On 3 June 2025, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed two fines totalling EUR 45 million on Vodafone GmbH. This action followed an investigation into alleged data protection violations. A fine of EUR 15 million was issued because Vodafone GmbH reportedly failed to adequately review and monitor its partner agencies for compliance with data protection laws; this fine references Article 28(1) of the General Data Protection Regulation (GDPR). The BfDI noted that fraudulent cases, including fake contracts and unauthorised contract modifications by employees of partner agencies, occurred as a result. A further fine of EUR 30 million was imposed for security flaws in the authentication process used for the "MeinVodafone" online portal when combined with the Vodafone hotline. These weaknesses reportedly allowed unauthorised third parties to access eSIM profiles; this fine references Article 32(1) GDPR. Additionally, the BfDI issued a warning to Vodafone for identified vulnerabilities in certain sales systems, citing a violation of Article 32(1) GDPR. Vodafone GmbH has implemented improvements to its processes and systems and revised its partner agency selection and auditing procedures, terminating partnerships where fraud was detected. The company cooperated throughout the proceedings, accepted the fines, and paid them in full.