EUR 45 million GDPR fine against Vodafone – What are the conclusions for EU companies?
Update Data Protection No. 212
On June 3, 2025, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) published a decision on two fines totaling 45 million euros against Vodafone GmbH. This was due to violations of key provisions of the General Data Protection Regulation (GDPR), in particular in connection with the integration of external sales partners and security-relevant processes in digital customer contact.
The cases show that data protection violations are not limited to internal processes, but can also affect outsourced structures and technical interfaces. Even large and established companies are not immune to significant shortcomings in the practical implementation of data protection regulations – with far-reaching consequences.
The BfDI's decision is a reminder for all data processing companies to put their existing data protection structures to the test. This article classifies the known facts in legal terms, highlights the relevant standards and shows what measures are required to identify and avoid similar risks in your own company at an early stage.
I. Inadequate monitoring of partner agencies (15 million euros)
The first fine of 15 million euros relates to the use of so-called partner agencies that broker contracts with customers on behalf of Vodafone GmbH. According to the BfDI, data protection obligations to monitor and control contract processors were breached for years. Specifically, this concerns violations of Art. 28 para. 1 sentence 1 GDPR, according to which the controller must ensure that service providers commissioned by it offer sufficient guarantees for processing in compliance with the GDPR.
In several cases, employees of such sales partners had misused customer data, for example to amend or conclude new contracts without consent. In some cases, this was done to the detriment of the customers themselves, for example by adding additional or more expensive contract components, and in other cases by concluding fictitious contracts for their own benefit – for example to obtain unauthorized commission payments. The BfDI considered the behavior of the partner agencies to be the result of inadequate monitoring by Vodafone.
In particular, it criticized the fact that there were no effective processes for selecting, auditing and continuously monitoring the partners, even though they had access to extensive personal data – including sensitive contract data and account information. The BfDI found that Vodafone had not sufficiently complied with its obligations under Art. 28 GDPR in this context.
Vodafone did not deny the allegations, accepted the fine and, according to its own statements, drew comprehensive structural consequences: Among other things, partner contracts were terminated, processes for connecting external bodies were revised and internal control mechanisms were strengthened.
II. Security flaws in the authentication process (30 million euros)
A further fine of 30 million euros was imposed by the BfDI due to significant security deficiencies in the authentication processes when using the online portal "MeinVodafone" in connection with telephone customer support. A technical combination attack on both systems made it possible for third parties to gain unlawful access to user accounts by exploiting weak or faulty authentication procedures – in particular to eSIM profiles, which are required to access mobile services.
The vulnerabilities uncovered made it possible to take over mobile phone numbers and potentially misuse them for other digital services – for example in the context of two-factor authentication or the use of mobile numbers as an identity feature in payment transactions.
In its press release, the BfDI did not provide any specific information on the data protection standard on the basis of which this fine was assessed. However, it expressly referred to the serious practical risks for the rights of the data subjects, particularly in connection with the use of digital identities.
In addition, the BfDI issued a warning pursuant to Art. 58 para. 2 lit. b) GDPR. According to its information, this concerned further vulnerabilities in Vodafone's sales systems, which violated the provisions of Art. 32 para. 1 GDPR and had been identified independently of the authentication procedure. Art. 32 GDPR obliges controllers to ensure a level of protection appropriate to the risk and, for example, to take measures for pseudonymization, encryption and to ensure the integrity, availability and resilience of systems and services.
As explained by the LfD Lower Saxony in the 26th Activity Report 2020, the warning is not a mere admonition, but a formal determination of a completed data protection breach with legal effect. It documents misconduct on record and can be taken into account in the event of a repeat offense, thus increasing the fine. Even without a directly enforceable order, it therefore has a regulatory effect that should not be underestimated.
Vodafone has responded to the criticism of the supervisory authority and announced that it has now revised its technical systems and completely replaced some of them. The area of selecting and managing service providers has also been restructured. The BfDI announced that it would review the practical implementation and effectiveness of these measures as part of a follow-up inspection.
III. Relevance for companies – typical weaknesses and specific obligations to act
The fines against Vodafone GmbH relate to two areas that are of central importance for data processing companies: The integration of external service providers and the security of digital access systems. In corporate practice, both areas are often characterized by organizational gaps and insufficient risk awareness. The BfDI's decisions clearly show that the regulatory expectations go far beyond mere contractual obligations and are aimed at structured, risk-oriented control of data protection processes.
1. Order processing
In the case of the partner agencies, the breach of data protection law was due to the inadequate monitoring of commissioned bodies. According to Art. 28 para. 1 sentence 1 GDPR, a company that commissions a service provider with the processing of personal data is obliged not only to contractually involve the service provider, but also to ensure that the service provider actually has suitable technical and organizational measures in place to carry out the processing in accordance with the Regulation. This obligation is not of a formal but of a material nature: The selection of the service provider must be based on a comprehensible assessment. In addition, companies are obliged to continuously review the implementation of data protection requirements during the term of the contract.
In practice, however, it is often the case that such a review is either not carried out or only superficially. Although contracts are concluded with processors, specific checks or audits are not carried out. Particularly in sales-related or branch-based divisions, the issue of data protection is often shifted to the interfaces without central coordination. In the Vodafone case, the BfDI expressly criticized the lack of effective processes for selecting, auditing and monitoring partner agencies – even though they had access to a considerable amount of personal data. The fine makes it clear that a breach of these due diligence obligations can have concrete financial and legal consequences.
2. Technical and organizational measures
In addition to the organizational control of external partners, the second part of the decision concerns another risk that affects many companies: securing digital customer and user access. Art. 32 para. 1 GDPR requires that personal data be protected against unauthorized access, unlawful processing and accidental loss by means of technical and organizational measures. A level of protection appropriate to the risk must be ensured, taking into account the likelihood of an attack occurring, the categories of data concerned and the potential impact on the data subjects.
In its 2023 activity report, under the heading "Authentication in the telecommunications sector", the BfDI set out the risks associated with inadequate identity verification in the digital environment. In particular, the BfDI refers to the potential for misuse associated with, for example, the replacement of SIM cards or access to communication data. A risk analysis is always required, based on the type of customer contact: online access, call centers and physical stores differ considerably in terms of authentication risk. A password request alone is not sufficient, especially when accessing sensitive contract or communication data. Rather, multi-factor authentication and encrypted communication are required in most cases, especially for digital self-service systems.
According to the BfDI, a typical risk is that mobile phone numbers or email addresses are used as security anchors for other services. Unauthorized access to this data can have far-reaching consequences, including identity theft, financial losses or the compromise of other accounts. Even if such consequences are partly beyond the control of the telecommunications provider, they must still be included in their risk assessment.
In the view of the supervisory authority, special security mechanisms are required to safeguard against these risks, particularly when issuing replacement SIM cards or in similar sensitive processes. These must be suitable for effectively preventing access by unauthorized third parties and for implementing the principle of integrity and confidentiality of personal data. This also applies to companies in other sectors: technical and organizational measures must always be selected according to the company's own risk profile.
3. Internal governance and data protection management systems
What both areas have in common is the need for structured data protection management. The GDPR not only obliges companies to comply with individual regulations, but also requires the establishment of a verifiable overall system for compliance with data protection regulations. This accountability is explicitly standardized in Art. 5 para. 2 GDPR. Companies must be able to prove, at the request of the supervisory authority, that they have taken all necessary technical, organizational and legal measures to comply with the General Data Protection Regulation.
In addition to the documentation of processing procedures, this also includes the introduction of systematic review processes, a clear allocation of tasks in the data protection organization and regular employee training. Data protection should not be seen as a minor matter, especially in company-related areas with customer contact or sales structures, but should be actively managed. This also includes the establishment of early warning systems – such as internal whistleblower systems or regular checks of risky processes.
In its 2024 activity report, the Berlin data protection authority pointed out that an effective data protection management system must also include a binding deletion concept. It must be regularly reviewed which personal data is still required and whether it is still covered by the original purpose limitation. The basis of such systems is the hardening of server systems, strong logical access protection – usually via multi-factor or key-based authentication – and the avoidance of unnecessary data storage. The more personal data is stored, the higher the risk of unauthorized access and data leaks. Companies are therefore well advised to meet the requirements for data protection compliance structurally, through clear responsibilities, technical safeguards and robust documentation.
IV. Conclusion
The measures imposed on Vodafone impressively underline the fact that data protection responsibility must be considered comprehensively – it does not end at the company's borders or with contracts concluded with third parties. Supervisory authorities are increasingly conducting structural checks: Anyone who processes personal data must document, monitor and technically secure it – on a permanent and risk-oriented basis.
Companies that involve external service providers or provide digital customer access must align their processes with the applicable legal standards. It is crucial that not only formal requirements are met, but also that a functioning control and verification structure is established.
The BfDI's decision shows that those who fail to recognize and eliminate structural deficits at an early stage risk not only fines, but also reputational damage and a long-term loss of trust. Data protection must therefore be seen as part of corporate risk management – not as an isolated legal issue, but as a permanent management task.
This article was created in collaboration with our student employee Emily Bernklau.