GFB One s.r.l.

Description

The Italian DPA has imposed a fine of EUR 90,000 on GFB One s.r.l.. An individual had filed a complaint with the DPA because SIM cards were registered in their name, although they had never requested this. The individual had received two emails and an SMS notifying them that a Vodafone business, which belongs to the controller, had activated two SIM cards in their name. The individual, after requesting the phone company to block the SIM cards, had reconstructed that the cards had been activated with a barely legible photocopy of their ID card. During its investigation, the DPA found that the controller had neither requested an original ID card for registration nor verified the legitimacy of the data. The controller also failed to inform the data subject how he had obtained the photocopies of his ID.