German Federal Supervisory Authority imposes administrative fines in the amount of €15m and €30m as well as a reprimand on Vodafone

11 June 2025

The German Federal Supervisory Authority (SA) launched investigations into Vodafone GmbH’s partner agencies and its online service portal after receiving external information that did not originate from a complaint.

As a result, the German Federal SA imposed a fine of €15,000,000 for insufficient supervision and auditing procedures regarding the partner agencies and issued a reprimand for the weaknesses in the IT systems. It also imposed a fine of €30,000,000 for insufficient security measures regarding the online service portal.

Vodafone GmbH is a telecommunications service provider operating on the German market. The company uses different distribution channels, including local shops, some of which are operated by partner agencies. These agencies act under the Vodafone brand and are bound by the company’s instructions. Their IT systems are based on hardware and software provided by Vodafone. Data Processing Agreements govern the processing of customer data.

The investigations discovered privacy-related weaknesses in the processes for supervising and auditing the processors, as well as weaknesses in the IT systems, which led to the risk of customer data being misused for fraud. Such risks actually materialized in some cases. Furthermore, Vodafone offers an online service portal for its customers. The German Federal SA’s investigations found weaknesses in the authentication process for customer accounts when the portal is used in combination with the company’s hotline; these weaknesses could lead to misuse of eSIMs. The company has taken steps to remediate any shortcomings found.
