AEPD (Spain) - PS/00308/2021: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by the same user not shown)
Line 48: Line 48:
}}
}}


The Spanish DPA fined Orange €50,000 (reduced to €30,000) for processing personal data without a valid legal basis, as processing was based on a fraudulent telephone contract. The DPA found that Orange  
The Spanish DPA fined Orange €50,000 (reduced to €30,000) for processing personal data without a valid legal basis, since processing was based on a fraudulent telephone portability contract. The DPA stated that Orange did not have an adequate identity verification system for portability requests.  
 
 
. This occurred since Orange had failed to implement an adequate identity verification system for portability requests.  
 
 
failing to implement adequate measures to avoid the processing of personal data without a valid legal basis, with regards to proper means of identification of clients to prevent identity fraud.
 
no proper identity verification system for portability requests.
 
== English Summary ==
== English Summary ==



Latest revision as of 10:06, 18 August 2021

AEPD (Spain) - PS/00308/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 10.08.2021
Fine: 50000 EUR
Parties: ORANGE ESPAGNE, S.A.U.
National Case Number/Name: PS/00308/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined Orange €50,000 (reduced to €30,000) for processing personal data without a valid legal basis, since processing was based on a fraudulent telephone portability contract. The DPA stated that Orange did not have an adequate identity verification system for portability requests.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD). The complainant had started a phone number portability from one telecommunication company (Yoigo) to another one (MasMovil). However, the complainant regretted it and asked the company to stop and cancel the portability (before the new SIM card arrived). Something went wrong during the process, as the complainant did not have phone signal during a few days. Yoigo answered that they would solve the issue and send the complainant a new SIM card.

Two days later, the complainant found that someone had been using their phone number to make bank transfers via a phone application called Bizum, that offers the possibility of making bank transfers using your phone number.

The complainant suspected that this had happened for reasons related with the portability problem, and contacted Yoigo, that answered that the SIM card had been destroyed.

Afterwards, the complainant discovered that their phone number was on Orange (another telecommunications company), but no longer in the complainant's name.

The complainant hence reported this to the police and filed the complaint with the DPA.

The AEPD launched an investigation and received an answer by Xfera Moviles (owned by MasMovil) saying that a scammer had been trying to make a fake portability several times, and had been stopped by the automated systems against fraud, but that they had been successful the last time they tried to, arranging a portability with Orange for the phone number of the complainant.

Holding

The AEPD concluded that Orange had not put into place all the necessary and adequate measures to avoid unlawfully processing personal data, since they had no proper identity verification system for portability requests.

Therefore, the AEPD fined Orange €50,000 for a violation of Article 6 GDPR, for the processing of personal data without a valid legal basis.

The fine was reduced to €30,000 for the acknowledgement of responsibility and early payment.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/12











     File No.: PS / 00308/2021



       RESOLUTION OF TERMINATION OF THE PROCEDURE BY PAYMENT
                                   VOLUNTARY

Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following

                                 BACKGROUND


FIRST: On July 9, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against ORANGE ESPAGNE,
S.A.U. (hereinafter, the claimed party), through the Agreement that is transcribed:


<<






Procedure No.: PS / 00308/2021




           AGREEMENT TO START THE SANCTIONING PROCEDURE



Of the actions carried out by the Spanish Agency for Data Protection and in

based on the following



                                     ACTS




FIRST: A.A.A. (hereinafter, the claimant) dated March 17, 2020

filed a claim with the Spanish Data Protection Agency.



The claim is directed against ORANGE ESPAGNE, S.A.U., with CIF A82009812 (in

forward, the claimed one).





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12








The reasons on which the claim is based are that on February 26, 2020, the
claimant requested the portability of YOIGO to MASMOVIL, and although the next day

telephonically canceled the portability carried out, one of the lines (*** PHONE. 1)
was retained in MASMOVIL, despite assuring it that said portability was

voided (so the SIM card was not delivered).



On March 05, 2020, you do not have a mobile phone line, contact YOIGO and they will tell you

that will solve it.



On March 11, 2020, YOIGO sends you a new SIM card indicating that

they would reactivate the service in 48 hours.



Two days later (March 13, 2020), you discover that third parties are

making unauthorized, high-value bank transfers from your account
of BBVA (two of them by reimbursement by Bizum).




Contact MASMOVIL, as you suspect that what happened has its cause in the
disappearance of your SIM card and indicate that your card may have been

destroyed by the carrier for security reasons.



Who later discovers that his number *** TELEPHONE.1 belongs to Orange
since March 13, 2020 and that it is not in your name.


Along with the claim, provide a copy of the complaint to the police



SECOND: In view of the facts denounced in the claim and the

documents provided by the claimant, the Subdirectorate General for Inspection of
Data proceeded to carry out preliminary investigation actions for the

clarification of the facts in question, by virtue of the powers of investigation
granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and of

in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/3








As a result of the investigative actions carried out, it is verified that the
responsible for the treatment is the claimed one.




Likewise, the following points are found:



On July 14, 2020, XFERA MÓVILES, S.A., sent this Agency the
following information and statements:




1. That from February 26, 2020 to March 5, 2020 are received
repeated requests for portability of the claimant's line, which are all
ex officio shutdowns in systems due to fraud. This is possible because the operator

donor and recipient (from YOIGO to MASMOVIL) belonged to the same company.



2. That the scammer's fourth attempt was not possible to stop the portability in the

systems (portability times are very short), but stopped in logistics of
so the SIM card was not delivered.




3. That the scammer tried portability again on 03/13/2020 and
manages to carry out the portability, this time to the ORANGE company, so he had to

pass the security of this company.



On February 6, 2021, ORANGE ESPAGNE, S.A.U. sends this Agency the

following information and statements:



1. That the request to the donor operator regarding portability was completed

through the shared system SGP with the data corresponding to the claimant and
was accepted by the donor operator.




Provides a screenshot of a portability request dated February 13
March 2020 relative to the line *** PHONE. 1 and being name and surname and number

The client's DNI those of the claimant.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/12








2. That the portability was done through the Online channel.




3. That they proceeded to inform by sending an SMS to the line object of
portability as of March 12, 2020 with the following content:




"Hello. you already have your order *** ORDER.1 in the store *** STORE.1 you have 7 days to
come and pick it up Remember to bring the necessary documentation to pick up your

order. that you can check in *** URL.1. In case of not taking it, we will not be able to
deliver. And if you have not yet taken out Orange mobile insurance for your smartphone or
tablet, ask for it in your store to protect it from theft / breakage *** URL.2 "




A copy of the sms is provided.




4. Provide a copy of the DNI that served to prove the identity of the client stating
in it the name of D. B.B.B. with DNI number *** NIF. 1.




5. A copy of the portability contract is provided where it appears:



to. In the "Orange customer data" section there is B.B.B. with DNI number *** NIF. 1.




b. The e-mail contains *** EMAIL. 1.




c. In the "data of the owner of the donor operator line" section the
Name and surname of the claimant with DNI number *** NIF.1.




d. There is an indication of "Accepted by the customer electronically or by phone
date 03-11-2020 14:08:42 ”by both the Orange client and the operator client
donor.






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/12








6. That the line *** TELEPHONE.1 was blocked, putting it at
disposition of the claimant again.




7. That checks are being carried out to clarify what happened, as well

how to apply the corresponding internal measures since the controls
applied by the company in relation to verification of the identity of the contractor
they were applied correctly.




8. That in recent months they have focused their efforts on implementing systems and
measures to ensure the identity verification of the holder. That have

as technologies already implemented the “Digital Signature” tool, which is software
that allows to check if the DNI is in force, if it is one of those admitted by the policy
of Orange or if it generates doubts for having non-matching data. They also have the

"MobileConnect" tool for sending challenge / sms with a message that the customer
you must accept on your device to continue with the management.




9. That, in response to the security mechanisms used to ensure
the authenticity of the data provided by the client, as well as to verify their

ownership of the line state that the SGP request to the donor operator with the
data indicated by the user was validated and accepted by the donor operator. That
Likewise, the communications indicated above were sent.



                            FOUNDATIONS OF LAW




                                              I



By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of

control, and as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Data Protection Agency is competent to initiate and to
solve this procedure.




                                             II




Organic Law 3/2018, of December 5, on the Protection of Personal Data and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/12








guarantee of digital rights, in its article 4.11 defines the consent of the
interested as “any manifestation of free will, specific, informed and

unequivocal by which the interested party accepts, either through a declaration or a
clear affirmative action, the processing of personal data that concerns you ”.




In this sense, article 6.1 of the RGPD establishes that “in accordance with
provided in article 4.11 of Regulation (EU) 2016/679, it is understood by

consent of the affected party any manifestation of free, specific will,
informed and unequivocal by which it accepts, either through a statement or
a clear affirmative action, the processing of personal data that concerns him ”.


                                              III



In accordance with the available evidence, it is considered that, of the
denounced facts, a data processing without legitimation is deduced, since the

claimed entity carried out the portability object of this complaint, without ascertaining whether the
The person requesting it was or was not the claimant, which is a violation of the
Article 6 of the RGPD.




In relation to the lack of security measures in the deliveries of Sim cards
reported, indicate that a response is being given through the procedure

sanctioner PS / 0022/2021 still in progress.






                                             IV



Article 72.1 b) of the LOPDGDD states that “depending on what is established in the

Article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe
At three years, the infractions that suppose a substantial violation of the

articles mentioned in that and in particular, the following:



c) The processing of personal data without any of the conditions of

legality of the treatment in article 6 of Regulation (EU) 2016/679. "




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/12








                                             V




Article 58.2 of the RGPD provides the following: “Each control authority will have
of all of the following corrective powers listed below:




b) direct a warning to any person in charge or in charge of the treatment when the
processing operations have infringed the provisions of this Regulation;




d) order the person in charge of the treatment that the operations of

treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time frame;




i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;




                                             SAW




This offense can be sanctioned with a fine of € 20,000,000 maximum or,
in the case of a company, an amount equivalent to a maximum of 4% of the

total annual global business volume of the previous financial year, opting for the
of greater amount, in accordance with article 83.5 of the RGPD.




Likewise, it is considered that the sanction to be imposed should be adjusted in accordance with the
following criteria established in article 83.2 of the RGPD:




As aggravating factors the following:




 In the present case we are dealing with unintentional negligent action, but significant
you identified (article 83.2 b)



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/8








 Basic personal identifiers -image- are affected (art 83.2 g)




Therefore, based on the foregoing,




By the Director of the Spanish Data Protection Agency,




HE REMEMBERS:



FIRST: INITIATE SANCTIONING PROCEDURE against ORANGE ESPAGNE,

S.A.U., with CIF A82009812, in accordance with the provisions of article 58.2.b) of the
RGPD, for the alleged violation of article 6 of the RGPD, typified in article
83.5.b) of the GDPR




SECOND: ORDER ORANGE ESPAGNE, S.A.U., with CIF A82009812, of

in accordance with the provisions of article 58.2 d) of the RGPD, so that within ten
days proceed to carry out the necessary actions so that the treatment of the data
The personal data used comply with the provisions of the GDPR.




THIRD: APPOINT C.C.C. as instructor. and, as secretary, to D.D.D.,
indicating that any of them may be challenged, if applicable, in accordance with the

established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Public Sector Legal (LRJSP).




FOURTH: INCORPORATE to the sanctioning file, for evidentiary purposes, the
claim filed by the claimants and their documentation, the documents

obtained and generated by the General Subdirectorate for Data Inspection during the
investigation phase, as well as the report of previous Inspection actions.




FIFTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the

The corresponding penalty would be 50,000 euros (fifty thousand euros) without
detriment of what results from the instruction.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/12










SIX: NOTIFY this agreement ORANGE ESPAGNE, S.A.U., with CIF

A82009812, granting a hearing period of ten business days to formulate
the allegations and present the evidence that it deems appropriate. In his writing of

allegations, you must provide your NIF and the procedure number that appears in the
heading of this document.




If within the stipulated period it does not make allegations to this initiation agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of

the Public Administrations (hereinafter, LPACAP).



In accordance with the provisions of article 85 of the LPACAP, in the event that the

penalty to be imposed would be a fine, you may recognize your responsibility within the
term granted for the formulation of allegations to the present initiation agreement; it

which will entail a reduction of 20% of the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be
established at € 2,400 (two thousand four hundred euros), resolving the procedure

with the imposition of this sanction.



In the same way, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the penalty would be set at € 40,000 (forty thousand four hundred euros), and its

payment will imply the termination of the procedure.



The reduction for the voluntary payment of the penalty is cumulative to the corresponding

apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is made manifest within the period granted to formulate

allegations at the opening of the procedure. The voluntary payment of the referred amount
in the preceding paragraph, it may be done at any time prior to the resolution. In
In this case, if both reductions should be applied, the amount of the penalty would be

set at € 30,000 (thirty thousand euros).







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/12








In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or remedy in

administrative against the sanction.




In case you choose to proceed to the voluntary payment of any of the amounts
mentioned above € 40,000 or € 30,000, you must make it effective through your
deposit in the account number ES00 0000 0000 0000 0000 0000 opened in the name of the

Spanish Agency for Data Protection in Banco CAIXABANK, S.A., indicating
in the concept the reference number of the procedure that appears in the
heading of this document and the cause of reduction of the amount to which

welcomes.



Likewise, you must send the proof of admission to the Subdirectorate General of

Inspection to continue the procedure according to the quantity
entered.




The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.

After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.




Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.






Mar Spain Martí

Director of the Spanish Agency for Data Protection




>>



SECOND: On August 4, 2021, the claimed party has made the payment
of the penalty in the amount of 30,000 euros making use of the two reductions
provided for in the Initiation Agreement transcribed above, which implies the
acknowledgment of responsibility.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/12









THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process

administrative against the sanction and the recognition of responsibility in relation to
the facts to which the Initiation Agreement refers.


                            FOUNDATIONS OF LAW


                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, Protection of Personal Data and guarantee of digital rights (in

hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the

information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.

                                             II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:

"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,

the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,

except in relation to the replacement of the altered situation or to the determination of the
compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,

20% on the amount of the proposed sanction, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditional on the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.


The percentage of reduction foreseen in this section may be increased
regulations. "



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/12









In accordance with the above, the Director of the Spanish Agency for the Protection of
Data
RESOLVES:


FIRST: DECLARE the termination of procedure PS / 00308/2021, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to ORANGE ESPAGNE, S.A.U ..


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the

referred Law.


                                                                                  936-160721
Mar Spain Martí
Director of the Spanish Agency for Data Protection
































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es