AEPD (Spain) - EXP202306073

Holding |Date_Published=05.01.2026|Date_Published=05.01.2026 |Year=|Year= |Fine=400.000|Fine=300.000 |Currency=EUR|Currency=EUR }}}} The DPA fined a telephone operator company €400,000 for unlawfully changing a mobile line’s ownership and issuing a duplicate SIM card without proper identity verification, breaching [[Article 6 GDPR|Article 6 GDPR]] after a SIM swap fraud.The DPA fined a telephone operator company €400,000 for unlawfully changing a mobile line’s ownership and issuing a duplicate SIM card without proper identity verification, breaching [[Article 6 GDPR]] after a SIM swap fraud. == English Summary ==== English Summary == The AEPD rejected the controller’s argument that the processing was lawful on the basis of contract performance. It held that, due to the absence of proper identity verification, the controller could not rely on [[Article 6 GDPR#1b|Article 6(1)(b)]] because it had not ensured that the request came from the data subject or with their consent.The AEPD reject