German data privacy authorities on Monday imposed a €45 million ($51.2 million) fine on multinational telecom giant Vodafone, citing misconduct by third-party sales agents and serious lapses in its customer authentication systems.
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) stated that Vodafone’s partner agencies orchestrated fraudulent transactions with customers. These agencies created fake contracts and altered existing agreements in ways that harmed the customers, all while acting on Vodafone’s behalf.
The regulator issued a €15 million ($17.1 million) fine because Vodafone failed to properly oversee and verify the conduct of its partner agencies, as required under the European Union’s General Data Protection Regulation (GDPR), according to a BfDI press release.
In addition, BfDI handed down another €30 million ($34 million) fine due to major flaws in Vodafone’s authentication procedures, particularly for customers accessing the company’s online portal and phone support services.
“The authentication weaknesses allowed unauthorized third parties to access eSIM profiles, among other sensitive data,” BfDI explained in its release.
A Vodafone spokesperson responded by attributing the partner agencies’ misconduct to poor internal oversight and inadequate data protection controls.
The spokesperson acknowledged that the authentication vulnerabilities negatively impacted customers and admitted that the existing security systems failed to provide sufficient protection.
“The tools and protocols we had at the time didn’t meet the necessary standards,” the spokesperson said. “Under the direction of our new leadership, Vodafone now treats data protection as a critical company-wide focus and has fully reviewed and restructured its systems.”
BfDI confirmed that Vodafone took significant corrective steps during the investigation, improving safeguards and making sure such failures do not recur.
Germany’s Federal Data Protection Commissioner, Louisa Specht-Riemenschneider, emphasized that her goal remains to prevent privacy violations from occurring in the first place.
She highlighted that companies need the right frameworks to comply with regulations and build trust with digital service users. “Strong data protection can serve as a competitive edge,” she noted.
EU regulators continue to apply pressure under GDPR rules. Meta recently faced a €1.2 billion ($1.37 billion) fine for illegal data transfers, and Uber was hit with a €290 million ($330 million) fine for allegedly moving driver data to the U.S. without proper safeguards.