AEPD Resolution: EXP202513723

Resolution Signed: 03/02/2026

AEPD Reference Number: EXP202513723

Sanction Procedure Number: PD-00338-2025 

Fine Amount: €0

Full Description

The Incident (The SIM Swap Fraud Evidence Hostage): On 18 December 2024, a Spanish mobile phone user became the victim of a sophisticated SIM swap fraud. Criminals fraudulently ported their phone number (***TELÉFONO.1) from their legitimate carrier (MásMóvil) to Simyo (operated by Orange España Virtual S.L.) without authorisation, enabling the fraudsters to intercept two-factor authentication codes, hijack online accounts, and potentially commit financial crimes. This type of fraud—known as "SIM swapping" or "SIM jacking"—is one of the most dangerous forms of identity theft because it allows criminals to bypass SMS-based security systems used by banks, email providers, and cryptocurrency exchanges.

The Critical Access Request (The Evidence Hunt): Two days after discovering the fraud (20 December 2024), the victim immediately contacted Simyo exercising their Article 15 GDPR right of access, requesting a specific piece of crucial evidence: the voice recording of the telephone conversation during which the fraudulent number portability was processed. The victim needed this recording for two essential purposes: (1) to prove to police that the voice on the call was not theirs, demonstrating identity theft, and (2) to identify potential security failures in Simyo's customer verification procedures that allowed the fraud to succeed. The victim explicitly mentioned they had filed a police report and needed the recording as evidence in the criminal investigation.

The "Court Order Only" Refusal: On 31 January 2025—already beyond the 30-day GDPR deadline—Simyo sent a shocking response. The company categorically refused to provide the voice recording, stating it could only be released "if the request comes from an official entity and within the framework of a judicial proceeding or investigation." In other words, Simyo demanded a court order before they would provide the victim with their own personal data. This is a fundamental misunderstanding of GDPR: Article 15 grants individuals the right to access their personal data without needing judicial authorisation, police involvement, or any third-party permission. Voice recordings of conversations with a customer are unequivocally that customer's personal data.

The AEPD Investigation and Continued Obstruction: The victim filed a GDPR complaint with the AEPD on 7 August 2025. On 21 October 2025, the AEPD transferred the complaint to Simyo, giving them an opportunity to explain their refusal. On 24 November 2025—nearly 11 months after the original request—Simyo finally provided the voice recording. However, they attempted to justify their earlier refusal by claiming they initially withheld the recording to "guarantee traceability and custody of information in a context showing signs of irregularity and avoid possible misuse of the data," suggesting the victim should have channeled their request through law enforcement instead of directly exercising GDPR rights.

The Devastating Contents of the Recording: When the victim finally received the voice recording in November 2025, its contents were damning. The audio revealed that Simyo had processed the fraudulent number portability based solely on a stranger providing the victim's ID number and basic personal details—without meaningful voice verification, without confirming the delivery address matched official records, and without implementing any enhanced authentication measures despite the high-risk nature of SIM port requests. The SIM card was shipped to a completely different address than the victim's registered domicile, with no additional security checks. The recording was critical evidence not only of the fraud but also of Simyo's inadequate security measures that facilitated the crime.

The Core Ruling (Formal Estimation with Scathing Implications): The AEPD ruled decisively in favour of the victim, formally confirming that Simyo violated Article 15 GDPR and Article 12.3 GDPR. The regulator categorically rejected Simyo's "court order" requirement, emphasising that data subjects have an unconditional right to access their personal data within 30 days—no judicial authorisation required. The 11-month delay was particularly egregious given the fraud context and the victim's explicit need for evidence in criminal proceedings. However, because Simyo had eventually provided the recording (though unconscionably late), the AEPD determined no further remedial action was required beyond the formal ruling. Critically, the AEPD noted that whilst this rights procedure only addresses the access request delay, the victim's allegations about security failures in Simyo's verification procedures "may be analysed in other distinct proceedings if sufficient indications are found"—leaving the door open for potential sanctions related to the underlying fraud facilitation.

Articles Infringed

Article 15 GDPR (Right of Access): Simyo denied the victim access to voice recordings that constituted their personal data, falsely claiming judicial authorisation was required to release such information.

Article 12.3 GDPR (Response Timeframe): Simyo failed to respond substantively within the mandatory 30-day deadline, ultimately taking 11 months to provide the requested data and only doing so after AEPD intervention.

Infographic: AEPD Case EXP202513723: SIM Swap Victim Access Rights Spain

Actionable Steps

Based on Resolution EXP202513723, here is the compliance protocol for telecommunications companies, financial services, and any organisation that records customer interactions:

1. Voice Recordings Are Personal Data—No Court Order Required

Simyo's fundamental error was treating voice recordings as "evidence" requiring judicial authorisation rather than as personal data subject to Article 15 GDPR.

Legal Reality: Audio recordings of telephone conversations with customers are personal data under Article 4(1) GDPR because they directly identify the speaker and contain information about their relationship with your company. Customers have an absolute right to access these recordings within 30 days—full stop. No exceptions for:

  • Criminal investigations
  • Fraud allegations
  • Police reports
  • "Sensitive" content
  • Internal security concerns

Action: Train all customer service, legal, and compliance staff that voice recordings fall under GDPR access rights and must be provided upon request without requiring judicial orders, police involvement, or any third-party authorisation.

2. Fraud Victims Have URGENT Need for Access to Evidence

This case involved SIM swap fraud where the voice recording was critical evidence to prove the victim's identity had been stolen.

Priority Protocol for Fraud-Related Requests: When a customer requests access to recordings or data in the context of identity theft, account takeover, or suspected fraud:

  • Immediate Acknowledgment: Respond within 24 hours confirming receipt
  • Expedited Processing: Prioritise above routine access requests—target 7-day delivery instead of the full 30-day period
  • Complete Evidence Package: Provide:
    • Full audio recordings (not just transcripts)
    • Metadata (date, time, duration, caller ID if available)
    • Authentication logs showing what verification steps were performed
    • Transaction records related to the fraud
    • Any other data that could assist law enforcement or legal proceedings

Rationale: Fraud victims are fighting against time—criminals may be actively exploiting stolen accounts, financial deadlines for disputing charges are short, and criminal investigations require prompt evidence gathering. An 11-month delay (as in this case) can result in:

  • Evidence degradation or deletion
  • Missed statute of limitations deadlines
  • Inability to freeze fraudulent accounts or reverse transactions
  • Lost opportunity to identify and apprehend criminals

3. The "Channel Through Law Enforcement" Excuse Is Invalid

Simyo argued the victim should have requested the recording through police rather than directly exercising GDPR rights.

Legal Principle: Data subjects can choose to exercise their rights directly under GDPR or have authorities request data through legal processes (court orders, police requisitions). They are not required to use law enforcement channels, and suggesting they must do so violates Article 12.1 GDPR's requirement to "facilitate the exercise" of rights.

Action: Never tell customers "you need to get a court order" or "ask the police to request this." The correct response is: "We will provide this data to you directly under GDPR within 30 days. If law enforcement separately requests this information through official channels, we will cooperate with them as well."

4. Security Concerns Do Not Override Access Rights

Simyo claimed withholding the recording was necessary to ensure "traceability and custody" and prevent "misuse."

AEPD Position: Article 15 GDPR does not include a "security exception" allowing data controllers to deny access based on concerns about how the data subject might use their own personal data.

Permitted Restrictions (Very Limited):

  • Identity Verification: You can require proof of identity before releasing sensitive data (Article 12.6 GDPR)
  • Third-Party Privacy: You can redact portions that contain other people's personal data (Article 15.4 GDPR)
  • Manifestly Unfounded Requests: You can refuse obviously fraudulent or harassing requests (Article 12.5 GDPR)

Prohibited Restrictions:

  • Requiring court orders
  • Demanding the requester explain why they need the data
  • Insisting requests go through intermediaries (lawyers, police, etc.)
  • Conditioning access on waiving rights to legal action
  • Delaying release to "verify authenticity" beyond reasonable identity checks

Action: If you suspect a request is fraudulent (e.g., someone impersonating the customer), implement enhanced identity verification (video call, in-person presentation of ID, notarised declaration), but you cannot refuse access indefinitely based on vague "security concerns."

5. Voice Recording Retention and Access Procedures

Telecommunications companies and call centres must have clear policies for retaining and releasing call recordings.

Minimum Technical Requirements:

  • Retention Period: Clearly state in your privacy policy how long recordings are kept (typically 6-12 months for quality assurance, longer for dispute resolution)
  • Searchable Database: Maintain systems that allow you to locate specific recordings by date, phone number, or customer ID
  • Secure Delivery: Provide recordings via:
    • Encrypted email attachment
    • Secure download link with password protection
    • Secure customer portal with two-factor authentication
  • Third-Party Redaction: Before releasing, review recordings to identify and beep/mute names or details of other customers, employees (beyond first names), or uninvolved third parties

Action: Create a standard operating procedure titled "Voice Recording Access Requests" with step-by-step instructions for locating, reviewing, redacting, and delivering recordings within the 30-day deadline.

6. SIM Swap and Number Portability Requests Require Enhanced Security

The underlying fraud in this case succeeded because Simyo processed a number portability request with insufficient authentication.

Best Practices to Prevent SIM Swap Fraud:

  • Multi-Factor Authentication: Require at least two of: (1) PIN/password, (2) biometric verification, (3) one-time code to existing phone/email
  • Out-of-Band Verification: Call the customer at their registered number (not the number requesting the port) to verbally confirm the request
  • Delivery Address Verification: Flag any portability request where the SIM card delivery address differs from the registered billing address—require additional authentication (video ID check, in-person visit to store)
  • High-Risk Indicators: Automatically escalate to fraud review if:
    • Recent change of contact details (within 7 days)
    • Multiple failed authentication attempts
    • Request originates from foreign IP address or VPN
    • Customer account has been dormant then suddenly active

Regulatory Context: Spain's telecommunications regulator (CNMC) and the AEPD have both issued guidance requiring telecom operators to implement "appropriate technical and organisational measures" (Article 32 GDPR) to prevent SIM swap fraud. Failure to do so can result in separate sanctions beyond this access request violation.
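
The escalation rules above, worked into a triage function as an added example (this is not Simyo's, Orange's or the AEPD's code): hard indicators route the request to fraud review, an address mismatch or fewer than two passed factors require step-up authentication, and only a clean request is processed automatically. The field names, the 90-day dormancy window and the "multiple failures" threshold are assumptions for illustration.

```python
"""Port-in request triage (added example, not the operator's or the AEPD's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PortRequest:
    request_date: date
    factors_passed: int                 # of PIN/password, biometric, one-time code
    failed_auth_attempts: int
    delivery_address: str
    billing_address: str
    contact_changed_on: Optional[date]  # last change of phone/email/address on file
    last_activity_on: Optional[date]    # last login or call before this request
    client_country: str                 # country of the requesting IP address
    via_vpn_or_proxy: bool


@dataclass
class Decision:
    action: str      # "fraud_review" | "step_up_auth" | "auto_process"
    reasons: list    # keep in the authentication log: a later access request will ask for it


def _norm(addr: str) -> str:
    """Assumed normalisation: case- and punctuation-insensitive address comparison."""
    return " ".join(addr.lower().replace(",", " ").split())


def assess_port_request(req: PortRequest, home_country: str = "ES",
                        dormant_days: int = 90, max_failures: int = 2) -> Decision:
    reasons = []
    # High-risk indicators: any one of them escalates to fraud review.
    if req.contact_changed_on and (req.request_date - req.contact_changed_on).days <= 7:
        reasons.append("contact details changed within 7 days")
    if req.failed_auth_attempts > max_failures:   # "multiple" assumed as more than 2
        reasons.append(f"{req.failed_auth_attempts} failed authentication attempts")
    if req.client_country != home_country or req.via_vpn_or_proxy:
        reasons.append("request from foreign IP address or VPN")
    if req.last_activity_on and (req.request_date - req.last_activity_on).days >= dormant_days:
        reasons.append("account dormant then suddenly active")
    if reasons:
        return Decision("fraud_review", reasons)
    # Step-up conditions: video ID check, in-store visit or an out-of-band call
    # to the registered number before the port may proceed.
    if _norm(req.delivery_address) != _norm(req.billing_address):
        reasons.append("SIM delivery address differs from billing address")
    if req.factors_passed < 2:
        reasons.append("fewer than two authentication factors passed")
    if reasons:
        return Decision("step_up_auth", reasons)
    return Decision("auto_process", [])
```

Knowing the customer's ID number and basic personal details, as in this case, counts as none of the three listed factors, so such a request never reaches `auto_process`.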

7. What to Do When You Receive a Fraud Victim's Access Request

If a customer contacts you stating they are a fraud victim and requesting data for police or legal proceedings:

Immediate Response (Within 24 Hours): "Dear [Customer], we have received your access request dated [date]. We understand you are reporting suspected fraud and need this information urgently. We are processing your request as a priority and will provide the requested data within [X] days. In the meantime, we have [frozen your account / initiated fraud review / other protective measures]. Please provide your police report reference number for our records."

Data Package to Provide:

  1. Full voice recordings (with metadata)
  2. Authentication logs (what ID verification was performed)
  3. Transaction history during the fraud period
  4. IP addresses and device fingerprints if available
  5. Correspondence records (emails, SMS, prior calls)
  6. Any fraud alerts or security flags that were triggered (or should have been)

Follow-Up Support:

  • Offer to provide a written statement for police explaining your company's involvement
  • Designate a fraud liaison officer who can answer investigator questions
  • Proactively review and strengthen security measures to prevent recurrence

8. The 30-Day Deadline Cannot Be Extended for "Complexity"

Simyo might argue that fraud investigations are "complex" and justify extensions under Article 12.3 GDPR.

AEPD Position: Whilst Article 12.3 permits a two-month extension for complex requests, you must notify the data subject of the extension within the original 30-day period, explaining why it's necessary. You cannot remain silent for 11 months and then claim "complexity."

Action: If you genuinely need extra time to locate recordings, review for third-party data, or verify authenticity, send an extension notice within 28 days: "Due to the volume of recordings to review and the need to protect third-party privacy, we are extending our response deadline by [X] additional weeks under Article 12.3 GDPR. We will provide your data by [new deadline date]."
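
The deadline rule in this step, encoded as an added example (not the AEPD's or Simyo's code): the 30-day clock starts at receipt, an extension only counts if the notice went out inside that period, and the extension is capped at two months, assumed here as 60 days. The 28-day notice target is the one given above; the dates in the test are this case's.

```python
"""Article 12.3 deadline tracking for an access request (added example)."""
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 30        # response period used throughout this page
NOTICE_TARGET_DAYS = 28   # send any extension notice by this day
MAX_EXTENSION_DAYS = 60   # assumption: the "two-month" extension counted as 60 days


def access_request_status(received: date, today: date,
                          extension_notice_on: Optional[date] = None,
                          extension_days: int = 0,
                          responded_on: Optional[date] = None) -> dict:
    base_deadline = received + timedelta(days=RESPONSE_DAYS)
    deadline = base_deadline
    extension_valid = False
    if extension_notice_on is not None:
        # A notice sent after the original period, or claiming more than two
        # months, does not move the deadline: silence cannot be cured later.
        extension_valid = (extension_notice_on <= base_deadline
                           and 0 < extension_days <= MAX_EXTENSION_DAYS)
        if extension_valid:
            deadline = base_deadline + timedelta(days=extension_days)
    reference = responded_on or today
    days_late = max(0, (reference - deadline).days)
    if responded_on is not None:
        status = "responded_on_time" if days_late == 0 else "responded_late"
    elif days_late > 0:
        status = "overdue"
    else:
        status = "open"
    return {
        "base_deadline": base_deadline,
        "notice_by": received + timedelta(days=NOTICE_TARGET_DAYS),
        "deadline": deadline,
        "extension_valid": extension_valid,
        "days_elapsed": (reference - received).days,
        "days_late": days_late,
        "status": status,
    }
```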

9. Create a "Fraud Victim Data Access" Fast-Track Procedure

Many organisations have standard 30-day processes for routine access requests, but fraud victims need faster service.

Two-Tier System:

  • Standard Access Requests: 30-day timeline for routine requests (customer wants to see what data you hold, download their account history, etc.)
  • Urgent Fraud Access Requests: 7-day timeline for requests explicitly related to fraud, identity theft, unauthorised transactions, or criminal proceedings

Triggers for Urgent Track:

  • Customer mentions "fraud," "identity theft," "unauthorised," "police report," "criminal investigation"
  • Request specifically asks for authentication logs, recordings of suspicious transactions, or access logs
  • Customer provides police report reference number

Action: Train customer service to flag these requests immediately and route them to a senior data protection officer with authority to expedite processing.

10. The Broader Implications: Security Failures May Trigger Separate Sanctions

The AEPD explicitly noted that whilst this resolution only addresses the access request delay, the victim's allegations about inadequate authentication and security failures "may be analysed in other distinct proceedings."

Potential Follow-Up Enforcement:

  • Article 5.1(f) GDPR (Security Principle): Failing to implement appropriate security measures to prevent SIM swap fraud
  • Article 32 GDPR (Security of Processing): Inadequate authentication procedures for high-risk operations like number portability
  • Article 25 GDPR (Data Protection by Design): Not building fraud prevention mechanisms into portability workflows

Risk Assessment: If the AEPD opens a separate security investigation and finds Simyo's verification procedures were systemically deficient, the company could face sanctions under Article 83.4 GDPR (up to €10 million or 2% of global turnover) for security violations, in addition to this access request violation.

Action for Telecoms Operators: Immediately audit your SIM activation, number portability, and account access procedures. Implement the enhanced security measures outlined in Step 6 above. Document all improvements and retain evidence showing compliance—this demonstrates good faith if regulators investigate.

Summary of Business Risk

This case establishes that telecommunications companies cannot withhold voice recordings from fraud victims by demanding court orders or insisting requests go through law enforcement—Article 15 GDPR grants unconditional access to personal data including call recordings within 30 days. The 11-month delay was particularly damaging because it deprived the victim of critical evidence needed for criminal proceedings and financial fraud disputes. Beyond the formal access violation, the case exposes serious security deficiencies in Simyo's number portability authentication procedures that facilitated the SIM swap fraud, potentially triggering separate AEPD enforcement action for violations of GDPR's security principles. Telecommunications operators must implement both robust fraud prevention measures and expedited data access procedures for fraud victims.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Legal Notice.
