The Spanish Data Protection Agency (AEPD) has fined Orange Spain €30,000 for illegally registering a telephone line in the name of a customer without verifying the customer's identity.
The facts
An individual files a complaint against the company for having registered a telephone line in his name without his consent.
He claims to have been a victim of identity theft. He received a call from the Granada police informing him that a fraudulent crime had been committed with the phone number in question.
He accused the company of having introduced the personal data into its information systems without verifying the identity of the person who contracted.
Verify the identity of the data subject to ensure consent
As a reminder, Article 6.1 of the General Data Protection Regulation (GDPR) states that there are six possible legal bases for data processing, one of which is the consent of the person (Art. 6.1.a).
The AEPD considered that the company violated the lawfulness of the processing of personal data, since it formalized a cell phone contract, using the complainant as the holder of the contract, without duly verifying the complainant's data, which resulted in the impersonation of the complainant.
This being the case, Orange Spain violated Article 6.1 of the GDPR, which ensures that personal data is processed lawfully, since it didn't have the consent of the data subject.
The company should have verified the identity of the customer to ensure consent.