of SIM card replacement. Ticket opened. - 1/1/23 7:42 PM. Contact via email informing about the unauthorized access. A commercial discount ticket is opened. - 1/2/23 9:01 AM. The commercial discount ticket is closed and a possible fraud ticket is opened. Claims is consulted with Sales. The customer provides email address ***EMAIL.2 - 1/3/23 11:00 AM. Proof of SIM card replacement is sent and the ticket is closed. - 1/4/23 12:31 PM. A security note is left for Fraud/Suspected Fraud. - 1/5/23 11:16 AM. The customer wants the store where the SIM card replacement was made to be indicated since they have been a victim of fraud. They are instructed to write by email. customer.service@digimobil.es - 10/01/23 1:33 PM. Customer contacted to add keywords and provide information. Request to send us a complaint so we can provide the DEALER'S information: - 11/01/23 10:51 AM. Customer sends complaint and ID. We open a ticket for Identity Theft. We send the DEALER'S information and close the ticket. - 11/01/23 10:07 PM. Contact via email. Customer sends complaint; it has been validated in a ticket. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 3/52 - 12/01/23 12:36 PM. - Wants to know where the fraudulent SIM card duplication took place. A note is left on the ticket. - 16/01/23 - 11:19 AM - From CLAIMS - An email is sent to the customer with point of sale details. The ticket is closed. THIRD: On January 2, 2026, the appellant filed an appeal for reconsideration with this Spanish Data Protection Agency, basing it, basically, on the following: FIRST. - ON THE NON-COMPLIANCE WITH THE LAW OF THE RESOLUTION 1. On the omission of proven facts in the Resolution. DIGI points out that the proven facts demonstrate that the identity theft and access to personal data occurred prior to any contact with DIGI, since the alleged impersonator even has the Claimant's National Identity Document (DNI), allegedly falsified, as well as all the necessary data to request a duplicate. It states that despite DIGI establishing security measures, both technical and organizational, and subjecting them to review and improvement, It continues, no procedure or security measure is, nor can be, completely infallible, and DIGI cannot be required to ensure that its implemented procedures and measures are so; and it is essential that individuals, as owners of their personal data, also exercise due diligence in safeguarding it, without making it available to third parties or neglecting it, thus allowing third parties to obtain their personal information, which facilitates identity theft, as has occurred in this case, where it is evident that the identity thieves had the data of the claimant, which allowed them to attempt to impersonate them through various means. It indicates that no responsibility can be attributed to it for the events that are the subject of the claim, the cause of which lies in the prior improper acquisition of the claimant's personal data by third parties unrelated to DIGI, and not in a breach of the applied protocols, which have proven to be adequate, proportionate, and effective measures for the detection, blocking, and mitigation of fraud attempts. 2. Regarding the legality of the data processing carried out by DIGI. It maintains that, although DIGI issued a duplicate SIM card to the claimant, this action is insufficient to gain access and perform banking transactions on their behalf. It requires a third party to "impersonate" the data subject before the financial institution without any legal basis and in a fraudulent manner. It points out that requiring DIGI to have a detection capacity beyond what is humanly verifiable through ID and in-person verification would be demanding an obligation of result—virtually impossible—that lacks legal and jurisprudential support. It asserts that it is necessary to consider the interpretation of the Judgment of the General Court of the European Union (Eighth Chamber, extended) of April 26, 2023, which determines that The classification of an alphanumeric code as personal data cannot be presumed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 4/52 It is the responsibility of the Supervisory Authority to justify the ability to link the personal data to a specific individual; it is not sufficient to simply presume this based on the possibility that it could potentially allow for identification. He argues that, according to the General Court's ruling, this case does not constitute unlawful processing of personal data. It points out that, in this regard, even if a duplicate SIM card is made available to a third party who impersonates its legitimate owner, insofar as the card constitutes a device containing only numerical codes whose link to the owner's identity can only be identified by their telephone operator, the SIM card could not be considered personal data in the terms used by the Spanish Data Protection Agency (AEPD), where it ignores the actual capacity to identify each party involved and applies a theoretical and absolute criterion that does not reflect the actual information accessed by the third party. The Supreme Administrative Court of Poland has also ruled in this sense in its Judgment III OSK 2595/22 of October 16, 2025. It indicates that DIGI cannot be accused of unlawful data processing when not carrying it out would constitute a violation of the GDPR. Finally, it is worth noting here that, as evidence of DIGI's proactive approach, this company is always continuously seeking the best security practices and standards. 3. Regarding the lack of evidence of fault or negligence on the part of DIGI. DIGI asserts that the Spanish Data Protection Agency (AEPD) bases its conclusion solely on the outcome, omitting the documentary evidence provided, to determine that DIGI failed to comply with the procedure. At no point is the level of due diligence exercised considered. DIGI points out that it is difficult to consider the protocol required by DIGI insufficient, as it includes in-person identity verification, the retention of a copy of the ID card – a measure that, in many cases, was considered excessive by the AEPD itself, depending on the context, even though it now describes it as minimal – and its subsequent, reinforced validation by DIGI's Back Office department. It is evident that the DIGI protocol and its implementation are reinforced and incorporate elements that go beyond what can be considered basic, using the National Identity Document as a method of identification, a document that has the capacity (legally attributed by law) to identify on its own. Based on the reasoning included in the Resolution, the Spanish Data Protection Agency (AEPD) seems to confuse the concept of proactive responsibility with the obligation of result imposed by strict liability. As indicated by Section 1 of the Administrative Chamber of the National Court in its Judgment 1066/2023, of February 9, 2023: “The principle of culpability derived from Article 25 of the Spanish Constitution, as noted in Constitutional Court Judgment 246/1991, of December 19, constitutes a basic structural principle of administrative sanctioning law, and is recognized in Article 28.1 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector, which states that: “Only natural or legal persons (...) who are responsible for acts constituting an administrative offense may be sanctioned for acts constituting an administrative offense, whether intentionally or negligently.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 5/52 who are responsible for said acts, whether intentionally or negligently.” Therefore, as the Supreme Court Judgment of March 18 points out 2005, Rec. 7707/2000, it is evident that "an administrative infraction could not be considered committed if the subjective element of culpability were not present, or in other words, if the conduct typically constituting an administrative infraction were not attributable to intent or negligence." In the case of the aforementioned Judgment, the Court considers the telecommunications operator's culpability proven, insofar as the Agency has indeed assessed the established procedure. It affirms that the procedure DIGI had implemented on the date of the events (December 2022), the requirements identified by the National Court in February 2023, and in line with Organic Law 4/2015 on the protection of public safety, these requirements being proof of the exercise of sufficient diligence in the request for duplicate SIM cards. In relation to this point, DIGI emphasizes that the process design was carried out in accordance with the criteria made public by the Spanish Data Protection Agency (AEPD), therefore, it was required that the applicant's identification be carried out using their National Identity Document (DNI) and its subsequent entry for verification by the Dealer Care system (which was carried out correctly, since otherwise it would be technically impossible to create a duplicate), which, subsequently, after the corresponding photocopy was made, was manually verified by the DIGI Back Office team. 4. On the inadmissibility of strict liability. The Constitutional Court, since its Judgment No. 76/1990, has been warning of the inadmissibility in our legal system of strict liability and, consequently, of the requirement in all cases that the Administration, when imposing sanctions, prove a sufficient degree of intent on the part of the sanctioned party. In this regard, DIGI mentions, as set forth in the Judgment of the National Court, Administrative Chamber, Section 1, of December 23, 2013, Appeal No. 341/2012, regarding strict liability. In this case, the Spanish Data Protection Agency (AEPD) does not acknowledge the due diligence exercised by DIGI in its actions, but rather unequivocally imposes strict liability on DIGI, in which, regardless of the diligence and measures taken, the entity's guilt is declared. It points out that, in this case, there is evidence of strict control, both before and after the duplicate request, the establishment of prior and subsequent measures, as well as the existence of specific measures aimed at preventing these practices in advance. DIGI, citing Supreme Court Judgment 543/2022 of February 15, indicates that its Legal Basis establishes Third, that: “The obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, implying that in the event of a leak of personal data to a third party, liability exists regardless of the measures adopted and the activity carried out by the data controller or the processor.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 6/52 And, the Supreme Court defines this obligation as an obligation of means, in which (Legal Basis 3): “the commitment undertaken is to adopt the technical and organizational means, as well as to carry out diligent activity in their implementation and use, aiming to achieve the expected result with means that can reasonably be considered suitable and sufficient for its attainment; therefore, they are called “obligations of diligence” or “obligations of conduct.” Furthermore, it refers to the Judgment of the Third Chamber of the Court of Justice of the European Union (hereinafter, “CJEU”) of 14 December 2023 in Case C-340/21, ECLI:EU:C:2023:986, which concerns the preliminary ruling requested by the Supreme Administrative Court of Bulgaria on 14 May 2021. It states that Articles 24 and 32 of the GDPR cannot be interpreted as meaning that an unauthorized disclosure of personal data or unauthorized access to such data by a third party is sufficient to conclude that the measures taken by the controller were not appropriate within the meaning of those provisions, without even allowing the controller to present evidence to the contrary. It asserts that the present Resolution is not in accordance with the law, as it imposes on DIGI an obligation of result, based solely on the harmful outcome produced by the fraudulent activity of a third party, without considering the diligence used and without determining the deployment of technically appropriate and implemented measures. 5. Regarding the failure to assess the evidence and the violation of the right to defense. It maintains that the evidence provided by DIGI has not been assessed, and that the Agency has not assessed compliance with the established procedure, but rather denies such compliance despite the existing documentary evidence. It points out that the Spanish Data Protection Agency (AEPD) has the obligation to analyze and assess the documentary evidence in accordance with the criteria for civil proceedings (Article 90.1 of Law 39/2015). The Constitutional Court ruling 145/2004, of September 13, points out that the right to a defense, which prohibits any lack of due process, includes the unjustified denial of evidence (among others, Constitutional Court rulings 7/1998, of January 13; 3/1999, of January 26; 14/1999, of February 22; 276/2000, of November 16; and 117/2002, of May 20). It indicates that the Spanish Data Protection Agency (AEPD) is violating this party's right to use the appropriate means of evidence for its defense, which constitutes a violation of Article 24.2 of the Spanish Constitution. SECOND. - ON THE SUBSIDIARY REQUEST FOR REDUCTION OF THE SANCTION DUE TO LACK OF PROPORTIONALITY It is argued that the following points, which are classified as aggravating factors, do not meet the necessary circumstances for their consideration in relation to the facts analyzed: • The nature, seriousness, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 7/52 number of data subjects affected and the level of damages suffered (Article 83.2.a) of the GDPR) It is maintained that the appealed Resolution considers the “nature, seriousness, and duration of the infringement” as an aggravating factor, pursuant to Article 83.2.a) of the GDPR. However, the circumstances that would justify its application in this case are not present, for the following reasons: “1. Fraudulent origin unrelated to DIGI. The events that prompted this procedure stem from fraudulent conduct by a third party who, using seemingly original and legitimate documentation, managed to impersonate the legitimate owner of the line. DIGI cannot be held responsible for the impersonator's initial actions, especially since the controls stipulated in the internal protocol were applied and there was no prior report of loss or theft of the document that would have allowed DIGI to detect the deception. Under no circumstances should liability be established that, moreover, would aggravate the nature of the infraction. 2. Limited duration of the incident. As soon as the Claimant reported the suspected impersonation (despite using social media), DIGI acted immediately and diligently, suspending the line, opening the corresponding fraud ticket, and activating the available corrective measures. The incident was therefore resolved very quickly. In other words, far from any omission or inaction, what is evident is an immediate and responsible reaction to the suspicion of an irregularity. 3. Absence of damages attributable to DIGI. The alleged damage suffered by the Claimant, who was listed as a debtor with DIGI, is eliminated and mitigated by this party, which assumes the amount generated by the alleged impersonator. DIGI rectified the data according to the available information, proceeded to block the debt, and canceled any information linking the Claimant to fraud against DIGI. Therefore, there is no basis to claim the existence of any damage suffered by the Claimant. 4. Number of affected parties: an isolated case. The procedure concerns a single interested party within DIGI's overall clientele, which demonstrates a specific and isolated incident, and not a widespread or massive practice that would justify aggravating the infraction. In conclusion, the conditions required by the GDPR to apply the aggravating factor of the nature, seriousness and duration of the infringement are not met. On the contrary, as has been demonstrated, DIGI acted proactively and diligently, in accordance with current security standards, reacting immediately to the suspicion of fraud and adopting effective corrective measures. • The intent or negligence in the infringement (Article 83.2.b) of the GDPR). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 8/52 It considers that the alleged gross negligence is not duly proven in the file, and that even if negligent conduct were deemed to have occurred, it should be noted that this classification has already been expressly considered by the AEPD itself as a substantial element for declaring the existence of the infringement and determining the appropriateness of imposing the sanction. • The categories of personal data affected by the infringement (Article 83.2.g) of the GDPR). It points out, that the imputation of this aggravating circumstance lacks an objective basis, since the type of data processed does not correspond to the categories specially protected by the GDPR, nor has it been proven that DIGI directly accessed or processed sensitive information that would justify the aggravation of the infringement according to this criterion. In any case, the damages resulting from fraudulent access to other services are attributable to the security mechanisms of those services and not to the processing carried out by DIGI within the framework of its ordinary and legitimate activity. • The degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32 (Article 83.2.d) of the GDPR). It considers the application of this aggravating circumstance inappropriate, as it has not been proven that DIGI has breached the obligations established in Articles 25 and 32 of the GDPR. It notes that DIGI had of a structured, consistent, and up-to-date internal procedure for managing new postpaid lines. Furthermore, it states that it cannot be ignored that the same act—that is, the bypassing of the security procedure by a third party using falsified documentation—has already been considered by the Agency as an aggravating circumstance provided for in Article 83.2.b) of the GDPR (intent or negligence). Therefore, using this same circumstance to substantiate the aggravating circumstance in Article 83.2.d), without substantial differentiation between the two, constitutes an inadmissible duplication in the administrative sanctioning context. • Any prior infringement committed by the controller or processor (Article 83.2.e) GDPR. The Spanish Data Protection Agency (AEPD) justifies the application of the aggravating circumstance in Article 83.2.e) GDPR by invoking the existence of previous sanctioning proceedings, in which a violation of Article 6.1 was found of the GDPR for SIM swapping fraud. It maintains that the present case is a consequence of the unlawful actions of a professional third party. Recital 148 of the GDPR establishes that, when assessing administrative infringements, consideration must be given to “aggravating or mitigating circumstances applicable to the case, such as, for example, relevant prior infringements committed by the controller.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 9/52 This reference expresses the need for a direct and relevant relationship between the prior facts and those currently under analysis. In this case, there is no such relevant relationship or material connection between the aforementioned background and the present case, which validly prevents the application of the alleged aggravating circumstance. • The link between the business activity of the respondent and the processing of personal data of clients or third parties (Article Article 83.2k of the GDPR in relation to Article 76.2.b of the LOPDGDD. It indicates that, while it is true that DIGI's activity necessitates the processing of its clients' personal data, this factor is ambiguous in its assessment for inclusion as an aggravating circumstance, since this connection does not imply, by any means, a direct relationship with the alleged infringement. Article 83.2 k) requires that said aggravating circumstance be linked to the specific facts of the case. In this sense, the data processing does not stem from an intention of the entity, but rather occurs as a result of the commission of a crime of which DIGI is the injured party. Therefore, it considers that this aspect cannot be interpreted as an aggravating circumstance. And, it points out that the following mitigating circumstances are present in this case, which were not considered in the appropriate determination of the sanction: • The defendant effectively resolved the issue that was the subject of the complaint. (Art. 83.2 c GDPR); It states that DIGI took swift and effective action, suspending the mobile service on the irregularly activated line and returning control to the Complainant, and that this action demonstrates significant diligence on the part of DIGI: it allows the situation to be rectified and minimizes the impact on the Complainant, which should be positively valued. • At no time have special categories of data been processed (Art. 83.2 g) GDPR). It states that the data processed by DIGI does not fall within the “special categories of data” provided for in Article 9 of the GDPR. This provision clearly and specifically establishes that only data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, will be considered special categories of data. aimed at uniquely identifying a natural person, data relating to health or data relating to a natural person's sex life or sexual orientation. Neither the name, nor the surname, nor the national identity card number—even though it is a robust identifier—meets these criteria. The fact that they can be fraudulently used by third parties does not alter their legal nature as ordinary identification data. • The degree of DIGI's cooperation with the Spanish Data Protection Agency (AEPD) in order to remedy an alleged infringement and mitigate its potential adverse effects. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 10/52 It indicates that the respondent has answered all information requests made by this Agency in a timely manner. Furthermore, DIGI voluntarily provided the documentation related to this case in its response to the information request, expressly stating its good faith and intention to cooperate with the authority (Art. 83.2 f) GDPR). • The non-existent benefit obtained by DIGI as a result of the Data processing that is the subject of this procedure. It states that DIGI has been harmed, having been affected by the commission of fraud by a third party, which has forced it to rectify the situation and carry out investigations, with the consequent associated costs (Art. 83.2 k) GDPR) and wishes to record and demonstrate that the measures in place at the time of the events complied with the most rigorous rules, guidelines, standards and recommendations (including those issued by the Spanish Data Protection Agency - AEPD) to address the risks and that they were appropriate and suitable considering the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons. DIGI: REQUESTS that a resolution be issued ordering the filing of File No.: EXP202310345. And, alternatively, requests that the Spanish Data Protection Agency (AEPD) take into account the mitigating circumstances based on the aforementioned allegations and, consequently, conclude the proceedings with a warning and, ultimately, if it deems that a sanction is warranted, reduce or adjust the sanction imposed in the Resolution notified to DIGI. LEGAL BASIS I Jurisdiction The Presidency of the Spanish Data Protection Agency has jurisdiction to resolve this appeal, in accordance with the provisions of Article 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) and Article 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD). II Grounds for the Appealed Resolution Regarding the statements made by the appellant, essentially reiterating the arguments already presented throughout the sanctioning procedure, it should be noted that all of them were already analyzed and dismissed in Legal Grounds III to VII of the appealed Resolution, which sufficiently describe the factual circumstances that determined the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 11/52 infringement and its correct legal classification, as well as those that were considered in determining the sanction, as transcribed below: “III Response to the arguments presented against the initiation agreement In response to the arguments presented by the defendant, the following should be noted: 1. Establishment of measures and principle of culpability. Unlawful processing of personal data. DIGI states The incident occurred because a third party, who possessed the claimant's personal data and original identity document, managed to circumvent their security policy through deception, impersonating the claimant. DIGI, in its defense, refers to the set of security measures it has adopted and maintains that it complied with all established security protocols. Therefore, it believes that the Spanish Data Protection Agency (AEPD) has reached erroneous conclusions by considering that the mere fact that identity theft occurred is indicative of a lack of due diligence on the part of the company. Based on this, it concludes by arguing that strict liability cannot be imposed; that is, the company cannot be sanctioned simply for the outcome of the incident without demonstrating fault or negligence. Given the characteristics and context of the data processing, it is important to clarify that SIM swapping is a well-documented and frequently occurring risk in the telecommunications sector. Consequently, being an inherent risk in the activity, it is legally required that in the process of requesting duplicate SIM cards, appropriate technical and organizational measures be adopted to guarantee that the person requesting the duplicate SIM card is indeed who they claim to be, that is, the owner of the phone number and that these measures are implemented, in order to prevent the unlawful processing of personal data. Therefore, the proper and rigorous verification of the identity of the line owner is crucial for the operator's actions to be considered diligent and in accordance with the obligations imposed by the GDPR. In this regard, contrary to what has been alleged, this Agency has not limited its analysis solely to the material result, that is, the fraudulent issuance of the duplicate SIM, but has thoroughly assessed both DIGI's conduct and the measures implemented, identifying deficiencies or irregularities in DIGI's actions that call into question the diligence of this entity in this case. First Finally, it should be noted that in this case, an infringement is alleged due to the unlawful processing of personal data resulting from the issuance of a duplicate card and its delivery to an unauthorized third party, without the cardholder being even aware of such processing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 12/52 Article 6.1 establishes that the processing of personal data is only lawful if at least one of the conditions stipulated in the aforementioned article is met. In this case, the violation of the principle of lawfulness is manifested in the improper processing of the claimant's personal data, as the claimant was not the actual applicant for the duplicate card. This type of processing requires adequately verifying the applicant's identity, and for this purpose, it is necessary to establish measures that ensure correct identification. The establishment of these measures or protocols, as well as their monitoring and implementation by the entity itself, are essential. The responsible party serves to assess the conduct and the degree of diligence employed. DIGI issued a duplicate SIM card without the consent of the line holder and delivered it to a third party without a valid legal basis. This constitutes unlawful data processing, as it was carried out without complying with the requirements established in Article 6.1 of the GDPR. The infringement of this article confirms that DIGI carried out unauthorized data processing, thereby violating the rights of the complainant. In this regard, the mere existence of a security policy cannot justify a violation of the principle of lawfulness provided for in Article 6.1 of the GDPR. In addition to existing, these measures must be effective and enable the data controller to demonstrate compliance with the principles relating to the processing of personal data. Otherwise, the measures adopted are ineffective and may lead to unlawful processing. as occurs in the present case. Therefore, DIGI cannot claim to be exonerated from its responsibility by appealing to the existence of such security measures. The fact is that the mere issuance of a SIM card and its delivery to an unauthorized third party already constitutes a violation of the principle of lawfulness, insofar as it is considered the processing of personal data. It should also be noted that it is an undisputed fact that the issuance of the duplicate SIM card and its delivery to an unauthorized third party was carried out without the involvement of the claimant and owner of the telephone line. DIGI itself classified the case as fraudulent, as stated in the established facts. Furthermore, given the proven existence of unlawful conduct by DIGI (the processing of the claimant's data without legal basis), the question centers on determining whether such conduct can give rise to administrative sanctioning liability. Governed by Administrative Law The principle of culpability is the basis for imposing sanctions (Article 28 of Law 40/2015, on the Legal Regime of the Public Sector, LRJSP), therefore the subjective or culpability element is an indispensable condition for the sanitary liability to arise. Article 28 of the LRJSP, “Liability,” states: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 13/52 “1. Only natural and legal persons, as well as, when a Law recognizes their legal capacity, groups of affected parties, associations and entities without legal personality, and independent or autonomous estates, who are responsible for them due to intent or negligence, may be sanctioned for acts constituting an administrative offense.” In light of this precept, liability for sanctions can be demanded on the grounds of intent or negligence, with the mere failure to observe the duty of care being sufficient in the latter case. The Constitutional Court, among others, in its Judgment 76/1999, has declared that administrative sanctions share the same nature as criminal sanctions, being one of the manifestations of the State's power to punish, and that, as a requirement derived from the principles of legal certainty and legality in criminal law enshrined in Articles 9.3 and 25.1 of the Spanish Constitution, their existence is essential for their imposition. Regarding the culpability of legal entities, it is appropriate to cite Judgment 246/1991, of December 19, 1991 (Legal Basis 2), according to which, with respect to legal entities, the subjective element of negligence must necessarily be applied differently than it is with respect to natural persons. and adds that “This distinct construction of the imputability of the authorship of the infringement to the legal entity arises from the very nature of legal fiction to which these subjects respond. They lack the volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject. Capacity for infringement and, therefore, direct blameworthiness that derives from the legal interest protected by the rule that is infringed and the need for said protection to be truly effective [...]”. Thus, the decision to close a disciplinary case may be based on the absence of the element of culpability when the person responsible for the unlawful conduct acted with all the diligence that the circumstances of the case require. At this point, it is worth recalling what Constitutional Court Judgment 246/1991 stated regarding the culpability of legal entities: that they possess the capacity to infringe the rules to which they are subject. This capacity to infringe [...] derives from the legal interest protected by the rule that is infringed and the need for said protection to be truly effective [...]. In connection with the foregoing, reference must be made to Article 5.2. of the GDPR (principle of proactive responsibility), according to which the data controller will be responsible for compliance with the provisions of paragraph 1—and, relevant here, with the principle of lawfulness in relation to Article 6.1 of the GDPR—and able to demonstrate such compliance. The principle of proactivity transfers to the data controller the obligation not only to comply with the regulations, but also to be able to demonstrate such compliance. Opinion 3/2010 of the Article 29 Working Party (WP29) -WP 173- issued during the validity of the repealed Directive 95/46/EEC, but whose reflections are still applicable, states that the “essence” of proactive responsibility is the obligation of the data controller to implement measures that, under normal circumstances, ensure that, in the context of data processing operations, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 14/52 data protection rules are met and to have documents available that demonstrate to data subjects and supervisory authorities what measures have been taken to achieve compliance with data protection rules. Article 5.2 is further developed in Article 24 of the GDPR, which obliges the controller to adopt appropriate technical and organizational measures “to ensure and be able to demonstrate” that the processing is in accordance with the GDPR. The provision states: “Responsibility of the controller” “1. Taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing complies with this Regulation. These measures shall be reviewed and updated where necessary. 2. Where proportionate to the processing activities, the measures referred to in paragraph 1 shall include the implementation, by the controller, of appropriate data protection policies. 3. Adherence to approved codes of conduct pursuant to Article 40 or to an certification mechanism approved pursuant to Article 42 may be used as evidence of the controller's compliance with its obligations.” Article 25 of the GDPR, “Data protection by design and by default”, states: “1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement, both at the time of determining the means of processing and at the time of processing itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement the principles of data protection, such as data minimization, and to integrate the necessary safeguards into the processing, in order to comply with the requirements of this Regulation and to safeguard the rights of data subjects. 2.[...]”. In the present case, contrary to the provisions of these rules, DIGI has failed to demonstrate compliance with the regulations regarding the lawfulness of the processing of personal data for which it is being sanctioned. It is worth asking what parameters of due diligence DIGI should have observed in relation to the conduct examined. The answer is that the due diligence it should have observed is that which was necessary to comply with the obligations imposed on it by Articles 5.2, 24, and 25 of the GDPR, in light of the rulings of the National Court and the jurisprudence of the Supreme Court. The judgment of the National High Court of Justice of 17 October 2007 (appeal no. 63/2006) is fully applicable to this case. After stating that entities whose activities C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 15/52 involve the continuous processing of customer and third-party data must observe an adequate level of diligence, it states: “[...] the Supreme Court has consistently held that negligence exists whenever a legal duty of care is disregarded, that is, when the offender does not act with the required diligence. And in assessing the degree of diligence, special consideration must be given to the professional status of the individual, and there is no doubt that, in the case now under examination, when the appellant's activity involves the constant and extensive handling of personal data, rigor and meticulous care must be emphasized for complying with the legal provisions in this regard.” The judgment of the National High Court (SAN) of September 19, 2023 (appeal no. 403/2021) is also fully applicable to this case, stating: “The insurance policy was contracted with a third party without sufficient control or supervision, as it was unable to detect that the person expressing their intention to contract was not who they claimed to be. Had the necessary precautions been taken to ensure the identity of the contracting party (for which it would have been sufficient to address the incorrect answers to the client's identification and verification questions).” The defendant has invoked various arguments to justify the lack of culpability in its conduct. Basically, having a security policy aimed at ensuring that SIM card replacements are delivered to the owners of the telephone lines, which was followed by DIGI and did not fail, but was overcome by actions committed by a third party who had the claimant's personal data and identity document. DIGI understands that its conduct cannot be considered negligent, and that the mere fact that identity theft occurred is not indicative of a lack of diligence. However, there are numerous factual circumstances in this case that lead to characterizing DIGI's conduct as reckless and negligent in its failure to detect the fraud preventively, which would have allowed it to deny the request for a duplicate SIM card received from an unauthorized third party and, thereby, refrain from processing the personal data of the claimant that the issuance of said card and its delivery to a person other than its owner entails. There are numerous factual circumstances that should have alerted DIGI to the fraud or, in other words, demonstrate the negligence of its conduct. The SIM card replacement was processed at a physical store, (…) Firstly, this Agency considers the fact that a person residing in a municipality of PROVINCE.1 requests a SIM card replacement at a store located in a different Autonomous Community, in a municipality of the province of ***PROVINCE.2, to be a red flag. This is not a determining factor, as it is not improbable, but it should be taken into consideration when initiating the process and applying the necessary precautions. Furthermore, it is deemed appropriate to highlight that (…). In this regard, it is significant that (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 16/52 The verification of the applicant's identity by the point of sale cannot be considered diligent either. Regarding the method of identifying customers who request a duplicate SIM card, DIGI also fails to demonstrate the existence of any specific provision, (...). On this matter, it is important to note that in this case, it has been proven that the third party used a falsified ID. Thus, it can be concluded that the processing of personal data is carried out (i) without DIGI providing any guarantee that the applicant for the duplicate SIM card was the true owner of the line and, consequently, of the personal data; (ii) without knowing the reason for issuing the duplicate card; and (iii) without having carried out any verification to confirm that issuing this duplicate was necessary for the provision of the services contracted by the claimant, who already had an active and functioning card. Therefore, it turns out that DIGI did not correctly verify the identity of the person who requested the duplicate SIM card that prompted these proceedings, and that, had this operation been carried out correctly, the duplicate would have been denied, thus calling into question the diligence used by said entity to verify the identity of the person who requested a duplicate SIM card. It is significant, particularly regarding the applicable protocols, that the data controller does not thoroughly analyze the required diligence, shifting the responsibility to the agent, when the control over the veracity of the SIM card duplicate request, essential for the effective prevention of fraud, lies with DIGI itself. In short, there has been no proactive approach to effectively applying the principles of data protection. Therefore, the actions taken by DIGI have been clearly ineffective and insufficient, falling far short of the possibilities offered by current technical developments, and failing to consider the evident risk that contracting the services it markets represents for the rights and freedoms of individuals. Consequently, DIGI must be held liable for the infringement committed due to the lack of due diligence shown. As a large-scale repository of personal data, and therefore accustomed to or specifically dedicated to managing the personal data of clients, it must be especially diligent and careful in its processing. Recital 74 of the GDPR states: The controller's responsibility for any processing of personal data carried out by the controller or on behalf of the controller must be established. In particular, the controller must be obliged to implement appropriate and effective measures and must be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Such measures must take into account the nature, scope, context, and purposes of the processing, as well as the risk to the rights and freedoms of natural persons. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 17/52 Furthermore, considering all the factual circumstances of this case, it cannot be said that the incident affecting the processing of the complainant's personal data was the result of a sophisticated attack, as DIGI indicates in its response to the transfer request. In other matters, regarding DIGI's allegation that the fraudster had prior access to the claimant's data and documents, it should be clarified that no liability is being attributed in these sanctioning proceedings for the conduct of the third party who requested the duplicate SIM card, nor for the fraudster's prior actions in obtaining the claimant's data or subsequent actions, such as those committed to access bank accounts, whether related to obtaining the claimant's personal data provided to DIGI or to the third party's subsequent use of that data once the duplicate card was obtained. This is without prejudice to the potential impact on the claimant of a third party obtaining a duplicate of the SIM card for their mobile phone line, which obliges the responsible entity to establish all necessary safeguards to prevent it. The fact that we are dealing with third-party fraud makes it necessary to ensure that the person to whom the duplicate SIM card is issued is who they claim to be, and appropriate preventative measures must be taken to verify the identity of a person whose data will be processed, as recognized in Legal Basis Seven of the SAN, SCA, of May 5, 2021 (“On the other hand, regarding the fact that we are dealing with third-party fraud, as we stated in the SAN of October 3, 2013 (Appeal No. 54/2012): “Precisely for this reason, it is necessary to ensure that the person contracting is who they claim to be, and appropriate preventative measures must be taken to verify the identity of a person whose personal data will be processed…”). The only infringement attributed to the defendant is based on the lack of legality in the processing of the claimant's personal data. Regarding this classification of the facts, we could cite Judgment 4660/2021, of December 13, 2021, which states that “the fraudulent intervention of a third party, who impersonates another person in an online transaction, does not preclude the possibility that the contracting company, which processes the personal data, may have committed an infringement due to the lack of the necessary unambiguous consent required by Article 6 of Organic Law 3/2018, of December 5, since that fraudulent intervention by a third party does not in itself imply that the contracting company acted with due diligence. The foregoing does not mean that the contracting company is held responsible for preventing an unlawful or criminal act, such as the fraudulent use of a national identity document by someone who is not its holder.” However, it is required of said contracting company, as a necessary precaution to avoid being accused of non-compliance with its obligations regarding the protection of personal data—both in terms of requiring the data subject's consent and the principle of truthfulness and accuracy of the data—to implement control and verification measures to ensure that the person C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 18/52 who intends to contract is who they claim to be, that is, that they match the holder of the ID card provided.” It is the issuance of a duplicate SIM card and its delivery to a third party that constitutes the processing of the personal data of its holder, since an identifiable natural person is considered to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier (Article 4.1 of the GDPR). The issuance of a SIM card duplication necessarily involves the processing of personal data, as it is carried out on the line and the identity of the account holder. As can be seen in the proceedings, the data processing under analysis has involved the use of the claimant's data relating to name, surname, national identity document number, and mobile phone line, among others. The reference to the phenomenon known as SIM swapping and its potential consequences is made in order to assess the scope and nature of the alleged infringement, considering the repercussions that such practices may have on the rights of the owner of the affected personal data. In this regard, the National Court, in its judgment of May 13, 2024, Appeal No. 0002336/2021, establishes that "(...) in the first phase of this type of fraud, the impersonator fraudulently obtains the access data or credentials for the client's online banking, but still needs to know the password." verification, second authentication factor, to be able to execute any operation. The moment the duplicate SIM card is obtained, the recipient also gains access to this second authentication factor and, therefore, from that moment on, can carry out any desired asset disposal transactions. Regarding the access to the customer's personal data that results from the delivery of the card to a third party, it is necessary to point out that access to a duplicate SIM card, which identifies its holder, falls under the definition of personal data in Article 4.1 of the GDPR, as indicated in the Initial Agreement. In this regard, Judgment 595/2024 of the National Court, dated February 8, 2024, states: "We must start from the premise that the issuance of a duplicate SIM card involves the processing of the holder's personal data, since, according to Article 4.1 of the GDPR, an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier." Well, inside the mobile device, the SIM card is inserted. It's a small, physical smart card containing a chip that stores the subscriber's service key, used to identify them to the network. This includes the customer's MSISDN (Mobile Station Integrated Services Digital Network) mobile line number, as well as the subscriber's IMSI (International Mobile Subscriber Identity). It can also provide other data, such as call logs and message history. ... And as highlighted in the appealed resolution, since 2007, in Spain, in accordance with the Sole Additional Provision of Law 25/2007, of October 18, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 19/52 regarding the retention of data related to electronic communications and public communications networks, it is required that the holders of all SIM cards, whether prepaid or contract, be duly identified and registered. Therefore, when obtaining a duplicate SIM card, the person requesting it must also identify themselves and that their identity matches that of the cardholder. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 19/52 Therefore, the mere use of a SIM card by an unauthorized third party significantly increases the risk to its owner, insofar as the impersonator may have access to additional data that allows them to carry out actions with particularly serious consequences, such as unauthorized financial transactions, as has happened in the case at hand. Thus, providing a duplicate SIM card is a process in which the diligence exercised by the operators is essential to prevent this type of fraud and guarantee the adequate protection of customers' rights and interests, diligence which, as already explained, is called into question in this case. In relation to all of the above, the doctrine established by the Supreme Court, Administrative Law Chamber, Third Section, in its Judgment of December 13, 2021 (Cassation Appeal No. 6109/2020), is of particular interest. This judgment analyzes a case of identity theft for online contracting, in which the actions taken by the appellant to verify that it was contracting with the true data subject are questioned, and the appellant is sanctioned for the unlawful processing of the data subject's personal data. According to the order admitting the aforementioned appeal, “the issue that presents objective grounds for cassation in order to establish jurisprudence consists of interpreting the current personal data protection regulations in order to clarify whether the fraudulent intervention of a third party, who impersonates another person in an online contract, allows for the exclusion of any infringement due to the lack of the necessary unequivocal consent for the processing of personal data required by Article 6 of Organic Law 3/2018, of December 5, on the grounds that the contracting company acted with due diligence and in the belief that it was contracting with the true owner of such data.” This Judgment declares the following: THIRD.- The Court's response to the issue of grounds for cassation indicated in the order admitting the appeal. In response to the question raised in the order admitting this appeal, we must declare that the fraudulent intervention of a third party, who impersonates another person in an online contract, does not preclude the contracting company, which processes the personal data, from having committed an infringement due to the lack of the necessary unambiguous consent required by Article 6 of Organic Law 3/2018, of December 5, since that fraudulent intervention of a third party does not in itself imply that the contracting company acted with due diligence. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 20/52 The foregoing does not mean that the contracting company is held responsible for preventing an unlawful or criminal act, such as the fraudulent use of a national identity document by someone who is not its holder. But it is indeed required of said contracting company, as a necessary precaution to avoid being accused of non-compliance with its obligations regarding the protection of personal data—both in terms of requiring the consent of the data subject and in relation to the principle of truthfulness and accuracy of the data—to implement control and verification measures aimed at ensuring that the person seeking to contract is who they claim to be, that is, that they match the holder of the ID card provided.” Therefore, it is not a matter of attributing responsibility to DIGI for the mere finding of the unlawful processing of data, but for the lack of diligence in applying controls to ensure that the processing of the claimant's data was carried out with a legitimate basis. In short, the defendant issued a duplicate SIM card to a third party who was neither the account holder nor had proven that they were acting on their behalf, thus calling into question the diligence employed by DIGI when carrying out the appropriate checks to verify the identity of the interested client, as well as the legitimacy of the request and the processing of the data. In light of the foregoing, it cannot be said that DIGI is subject to strict liability, thus violating the principle of culpability, or that there is no infringement due to the unlawful processing of the claimant's personal data. 2. Regarding the lack of proportionality of the proposed sanction With respect to the sanction, the respondent argues that it is disproportionate in relation to the facts, taking into account the circumstances and the content of the alleged infringement. On the one hand, it questions the circumstances considered to quantify the sanction indicated in the agreement to initiate these disciplinary proceedings, specifically those relating to the negligence observed in its conduct, the connection of its activity with the processing of personal data, and the previous infringements. These issues are They analyze this in Legal Basis V, to which we refer at this point. Furthermore, it points out that, according to the provisions of Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, the following mitigating circumstances exist in this case that were not considered in the appropriate determination of the sanction: — The respondent effectively resolved the issue in question (Article 83.2 c GDPR). The admission that the respondent's effective resolution of the issue in question (Article 83.2 c) of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 21/52 GDPR) partially negates the deterrent purpose of the sanction. Accepting DIGI's argument in a A scenario like the one at hand would introduce an artificial reduction in the penalty that should truly be imposed; the one resulting from considering the circumstances of Article 83.2 GDPR that must be assessed. Furthermore, as reflected in this document, DIGI took no action to resolve the situation created by the issuance of the fraudulent duplicate SIM card. Rather, it was the actions taken by the claimant to recover their mobile service that led to the cancellation of the fraudulent card. —At no time were special categories of data processed (Article 83.2 g) GDPR). This issue is addressed in Legal Basis V cited above. —The degree of cooperation from DIGI with the Spanish Data Protection Agency (AEPD) in order to remedy an alleged infringement and mitigate its potential adverse effects (Article 83.2 f) GDPR). Cannot be taken into account This allegation is invalid insofar as responding to the information requests sent by this Agency does not fall under this mitigating circumstance. — The non-existent benefit obtained by DIGI as a result of the data processing that is the subject of this proceeding (Art. 83.2 k) GDPR). Article 83.2.k) of the GDPR refers to “any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” And Article 76.2c) of the LOPDGDD states that “2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: [...] c) The benefits obtained as a consequence of the commission of the infringement.” Both provisions mention as a factor that may be taken into account when determining the penalty the “benefits” obtained, but not the “absence” of such benefits, which is what DIGI alleges. Furthermore, according to Article 83.1 of the GDPR, the imposition of fines is governed by the following principles: they must be individualized for each particular case, be effective, proportionate, and dissuasive. The admission that the absence of benefits can operate as a mitigating factor is contrary to the spirit of Article 83.1 of the GDPR and to the principles governing the determination of the amount of the fine. If, as a result of committing a GDPR infringement, the absence of benefits is considered a mitigating factor, the deterrent purpose of the penalty is partially nullified. Accepting DIGI's argument in a case such as the one at hand would entail introducing an artificial reduction in the penalty. truly it is appropriate to impose; the one that results from considering the circumstances of Article 83.2 of the GDPR, which must indeed be assessed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 22/52 The Administrative Chamber of the National Court has warned that the fact that, in a specific case, not all the elements that constitute a circumstance modifying liability, which by its nature is aggravating, are present, cannot lead to the conclusion that such circumstance is applicable as a mitigating factor. The ruling made by the National Court in its judgment of May 5, 2021 (Appeal No. 1437/2020)—even though that ruling deals with the circumstance of paragraph (e) of Article 83.2 of the GDPR, the commission of prior infringements—is applicable to the question raised, the claim of The claim that the "absence" of benefits should be accepted as a mitigating factor is based on the fact that both the GDPR and the LOPDGDD refer only to "benefits obtained." Furthermore, DIGI points out that the quantification of the possible sanction to be imposed on DIGI in relation to the alleged breach of the obligations of Article 6.1 of the GDPR should be limited to a warning, and that, ultimately, the proposal included in the Initial Agreement notified to DIGI should be moderated or adjusted, taking into account its arguments. Regarding the imposition of a warning, reprimand, or the adoption of corrective measures pursuant to Article 58 of the GDPR, a dissuasive fine is one that has a genuine deterrent effect. In this regard, the Judgment of the CJEU of 13 June 2013, Versalis Spa v Commission, C-511/11, ECLI:EU:C:2013:386, states: “94. With regard, firstly, to the reference to the Showa Denko v Commission judgment, cited above, it should be noted that Versalis misinterprets it. Indeed, the Court of Justice, in stating in paragraph 23 of that judgment that the deterrent factor is assessed taking into account a multitude of elements and not only the particular situation of the undertaking concerned, was referring to points 53 to 55 of the Opinion delivered in that case by Advocate General Geelhoed, who had pointed out, in essence, that the deterrent multiplier can have as its objective not only a ‘general deterrence’, defined as an action to discourage all the companies, in general, from committing the infringement in question, but also a “specific deterrent,” consisting of dissuading the specific defendant from infringing the rules again in the future. Therefore, the Court of Justice, in that judgment, merely confirmed that the Commission was not obliged to limit its assessment to factors related solely to the particular situation of the company in question. “102. According to settled case law, the objective of the deterrent multiplier and the consideration, in this context, of the size and overall resources of the company in question lies in the desired impact on that company, since the penalty must not be insignificant, especially in relation to the company's financial capacity (in this regard, see, in particular, the judgment of 17 June 2010, Lafarge v Commission, C-413/08 P, ECR p. I-5361, paragraph 104, and the order of 7 February 2012, Total and Elf Aquitaine v Commission, C-421/11 P, paragraph 82).” We must consider the unique circumstances of the complaint filed, which demonstrate that, from the moment the impersonator replaces the SIM card, the victim's phone loses service, transferring control of the line to the impersonators. Consequently, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 23/52 their rights of disposition and control over their personal data are affected, which constitute part of the fundamental right to data protection, as established by the Constitutional Court in Judgment 292/2000, of November 30, 2000 (Legal Basis 7). Therefore, by obtaining a duplicate SIM card, under certain circumstances, it becomes possible to access contacts or applications and services that use SMS code recovery as a password reset procedure. In short, they can impersonate the affected individuals, gaining access to and control of, for example: email accounts; bank accounts; applications such as WhatsApp; social networks like Facebook or Twitter; and much more. In summary, once the access code is changed by the impersonators, the affected individuals lose control of their accounts, applications, and services, posing a significant threat. IV Response to the allegations presented against the proposed resolution The allegations presented do not invalidate the grounds justifying the agreement adopted in this resolution. In its written submissions to the proposed resolution, DIGI essentially reiterates the same arguments it made when the proceedings were initiated, without considering the established facts and the grounds that formed the basis of the aforementioned proposal, which this resolution adopts. These grounds extensively analyze the circumstances presented by DIGI and explain the reasons for its rejection. Therefore, the arguments contained in its new written submissions are more than adequately refuted by the arguments transcribed in the preceding Legal Basis and those that follow, which are considered valid and sufficient to reject DIGI's arguments. Notwithstanding the foregoing, it is deemed appropriate to expand upon this response as follows: 1. On the principle of culpability and strict liability. No infringement of Article 6 of the GDPR. Lack of due process and legal certainty. The preceding Legal Basis extensively analyzes these issues, paying particular attention to the circumstances observed in this case. However, after reiterating its initial arguments from the commencement of the proceedings and disregarding the reasoning presented by this Spanish Data Protection Agency (AEPD), DIGI insists that the measures implemented and the diligence exercised by it are not taken into account, but only the result produced by the unlawful actions of a third party who committed criminal acts by impersonating the claimant and using a false identity document that appeared entirely legal, as it included the correct name and number. DIGI argues that the absolute obligation to detect a false document is not applicable. DIGI maintains that basing the imposition of a sanction solely on the outcome of the action constitutes adopting a principle of strict liability and disregarding the necessary element of culpability. Digi argues that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 24/52 All of this has been sufficiently addressed in the preceding Legal Basis, which analyzes DIGI's conduct and the measures implemented, without limiting the analysis to the outcome, and sets forth the circumstances that led to the classification of its conduct as culpable or negligent. On the contrary, it is DIGI that omits in its allegations any reference to these circumstances and the lack of adequate mechanisms to ensure the validity of the request, regarding which it provides no explanation, and deviates from the central issue by merely alleging that the problem lies in the fraudulent actions of a third party. As already indicated, DIGI (…). Given this situation, it cannot be said that the processing of the claimant's personal data for the issuance of the duplicate card was necessary for the performance of the contract. Nor can the verification of the applicant's identity by the point of sale be considered diligent. Regarding the method of identifying customers who request a duplicate SIM card, DIGI also fails to demonstrate the existence of any specific provision. On this matter, it is important to note that in this case, it has been proven that the third party used a falsified ID. Similarly, it does not adequately justify its failure to question the fact that the duplicate request was made in a physical store in [LOCATION.2] ([PROVINCE.2]) by a person residing in a municipality in [LOCATION.1]. It fails to consider that this circumstance should, in any case, have raised the appropriate suspicion or alert, given the standards and precautions required for the proper prevention of risks and fraud. Consequently, the principle of proactive responsibility cannot be considered fulfilled. Nor can the infraction be considered to have resulted from a single, isolated error by the sales agent during the visual verification of an identity document, or from the use of an undetectable false identity document. DIGI insists on the suitability of the implemented measures and that a mere, isolated human error cannot, in itself, lead to sanctions, especially when said error is intentionally caused by the illicit actions of a third party, as is the case here. Thus, it is asserted that DIGI lacks measures authorized by the supervisory authority that would allow it to guarantee due diligence. Furthermore, it maintains that this Agency's aversion to or questioning of identification measures is such that it has even generated a negative perception of these practices, such as, for example, the request for a copy of the national identity document. In support of the above statement, DIGI provides a list of news items, obtained through internet searches, related to the use of the National Identity Document (DNI) as a means of verifying the identity of interested parties, as well as two reports from the Legal Department of the Spanish Data Protection Agency (AEPD). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 25/52 First, it should be emphasized that it is the responsibility of the respondent entity to determine the specific procedures, mechanisms, or instruments to implement the appropriate security measures for the protection of personal data, since it is the data controller who fully understands their organization and must decide, based on proactive responsibility and a risk-based approach, how to comply with the GDPR and the Spanish Data Protection Act (LOPDGDD). On the other hand, characterizing the legitimate exercise of this Agency's oversight powers as an alleged "aversion" lacks legal basis and is entirely inappropriate. The internet search results collected, as well as the cited reports from the Legal Department, refer to material areas different from the one that constitutes the specific object of these proceedings, which takes the analysis out of context and distorts the issue and, consequently, is invalid because it distorts the meaning and scope of the matter actually under discussion. Regarding the criteria that this Spanish Data Protection Agency (AEPD) applies concerning the identification of data subjects through identity documents, the collection of which is sometimes considered excessive, DIGI does not consider that, in defining the cases, the organization of the data controller and respect for the principle of proactive responsibility are taken into account. In none of the eighteen sanctioning proceedings brought by this AEPD against DIGI for defects in the identification of the data subject, whether completed or ongoing, all of them for infringement of Article 6 of the GDPR, is a discrepancy of criteria evident regarding this circumstance. This Agency considers that DIGI's exemption from liability requires demonstrating diligent conduct, which, in light of this Agency's assessment of DIGI's conduct and the measures implemented, has not been demonstrated. Therefore, the claim of lack of due process is inadmissible, since the sanction is not based on the mere occurrence of a harmful result, as alleged, and no lack of justification is observed in the proposed solution. Furthermore, DIGI is not being held liable in these sanctioning proceedings for the conduct of the third party who requested the duplicate SIM card, nor for the fraudster's prior actions to obtain the claimant's data, or subsequent actions, such as those committed to access bank accounts, whether related to obtaining the claimant's personal data provided to DIGI or to the third party's subsequent use of that data once the duplicate SIM card was obtained. This is without prejudice to the fact that the potential impact on the data subject of a third party obtaining a duplicate SIM card for their mobile phone line may be taken into account. This obliges the responsible entity to establish all necessary safeguards to prevent it. The only infringement attributed to the respondent is based on the lack of lawfulness in the processing of the complainant's personal data. DIGI, by issuing a duplicate SIM card to the complainant without having reliably verified the applicant's identity or confirmed that the request came from the legitimate owner of the line, acted contrary to the principle of lawfulness established in Article 6.1 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 26/52 This action lacks a valid legal basis to legitimize the processing. DIGI invokes as the legal basis for carrying out the SIM card duplication, the execution of the existing telecommunications service agreement between the claimant and DIGI, emphasizing that consent is never used as a legal basis. However, in cases like this, the data processing involved in issuing a duplicate SIM card is not necessary for the provision of services, which were being provided normally. It is precisely the issuance of this duplicate and its delivery to a third party that causes the service interruption for the account holder, forcing them to request a new card to restore service. The reference to the phenomenon known as SIM swapping and its potential consequences is made in order to assess the scope and nature of the alleged infringement, considering the repercussions that such practices may have on the rights of the data subject. DIGI insists that a duplicate SIM card does not grant access to any applications or personal accounts, which are stored on the mobile device, not the SIM card. Furthermore, it reiterates that, on the one hand, it is through phishing attacks that the claimant loses control over their personal data, and this is what triggers and enables the commission of fraud. On the other hand, it is the financial institutions that ultimately enable access to the victims' data and allow the SIM card to be used as a means of accessing individuals' accounts. For these reasons, DIGI concludes that it cannot be held liable for any unlawful processing of personal data. In this context, the defendant entity cites in its defense the report entitled “COUNTERING SIM-SWAPPING Overview and good practices to reduce the impact of SIM-Swapping attacks” (original English title: COUNTERING SIM-SWAPPING Overview and good practices to reduce the impact of SIM-Swapping attacks) published by the European Union Agency for Cybersecurity (ENISA) in December 2021, and the 2021 Report of the Spanish State Attorney General's Office (FGE) on Cybercrime. Regarding the matter at hand, it suffices to point out that the process of issuing a SIM card is an act carried out under the direct control of the operator or its authorized distributors, and its proper execution forms part of the duty of professional diligence imposed by regulations on security and the protection of subscribers' personal data. In particular, telecommunications operators maintain a duty of due diligence in managing their subscribers' data and preventing unauthorized access, an obligation that cannot be circumvented by the participation of other parties in the fraud. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 27/52 Furthermore, while the ENISA report “Countering SIM Swapping” acknowledges that, to carry out fraud through SIM card duplication, the perpetrator must have prior access to certain personal data of the victim, this circumstance does not exempt the mobile network operator from liability. The existence of prior unauthorized access to the data does not interrupt the operator's duty of verification, authentication, and safekeeping during the duplication process. On the contrary, precisely because it is a known and documented risk factor, the operator is obligated to implement enhanced identification and validation controls, in accordance with the principles of professional diligence, security by design, and fraud prevention. Therefore, the aforementioned report, in section 4.1, includes specific guidelines for mobile phone operators to strengthen measures for the prevention and detection of this type of illicit activity. Among such guidelines is that of establish stricter controls for client authentication and sharing (duplicate) SIM cards: “Measures that can be applied to mitigate the attack include internal checks on aspects such as limiting staff access to customer information and the ability to perform SIM swaps; back-end system validations before executing changes; enforcement of time based restrictions on account changes; checks, based on location of subscriber; notification of changes to customers (call-back verification); and the use of passwords and PINs by customers to access their accounts. Performing background checks on the subscriber using a back-office team could also prove to be an effective countermeasure. Such background checks could include checking the most recently provided postal address, cross-checking the ID card presented in store with previous copies maintained under the subscriber’s profile and examining the customer’s recent contacts with customer representatives.” “Measures that can be implemented to mitigate the attack include internal controls regarding aspects such as limiting staff access to customer information and the ability to change SIM cards; back-end system validations before implementing changes; applying temporary restrictions to account changes; controls based on subscriber location; notifying customers of changes (verification via callback); and requiring customers to use passwords and PINs to access their accounts. Conducting subscriber background checks by an administrative team could also be an effective countermeasure. Such background checks could include verifying the most recently provided postal address, cross-referencing the ID presented in the store with previous copies stored in the subscriber's profile, and reviewing the customer's recent contacts with customer service representatives.” (Unofficial translation) These recommendations, while not legally binding, constitute due diligence parameters and relevant technical standards for the interpretation of the duty of communications security. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 28/52 Regarding the subscriber location-based controls mentioned in the ENISA report “Countering SIM Swapping” and in light of the allegations made by DIGI in this regard, it should be noted that, given the current trends in digital fraud and identity theft, the fact that the telephone line holder is located in a different municipality than their place of residence, while not a determining factor in itself, could reasonably serve as an additional indicator requiring more rigorous verification by the operator. The discrepancy between the address associated with the line and the location from which the duplicate is requested constitutes an objective fact that, while not conclusive, can be considered an operational risk factor. In such cases, it would be reasonably advisable to activate additional authentication or verification mechanisms for the account holder. Regarding the 2021 Annual Report of the Attorney General's Office (fiscal year 2020), this Agency does not share DIGI's interpretation of the document. On the contrary, it understands that the report presents a different line of reasoning, in which, far from attributing the status of victims of SIM swapping fraud to mobile phone operators, it highlights, on the one hand, the specific security measures that these entities have been forced to implement in order to strengthen the procedures for issuing and duplicating SIM cards, in response to the efficiency and ease with which the perpetrators were able to carry out their illicit activities. Furthermore, it emphasizes its participation in two Working Groups aimed at finding solutions to the problems generated by the type of fraud known as SIM swapping, particularly underscoring the importance of establishing effective cooperation among all the agencies involved. For its part, the National Cybersecurity Institute (INCIBE) includes the following information about SIM swapping on its website, “incibe.es”: “Remember that in SIM swapping, cybercriminals attempt to fraudulently duplicate a person's mobile device SIM card. To do this, they impersonate the victim to obtain a duplicate. Subsequently, once the victim is without phone service, they access their personal information and take control of their applications, impersonating them on social media, email accounts, or online banking, using the verification SMS messages sent to the phone number. In this way, the cybercriminal can retrieve the confirmation text messages with the credentials and commit cybercrimes using these credentials, such as carrying out banking transactions or identity theft.” Therefore, the mere use of a SIM card by an unauthorized third party significantly increases the risk to its owner, insofar as the impersonator may have access to additional data that allows them to carry out actions with particularly serious consequences, such as unauthorized financial transactions, as has occurred in the case at hand. Thus, providing a duplicate SIM card is a process in which the diligence exercised by the operators is essential to prevent this type of fraud and guarantee the adequate protection of customers' rights and interests, diligence which, as already explained, is called into question in this case. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 29/52 2. Proportionality of the Sanction The respondent disagrees with the factors considered to determine the seriousness of the infringement and the aggravating circumstances applied by the Agency when assessing the sanction. However, the allegations made by the respondent are not sufficient to refute the arguments presented, and therefore must be dismissed, referring, for this purpose, to what is stated in the Legal Grounds of this resolution, specifically sections II, which contains the response to the allegations made by DIGI at the start of the proceedings, and VI, which details the factors used to determine the severity of the imposed sanction. However, it is important to note that, in determining the amount of the administrative fine, the primary consideration was that the infraction directly affects a single interested party, the claimant, without prejudice to assessing the weaknesses already described in the security measures and policy implemented by the respondent and the possibility that this could lead to similar incidents affecting other parties. Thus, the fine imposed in this case (€140,000) falls within a range significantly lower than the potential penalty range, which, as already indicated in the proposed resolution, is set between €0.00 and €25,760,000 for a company whose turnover in 2023 amounted to €644,000,000. Similarly, the mitigating circumstances invoked by the respondent are dismissed, regarding the category of personal data processed, the degree of cooperation shown by DIGI, the lack of any benefit derived from the commission of the infringement, and the respondent's effective resolution of the issue in question (Art. 83.2 c), as they reiterate those already included in their statement of allegations to the initial agreement, for the reasons described in the aforementioned Legal Basis III. However, it is deemed appropriate to clarify the following: a) With respect to the intervention of a third party who used falsified documentation, and the negligence observed in DIGI's conduct, it is necessary to reiterate all the arguments presented herein. b) DIGI understands that the Spanish Data Protection Agency (AEPD) considers the technical and organizational measures for assessing the factors for determining the severity of the fine, as outlined in points b) and d) of Article 83.2 of the GDPR. However, this Agency does not share this view, since the negligence observed in DIGI's specific conduct in this particular case and the development of an effective general procedure to prevent similar situations are issues that can be assessed separately for the purpose of quantifying the fine. ... c) Regarding the application of the aggravating factor provided for in Article 83.2.k) of the GDPR in conjunction with Article 76.2.b) of the LOPDGDD, the assertion made by DIGI that Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on May 24, 2023, by the European Data Protection Board (EDPB), exclude the business activity and sector of the infringer as a criterion to be considered in the imposition and quantification of penalties arising from an infringement of data protection regulations, does not correspond with the text of the aforementioned Guidelines. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 30/52 Conversely, Article 83.2.k) of the GDPR is open-ended and has allowed the Spanish legislator to consider the connection between the controller's activity and the processing of personal data as a factor in determining the fine. This specific circumstance is what is assessed in the Legal Basis dedicated to determining the amount of the fine, and not the activity itself or the business sector to which the infringer belongs. V Breach of Obligation The defendant is accused of committing an infringement by violating Article 6 of the GDPR, "Lawfulness of Processing," which specifies in paragraph 1 the circumstances under which the processing of third-party data is considered lawful: "1. Processing shall be lawful only if at least one of the following conditions applies: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the controller is subject; d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller." processing; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The provisions of point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their administrative functions. It is important to note that Article 4.1 of the GDPR defines “personal data” as: “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as, for example, a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 31/52 In this regard, it should be clarified that the SIM card is inserted inside the mobile device. It is a small, physical smart card that contains a chip storing the subscriber's service key. This key is used to identify the subscriber to the network, that is, the customer's MSISDN (Mobile Station Integrated Services Digital Network) mobile phone number, as well as the subscriber's IMSI (International Mobile Subscriber Identity). However, it can also provide other data such as call logs and message history. On the other hand, issuing a duplicate SIM card involves processing the personal data of its holder, since any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier (Article 4.1 of the GDPR), is considered an identifiable natural person. Both the data processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module) itself, which uniquely and unambiguously identifies the subscriber on the network, constitute personal data, and their processing must comply with data protection regulations. In this case, it has been established that, on December 28, 2022, DIGI delivered a duplicate SIM card to an unauthorized third party without the claimant's consent. The duplicate SIM card was delivered to an alleged impersonator after he passed the established protocols for verifying the applicant's identity. To do so, the third party provided manipulated or falsified documents, namely, the claimant's identity document. However, DIGI failed to perform the necessary checks to verify whether the applicant for the duplicate SIM card was indeed the owner of the personal data and the services contracted with the operator, as detailed in the preceding Legal Grounds. As a result, the defendant issued the SIM card to a third party who was not the account holder. Therefore, in this case, the diligence exercised by the defendant to verify the identity of the person who requested a duplicate SIM card, as well as the legitimacy of the request, is called into question. In short, issuing a duplicate SIM card necessarily involves the processing of personal data, as it is carried out on the SIM card line and the identity of the account holder. This processing must comply with a legal basis that legitimizes it, as required by Article 6.1 of the GDPR, just like any communication of personal data to a third party, which also constitutes data processing and which, in this case, occurs with the delivery of the card to an unauthorized third party. In this case, issuing the duplicate SIM card at the request of a third party without the involvement or consent of the account holder constitutes a lack of a valid legal basis for said data processing. Therefore, issuing a duplicate SIM card under these conditions and delivering it to a person other than the telephone line holder constitutes the processing of personal data without a legal basis and, consequently, an infringement of Article 6.1 of the GDPR, since it was carried out without complying with any of the legal bases for such processing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 32/52 Therefore, the facts are considered to constitute an infringement attributable to DIGI, for violation of Article 6.1 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 32/52 In this regard, Recital 40 of the GDPR states: “(40) For processing to be lawful, personal data must be processed with the data subject’s consent or on some other legitimate ground established in accordance with the law, whether in this Regulation or under other Union or Member State law to which this Regulation refers, including the need to comply with a legal obligation to which the controller is subject or the need to perform a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.” VI Classification and Assessment of the Infringement The infringement is classified under Article 83.5 of the GDPR, which defines it as follows: “5. Infringements of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher: 1. The basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9.” For the purposes of the statute of limitations for infringements, the LOPDGD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), in its Article 72.1, classifies as a very serious infringement, in which case the statute of limitations is three years, “(b) The processing of personal data without any of the conditions for lawfulness of processing established in Article 6 of Regulation (EU) 2016/679 being met.” VII Sanction In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed. These articles state: “1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are, in each individual case, effective, proportionate and dissuasive.” “2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due consideration shall be given to: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 33/52 (a) the nature, seriousness, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered; (b) the intent or negligence of the infringement; (c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects; (d) the degree of responsibility of the controller or processor, taking into account the technical measures or organizational measures that have been implemented pursuant to Articles 25 and 32; (e) any previous infringement committed by the controller or processor; (f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects; (g) the categories of personal data affected by the infringement; (h) how the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement; (i) where the measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct pursuant to Article 40 or to approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits profits gained or losses avoided, directly or indirectly, through the infringement. Within this section, the LOPDGDD (Spanish Data Protection Law) stipulates in Article 76, entitled “Sanctions and Corrective Measures”: “1. The sanctions provided for in paragraphs 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the criteria for determining the severity of the sanction established in paragraph 2 of said Article. 2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The ongoing nature of the infringement. b) The connection between the infringer's activity and the processing of personal data. c) The benefits obtained as a result of committing the infringement. d) The possibility that the data subject's conduct may have induced the commission of the infringement. e) The existence of a merger by acquisition subsequent to the commission of the infringement, which cannot be attributed to the entity.” absorbing. f) The impact on the rights of minors. g) Appointing a data protection officer, where not mandatory. h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where disputes arise between them and any data subject. 3. It will be possible, either as a complement or alternative, to adopt, where appropriate, the remaining corrective measures referred to in Article 83.2 of Regulation (EU) 2016/679. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 34/52 In this case, considering the seriousness of the potential infringement, and paying particular attention to the consequences of its commission for those affected, a fine is warranted. It is necessary to quantify the proposed sanction, taking into account that the fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee these principles, DIGI's turnover is considered beforehand, which amounted to €644,000,000 in the 2023 financial year. First, the category of the infringement committed is taken into account, which falls under the highest level of Article 83 of the GDPR, which the regulation sanctions with the greatest severity in paragraph 5, punishing the conduct with a maximum fine of €20 million or, in the case of a company, with a fine of up to 4% of its annual turnover. According to the aforementioned provision, when establishing the maximum applicable amount, the higher of the two limits set by the regulation must be chosen. In this case, since it is a company whose turnover in 2023 amounted to €644,000,000, the amount of the fine to be imposed will necessarily be between €0.00 and €25,760,000. In accordance with the aforementioned provisions, for the purpose of determining the final amount of the penalty to be imposed in this case for the infringement of Article 6.1 of the GDPR for which DIGI is responsible, classified under Article 83.5(a) of the GDPR, the following factors are considered to be present: 1. The following circumstances are taken into account as determining factors of the seriousness of the infringement: . Article 83.2(a) of the GDPR: “the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned and the number of data subjects affected and the level of damage and loss suffered by them.” . Nature of the infringement: Article 83.5 encompasses several different types of conduct. In this case, the infringed provision affects a fundamental principle of the right to the protection of personal data, as it underpins the legality of data processing and its violation poses a significant risk to the rights of data subjects. In this case, DIGI's conduct has directly caused harm to the legally protected interest under Article 6 of the GDPR, preventing its effective application and the objective it seeks to protect. The processing of personal data is carried out (i) without DIGI having any guarantee that the applicant for the duplicate SIM card is the true owner of the line and, consequently, of the personal data; and (ii) without having carried out any checks or contacted the complainant to verify that issuing this duplicate was necessary for the provision of the services C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 35/52 contracted by the complainant, who already had an active and functioning card. As a result, the data in question has been processed without any legal basis. Seriousness of the infringement: Nature and purpose of the processing: Assessing the seriousness of these aspects of the processing of personal data requires considering the context in which it takes place. The data processing carried out in this case is for the purpose of issuing a SIM card, necessary for DIGI to provide the services contracted by its holder. If that card is requested by a third party and the entity fails to fulfill its obligations to prevent this irregularity, the final consequence is the delivery of the card to an unauthorized person and, consequently, the possibility of a third party accessing various pieces of information about the true cardholder, which can be used for fraudulent purposes. This is what happened in the present case, in which a third party used the fraudulently obtained duplicate SIM card to make charges to the cardholder's bank account. This is the phenomenon known as "SIM swapping," widespread in the current context and well known to DIGI. Once the third party gains access to the victim's phone line, they have numerous options to impersonate the victim and access all types of personal accounts (messaging, email, social media, and any type of online account, including financial ones). In this context, the processing carried out by DIGI, considering its nature and purpose, entails significant risks for the data subject. It cannot be overlooked that this data processing is carried out within the framework of the aforementioned operator's main and core business activity, conducted for profit. Scope of the processing: The assessed infringement is committed through the unlawful processing of the personal data of a single data subject, the complainant, as clearly stated in the grading factors that follow. However, it is important to consider that DIGI is a telecommunications operator that operates nationwide and that the infringement is a direct consequence of the weaknesses in the mechanisms designed by DIGI for processing SIM card replacement requests, thus increasing the number of potentially affected parties. The relationship between the infringement committed and the allocation of resources that can be required of DIGI to prevent this type of unlawful activity must be analyzed based on the actual risk and the circumstances related to its scope of action, which is national C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 36/52 Number of data subjects: The infringement being sanctioned is a consequence of the unlawful processing of the personal data of a single data subject, the complainant. Level of harm suffered by the complainant: In accordance with Recital 75 of the GDPR, the level of harm suffered refers to physical, material, or non-material damages. In this case, the harm suffered by the complainant cannot be classified as marginal. On the one hand, the claimant was deprived of the service they had contracted with DIGI, and on the other hand, they suffered bank fraud as a direct consequence of the infringement being sanctioned. This infringement, as stated, was committed not only through the data processing necessary to issue the duplicate SIM card, but also through the data processing consisting of communicating the claimant's data to a third party, resulting from the delivery of the duplicate SIM card to said third party. In cases like this, the data subject loses control of their personal data, and therefore, the damage could persist for an indefinite period. Article 83.2.b) of the GDPR: “the intent or negligence of the infringement.” In this case, we are dealing with a grossly negligent act, since the defendant issued a SIM card to a third party who was not the account holder under the circumstances described herein. DIGI's conduct demonstrates gross negligence, specifically a breach of the duty of care required by law, beyond what might be considered a neutral factor associated with the subjective element of culpability. This conclusion stems from objective elements of DIGI's conduct, obtained based on all the factual circumstances detailed in the preceding Legal Grounds, particularly in section 1 of Legal Ground III, which clearly demonstrate all the warning signs that DIGI failed to consider, leading to suspicions about the irregularity of the SIM card replacement request it received from a third party. Among the circumstances observed in this case, the following stand out: (...) The ultimate consequence of all this was that DIGI validated the request, activated the SIM card, and delivered it to a third party without any conclusive evidence regarding the identity of the person making the request, thus failing to ensure that the latter corresponded to the owner of the services and personal data. Also connected to the degree of diligence that DIGI is obliged to exercise in compliance with the obligations imposed on it by data protection regulations C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 37/52 The National High Court ruling of 17/10/2007 can be cited. Although it was issued before the GDPR came into effect, its pronouncement is perfectly applicable to the case we are analyzing. The ruling, after alluding to the fact that entities whose activity involves the continuous processing of customer and third-party data must observe an appropriate level of diligence, specified that “(...) the Supreme Court has consistently held that negligence exists whenever a legal duty of care is disregarded, that is, when the offender does not act with the required diligence. And in assessing the degree of diligence, special consideration must be given to the professionalism of the individual, and there is no doubt that, in the case now under examination, when the appellant's activity involves the constant and extensive handling of personal data, the rigor and meticulous care must be emphasized to comply with the relevant legal provisions.” Article 83.2.g) of the GDPR: “the categories of personal data affected by the infringement.” This circumstance is not limited to cases involving the processing of special categories of data. In this regard, when assessing this circumstance, reference should be made not only to the types of data covered by Articles 9 and 10 of the GDPR, but also to data outside the scope of these articles whose disclosure would cause immediate harm or hardship to the data subject, as permitted by the provision. In this regard, Guidelines 04/2022, concerning the calculation of administrative penalties under the GDPR, issued by the EDPB, state (unofficial translation): “Categories of personal data affected 58. With regard to the requirement to take into account the categories of personal data affected [Article 83(2)(g) of the GDPR], the GDPR clearly highlights the types of data that deserve special protection and, therefore, a stricter response in terms of fines. This refers, at a minimum, to the types of data referred to in Articles 9 and 10 of the GDPR and to data outside the scope of these articles whose disclosure would cause immediate harm to the data subject (e.g., location data, data on private communications, national identification numbers, or financial data such as transaction summaries or credit card numbers).” Therefore, when assessing this circumstance of Article 83.2.g) of the GDPR, data of a financial nature, such as bank account numbers, must be considered. Similarly, the processing of the National Identity Document (DNI/NIF) number constitutes the processing of personal data of a particularly sensitive nature, as it allows for the direct and unequivocal identification of a natural person. As established by Royal Decree 255/2025, of April 1, which regulates the National Identity Document, the DNI is a general personal numerical identifier, with sufficient value to prove both the identity and nationality of the holder, making it an element of particular sensitivity within the personal data ecosystem. Furthermore, its misuse carries a high risk of identity theft, financial losses, or infringement of the right to honor, risks expressly contemplated in recital 75 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 38/52 Therefore, a systematic and purposive interpretation of the GDPR—in accordance with recitals 51 and 75—allows us to consider the national identity card number as particularly sensitive data, given its potential to cause significant harm in the event of unauthorized use. 2. The following factors are considered aggravating circumstances: Article 83.2(d) of the GDPR: “the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32.” The aforementioned provisions, both Article 25 and Article 32 of the GDPR, oblige the responsible entity to take into account “the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity of processing for the rights and freedoms of natural persons” when implementing appropriate technical and organizational measures to ensure the effective application of the principles of data protection, in this case, the principle of lawfulness of processing, and to guarantee a level of security appropriate to the risk. In light of these provisions, the actions taken by DIGI have proven clearly ineffective and insufficient, falling far short of the possibilities offered by current technical developments and failing to consider the evident risk that the provision of its services poses to the rights and freedoms of individuals. In this respect, its high business volume and technical expertise mean that the level of demand for incorporating the tools and functionalities offered by the state of the art at any given time is high. The weaknesses already expressed regarding DIGI's establishment of a security policy to prevent the impersonation of its clients, in order to guarantee the principle of lawfulness in data processing, call into question the robustness of the measures adopted under Articles 25 and 32 of the GDPR, which aggravates its conduct in this specific case. It is important to note that, at the time the events that gave rise to these proceedings took place, the contact planned by DIGI to communicate the validation of the card was not made with the cardholder, but with the person making the request. Article 83.2.e) GDPR: “Any prior infringement committed by the controller or the processor.” Article 83.2 of the GDPR and Article 76 of the LOPDGDD allow for the assessment of mitigating and aggravating circumstances not only in relation to the facts that determine the infringement, but also in relation to the past or present behavior of the responsible entity, including considerations that may be relevant and that may be obtained from previous sanctioning procedures carried out by this supervisory authority resulting in a fine. That is, it is possible to evaluate the controller's monitoring record when appropriate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 39/52 or, in other words, their general behavioral profile or attitude with respect to GDPR compliance, and to consider any relevant prior infringements (Recital 148 of the GDPR) or their response to prior breaches in order to prevent infringements of the same level and characteristics and to ensure compliance with the GDPR in general. Recital 148 of the GDPR states that “In order to strengthen the application of the rules of this Regulation […]” and indicates in this regard that “Special attention should, however, be paid to […] or any relevant prior infringements […]”. The weight to be given to these grading criteria will depend on the specific circumstances of the case in question. Obviously, when the infringing entity persists in the infringement, worsening its behavior under the aforementioned conditions, the amount of the penalty to be imposed may be much higher, especially considering the level of severity attributed to the type of infringement committed. Therefore, in accordance with section (e) of Article 83.2 of the GDPR, in determining the amount of the administrative fine, all prior infringements by the controller or processor must be taken into account in order to assess the unlawfulness of the conduct analyzed or the culpability of the infringing party. Furthermore, a correct interpretation of the provision of Article 83.2(e) of the GDPR cannot disregard the purpose of the rule: to decide the amount of the administrative fine in the individual case, always ensuring that the penalty is proportionate, effective, and dissuasive. The Spanish Data Protection Agency (AEPD) has processed numerous sanctioning procedures in which the respondent has been sanctioned for infringement of Article 6.1 of the GDPR, all of them resulting from the issuance of duplicate SIM cards, in which DIGI failed to act correctly in identifying the person making the request: i. EXP202104009 Resolution issued on March 15, 2023, imposing a fine of €70,000 for actions taken on August 28, 2021. ii. EXP202201226. Resolution issued on March 14, 2023, imposing a fine of €70,000 for actions taken on November 13, 2021. iii. EXP202204881. Resolution issued on June 2, 2023, imposing a fine of €70,000 for actions taken on April 1, 2021. iv. EXP202213029. Resolution issued on July 20, 2023, imposing a fine of €70,000 for actions taken on October 26, 2022. v. EXP202211403. Resolution issued on September 20, 2023, imposing a fine of €200,000 for actions taken on December 25, 2021. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 40/52 Article 83.2.k of the GDPR in conjunction with Article 76.2(b) of the LOPDGDD: “The connection between the infringer's activity and the processing of personal data.” The respondent provides telecommunications services, and therefore, in the course of its business, it routinely needs to process personal data. This impacts the diligence required of it to comply with the principles governing the processing of personal data and the quality and effectiveness of the technical and organizational measures it must have implemented to guarantee respect for this right. Thus, the significance of the conduct that is the subject of this complaint is undeniable. Furthermore, the data processing for which the penalty is imposed is carried out in the course of the respondent's main business activity. This circumstance, in general, constitutes an aggravating factor. This has also been considered by the National Court in its Judgment of September 13, 2024, when it declared: “In the case at hand, the appellant achieved a turnover exceeding €46 million in 2018 and has more than 600 employees. Therefore, the imposed sanction cannot be considered disproportionate given the circumstances, taking into account its turnover and its connection to the processing of personal data, considering the number of employees and its activity.” 3. The following mitigating factors are considered: Article 83.2.k) of the GDPR: “any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” The assessment of DIGI's conduct in this case requires considering the actions taken by the entity to comply with the provisions of the GDPR and the Spanish Data Protection Act (LOPDGDD), in accordance with the principle of continuous improvement. While acknowledging that this continuous improvement is an obligation for data controllers, it is deemed appropriate to consider the proactive approach taken by DIGI, which, throughout the proceedings, has implemented measures in its security policy aimed at preventing similar situations in the future. This is without prejudice to any other measures that may be necessary for the effective identification of individuals requesting duplicate SIM cards, the implementation of which is DIGI's decision based on the principle of proactive responsibility. Based on the foregoing, and considering the requirement that the fine be effective, proportionate, and dissuasive, and with the aim of ensuring effective compliance with the GDPR and the LOPDGDD, the assessment of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, considered as a whole, with respect to the infringement committed by violating the provisions of Article 6 of the GDPR, allows for the imposition of an administrative fine of €140,000.00 (one hundred and forty thousand euros). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 41/52 III Response to the allegations made in the appeal A) Regarding the alleged infringement The appellant reiterates in its appeal the same allegations that were already made during the procedural steps that culminated in the contested decision. Indeed, the appeal merely reproduces the arguments presented in the previously submitted pleadings, without providing new factual or legal elements that could refute the grounds on which the appealed act is based. These grounds, which analyze the relevant circumstances and explain the reasons that led to the dismissal of the appellant's claims, are considered fully valid and sufficient to uphold the decision adopted. However, the following should be reiterated: First, it is important to clarify that the infringement attributed to DIGI is based on the unlawful processing of personal data, as provided for in Article 6.1 of the GDPR, by issuing and delivering a duplicate SIM card corresponding to the claimant's mobile phone line. to an unauthorized third party, all without the knowledge or consent of the legitimate data subject and without any other legal basis to justify such processing of personal data. Article 6.1 establishes that the processing of personal data is only lawful if at least one of the conditions set out in the aforementioned article is met. In this case, the violation of the principle of lawfulness is manifested in the improper processing of the personal data of the complainant, who was not the actual applicant for the duplicate card. This type of processing requires adequately verifying the identity of the applicant, and for this purpose, it is necessary to establish measures that ensure this correct identification. The implementation, monitoring, and compliance with these measures are relevant elements for assessing the degree of diligence exercised by the data controller and, consequently, for evaluating their level of responsibility in relation to the facts of the complaint. In this regard, Article 5.2 of the GDPR imposes the principle of accountability on the data controller. proactive, which obliges it not only to comply with the provisions of the Regulation, but also to be able to demonstrate such compliance. The duplicate was delivered to a third party impersonating the claimant after they passed the established protocols to verify the applicant's identity, for which the third party provided manipulated or falsified documents, namely, the claimant's identity document. However, DIGI did not carry out the appropriate checks to verify whether the applicant for the duplicate was actually the owner of the personal data and the services contracted with the operator, as detailed in the Legal Basis above. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 42/52 In summary, in this specific case, the processing of the claimant's personal data was carried out without complying with the lawfulness requirements established in Article 6.1 of the GDPR. The infringement of this article confirms that the The complainant allowed unauthorized processing of data, thereby violating the rights of the complaining party. The SIM card is a card inserted into the mobile terminal. It is a small, physical smart card containing a chip that stores the subscriber's service key, used to identify them to the network. This includes the customer's mobile phone number (MSISDN - Mobile Station Integrated Services Digital Network), as well as the subscriber's personal identification number (IMSI - International Mobile Subscriber Identity). It can also provide other data, such as information about the phone directory or call and message logs. Issuing a duplicate SIM card involves processing the personal data of its holder, since any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, is considered an identifiable natural person. (Article 4.1 of the GDPR). In short, both the data processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module) that uniquely and unambiguously identifies the subscriber on the network constitute personal data, and their processing must be subject to data protection regulations. The National Court ruling of February 8, 2024, addresses this point, stating: “We must begin by noting that issuing a duplicate SIM card involves the processing of the cardholder's personal data, since, according to Article 4.1 of the GDPR, an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier. The SIM card is inserted inside the mobile device.” It is a smart card in a small, physical format, containing a chip that stores the subscriber's service key used to identify themselves to the network. This key includes the customer's MSISDN (Mobile Station Integrated Services Digital Network) mobile line number, as well as the subscriber's IMSI (International Mobile Subscriber Identity). It can also provide other data, such as call logs and message history. ... And as highlighted in the appealed resolution, since 2007, in Spain, in accordance with the Sole Additional Provision of Law 25/2007, of October 18, on the retention of data relating to electronic communications and public communications networks, it is required that the holders of all SIM cards, whether prepaid or contract, be duly identified and registered. Therefore, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 43/52 when obtaining a duplicate SIM card, the person requesting it must also identify themselves and that their identity matches that of the holder.” Likewise, the National Court ruling of February 9, 2023, also states the following: “Well, the SIM card is a smart card that is inserted into the mobile terminal, containing a chip that stores the subscriber service key used to identify the user to the network. Thus, the State Attorney General's Office, in a July 2016 report cited by the appealed resolution, points out: “According to European standards relating to digital cellular telecommunications systems, established by the European Telecommunications Standards Institute (ETSI), a fully operational mobile communications device, colloquially known as a “Mobile Phone,” is materially composed of two essential elements. First, the terminal (…). Second, the user identification module, better known as a “SIM card” (Subscriber Identity Module). This SIM card is interchangeable between the different mobile terminals on the market and its digital chip contains the information necessary to identify and authenticate the subscriber, including the International Mobile Subscriber Identity (IMSI), which uniquely identifies the subscriber on the cellular network. Without a valid IMSI, telephone services will not be accessible, except in the case of an emergency call.” Therefore, the IMSI is the identification code on the cellular communications network. It is fundamental for identifying the subscriber, and since it is stored on the SIM card, whoever has that card (the spoofer) has the IMSI stored. Furthermore, as soon as the spoofer inserts the SIM into a terminal and turns it on, the IMSI will be accessed and exchanged with the network. Therefore, insofar as the IMSI installed on the SIM card allows for the identification of an individual, it must be considered personal data, according to Article 4 of the GDPR, which defines it as “any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” In other words, the improper issuance of a person's mobile phone SIM card to a third party who impersonates them allows that third party to access the confidential information stored on the card and the legitimate SIM card holder's phone line, resulting in a clear loss of confidentiality since the data is unlawfully transmitted to a third party. Please note that in Spain, since 2007, pursuant to the Sole Provision of Law 25/2007 of October 18, it is required that all SIM card holders be duly identified and registered. This is important because the subscriber's identification is essential for activating the SIM card, which means that when obtaining a duplicate, the person requesting it must identify themselves and their identity must match that of the cardholder. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 44/52 this will require that, when obtaining a duplicate SIM card, the person requesting it must identify themselves and that their identity matches that of the cardholder. In short, both the personal data (name, surname, and ID number) processed to issue a duplicate SIM card, and the SIM card itself, which uniquely identifies the subscriber on the network, are personal data… In this case, it has been proven that DIGI provided a duplicate SIM card to a third party without the claimant's consent. This third party accessed the information contained on the mobile phone, such as bank details, passwords, email address, and other personal data associated with the device. Therefore, the defendant failed to take the necessary precautions to prevent these events from occurring. Regarding the specific context, it is important to note that "SIM swapping" is a recurring phenomenon in the telecommunications sector. By definition, this phenomenon involves fraudulent duplication to impersonate the user and gain access to their social media accounts. instant messaging applications, banking applications, or e-commerce platforms, with the aim of interacting and performing transactions on their behalf, authenticating using a username and password previously stolen from that user, as well as with two-factor authentication upon receiving the confirmation SMS on their own mobile device where they have inserted the duplicate SIM card. As the European Union Agency for Cybersecurity (ENISA) indicates in its press release “Beware of the SIM Swapping Fraud!” published on its website on December 6, 2021: “SIM swapping attacks have been reported in the media since 2017. Such attacks usually target banking transactions, but not only. These attacks are also perpetrated against the cryptocurrency community, social media, and email accounts.” “SIM swap attacks have been reported in the media since 2017. These attacks typically target banking transactions, but not only that. They are also perpetrated against the cryptocurrency community, social networks, and email accounts.” (unofficial translation) In this regard, INCIBE states the following on its website, in the publication dated September 26, 2019, “Why is a cybercriminal interested in duplicating your SIM card?”: “The entry into force of the PSD2 regulation, in which the mobile phone takes on a very important role for making online payments, as it is necessary for confirming transactions, makes this device a clear target for cybercriminals. Obtaining the one-time “second factor” authentication code, which the bank sends to the user's phone, for example, in SMS format, will be vital for any fraudster who wants to confirm an online payment. How do they get that code?” Replacing the SIM card. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 45/52 Therefore, in practice, the persistence of this phenomenon demonstrates risks associated with the processing of personal data, which require a high level of diligence from the data controller and reinforces the need to demonstrate the effective implementation of measures that guarantee the lawfulness of the processing. In light of the foregoing, this Agency does not agree with the claim made that the issuance of a duplicate SIM card does not entail access to customers' banking information, passwords, email addresses, etc., since this claim contradicts the technical and practical reality of what a SIM swapping attack entails. DIGI has not provided sufficient evidence to demonstrate that it applied appropriate and proportionate measures in the specific context in which it operates in order to guarantee the compliance of the processing with data protection regulations. of data. However, it should be clarified that no responsibility is being transferred to DIGI in this sanctioning procedure for the conduct of the third party who requested the duplicate SIM card, nor for the fraudster's prior conduct in obtaining the claimant's data or subsequent actions, nor for those committed to access the bank accounts, whether related to obtaining the claimant's personal data that was provided to DIGI or to its subsequent use by the third party once they obtained the duplicate card. This is without prejudice to the potential impact on the interested party if a third party obtains a duplicate of the SIM card corresponding to their mobile phone line, which obliges the responsible entity to establish all necessary precautions to prevent it. As indicated, the only infringement attributed to the respondent is based on the unlawful processing of the claimant's personal data. The reference The investigation into the phenomenon of SIM swapping and its potential consequences is carried out to assess the scope and nature of the alleged infringement, taking into account the repercussions that such practices may have on the rights of the data subject. In this regard, the National Court, in its judgment of May 13, 2024, Appeal No. 0002336/2021, establishes that “(...) in the first phase of this type of fraud, the impersonator fraudulently obtains the client's online banking login credentials, but lacks the verification code, the second authentication factor, to be able to execute any transaction. At the moment when they obtain the duplicate SIM card, they also gain access to this second authentication factor and, therefore, from that moment on, they can carry out any asset transactions they wish.” For its part, the National Cybersecurity Institute (INCIBE) includes the following information about SIM swapping on its website “incibe.es”: “Remember that in SIM swapping, cybercriminals attempt to fraudulently duplicate a person's mobile device SIM card. To do this, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 46/52 they impersonate the person in order to obtain a duplicate. Subsequently, once the victim's phone service is interrupted, the attacker accesses their personal information and takes control of their applications, impersonating them on social media, email accounts, or online banking, using the verification SMS messages that arrive at the phone number. In this way, the cybercriminal can retrieve the confirmation text messages containing the access codes and use these credentials to commit cybercrimes, such as carrying out banking transactions and identity theft. Therefore, the mere use of a SIM card by an unauthorized third party significantly increases the risk to its owner, as the impersonator can obtain additional data that allows them to carry out actions with particularly serious consequences, such as unauthorized financial transactions. Precisely for this reason, it is essential to ensure that the person making the purchase is who they claim to be and to adopt appropriate preventative measures to verify the identity of the person whose personal data will be processed. Thus, providing a duplicate SIM card is a process in which the diligence exercised by operators is essential to prevent this type of fraud and guarantee the adequate protection of customers' rights and interests—diligence which, as already explained, is called into question in this case. In relation to this issue, it should be noted that the measures implemented by DIGI are the minimum required of any organization with the characteristics and in the context in which a telecommunications operator operates. In this sense, the mere existence of a security policy cannot justify a violation of the principle of lawfulness established in Article 6.1 of the GDPR. In addition to existing, these measures must be effective, and the data controller must ensure that they are strictly complied with at all times. Otherwise, the measures adopted are ineffective and may lead to unlawful processing, as is the case here. DIGI states that during the process of duplicating the claimant's SIM card to an unauthorized third party without their consent, personal data provided to DIGI by the requesting party was processed. In this regard, this statement does not absolve the defendant of responsibility, since the mere issuance of a SIM card and its delivery to an unauthorized third party already constitutes a violation of the principle of lawfulness, as it is considered personal data processing. DIGI insists that the degree of responsibility that may be attributed to them cannot depend on the actions of a third party that are beyond their control. DIGI maintains that the degree of responsibility cannot be attributed to them. ... In relation to this allegation, in addition to what has already been indicated, the degree of responsibility falls within its scope and not that of third parties, and it should be noted that the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 47/52 The National High Court (SAN) Administrative Chamber, in its ruling of May 5, 2021, establishes that: “On the other hand, regarding the fact that we are dealing with fraud by a third party, as we stated in the SAN ruling of October 3, 2013 (Appeal No. 54/2012): “Precisely for this reason, it is necessary to ensure that the person contracting is who they claim to be, and appropriate preventive measures must be adopted to verify the identity of a person whose personal data will be processed.” Indeed, the principle of responsibility established in Article 28 of the LRJSP (Law on the Legal Regime of the Public Sector) stipulates that: “Only natural and legal persons, as well as, when a law recognizes their legal capacity, groups of affected parties, associations and entities without legal personality, and independent or autonomous estates, who are responsible for such acts due to intent or negligence, may be sanctioned for acts constituting an administrative offense.” However, the method of attributing liability to legal entities does not correspond to the forms of intentional or negligent culpability that are attributable to human conduct. Therefore, in the case of offenses committed by legal entities, although the element of culpability must be present, it is necessarily applied differently than it is with respect to natural persons. According to Constitutional Court Judgment 246/1991, of December 19, Appeal 1274/1988, "(...) this distinct construction of attributing the authorship of the offense to the legal entity arises from the very nature of the legal fiction to which these subjects respond. They lack the volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject." Capacity to infringe and, therefore, direct culpability derived from the legally protected interest of the rule that is infringed and the need for said protection to be truly effective, and from the risk that, consequently, the legal entity subject to compliance with said rule must assume" (in this regard, Supreme Court Judgment of November 24, 2011, Appeal No. 258/2009). To the foregoing, it must be added, following the judgment of January 23, 1998, partially transcribed in the Supreme Court Judgments of October 9, 2009, Appeal No. 5285/2005, and of October 23, 2010, Appeal No. 1067/2006, that "although the culpability of the conduct must also be subject to proof, it must be considered, in order to assume the corresponding burden, that ordinarily the volitional and cognitive elements necessary to assess it form part of the conduct typical proven, and that its exclusion requires proof of the absence of such elements, or in its normative aspect, that the diligence required by the party alleging its non-existence has been employed; In short, the mere invocation of the absence of fault is insufficient to exonerate one from conduct that is typically unlawful. Therefore, the claim of lack of fault is rejected. Ultimate responsibility for the processing remains with the data controller, who determines the existence and purpose of the processing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 48/52 Furthermore, regarding the alleged obligation of result that, according to DIGI, would be required by the Spanish Data Protection Agency (AEPD), reference should be made to the judgment of the National High Court of Justice of October 29, 2024, appeal no. 1824/2021, which states that: “…it must be emphasized, in relation to the technical and organizational measures, that we are not dealing with a merely formal requirement, but a substantive one.” In this regard, and in line with the above, as the Supreme Court ruling of February 15, 2022 (Appeal No. 7359/2020) points out, “It is not enough to design the necessary technical and organizational means; their correct implementation and appropriate use are also necessary. Therefore, liability will also apply to any lack of due diligence in their use, understood as reasonable diligence considering the circumstances of the case,” which does not imply an obligation of result.” From the above, it cannot be overlooked that the risk-based approach and the flexible risk model imposed by the GDPR—based on the dual configuration of security as a principle relating to processing and an obligation for the controller or processor—does not, under any circumstances, require the infallibility of the measures, but rather their constant adaptation to the risk. B) Regarding the imposed fine As for the breach of the principle of proportionality, we refer, once again, to the response to the allegations against the initial agreement and the proposed resolution, reproduced above, as well as to Legal Basis VII of the challenged resolution, dedicated to determining the fine. Notwithstanding the foregoing, the following is emphasized: The GDPR expressly provides for the possibility of graduated fines, through the provision of adjustable fines, taking into account a series of circumstances in each individual case, thus establishing its own system of sanctions and determination of the amount of the fine in Article 83. Article 83.1 of the GDPR itself establishes, among the general conditions for the imposition of administrative fines, the mandate (common, moreover, in the field of administrative sanctions law) that fines must be effective, proportionate, and dissuasive in each individual case. In short, the fine must be imposed taking into account the specific circumstances of the case. According to According to Guidelines 04/2022 on calculating fines under the GDPR, the amount of the fine must be based on three elements: the turnover, the categorization of the infringements according to their nature (i.e., whether it is an infringement of Article 83.4, 83.5, or 83.6 of the GDPR), and the level of severity of the infringement in each specific case, determined in accordance with the circumstances set out in Article 83.2 of the GDPR, points (a), (b), and (g). In the case of a company whose turnover amounted to €644,000,000 in 2023, the amount of the fine to be imposed will necessarily be between €0.00 and €26,000,000, given that 4% of DIGI's aforementioned turnover is €25,760,000 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 49/52 Thus, the fine imposed in this case (€140,000) falls within a range significantly lower than the penalty range that could be imposed. It is important to note that, in determining the amount of the administrative fine, the fact that the infringement directly affects a single interested party, the complainant, was considered paramount, without prejudice to assessing the weaknesses already described in the security measures and policy implemented by the respondent and the possibility that this could lead to similar incidents affecting other parties. The contested resolution already took into account, as a mitigating factor, the actions undertaken by DIGI, aimed at complying with the provisions of the GDPR. Finally, regarding the possibility of using other mechanisms, such as the Warning, it is noted that Recital 148 of the GDPR states: “148. In order to strengthen the enforcement of the rules of this Regulation, any infringement thereof should be punished by penalties, including administrative fines, in addition to or instead of appropriate measures imposed by the supervisory authority under this Regulation. In the case of a minor infringement, or where the fine likely to be imposed would constitute a disproportionate burden for a natural person, a warning may be issued instead of a fine.” However, special attention must be paid to the nature, seriousness, and duration of the infringement, its intentional nature, the measures taken to mitigate the damage suffered, the degree of responsibility or any relevant prior infringement, how the supervisory authority became aware of the infringement, compliance with measures ordered against the controller or processor, adherence to codes of conduct, and any other aggravating or mitigating circumstances (...). Likewise, the CJEU judgment of 24 September 2024, in Case C-768/2021, determined that: “37 In this respect, it should be noted that the GDPR leaves the supervisory authority a margin of appreciation as to how it should remedy the deficiency found, since Article 58(2) of the GDPR empowers that authority to adopt various corrective measures.” Thus, the Court of Justice has already held that the choice of the appropriate and necessary means rests with the supervisory authority, which must make that choice taking into account all the circumstances of the specific case and fulfilling with all the diligence required in its mission to ensure full compliance with the GDPR (see, in this regard, the judgment of 16 July 2020, Facebook Ireland and Schrems, C-311/18, EU:C:2020:559, paragraph 112). 38 However, this margin of appreciation is limited by the need to ensure a consistent and high level of protection of personal data through a rigorous application of the rules, as is clear from recitals 7 and 10 of the GDPR. In short, the choice of corrective measure to be used by a supervisory authority, from among those provided for in Article 58 of the GDPR, is a power attributed to it, which is responsible for choosing the most appropriate means, taking into account the specific circumstances of the case. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 50/52 The circumstances of this case, extensively detailed in this resolution on the appeal filed by DIGI, mean that this Spanish Data Protection Agency (AEPD) has not deemed it appropriate to issue a warning. We must consider the unique circumstances of the complaint filed, which demonstrate that, from the moment the impersonator replaces the SIM card, the victim's phone loses service, transferring control of the line to the impersonators. Consequently, their powers of disposition and control over their personal data are affected, which constitute part of the content of the fundamental right to data protection, as indicated by the Constitutional Court in Judgment 292/2000, of November 30, 2000 (Legal Basis 7). Thus, by obtaining a duplicate SIM card, under certain circumstances, access is possible to contacts or to applications and services that use the password recovery procedure of sending an SMS with a code to change passwords. In short, they can impersonate the affected individuals, gaining access to and control of, for example: email accounts; bank accounts; applications such as WhatsApp; social networks, such as Facebook or Twitter, and much more. In summary, once the access password is changed by the impersonators, they lose control of their accounts, applications, and services, which poses a significant threat. Therefore, having analyzed the allegations made in this optional appeal for reconsideration, it is verified that no new legal arguments have been presented that would allow for a reconsideration of the sanctioning resolution issued on November 23, 2025. III Conclusion Consequently, in this appeal for reconsideration, the appellant has not presented any facts or legal arguments that would allow for a reconsideration of the validity of the challenged resolution. IV Obligation to issue an express resolution In accordance with the provisions of Article 24 of the LPACAP (Law on Administrative Procedure and Common Administrative Procedure), the meaning of administrative silence in proceedings for challenging acts and provisions is a rejection. However, even though the legally established deadline for issuing a decision has passed, the Administration remains obligated to issue an express decision and notify it in all proceedings, regardless of how they were initiated, including any administrative appeals that may have been filed, as provided in Article 21.1 of the aforementioned LPACAP (Law on Administrative Procedure of Public Administrations). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 51/52 In cases of dismissal by administrative silence, the express decision issued after the deadline has expired will be adopted by the Administration without being bound in any way by the meaning of the silence, as provided in Article 24.3 of the same law. Therefore, even if the appeal is not resolved within the deadline, it is necessary to issue the express decision that concludes the proceedings. Having reviewed the aforementioned provisions and other applicable regulations, the Presidency of the Spanish Data Protection Agency RESOLVES: FIRST: TO DISMISS the appeal for reconsideration filed by DIGI SPAIN TELECOM, S.L.U. against the resolution issued by this Spanish Data Protection Agency on November 23, 2025, in file EXP202310345. SECOND: TO NOTIFY DIGI SPAIN TELECOM, S.L.U. of this resolution. THIRD: To warn the sanctioned party that the imposed sanction must be paid once this resolution has been notified, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, within the voluntary payment period established by Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by depositing it into restricted account no. ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A. Otherwise, collection will proceed during the enforcement period. If the notification date falls between the 1st and the 15th of each month, inclusive, the deadline for making voluntary payment will be the 20th of the following month or the next business day. If the notification date falls between the 16th and the last day of each month, inclusive, the deadline for payment will be the 5th of the second following month or the next business day. In accordance with Article 50 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), this Resolution will be made public once it has been notified to the interested parties. This resolution, which concludes the administrative process pursuant to Article 50 of the LOPDGDD, may be appealed. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), interested parties may file an administrative appeal before the Administrative Chamber of the National Court, pursuant to the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law. Finally, it is noted that, in accordance with the provisions of Article 48.6 of the LOPDGDD, the interested parties may file an administrative appeal before the Administrative Chamber of the National Court, pursuant to the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Jurisdiction. 90.3 a) LPACAP, the final administrative decision may be provisionally suspended if the interested party expresses their intention to file an appeal with the Administrative Court. If this is the case, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 52/52 the interested party must formally notify the Spanish Data Protection Agency in writing, submitting it through the Agency's Electronic Registry , or through one of the other registries provided for in Article 16.4 of the aforementioned LPACAP. They must also provide the Agency with documentation proving the effective filing of the appeal with the Administrative Court. If the Agency does not receive notice of the filing of an administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension. Lorenzo Cotino Hueso President of the Spanish Data Protection Agency 28001 – Madrid 6 sedeaepd.gob.es