Press release 6/2025
BfDI imposes fines on Vodafone
The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Prof. Dr. Louisa Specht-Riemenschneider, has imposed two fines totalling 45 million euros on Vodafone GmbH. Malicious employees in partner agencies that broker contracts to customers on behalf of Vodafone had, among other things, caused fraud cases involving fictitious contracts or contract changes at the expense of customers.

A fine of 15 million euros was imposed because Vodafone GmbH had not reviewed and monitored partner agencies working on its behalf to the extent required by data protection law (Article 28(1) sentence 1 GDPR).
Moreover, as vulnerabilities in certain distribution systems had been identified, the BfDI issued a warning to Vodafone for violating Article 32(1) of the GDPR.
A further fine of 30 million euros was imposed for security deficiencies in the authentication process for the combined use of the online portal “MeinVodafone” (“My Vodafone”) with the Vodafone Hotline. The identified authentication vulnerabilities enabled, among other things, unauthorized third parties to access eSIM profiles.
Vodafone GmbH has now improved its processes and systems and in some cases even completely replaced them in order to eliminate such risks in the future. It has also revised the processes for selecting and auditing partner agencies and it has separated from partners identified as having committed fraud. In a follow-up check, the BfDI will review the practical effectiveness of the measures taken by Vodafone.
“I would like to point out that Vodafone has cooperated with me continuously and without restriction throughout the entire proceedings and has also disclosed circumstances that have incriminated the company,” emphasizes Prof. Specht-Riemenschneider. The fines have been accepted and have already been paid in full to the federal treasury.
The experience of data protection authorities shows that companies in many industries have an investment backlog in modernizing and consolidating IT systems. As a result, some companies are cutting back on security. The use of data processors is also often not adequately monitored in practice. New technological possibilities and more complex threat scenarios lead to increased risks for customers, who could suffer damages due to a lack of data protection.
“Data protection is often mistakenly seen as an obstacle to IT investments. In fact, the opposite is true: Without IT investments, there is the threat of security incidents and sanctions from data protection regulators. Therefore, my appeal: Investing instead of incurring risks!”
Prof. Dr. Louisa Specht-Riemenschneider
In the case of Vodafone GmbH, the company has redirected its efforts, prioritizing projects of IT consolidation and modernization. Moreover, the areas of compliance and data protection have been strengthened. Vodafone has committed itself to strong data protection and fundamental digital rights, viewing them as the foundation for customer trust. In order to demonstrate that Vodafone has understood the importance of data protection, Vodafone GmbH has also donated several million euros to various organizations dedicated to promoting data protection, media competence and digital literacy, and combating cyberbullying.
Prof. Specht-Riemenschneider concluded: “Where data breaches take place, sanctions must be imposed. However, with my work, I also want to ensure that data breaches do not occur in the first place. Companies that want to comply with data protection law must be empowered to do so. Data protection is a factor of trust for users of digital services and can therefore become a competitive advantage. More and more companies are understanding this.”