
Germany Fines Vodafone $45m Over Data Protection Failures


Germany’s data privacy authority, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), has imposed a €45 million (£38 million) fine on Vodafone GmbH for serious breaches of GDPR compliance, including security vulnerabilities and fraudulent practices by partner agencies.

The penalties follow a dual investigation:

A USD 15 million fine was issued after the BfDI uncovered that staff at Vodafone’s partner agencies had tricked customers into signing false contracts or altered terms without consent, acts enabled by inadequate oversight by Vodafone.

A further €30 million penalty was levied over weaknesses in the authentication system for Vodafone’s MeinVodafone portal and customer-service hotline, which could have allowed unauthorised access to sensitive user data like eSIM profiles.

BfDI head Louisa Specht‑Riemenschneider emphasised the importance of embedding data protection into business operations: “Companies that want to comply with data protection law must be empowered to do so… Data protection is a trust factor for users of digital services”.

Vodafone has fully paid the fine and described the issues as stemming from “past violations”, including insufficient checks on partner agencies and authentication flaws. The company has since overhauled its processes, severed relationships with non-compliant partners, and enhanced security controls and data governance measures.

This is the BfDI’s largest penalty to date, reflecting elevated scrutiny under GDPR. It follows recent high-profile GDPR fines against Meta (USD 1.2bn) and Uber (USD 290). The regulator praised Vodafone’s cooperation during the investigation, though it warned that stronger safeguards are needed to prevent future data breaches.
