AEPD (Spain) - PS/00059/2020: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...") |
m (Ar moved page AEPD - PS/00059/2020 to AEPD (Spain) - PS/00059/2020) |
||
(18 intermediate revisions by one other user not shown) | |||
Line 19: | Line 19: | ||
|Date_Decided= | |Date_Decided= | ||
|Date_Published=10.03.2021 | |Date_Published=10.03.2021 | ||
|Year= | |Year=2021 | ||
|Fine=8125000 | |Fine=8125000 | ||
|Currency=EUR | |Currency=EUR | ||
Line 31: | Line 31: | ||
|National_Law_Name_1=§ 21 LSSI | |National_Law_Name_1=§ 21 LSSI | ||
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 | |National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 | ||
|National_Law_Name_3=§ 48(1) LGT | |||
|National_Law_Name_3=§ 48(1 | |||
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950 | |National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950 | ||
Line 56: | Line 54: | ||
}} | }} | ||
The Spanish Data Protection Authority (AEPD) imposed a record fine of €8,125,000 on Vodafone España due to the continuous and numerous violations of several provisions, including Articles 28 and 44 GDPR, the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Information Society Services Act] implementing the e-Privacy Directive and the [https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950 Spanish Telecommunications Act]. | |||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
The AEPD launched an investigation into Vodafone due to the high number of complaints received regarding unsolicited commercial communications. The AEPD found that 191 claimants had filed these complaints because Vodafone had sent the communications without prior consent or after they had exercised their right to object (mainly by asking to be included in the internal or general Robinson list), which would be an infringement of Article 21 LSSI (the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Information Society Services Act]). Additionally, the fact that Vodafone did not facilitate or give the claimants an option to exercise the right to object, and the unsolicited communications ''per se'', constituted a breach of Article 48(1) LGT (the [https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950 Spanish Telecommunications Act]). | |||
The AEPD also notes that Vodafone has already been sanctioned several times in a short period of time (2 years) for the same reasons, yet has not been able to rectify the infringing behaviour. The AEPD has continued to receive claims based on the same facts from a high number of data subjects. | |||
The AEPD also discovered that there was a lack of real, continuous, permanent and audited control of the processing operations carried out by the processors on which Vodafone relied to carry out part of its commercial actions. Many of the contracts or agreements concluded between them were merely a checklist, and there was no further control or verification by Vodafone of whether they provided an adequate level of protection, measures and safeguards for the processing. | |||
== Comment == | Additionally, it was also found that Vodafone contracted with a processor that would carry out processing of data in Peru, therefore transferring data to a third country, without ensuring an adequate level of protection in any way, as the contract did not make any reference to any kind of mechanism related to international transfers of data. | ||
===Dispute=== | |||
Does the continuous sending of unsolicited communications to different data subjects, some of whom have already objected, constitute a violation of the LSSI and the LGT? Does Vodafone's lack of control and verification of the obligations of the processors it contracts with constitute a violation of Article 28 GDPR? Does contracting with a Peruvian processor without ensuring an adequate level of protection constitute a violation of Article 44 GDPR? | |||
===Holding=== | |||
The AEPD imposed on Vodafone the following sanctions, resulting in a record fine of € 8 125 000: | |||
- A € 4 000 000 fine for the infringement of Article 28 GDPR: due to the hiring of processors who do not comply with adequate safeguards, and Vodafone's lack of control over this; | |||
- A € 2 000 000 fine for the infringement of Article 44 GDPR: due to the carrying out of international transfers without implementing adequate safeguards ''(first significant sanction by the AEPD for this reason under GDPR)''; | |||
- A € 150 000 fine for the infringement of Article 21 LSSI: due to the sending of unsolicited electronic commercial communications; | |||
- A € 2 000 000 fine for the infringement of Article 48(1) LGT + Article 21 LSSI: due to the making of unsolicited commercial calls after several claimants had expressed their opposition or had been included in the general or internal Robinson list. Vodafone did not guarantee the effective exercise of the right to object. | |||
The aggravating factors used to modulate the sanction are of special relevance in this case, taking especially into account the high number of complaints in a quite short period of time. Among the aggravating factors used by the AEPD to graduate the sanctions, the following stand out: | |||
a) The fact that the company had already been sanctioned with a fine or warning, from January 2018 to February 2020, on more than 50 occasions; | |||
b) The fact that there were 161 complaints in a period of just two years; | |||
c) The large number of marketing actions via telephone calls (around 200 000 000). | |||
==Comment== | |||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
<pre> | <pre> | ||
Procedure No.: PS / 00059/2020 | |||
RESOLUTION OF SANCTIONING PROCEDURE | |||
Of the procedure instructed by the Spanish Agency for Data Protection and with | |||
based on the following | |||
BACKGROUND | |||
FIRST. Since the second quarter of 2018 they have been received in this Agency | |||
191 claims as of the date of the commencement agreement 02/26/2020 (23 of which between | |||
on October 1, 2019 and February 2020) against the entity VODAFONE ESPAÑA, | |||
SAU (hereinafter VODAFONE or VDF), with NIF A80907397, in which | |||
denounces the carrying out of marketing and commercial prospecting actions in | |||
name and on behalf of VDF through telephone calls and by sending | |||
electronic commercial communications (SMS messages and emails). | |||
Such actions could violate both the regulations Law 9/2014, of May 9, General | |||
of Telecommunications (hereinafter LGT), Law 34/2002, of July 11, on services | |||
of the information society and electronic commerce (hereinafter LSSICE), | |||
such as Organic Law 3/2018, of December 5, on the Protection of Personal Data and | |||
Guarantees of Digital Rights (hereinafter LOPDGD). | |||
The above, because these denounced electronic communications are produced, for | |||
one side and with regard to the LSSICE, without having been requested or | |||
expressly authorized and / or without attending to the exercise of the right to oppose the shipment | |||
of new notifications; on the other, regarding the LGT, without facilitating the possibility of | |||
exercise the right of opposition or, once the affected party has exercised | |||
previously your right of opposition through its inclusion in the file of | |||
internal advertising exclusion of the indicated entities (hereinafter Robinson List | |||
Internal -LRI-), or through the common general advertising exclusion system | |||
named Robinson Adigital Listing -LRAD-; and, finally, as regards the | |||
LOPDGDD without adapting the procedures and guarantees established for the execution | |||
of marketing actions in the content of the contracts with those in charge of | |||
the treatments that act in the name and on behalf of the person in charge (VDF) and without | |||
offer the interested party the necessary, sufficient and appropriate means that guarantee | |||
the protection of your rights and freedoms. | |||
Likewise, it should be made clear that the analysis of the answers to the | |||
information requirements of this Agency evacuated by the claimed entity are | |||
In summary, it follows the following: | |||
| |||
They do not explain the reason why the events happen and continue to happen | |||
object of claim. | |||
| |||
The origin of the data relating to the telephone line number or | |||
e-mail address of the recipients. | |||
| |||
The reason why there are claimants who have exercised the | |||
right to object to receive marketing actions and / or appear in your LRI or | |||
LRAD and, nevertheless, commercial actions have been carried out again. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
| |||
They do not explain the reasons why the rights exercised by | |||
the complainants nor do they propose effective actions aimed at avoiding this | |||
type of behavior. | |||
| |||
Marketing actions continue after AEPD resolutions in | |||
protection of the rights exercised and previous procedural resolutions | |||
sanctioners urging the cancellation of commercial actions and sanctioning the | |||
same facts now analyzed. | |||
| |||
Regarding the process for the admission of claims provided for in article 65 of the | |||
LOPDGDD it appears that although a satisfactory answer has been obtained for | |||
the claimant in certain claims having stated the entity | |||
claimed that the claimant's data were incorporated into the exclusion files of | |||
publicity actions of the entities (LRI) (despite already being incorporated | |||
in the LRAD), it becomes clear that the procedure carried out is not | |||
decisive. Marketing actions continue, and may involve conduct | |||
regular and permanent violation of the rights and freedoms of the | |||
interested in the field of direct marketing actions, customer service | |||
rights recognized in the aforementioned regulations (LGT, LSSICE and LOPDGDD) and absence | |||
of appropriate technical and organizational measures for the effective implementation | |||
of the principles and guarantees of the interested parties as indicated by current regulations | |||
above. | |||
| |||
To which must be added, for the purposes of lack of collaboration, that the last | |||
claims before this Agency during the process of admission for processing have not been | |||
attended by the entity, or they have been after the expiration of the period of 3 | |||
months, which has given rise to its admission for processing by imperative of article 65.5 of the | |||
LOPDGDD. | |||
It consists of the documentation received from VDF on 04/26/2019 (in pendrive given | |||
the large volume of information, with entry registration number 021640/2019) that | |||
the volume of commercial actions carried out in the name and on behalf of VDF | |||
from May 2018 to March 2019 it is 200,000,000 (two hundred million). | |||
It also consists of the balance of annual accounts (March 2018-March 2019) presented | |||
by VDF that the net amount of the turnover exceeds 1,600 million euros | |||
and has 4,000 employees. | |||
Consequently, it was deemed necessary to initiate investigation actions by the | |||
Subdirectorate General for Data Inspection aimed at clarifying the | |||
responsibilities regarding data protection (RGPD and LOPDGDD) | |||
the person responsible for the treatment object of the claims may have incurred | |||
in their marketing actions and attention to the exercise of rights | |||
established in Regulation (EU) 2016/679 of the European Parliament and of the Council | |||
of April 27, 2016 on the protection of natural persons in what | |||
regarding the processing of personal data and the free circulation of these data and by | |||
which repeals Directive 95/46 / CE (hereinafter RGPD). | |||
It was also deemed necessary to investigate the facts denounced in order to resolve the | |||
responsibilities that may have been incurred by the person responsible for the actions of | |||
marketing in relation to the provisions of article 48 of Law 9/2014, of 9 of | |||
May, General Telecommunications (LGT) and article 21 of Law 34/2002, of 11 | |||
July, services of the information society and electronic commerce (LSSICE). | |||
SECOND: In view of the above, the Director of the Spanish Protection Agency | |||
of Data urged the Subdirectorate General for Data Inspection to proceed to | |||
carry out investigative actions necessary to clarify the facts | |||
in denounced, by virtue of the powers of investigation granted to the authorities | |||
of control in article 57.1 of the RGPD, and in accordance with the provisions of the | |||
Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the | |||
following extremes: | |||
On 02/26/2019, it was agreed to initiate investigative actions in order to | |||
prove the possible existence of a regular and continued conduct of violation of | |||
the data protection regulations (RGPD and LOPDGDD), LGT and LSSICE in the field | |||
of direct marketing actions by the entity now investigated | |||
(VDF). | |||
The object of the research actions to be carried out is framed in the analysis of | |||
the internally designed procedures for the data processing carried out | |||
in the field of direct marketing in the name and on behalf of VDF, since | |||
the data is incorporated into the information systems for which it is responsible until | |||
which is no longer used for these purposes. | |||
This implies that the origin of the processed data is clarified, the subsequent treatment | |||
of these and the relationship with those in charge of the treatments, the prior verification | |||
of inclusion in the internal or general advertising exclusion system of those affected | |||
(internal Robinson and General Adigital listings), the management of the rights of | |||
opposition and deletion, as well as the technical and organizational measures implemented and | |||
their degree of compliance for the protection of the rights and freedoms of | |||
interested. | |||
INVESTIGATED ENTITIES | |||
During these proceedings, investigations have been carried out into the following | |||
entities: | |||
| |||
VODAFONE ONO, SAU | |||
| |||
VODAFONE ESPAÑA, SAU | |||
| |||
VODAFONE ENABLER ESPAÑA, SL | |||
| |||
TELEFONICA DE ESPAÑA, SAU | |||
| |||
TELEFONICA MOVILES ESPAÑA, SAU | |||
| |||
LYCA MOBILE, SL | |||
| |||
XTRA TELECOM | |||
| |||
INTERACTIVE SERVICES DIALOGUE | |||
| |||
FLASH MEDIA EUROPE, | |||
| |||
ORANGE ESPAÑA, SAU | |||
| |||
GLOBALIA CALL CENTER, SA | |||
| |||
MARKTEL GLOBAL SERVICES, SA | |||
| |||
ENGINYERIA INFORMATICA OLOT, SL | |||
| |||
CASMAR TELECOM, SL (hereinafter Casmar) | |||
| |||
THREE-QUARTERS FULL, SL (hereinafter TQF) | |||
RESULT OF RESEARCH ACTIONS | |||
1. | |||
From the beginning of the investigative actions that are in the file | |||
reference E / 01615/2019, 191 claims have been incorporated through the | |||
reference file E / 09541/2018, of which 23 received since October | |||
2019 to February 2020. | |||
On the dates of 02/27/2019, 03/08/2019, 03/18/2019, 06/07/2019 | |||
information requirements to VODAFONE ESPAÑA, SAU and on dates of | |||
09/18/2019 and 09/30/2019 a face-to-face inspection is carried out (whose Minutes and documentation | |||
is incorporated into the file) at the VDF headquarters in order to be able to contrast with the | |||
current regulations the general procedure of management of the relative data processing | |||
to direct marketing actions through phone calls, SMS and | |||
emails, having knowledge of the following: | |||
1.1 In general, marketing actions can be classified | |||
attending to several criteria. | |||
1.1.1. Campaigns managed directly by VDF and Campaigns managed by others | |||
entities by account and name of VDF. | |||
The difference between campaigns managed directly by VDF from those that are | |||
managed by other entities on behalf of and on behalf of VDF is the following: | |||
That in the first (VDF), the databases of the recipients of the actions | |||
commercial actions are provided by VDF and commercial actions are carried out, or | |||
the internal Marketing Department or the internal Telesales Department | |||
(Hereinafter TVTA), the latter through entities contracted by VDF that | |||
make up what they call the TVTA Platform. | |||
And the second (entities that act on behalf and on behalf of VDF) are carried out in | |||
in its entirety by the so-called Distributors / Collaborators / Agents (who sometimes, | |||
In turn, they subcontract the management and data processing of affected persons for the | |||
effective performance of marketing actions in the name and on behalf of | |||
VDF) being able, in this case, to use the databases provided by the | |||
VDF or its own databases being in charge, according to VDF, said | |||
distributors / collaborators / agents of the filtered data with both lists | |||
Robinson (internal, LRI and Adigital, LRAD). | |||
Regarding the "campaigns managed by other entities on behalf of VDF" , no | |||
It is clear that VDF has the technical and organizational control over the treatments and | |||
databases used by these entities, since not even when the | |||
"Distributor / collaborator / agent" uses its own databases or when it uses | |||
those provided by the VDF itself, VDF does not have implanted methods or technical means | |||
and organizational that verify the legality, the origin of these or their effective prior filtering | |||
with LRIs or LRADs, nor for how long they are used. | |||
There is also no evidence that VDF has real control over the commercial actions themselves. | |||
themselves (calls, SMS and emails), but only has a formal control based on the | |||
contractual obligations that distributors / collaborators / agents acquire with | |||
VDF and referred only to internal informative communications, not of | |||
prior authorizations to carry out marketing actions, in the case | |||
that they use their own databases of distributors / collaborators / agents and | |||
therefore unrelated to VDF. In this sense, it should be noted that from the documentation required to | |||
VDF and to these entities it is inferred that control over marketing actions | |||
It is a posteriori, that is, once the deficiency has been detected or a claim has been filed | |||
Before the AEPD, the acting entities are informed and indicate, where appropriate, | |||
corrective actions. | |||
The internal VDF department that contracts with the entities | |||
distributors / collaborators / agents that make up this second set of is the | |||
called "Distribution / agents" that is divided into several sales channels, between | |||
others: << Door to Door channel >> (hereinafter D2D), << online channel >>, << corners | |||
physical in shopping centers and establishments >>. | |||
1.1.2. Classification according to who materially performs the commercial actions: | |||
These may be those carried out by: | |||
(A) VDF's internal Marketing Department through VDF's own means. | |||
(B) Internal Telesales Department of VDF through the entities that make up | |||
the TVTA Platform. | |||
(C) Department of Distributors / Collaborators / Agents through its network of | |||
distributors / agents / collaborators . | |||
A.- VDF's internal Marketing Department carries out its own actions of | |||
advertising from their own databases, without prejudice to having competencies and | |||
functions that are projected onto the TVTA department. | |||
B.- The VDF TVTA Department is made up of the following platforms | |||
outsourced: | |||
For LOWI the telesales platforms are: | |||
Global Sales Solutions Line, SL (GSS) | |||
Emergia Contact Center, SL (Emergia) | |||
Konecta Bto, SL (Konecta) | |||
For VDF and ONO, the teleshopping platforms are: | |||
Global Sales Solutions Line, SL (GSS) | |||
Emergia Contact Center, SL (Emergia) | |||
Konecta Bto, SL (Konecta) | |||
Telecyl, SA (Madison) | |||
Atento Teleservicios Spain Branch in Morocco / Atento Teleservicios | |||
Spain, SL (Attentive) | |||
Marktel Servicios de Marketing Telefónico, SA (Marktel) | |||
Unísono Soluciones de Negocios, SA (Unísono) | |||
VDF states that for each of the platforms that make up the Department | |||
internal TVTA, there is << a data protection framework agreement >> adapted to the | |||
RGPD and, as a minimum, a contract for the provision of services which regulates the | |||
rights and obligations, although only from the commercial sphere. | |||
All these contracts are negotiated by the Vodafone Group purchasing center | |||
which is located in Luxembourg (Vodafone Procurement, Sarl). | |||
For their part, all the aforementioned entities that make up the platform of the | |||
TVTA Department, prior to being hired, must pass a process of | |||
<< supplier approval >> which is managed by the Vodafone Group located | |||
in Budapest, Hungary. For this, they are sent a checklist where they are asked for a certain | |||
information in order to validate whether it is possible to contract with said provider. The quoted | |||
checklist is limited to answering certain questions with a "YES" or "NO", without | |||
accreditation or content of the responses and procedures management is specified | |||
to follow. The content of the form / checklist is as follows: | |||
<< GOVERNMENT POLICIES | |||
A.1 Where is your headquarters located? | |||
A.2 Do you have a person responsible for the privacy of personal data? YES / NO | |||
A.3 If yes, what is your address? | |||
A.4 Do you have a person responsible for GDPR? YES / NO | |||
A.5 If yes, what is your address? | |||
A.6 Do they have defined and documented policies and procedures for the management of personal data? YES / NO | |||
A.7 Do the policies and procedures include a statement of commitment to the protection of | |||
data and privacy? YES / NO | |||
A.8 Do the policies and procedures have transversal rules, established profiles and responsibilities | |||
defined on data protection and privacy? YES / NO | |||
A.9 Do the policies and procedures contemplate disciplinary processes in the event of gaps in | |||
security including appropriate escalation to report to management? YES / NO | |||
A.10 Are any changes to the data protection policy informed to the management? YES / NO | |||
A.11 Is the management informed of the privacy policy and the data protection procedures | |||
on a regular basis, e.g. annually? YES / NO | |||
A.12 If you are asked to have a record of the personal data process, would it be valid and would it be | |||
updated? YES / NO | |||
EVALUATION AND MODIFICATIONS OF THE PROCESSING OF PERSONAL DATA | |||
B.1 Is there a procedure to assess whether a requirement or instruction from Vodafone regarding the | |||
Vodafone's personal data processing is legitimate? YES / NO | |||
B.2 Are you prepared to notify Vodafone if your assessment of the instruction or requirement on | |||
the processing of personal data received from Vodafone is illegitimate or could lead to a | |||
regulatory breach of the law on data protection and privacy? YES / NO | |||
B.3 Have you defined a process to ensure that if there are significant changes in the way it is | |||
process Vodafone's personal data, contact Vodafone to obtain preliminary approval | |||
when appropriate? YES / NO | |||
B.4 Would you be willing to obtain Vodafone's prior written consent before dealing with the | |||
Vodafone personal data with an outsourced third party? YES / NO | |||
B.5 Would you be willing to help Vodafone carry out the impact assessment on the | |||
privacy of personal data for those processes that Vodafone has classified as High | |||
Risk as stated in the GDPR regulations? YES / NO | |||
B.6.1 Will it allow Vodafone to carry out audits of its Policies and procedures for the protection of | |||
data, security and privacy? YES / NO | |||
B.6.2 Will it allow Vodafone to carry out audits of the systems used to process the data | |||
Vodafone personal? YES / NO | |||
B.6.3 Will it allow Vodafone to carry out audits of the physical locations in which they are processed | |||
said Vodafone personal data? YES / NO | |||
B.7 Do you have defined processes to document the processing of personal data that you carry out | |||
on behalf of Vodafone? YES / NO | |||
B.8 Do you have defined procedures for the erasure of Vodafone's personal data in | |||
concordance with the information retention policy or instructions provided by Vodafone? | |||
YES / NO | |||
B.9 In the absence of data retention guidelines established by Vodafone, is there a policy | |||
data retention and erasure standard? YES / NO | |||
B.10 Are there processes in place to ensure that once the contract with Vodafone has expired, | |||
all Vodafone personal data is retrieved from all systems and returned to Vodafone and | |||
removed from all systems? YES / NO | |||
B.11 Has a procedure been established by which to identify and communicate to Vodafone any | |||
regulation or regulatory obligation to which you are subject and that requires you to retain personal data | |||
after the end of the contract with Vodafone? YES / NO | |||
KNOWLEDGE ABOUT DATA PROTECTION OR PRIVACY AND PREPARATION OF THE | |||
DIRECTORS INVOLVED IN THE PROCESSING OF PERSONAL DATA | |||
C.1 Do the contracts signed by their management oblige them to protect and properly manage the | |||
personal information? YES / NO | |||
C.2 Do the contracts signed by your management oblige you to extend the responsibilities over the data | |||
personal activities beyond the working day and after terminating the employment relationship with your company? YES / NO | |||
C.3 Do the contracts signed by your employees contemplate disciplinary measures as a result of a | |||
failed in its responsibilities with respect to personal data? YES / NO | |||
C.4 Have you communicated to your management and information systems personnel that you are handling data | |||
personal data (through the appropriate channel) the data protection policy and procedures and | |||
Privacy? YES / NO | |||
C.5 Is the privacy and data protection policy communicated to all those new workers and | |||
to the management when there is a change in professional profile that would in turn produce new | |||
responsibilities regarding the processing of personal data? YES / NO | |||
C.6 Is defined and implemented training and training available on data protection and data protection | |||
privacy for all personnel involved in the processing of Vodafone personal data with | |||
in order to ensure that all personnel and management have adequate knowledge of the | |||
requirements for the processing of personal data? YES / NO | |||
C.7 Can you demonstrate that training has been provided to all new employees and to management | |||
existing when there are changes in the responsibilities regarding the handling of personal data? YES / NO | |||
C.8 Is the training and awareness program developed on a regular basis, e.g. annually? YES / NO | |||
RIGHTS OF INDIVIDUALS | |||
D.1 In the event of a request for access from an individual, or any other requirement on | |||
personal data (including any Supervisory Entity), do you have a procedure to give | |||
coverage to Vodafone or, if required by Vodafone, meet the request directly? YES / NO | |||
D.2 Is there a procedure in place to assist Vodafone in correcting personal data | |||
processed in the systems for which you are responsible? YES / NO | |||
D.3 Does the procedure have escalation processes in the communication of information to those responsible | |||
with time limits and local rectification mechanisms? YES / NO | |||
D.4 Do you have defined procedures that allow Vodafone to extract personal data from Vodafone | |||
of the systems for which you are responsible so that Vodafone can comply with the | |||
obligations on the portability of information of a client or an employee? YES / NO | |||
D.5 Do you have a procedure that would allow Vodafone to block an individual's access to its | |||
personal information? YES / NO | |||
D.6 Could Vodafone permanently block a subject's access to personal data | |||
individual? YES / NO | |||
D.7 Could Vodafone be able to block access to an individual's personal data in a way that | |||
temporary? YES / NO | |||
D.8 Would you be in a position to meet the requirements that Vodafone may have regarding | |||
pseudo-anonymization and anonymization of personal data? YES / NO | |||
DATA SECURITY GAP-INCIDENT AND NOTIFICATION MANAGEMENT | |||
E.1 Do you have defined processes for monitoring logs (activity) and reporting to Vodafone of | |||
security incidents in relation to Vodafone's personal data? YES / NO | |||
E.2 Are the processes for reporting security incidents and tracking logs on personal data | |||
of Vodafone communicated in your organization? YES / NO | |||
E.3 Are reports of security incidents and breaches investigated internally on a regular basis? | |||
security of personal data, including reviewing lessons learned and identifying how many | |||
incidents have occurred in the last 12 months? YES / NO | |||
E.4 If there has been a security incident in the last 12 months that has impacted on the | |||
Vodafone personal data, has Vodafone been notified? YES / NO | |||
E.5 Is anyone in your organization responsible for managing incidents and reporting | |||
the same to Vodafone? YES / NO | |||
E.6 Does the process include the obligation to notify affected customers within 24 hours, such as | |||
Vodafone to allow customers to investigate and make the corresponding notifications to the | |||
regulators before the 72 hours established by GDPR? YES / NO | |||
SUBPROCESSES | |||
F.1 Is there evidence of due diligence processes for the selection of subcontractors that include | |||
a review of the technical, physical administrative controls concerning data protection | |||
personal? YES / NO | |||
F.2 Do you ensure that you have the agreements and contracts with your subcontractors with the same or equivalent | |||
obligations, as required in the contract with Vodafone, in relation to the processing of | |||
personal information? YES / NO | |||
F.3 Would you provide Vodafone with the list of threads involved or who would be involved? | |||
in the processing of Vodafone's personal data? YES / NO | |||
F.4 Is there a procedure to inform clients when there is a change in a used thread | |||
by the main process in the processing of personal data? YES / NO | |||
F.5 Is there a return strategy with all subcontracts to return personal data | |||
used by the thread? YES / NO | |||
LOCATION OF THE PROCESSED PERSONAL DATA
G.1 Are the employees who process Vodafone's personal data in the European Economic Union? YES NO
G.2 Are the employees who process Vodafone's personal data outside the European Economic Union? YES NO
G.3 Are the employees who process Vodafone's personal data both inside and outside the European Economic Union? YES NO
G.4 Do you process Vodafone's personal data in your own data centers located in Europe? YES NO
G.5 Do you process Vodafone's personal data in your own data centers located outside of Europe? YES NO
G.6 Do you process Vodafone personal data in third-party data centers located in Europe? YES NO
G.7 Do you process Vodafone's personal data in third-party data centers located outside of Europe? YES NO
G.8 Do you process Vodafone's personal data in Amazon AWS-type public cloud data centers? YES NO
G.9 Do you know the location of all Vodafone personal data and how / when it is used in all the jurisdictions where you operate? YES NO
G.10 Do you ensure that all standards and procedures in the locations / jurisdictions where you or your subcontractors operate are appropriate and in any case at least comparable to the standards and procedures that you agreed with Vodafone? YES NO
G.11 Do you transfer Vodafone personal data to a country outside the European Union? YES NO
G.12 If personal data from Vodafone is transferred to a location such as countries that do not belong to the European Union or countries that are not included in the European Union's list of "Safe Countries", are you ready to sign a data transfer agreement with Vodafone based on the European Union model clauses for export and import? YES NO
DISCLOSURE TO THIRD PARTIES
H.1 Is there a defined procedure to evaluate the legitimacy or legality of requests for disclosure of personal data received from third parties, including bodies in charge of ensuring compliance with the law? YES NO
H.2 Are the employees who receive and process such requests aware of that process? YES NO
H.3 Does the process have all the guarantees to be safely registered? YES NO
H.4 Does the process require an assessment to be performed to allow the client to be notified of the third party's request for access to, or disclosure of, the client's personal data? YES NO
H.5 Does the process establish who could notify the client of the third party's request to access or disclose the customer's personal data? YES NO
CONTRACTS AND RESOURCES
I.1 Would your company be willing to sign a data processing agreement with Vodafone on the terms established by Vodafone to regulate the process? YES NO
I.2 Would your company formalize an agreement with unlimited liability for breach of contractual obligations in the processing of personal data? YES NO >>
Therefore, any entity that requests to join the TVTA platform has to complete this homologation before contracting with VDF and joining the TVTA platform. The homologation process consists of filling in a form that returns an "OK" (valid) or "KO" (invalid) result. If the result of the form is "OK", VDF generates a code called "SAP", which is assigned to the new entity as an identifier and allows it to conclude contracts in VDF's name.
VDF uses the services of a third company that performs quality audits (not specifically in terms of data protection) to verify that the contracted entities act correctly and comply with the processes defined in the contracts.
C.- The Department of Distributors / Collaborators / Agents is divided into several sales channels: the "Door to Door" channel (hereinafter D2D), the "online channel" and "physical corners in shopping centers and establishments", among others.
There are exclusive agents who sign << agency contracts >> with VDF, which always include a general annex on compliance with data protection regulations that delegates responsibility for compliance with legal obligations to the agents. There are also entities that do not sign an agency contract.
Regarding the D2D channel, two scenarios must be distinguished when analyzing its operation: one before the acquisition of ONO by VDF (on 01/10/2018), and another after it.
In the first scenario, VDF agents carry out "cold door" canvassing of potential clients in whose homes VDF fiber optic technology can be installed. When the potential client accepts the offer, the agent shows on a tablet the contractual conditions of the service to be contracted, which the user accepts, and a verification call is subsequently made by the verification body Marktel.
In the second scenario, the Distributors / Collaborators / Agents sell through stands in shops and on the street, and in turn also reach << agreements with other telesales and commercial agencies >> (sub-processors on behalf of VDF) that actually make the telephone calls and that manage << their own lists >> of potential customers' telephone numbers.
These subcontracted << other telesales and commercial agencies >> are not subject to a prior approval process, as those assigned to the TVTA platform are; rather, work currently continues with those that already provided the service to ONO before the merger with VDF (on 01/10/2018), and there is no evidence that the technical and organizational means available to them have been verified.
In these cases, VDF does not know the identity of the entities (other telesales and commercial agencies) subcontracted by the Distributor / Collaborator / Agent, nor the technical or organizational guarantees they offer. Information on the identity of these subcontracted entities must be included in the annex to the contract (subcontract) established for this purpose, but it only appears once the subcontracting has taken place; that is, VDF does not know in advance the technical and organizational qualification or the identity of these subcontracted entities, or their capacity to comply with current regulations.
Under the clauses of the standard contract called "Canal Presencial 2019-2020" (for example, the one with CASMAR of May 1, 2019) signed between VDF and the entities attached to the TVTA platform, there is an obligation to notify VDF in advance of the list of sub-processors on behalf of VDF that the distributors / collaborators / agents will use. This communication is covered, among others, by Clauses 5 (resources) and 6 (characteristics of the activity) of that contract (included in the file). Only clauses 13.4 and 13.5 of the contract refer to the obligation to comply with data protection regulations, in the following terms: "… without prejudice to the obligations assumed by the COLLABORATOR in compliance with the Data Protection legislation in force at all times…" (sic). Clause 13.6 expressly states that the "Collaborator will be considered the data processor and must formalize the standard data processing agreement that is attached as Annex IV…".
However, this communication to VDF of the subcontracted entities is declarative and after the fact; it is not subject to prior approval by VDF, nor does it reflect the possibility of exercising the rights of the interested parties. According to VDF, the purpose of this declaration is fundamentally to have information available when malpractice is detected.
The contracts, allegations and communications between two of the distributors / collaborators / agents (CASMAR and THE THREE QUARTERS FULL, SL), as well as the process by which VDF becomes aware of the entities in turn subcontracted by them, have been analyzed, and it is concluded that the requirement of prior authorization by VDF is not met; rather, VDF becomes aware at the time of contracting, after the informative ANNEX established for that purpose has been completed, since it becomes necessary to register (<<alta>>) the intervening parties (sub-processors on behalf of VDF).
Once the aforementioned ANNEX has been completed, registration with VDF of the entity to be subcontracted is requested and the following are collected: name and surname (or company name), CIF / NIF and email; it is at that moment that VDF learns the identity of the subcontracted entity. No evidence has been found that clauses 5 and 6 of the contract called "Canal Presencial 2019-2020", signed between VDF and the entities attached to the TVTA platform, have been complied with. It is recalled that said clauses (which appear in the documentation of the file) are in the "contract for the provision of face-to-face channel services" between VDF and Casmar dated 05/01/2019, which, according to VDF, is a standard contract signed with the processor entities.
In turn, there is also the contract between Casmar and A-Nexo Contact Center SAC, dated 02/01/2017, which covers the services of selling VDF products through telephone telemarketing offers, according to the script provided by Casmar.
VDF does not provide detailed documentation on the data protection guarantees of the contract that supports the relationship between the initial distributor and the subcontractor, or on the guarantees for fulfilment of the assignment. As reported by VDF, the contract is similar to the one between VDF and the initial distributors attached to the TVTA platform. VDF includes, as a generic contractual obligation, that the instructions be passed on to the << third parties >> (sub-processors on behalf of VDF), so that marketing actions are carried out under the terms indicated by VDF, but without guarantees to prove compliance.
The contracts between the VDF distributors (CASMAR and THE THREE QUARTERS FULL, SL) and << third parties >> (sub-processors on behalf of VDF) have been analyzed, and it is verified that they are not similar to the one VDF has with the distributors attached to the TVTA platform. Two modalities can be differentiated in relation to determining the origin of the data and the obligation to consult and filter against exclusion files and exercises of rights (objection):
The first, in which VDF contracts with CASMAR and the latter subcontracts A-NEXO, which in turn subcontracts other natural and legal persons who are the ones that actually make the calls. In this case, the data used to make the calls is, according to CASMAR, provided by A-NEXO; however, the contract states that CASMAR is the one who provides the data. In this regard, the marketing actions that are the object of this contract are carried out by A-NEXO with a data file provided by CASMAR, and nothing is said about prior consultation of, and filtering against, the exclusion or exercise-of-rights files. That contract (seventh clause) contains an express prohibition on subcontracting natural or legal persons without the prior express written consent of CASMAR.
CASMAR's reply to the request for information made by the Inspection of this AEPD on 09/11/2019 records that the calls from the numbers *** TELEPHONE. 2 and 954781254 were made by A-NEXO. Regarding the destination numbers, CASMAR states that they are random. Four emails between CASMAR management and A-NEXO are added to the file by way of sample, concerning complaints to the AEPD about improper calls to numbers included in exclusion lists. Among others, from the CASMAR numbers 920211348, 951117277, 958146834, 679905774 and 954781254, to the numbers *** PHONE. 1, *** PHONE. 2.
The second, in which VDF contracts with THE THREE QUARTERS FULL, SL and the latter in turn subcontracts other natural and legal persons who are the ones that actually make the calls. The contracts provided, signed between THE THREE QUARTERS FULL and the sub-processors on behalf of VDF, contain no indication regarding the obligation of prior consultation of, and filtering against, the exclusion files or the exercise-of-rights files. Nor do they state the origin of the data used for making commercial calls.
1.2. Origin of the data used by VDF for marketing actions and obligation to filter against the Internal Robinson List and Adigital's Robinson List
The origin of the data used by VDF for marketing actions can be grouped into five large groups: (i) generation of random numbers; (ii) databases rented from third parties; (iii) records generated through the online channel (websites); (iv) non-VDF databases of distributors / collaborators; and (v) VDF databases used by distributors / partners.
1.2.1. (i) Generation of random numbers:
Numbers are generated from different numerical ranges at VDF's discretion, for either fixed or mobile numbering. In these cases it may happen that a user has exercised the right of erasure / objection and, after random generation, the landline or mobile number is included again in another campaign. Many of the numbers called do not exist or are not assigned to any person. In any case, before being used for commercial actions these randomly generated number databases are crossed by VDF with both the internal Robinson list and LRAD, provided that a specific collaborator has informed VDF of the exercise of the right, a circumstance that does not appear in the signed contracts and has not been proven, so in this case calls are repeated.
1.2.2. (ii) Databases "rented" from third parties.
Databases << rented from third parties >> are used. In this section two origins can basically be distinguished: those coming from DATACENTRIC PDM, SA and those from MEYDIS SL.
In the first case, DATACENTRIC is an intermediary between VDF and the database owner (various owners provide this service to DATACENTRIC, such as WEBPILOT, BELEADER, ADSLASA, EGENTIC, LNVISTO, PRESENTE SERVICE, NETSALES, etc.). As reported to VDF, the holders of the data provided in these databases of potential clients have given their consent to receive commercial information. However, the existence of express consent to receive commercial offers through electronic communications (email or SMS) has not been proven, not even by statistical procedures such as representative samples.
The mechanics of working with DATACENTRIC are as follows: VDF places a global order that is executed monthly. The order is placed by VDF's internal Marketing Department by email, indicating the segmentation (e.g. by zip code, type of access technology installed in the building…). Once DATACENTRIC, which has previously passed the request on to its collaborators, replies with the quote, it reports, among other things, how long the database can be used.
These databases are already filtered against the general Robinson lists (Adigital).
In the second case, MEYDIS provides VDF with databases published in directories of subscribers to telecommunications services. Generally the period during which the data can be used is one year. There is no contract for this service because it is below the amount set by the purchasing department, so an order is placed under the general contracting conditions for amounts of this type. VDF imposes on MEYDIS the requirement that the data be suitable for carrying out marketing actions. The databases received by VDF are then crossed with LRI and LRAD.
1.2.3. (iii) Data obtained through web pages, online channel, generation of leads.
From VDF or third-party web pages (for example, through banners), data is obtained from potential clients who are interested in VDF services and provide their contact information by accepting a certain privacy policy, which may be for specific products or services in response to questions about the availability of fiber coverage at their home, or for future commercial actions.
Also included here is data obtained from people who call VDF directly to request information. The personal data collected in this way, called "leads", is incorporated into the << lead management tool >> called DELIO, so that the persons concerned can then be contacted in accordance with the privacy policy accepted at the time of providing the data on the VDF website, which may involve two possibilities: one referring to receiving specific information and another to being a recipient of future commercial communications.
With the DELIO tool, the user can be answered automatically, since the operator directly sees the website or channel in which the user made the query and accepted the privacy policy.
If the user ultimately does not contract the service after receiving the call from DELIO, a record is created in the "lead management" tool, in accordance with the privacy policy accepted by the user when providing their contact details. It may happen that the data was incorporated to receive information on a specific product or service while the checkbox for use of the data in future commercial actions was not ticked.
These leads are subsequently contacted through different means: calls from the TVTA platform, SMS or email.
However, for a lead to be added to DELIO, at least the contact call must have taken place. These leads are contacted within a maximum period of 48 hours, at the prior request of the interested party, and after that period an SMS is sent informing them that an unsuccessful contact attempt was made and providing a number on which they can contact VDF again.
Regarding the data incorporated after a fiber coverage query, it is observed that the coverage query process has been modified compared to the one existing in July 2019.
In the tests carried out in July 2019, it was verified that, in addition to the address to which the query related, the name, surname and telephone number were requested, and a privacy policy was offered with two possibilities: (i) accept the processing of the data exclusively to respond to the request, in this case whether or not there was fiber optic coverage (the contact information could be provided through the website itself at that moment, without the need to know name, surname and telephone number); (ii) in addition to the above, accept the processing for other commercial purposes.
In September 2019 it is verified that initially only data related to the address to which the query relates is requested, and if the process cannot be completed (for example, the address is not in the coverage database, is written in another language or incorrectly, is a street number that does not exist, etc.), the website offers the option of a "click to call" contact system, and it is at this point that the name and telephone number are requested, with privacy policy acceptance checkboxes being made available.
With the different sources of data indicated (random, databases rented from third parties and lead generation), VDF's internal Marketing Department filters the data against LRAD and the lists of exercised rights, and sends it to the internal TVTA Department. The TVTA Department filters the data a second time after segmenting it for distribution among the different << call center >> services, sub-processors on behalf of VDF, that actually make the calls. Some entities that make up the TVTA platform have their own LRIs, which are also subject to prior cross-checking and filtering. To prevent variations in the database arising over time (relating to people who have subsequently exercised the right to object), the TVTA platform will use the databases for one month only.
In short, in the three cases indicated, the data subjects are contacted by the Marketing Department or the TVTA Department through the different entities that make up the platform, always using databases filtered against LRAD and the lists of users who have exercised their rights.
1.2.4. (iv) Non-VDF databases used by the Distributors / Collaborators.
This possibility arises only in campaigns managed by "third parties" using personal databases not provided by VDF.
VDF is unaware of the legality of these third-party databases and has not verified it, not even indirectly, for example by sampling in order to verify the consent of the interested parties, since VDF understands that "it is up to the third parties to control their legality as the parties responsible for them" (origin of the data, actions to prove consent, filtering against both LR, attention to the rights exercised, etc.).
In relation to the calls made by these agents / distributors (and, where applicable, other sub-processors on behalf of VDF), when a right to object is exercised during a call, this exercise is not passed on to VDF but is included in the LRI of the agents / distributors.
The obligation for distributors to consult LRAD is not provided for in the contract signed between VDF and the distributors. Whether or not the LRI, LRAD or exercise-of-rights lists are checked is a circumstance that VDF is not in a position to verify and, furthermore, VDF understands, as it states on various occasions, that this is exclusively the responsibility of the distributors in compliance with current data protection regulations.
In the contracts analyzed between the distributors and the sub-processors on behalf of VDF, no clauses have been found that establish this obligation of prior consultation of exclusion lists and filtering against them.
It is established that the distributors do not first check the database used for commercial actions against the VDF LRI. It may happen that an interested party has exercised the right to object before VDF and, despite this, a distributor repeats the call.
It has also happened that a claim against VDF has been processed before the AEPD and resolved by urging VDF to inform the affected party that their data has been included in the LRI and, once this has been communicated to the affected party, the call is later repeated by one of these distributors. This is because there is no adequate communication by VDF with distributors and sub-processors on behalf of VDF.
VDF has established communication protocols by email for distributors and for sub-processors on behalf of VDF (where they exist), reminding them to cross the databases to be used with the LRAD, which is known to have been ineffective.
Regarding the guarantees of legality in the use that distributors / collaborators make of the databases, in the letter dated 04/26/2019 VDF stated that these communications are made with the following content:
<< (…) if the database used by the collaborator is its own (the collaborator's) property, Vodafone requires, first, that they have Vodafone's authorization to use that database in a campaign carried out in the name and on behalf of Vodafone. Second, they are required to have obtained the informed consent of the holder. And third, that they filter their database against the official Robinson lists.
Likewise, they must provide a simple means by which the recipients of the campaigns can exercise their right to object to continuing to receive commercial calls or communications. (…) >>
In the Inspection carried out at the VDF headquarters on September 18 and 30, the VDF representatives clarify the following: << (…) (i) there is no authorization relating to the use of third-party databases, that is, those belonging to the distributors, and therefore there is no authorization process; rather, information is requested in the event that they use these databases. (ii) VDF is not in a position to verify that the holders of the receiving lines have given their consent or have not objected, since this is an obligation that corresponds to the collaborating agents, (iii) VDF does not ensure that each call provides an effective means of exercising the right to object.
1.2.5. (v) VDF databases used by Distributors / Collaborators.
Sometimes distributors / partners make use of databases provided by VDF. In these cases, there are communications (indicated below) from VDF referring to the obligation to use only these databases (because they are already filtered against LRAD and exercised rights). However, there is no procedure enabled or controlled by VDF aimed at verifying that only its distributors, and not others, use the database that VDF has provided to them, and only during the periods indicated.
2. Measures taken by VDF in relation to the claims received and after learning of the inspection actions initiated by the AEPD.
Most of the complaints received concern campaigns that VDF does not manage directly (those managed directly by VDF are those carried out through its TVTA Department or Marketing Department); they concern campaigns managed by third parties, that is, distributors / collaborators and, where applicable, their sub-processors on behalf of VDF.
Regarding the adoption of measures, a distinction can be made between general measures and other more specific ones relating to particular claims, consisting of asking distributors to include specific numbers in the LRI once the call(s) have already been made or after a request from the AEPD. They are summarized as follows:
In November 2018 and in July 2019, COMMUNICATIONS were sent to the entities attached to the TVTA platform and to the Distributors / Collaborators, respectively, in order to remind them of their data protection obligations, differentiating two cases:
a) In case of using VDF databases: these must be used during the stipulated time and exclusively for the indicated campaign, since they are filtered against LRAD and the list of exercised rights. If they are used later in future campaigns, they are warned that the databases may be out of date.
b) In case of using databases of the distributors / collaborators (outside of VDF): they must ensure that they have the prior and express approval of VDF to make such calls; that they hold the data lawfully and have obtained the express consent of the holders, the use of databases that do not meet these requirements being prohibited; that they filter their databases against LRAD; and that they do not use means that have not been consented to by the recipients of the campaign.
In the inspection carried out at the VDF headquarters on September 18 and 30, 2019, the VDF representatives stated that they have not carried out checks on compliance with the measures indicated in the previous communications.
In November 2018, VDF created a database of calling numbers (of distributors and their sub-processors on behalf of VDF) in order to be able to identify who is making the calls.
By July 2019 this database had grown notably, insofar as the "Canal Presencial 2019-2020" contracts include a clause that imposes, as a mandatory condition, the prior identification of the numbers from which the commercial calls are to be made.
Communications between VDF and its distributors requesting the identification of the sub-processors on behalf of VDF and the numbers that they are going to use, all of them dated September 2019, have been added to the file. This database of calling numbers, updated as of July 2019, has also been added to the file.
Another measure under study, to prevent calls from being made from unidentified numbers, is to route calls only through the internal VDF network, also integrating the "crossing" with the numbers included in LRAD and the list of exercised rights, so as to have effective control of calls made on its behalf, which requires identifying the caller and excluding from commercial actions users who have expressed their objection or who are included in internal or external advertising exclusion files.
Therefore, in the future it will be an essential condition for providing the service to VDF to use VDF trunks, so that certain restrictions can be applied (calling lines, schedule, LRAD, rights of objection, etc.). The web interface will connect with the VDF dialing system to pre-validate the call.
VDF began to raise this idea at the end of May 2019, and in June and July it was communicated to the collaborating agents. Meetings take place in September 2019 and in October the tests will begin with one entity, to later implement it in the rest.
In this regard, communications between VDF and its collaborators are provided, to the following effect: << Subject: Meeting this morning the commitments that have been acquired CASMAR, THREE-QUARTER, SOLIVESA in connection with the sending of notices to the collaborators, the assurance that the databases with LRAD, and the adoption of measures to audit that said collaborators comply with the processes >>. It is also quoted that << we will work together to implement the call routing platform that we have discussed >>. To date there is no evidence that this routing protocol from the VDF trunk has been implemented, and on the date of the initiation agreement, of the 191 claims filed, 26 claims date from September 2019 to January 2020.
There are other measures, consisting of VDF sending communications to distributors about specific complaints relating to calls, so that the number is excluded from subsequent commercial actions.
As an example, Inspection Act E / 01615/2019 / I-01 includes, as document number 21, several communications asking the distributors to include certain numbers in Robinson lists (internal and AD), when the call / s has already been made and after a request from the AEPD.
VDF reports that it has not filed a complaint with the Police regarding improper calls, since VDF is not certain of the identity of the owner of the calling number acting on its behalf.
In the relationship between VDF and the distributors / collaborators, payment of their commission is not conditional on verifying the number from which the customer was acquired (calling number); the verifications are limited to compliance with the requirements for contracting the product or service.
3. Procedure for obtaining recipients' data and carrying out marketing actions in relation to the sending of commercial communications by electronic means (SMS):
The recipient numbers for SMS sending are generated randomly without any discrimination, so commercial communications have been sent to potential customers without meeting the requirements of Article 21 of the LSSI (expressly authorized). SMS sending is carried out directly by VDF.
4. Sampling of evidence of non-compliance with current data protection regulations, obtained in relation to the operation of the process described in the previous sections.
4.1- Commercial actions after a complaint procedure resolved by the AEPD in which VDF states that it has included the data of the affected party in the LRI.
| |||
On 05/03/2019, (…) submitted a written document to this agency stating that “I filed a claim with the Spanish Agency for Data Protection on September 11, 2018 (Registration number: 193763/2018), which I attach, because we received unsolicited commercial calls from Vodafone to the landline. We were not and are not customers of Vodafone, and we were and are on the Robinson List. The AEPD replied (files E / 07212/2018 and E / 05851/2019) that Vodafone Spain, SAU had informed them "that they have been included in their Robinson list, in order to ensure that the claimant is not included in future Vodafone commercial campaigns", (…)
Well, the situation, with the inconvenience that it entails, continues to occur; this company's telemarketers continue calling us on the landline to offer us their unsolicited commercial services, (...)”
On 05/29/2019, (…) submitted a written document to this agency stating that (files E / 10150/2018 and E / 07447/2019) VODAFONE, by letter of 02/28/2019, notified him of the inclusion of his data in the internal Robinson list in order to prevent his phone number from being included in future commercial campaigns. He states that from 05/15/2019 to 05/24/2019 commercial calls from VODAFONE continued to occur.
He provides a recording of two calls received on 05/24/2019, in which the following is verified:
In the first call, the telemarketer asks for the claimant and, after repeated questions from the claimant, identifies himself as (…) of the company ONO VODAFONE, calling to offer discounts on services. After the claimant explains that he / she is on the Robinson list and that VODAFONE sent him a letter communicating this, the telemarketer informs him that they will continue to call him.
In the second call, the telemarketer asks for the owner of the line and, after repeated questions from the claimant, identifies himself as (…) of the company ONO VODAFONE. The claimant states that he is on the Robinson list. The telemarketer states that they do not consult the Robinson list file.
| |||
E / 03445/2019, whose affected party is (…), reports receiving calls from line 912001212 in February 2019 (files E / 09407/2018 E / 03445/2019 E / 07055/2019), in which the same number that continues to make calls had already been identified, among others, as a calling line, and in whose file VODAFONE stated that the data had been included in the internal Robinson list and that notices had been sent to its distributors.
| |||
File E / 03367/2018 (and later E / 03964/2019) reports the reception of calls from the lines 911251946 and 955316972. In it, VODAFONE declared the inclusion of the data in the internal Robinson list and the sending of notices to its distributors, and the calls were repeated at a later date.
| |||
E / 03978/2019 reports the reception of calls from the phone number 935085190 on 03/11/2019, having as a precedent claim procedure E / 07329/2018, in whose file VODAFONE stated the inclusion of the data in the Robinson list, in addition to being aware of its inclusion in the Adigital Robinson List, and the sending of notices to its distributors.
| |||
E / 03980/2019 and E / 07960/2019, whose affected person is (…), report the receipt of calls from the telephone number 954781254 on 03/12/2019 and 04/01/2019, having as a precedent claim procedure E / 10149/2018, in whose file the claim was transferred to VODAFONE and where, in addition to setting out the facts, the inclusion on the Adigital Robinson list was reported.
| |||
E / 07106/2019: the claimant receives calls from the numbers 764255362, 953230927, *** TELEPHONE. 2 and 953241849, the last one on 06/10/2019, being in LRAD since 03/19/2019 and in LRI since 04/08/2019. VDF has not been able to identify the ownership of the calling lines, as they are not included in the database created for this purpose.
4.2- Commercial actions carried out from the numbers *** TELEPHONE. 2 and 954781254 by the distributors CASMAR and THREE QUARTERS FULL SL
Given the volume of claims (191 claims incorporated into the file) that have the indicated numbers as calling lines, proceedings have been carried out expressly aimed at analyzing VDF's relationship with CASMAR and THREE QUARTERS FULL SL (hereinafter TQTF), the procedure for obtaining the data, and compliance with the obligation of prior consultation of the exclusion lists.
17 claimants have been found who report commercial actions carried out from the number 954781254, and 19 claimants with respect to those made from the number *** TELEPHONE. 2, even though the recipients' numbers were included in LRAD, or the recipients had exercised their right to object before VDF and were listed on its LRI.
VDF states and insists once again that consulting LRAD is the responsibility of the third-party distributors because they are responsible for the databases and that, although this obligation does not appear in the contract, it has made an awareness-raising effort in this regard through communications. CASMAR states that it is the provider entity "A-NEXO" that provides the Robinson list, and that no right of opposition received after making calls has been passed on. However, the contract signed between both entities states that the Robinson lists are provided by Casmar.
CASMAR uses different providers, including A-NEXO, to provide the database used to make the calls, and these in turn contract commercial sub-processors on behalf of VDF to actually make the calls.
This scheme of participants outlines several levels of action:
Level I.- VDF contracts with the CASMAR entity (and this, where appropriate, with other collaborators) to carry out commercial actions to attract customers. The database to be used can be provided by VDF or by CASMAR, which obtains it on its own (from other collaborators).
Level II.- CASMAR subcontracts to the entity A-NEXO (and this, where appropriate, to other collaborators) the making of commercial calls. CASMAR informed the AEPD that the data used is provided by A-NEXO; however, the contract provided states that the data is provided by CASMAR.
Level III.- A-NEXO in turn subcontracts sales agents, both legal and natural persons, to make calls.
Level IV.- Sales agents hired by CASMAR, in turn, make calls on their own account.
VDF only has a legal relationship with CASMAR; as for the other levels, it is informed of the identity of the other collaborators at different points in time and not as part of the contract. Regarding VDF's knowledge of the sub-processors on behalf of VDF, CASMAR provided the contractual documentation containing the list of sub-processors on behalf of VDF that VDF had to approve, stating that it is in <<blanco>> because of the dynamism with which the "call centers" are replaced and updated.
CASMAR provides a list of sub-processors on behalf of VDF as Annex I to the contract "Canal Presencial 2019 2020" dated 05/01/2019, which it has signed with VDF, among which is the entity A-Nexo.
It should be added that Annex I of the aforementioned contract between Casmar and VDF contains a list of 15 subcontracted entities and individuals called “list of the approved sub-managers” (sic), among which is the entity A-Nexo, for which the “current location of the treatment” (sic) is Peru. As stated in the contract signed between Casmar and the subcontractor A-Nexo, the exclusion list numbers are provided by Casmar. Said Annex I is signed by Casmar and VDF on 05/01/2019. There is no proof of a contract containing the mandatory standard contractual clauses of the Commission Decision of February 5, 2010, on standard contractual clauses for the transfer of personal data to processors established in third countries.
For its part, TQTF stated that VDF becomes aware of the sub-processors on behalf of VDF only at the moment their access to the VDF contracting platform is requested. In other words, TQTF asks VDF to register the sub-processors on behalf of VDF so that they can carry out the contracting (VDF provides them with user access to the contracting platform).
Therefore, for the commercial sub-processors on behalf of VDF to be able to register new lines, VDF must have granted access to a certain application of "discharges". VDF does not require any type of verification from the commercial sub-processors on behalf of VDF regarding the data to be used in commercial calls, but limits itself to creating a user with a password, upon request from CASMAR or TQTF, which is communicated to the salespeople or to the final distributor so that they can register the contracted lines.
VDF is aware of the filing of claims before the AEPD, since the AEPD has been forwarding them since November 2018, and it is not until July 2019 that it communicates them to the distributors (it had already done so in November 2018 for the entities that make up the internal TVTA Department).
The following are examples of these actions, in which numbers previously filtered against the advertising exclusion lists were not used, or in which the rights of opposition previously exercised by those affected before CASMAR or VDF were not taken into account:
| |||
E / 07147/2019: The claimant receives commercial calls, the last on 06/12/2019, after having exercised the right of deletion against VDF on 05/08/2019, and being in the VDF LRI since 05/09/2019.

E / 07144/2019: The claimant receives commercial calls, the last on 06/05/2019, after having exercised the right of opposition, recorded in the VDF LRI since 04/02/2019 for the mobile line and 08/20/2018 for the fixed line. Also in LRAD since March 2019.

E / 7765/2019: The claimant receives commercial calls, the last on 06/07/2019, after having requested deletion from VDF on 06/02/2019 and being registered in LRAD since 11/14/2017.

E / 7758/2019: The claimant receives commercial calls, the last on 06/26/2019, appearing in LRAD since 10/22/2018. In this case, the calling distributor is TQTF, in the name and on behalf of VDF.
These claims show that the distributors and sub-processors on behalf of VDF have not used numbers previously filtered against the advertising exclusion lists, nor have they taken into account the rights of opposition previously exercised by those affected.
VDF insists again that its contracts with distributors do not include the obligation to consult LRAD, since it understands that this corresponds to the owners of the databases to be used, and, according to VDF, the databases used are not filtered against internal exclusion lists.
4.3- Sampling of evidence of non-compliance in relation to campaigns managed directly by VDF.
These actions are considered "directly managed by VDF" since the entity making the call is one of those that make up its own TVTA platform.
VDF has a process whereby both the TVTA platform and the Marketing Department use only databases containing data of lines that are not registered in LRAD or in the lists of exercised rights. However, the data processing followed by VDF is deficient, as shown below:
From the number 607100219, which belongs to KONECTA (part of the TVTA platform), calls have been made that have led to various claims because the claimants' data is included in LRAD. Examples are listed below:
| |||
E / 03455/2019: the number *** TELEPHONE. 3 has been registered in LRAD since March 2017, and calls are made in March 2019.

E / 1845/2018: which gave rise to sanctioning procedure PS / 290/2018 for calls made in 2018 to a number that had been registered in LRAD since 2013, and to the new current claim with reference E / 03821/2019. In the aforementioned sanctioning procedure, the entity acknowledged responsibility for the reported events and was sanctioned for one infringement with a € 12,000 fine, benefiting from a 40% reduction in the amount.
4.4- Sampling of evidence of non-compliance in relation to the sending of commercial communications by electronic means (LSSICE) in the name and on behalf of VDF.
As indicated in section 4, VDF stated that SMS have been sent to randomly generated numbers, which prevents verifying compliance with the provisions of art. 21 of the LSSI, specifically the requirement of having been “expressly authorized”, considering all the recipients << potential clients >>.
Below are some of the 25 LSSICE files, referring to the fraudulent sending of SMS:
| |||
E / 03977/2019 | |||
RECEIVER NUMBER: *** PHONE. 4 *** PHONE. 5 | |||
OPPOSITION: 07/05/2018 | |||
DATE OF SMS: | |||
07/05/2018, 10/20/2018, 10/21/2018, 02/11/2019 and 02/15/2019 | |||
| |||
E / 02050/2019 and E / 08132/2018 | |||
RECEIVER NUMBER: *** PHONE. 6 | |||
OPPOSITION: 10/8/2018 ATTENDED BY VDF | |||
DATE OF SMS: | |||
02/04/2019, E / 2050/2019 (Antecedent E / 08123/2018, Dec 27, 2018, letter to | |||
claimant) | |||
NO. RECEIVER: *** PHONE. 7 | |||
OPPOSITION: THROUGH AEPD CLAIM | |||
DATE OF SMS: | |||
12/22/2018, 02/01/2019, 01/30/2019 | |||
| |||
E / 00126/2019 | |||
NO. RECEIVER: *** PHONE. 8 | |||
OPPOSITION: OCTOBER 2018 | |||
DATE OF SMS: | |||
11/05/2018, 11/30/2018, 12/28/2018 | |||
| |||
E / 00084/2019 | |||
NO. RECEIVER: *** PHONE.9 *** PHONE.10 *** PHONE.11 | |||
OPPOSITION / CANCELLATION: 08/25/2018; 10/07/2018 AND ROBINSON. | |||
DATE OF SMS: | |||
08/25/2018, 09/06/2018, 09/23/2018, 10/30/2018 | |||
5. The on-site inspection actions carried out in relation to the claims received by the AEPD, in order to determine the adequacy of the procedure for managing marketing actions carried out in the name and on behalf of VDF, are recorded in the Inspection Certificate and in the documentation of this file, which was duly notified to the representative of the investigated party (VDF).
THIRD: On February 26, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 28 of the RGPD in relation to Article 24 of the RGPD, punishable in accordance with article 83.4 of the RGPD; for the alleged violation of article 21 of the LSSICE, classified as serious in article 38.3.d) and c) of said rule; and for the alleged infringement of article 48.1.b) of the LGT, considered serious in article 77.37 of the aforementioned rule.
FOURTH: Once the aforementioned initiation agreement had been notified, the defendant submitted on 03/04/2020 a document requesting a copy of the file and an extension of the term for presenting allegations. Once the extension of the term had been granted and the file sent to the investigated party, the latter presented allegations on 06/9/2020 (the term being affected by the suspension of deadlines as a consequence of the declaration of the state of alarm), which are set out, in summary, in the following terms:
1. The files notified include affected parties who are legal persons.
2. The statement of facts in the Initiation Agreement makes it extremely difficult to analyze and carry out a detailed examination, which may undermine the right of defense.
3. Due diligence under art 28 of the RGPD refers only to the phase of contracting the processor and should not be understood to extend to the subsequent monitoring of the contract.
4. The providers contracted by VDF for the internal telesales department have passed a prior validation process and are subject to audits in which the technical and organizational measures they have in place for the contracted service are justified.
5. Regarding external providers using their own databases: these providers do not act as processors but rather as controllers of their own databases, since these personal data are collected on behalf of the provider and not on behalf of VDF.
6. Regarding external providers using databases provided by VDF: VDF complies with all the requirements for contracting with processors established in article 28 of the RGPD, and these providers meet the conditions to comply with their obligations. There is no breach of the duty of diligence, so it is not appropriate to question the effective performance of the contractually assumed obligations.
7. Regarding the regulation, in the contract between the controller and the processor, of subcontracting carried out by the processor, the AEPD Guide advises the application of certain clauses such as the one used by VDF. Such clauses indicate that it corresponds to the initial processor to regulate the new relationship and with the same formal requirements as with the person in charge.
8. Express prior authorization of the sub-processors is not a mandatory requirement; rather, article 28.2 indicates that the processor must inform the controller and, where appropriate, the latter authorizes, thus giving the controller the option to object. This aspect is not contemplated in the AEPD Guide (option B).
9. According to the DT5ª of the LOPDGDD, contracts prior to 05/25/2018 will remain valid until 05/25/2022, so their content is not enforceable, as it is not applicable.
10. Exhaustive control by the controller over the processors would prevent “that can dial an unauthorized telephone number”, VDF having exercised reasonable diligence.
11. The technical efforts made by VDF to implement improvements in the development phase, which were accredited at the time of the on-site inspection by the AEPD, have not been taken into account, diminishing the technical effort in development.
12. The contact data for telemarketing actions made available to the providers by VDF have previously been checked against the data contained in the internal Robinson and ADigital lists, and the period of use is specified to avoid outdated data.
13. The data being processed can only be processed by the commissioned entities in accordance with the VDF instructions that govern the contract, which clearly establish the conditions under which the personal data is to be processed.
14. VDF asks providers to notify it of all oppositions that may occur during telemarketing actions.
15. Personal data from the provider's databases are not transferred to VDF at any time. Only after the service is contracted are they included in the VDF information system.
16. After contracting, this is validated through a quality-control call.
17. VDF has implemented complementary measures to guarantee detailed control of the activity of service providers when they use their own databases. This control is estimated to be operational in January 2020 (new routing system through the VDF trunk).
18. The alleged infringement of art 21 of the LSSICE does not apply, since the lawfulness of the processing is based on legitimate interest, as indicated in Recital 47 of the RGPD, and this is recognized by the AEPD in its report 0173/2018.
19. VDF at all times allows the interested party to object to receiving communications, so it is not appropriate to attribute an infringement of article 38.3.d).
20. Complaints related to the LSSICE are a minority, far from the total claims submitted.
21. Regarding the infringements related to the LGT, VDF always provides the interested party with the possibility of exercising the right of opposition, as stated in art 48.1.b) of said law. It also states that VDF filters against the advertising exclusion lists before providing potential customer data to suppliers. And when the databases are external, “it is not possible to materially prevent the making a call” (sic), although control measures based on VoIP technology are being implemented that prevent calling numbers included in advertising exclusion lists.
22. The AEPD seems to sanction on the basis of having received complaints without verifying the facts described in them, automatically concluding that they correspond to illegitimate actions contrary to the legal system, and therefore adopting these decisions contrary to the onus probandi principle that governs sanctioning law.
23. The quantification of sanctions is disproportionate, and it cannot be argued that VDF's conduct is a repeated and permanent breach, since only 191 interested parties could be affected out of the 200 million commercial actions carried out by VDF.
24. They include time-barred infringements, such as that referred to in E / 07180/2019, and others for which no evidence of infringement has been provided (E / 01119/2019 and E / 02809/2019).
25. In general, the Initiation Agreement lacks sufficient motivation to support the attribution to VDF of the infringements it lists, which is a guarantee against the arbitrary conduct outlawed in the EC.
These allegations have already been answered in the Proposal for Resolution, and the answer is reiterated in FD III of this Resolution.
FIFTH: After the period for allegations granted in the Initiation Agreement had elapsed and allegations had been submitted, it was agreed to open a period for taking evidence, in accordance with article 77 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, with the Instruction agreeing to take the following evidence:
1. The claims filed and their documentation contained in the file, the documents obtained and generated by the Inspection Services before VODAFONE ESPAÑA, SAU, and the Report of Previous Inspection actions that form part of files E / 01615/2019 and E / 09541/2018 are deemed reproduced for evidentiary purposes.
2. Likewise, the allegations to initiation agreement PS / 00059/2020 presented by VODAFONE ESPAÑA, SAU, and the accompanying documentation are deemed reproduced for evidentiary purposes.
3. Request that the Spanish Association of Digital Economy, C / Entença, 218 Entlo 7ª 08029 Barcelona, with CIF: G61668505, certify the inclusion, and the date of inclusion, of the following phone numbers:
PHONE NUMBERS FOR WHICH INCLUSION AND DATE IN ADIGITAL'S ROBINSON LIST ARE TO BE CERTIFIED
(LIST OF 264 PHONE NUMBERS)
Noting that the result of this evidence may lead to further evidence being taken.
SIXTH: The investigating body having noticed rectifiable deficiencies in the documentation of the file sent to the investigated party in March 2020, on 11/13/2020 the deficiencies were corrected by sending the complete documentation for the fifteen files whose documentation was initially incomplete, giving a period of 10 days to present the allegations deemed appropriate. It is clear that on 11/14/2020 this second shipment of correction of documentation.
SEVENTH: Once the proposed evidence had been taken, and within the period for formulating allegations on it and on the aforementioned second shipment of corrected documentation relating to fifteen files, the investigated party presented the following allegations:
1.- Two of the files sent correspond to the same claim.
2.- Seven of the files submitted were not mentioned in the first shipment.
3.- Of the 264 telephone numbers requested from Adigital for verification against the Robinson list, 33 are not registered, 4 have a later date, 1 corresponds to an archived procedure, 1 corresponds to a provider and not a claimant, for 1 there are no commercial calls received, and 1 does not correspond to VDF as the entity claimed against.
These allegations are answered in FD III of this Resolution. Nevertheless, it is noted in advance that they were analyzed by the investigating body, which accepted the exclusion of 29 files from assessment in this procedure, leaving the remaining files included in the Annex, which number 162.
EIGHTH: On December 22, 2020, the Instruction drew up a proposed resolution, proposing and submitting to the body competent to resolve the following sanctions:
<That the Director of the Spanish Data Protection Agency sanction VODAFONE ESPAÑA, SAU, with NIF A80907397,
for violation of article 28 of the RGPD in relation to article 24 of the RGPD, typified in accordance with article 83.4 of the RGPD, with an administrative sanction of four million euros (€ 4,000,000), considered serious for prescription purposes in Article 73, sections j), k) and p) of the LOPDGDD,
for violation of article 44 of the RGPD, typified in accordance with article 83.5.c) of the RGPD, with an administrative penalty of two million euros (€ 2,000,000), considered very serious for the purposes of prescription in article 72.l) of the LOPDGDD,
for violation of article 21 of the LSSICE, classified as serious in article 38.3.d) and c) of said rule, with a sanction of one hundred and fifty thousand euros (€ 150,000) and,
for violation of article 48.1.b) of the LGT, in relation to article 21 of the RGPD, classified as serious in article 77.37 of the LGT, and for violation of article 48.1.b) of the LGT, in relation to article 23 of the LOPDGDD, classified as serious in Article 77.37 of the LGT, with a penalty of two million euros (€ 2,000,000)>.
An Annex was attached to the Proposal for Resolution listing 162 files, after 29 files were excluded from assessment as a result of deficiencies detected in the data provided by the complainants or investigated by this AEPD, or because allegations presented by the defendant were upheld.
The aforementioned Annex, which is also attached to this Resolution, contains the following information.
ANNEX (Sorted by date of entry of the claim in the AEPD) | |||
Column legend: | |||
: | |||
Sequential order number | |||
R / D / C: | |||
R óbinson / D igh / C Express onsentimiento | |||
PF / PJ: | |||
Natural Person / Legal Person | |||
LGT / PD / LSSI: | |||
Violated law | |||
F. Robin.credit: | |||
Accredited date inclusion in advertising exclusion lists | |||
LINE: | |||
Sender / Receiver | |||
F. LINE CALL: Date of the advertising action | |||
REFER. AEPD: | |||
Claim reference code in the AEPD | |||
CLAIMANT: | |||
Claimant's name (the number indicates the times claimed) | |||
CLAIM TEXT: Text of the claim submitted by the claimant | |||
NINTH: After the deadline for the presentation of allegations, the | |||
On 01/18/2021, the following allegations to the Proposal for Resolution: | |||
1) Preliminary: Reiteration of the allegations presented.
2) First: Arguments against the Proven Facts.
3) Second: Relating to the information request files referenced in the sanctioning procedure.
4) Third: Rejection by the AEPD of the allegations presented by Vodafone.
5) Fourth: Presumed breach of article 24 RGPD. Consideration of Vodafone as the data controller and responsibility of Vodafone.
6) Fifth: Presumed breach of article 28 RGPD. Alleged lack of real, continuous, permanent and audited control of the processing carried out by processors.
7) Sixth: Presumed breach of article 44 RGPD. International data transfers.
8) Seventh: Presumed breach of article 21 LSSICE. Sending of commercial communications without consent and to recipients who have objected to such processing.
9) Eighth: Presumed breach of the General Telecommunications Law (LGT). Alleged failure to honor the right to object to receiving commercial communications.
10) Ninth: On the Sanction Proposal. Legal basis and proportionality of the proposal.
These Allegations are answered in the Foundations of Law of this Resolution.
From the actions carried out in this procedure and the documentation in the record, the following have been established:
PROVEN FACTS
FIRST: VDF is the controller of the personal data processing carried out in its name and on its behalf in marketing actions by phone calls, SMS and emails, both the processing managed internally from its own files and the processing it entrusts to other entities, whether through rented files or from their own files.
SECOND: VDF has not implemented organizational and technical methods or means that verify, even by statistical procedures, the lawfulness of the data being processed, its origin, its prior filtering against the internal advertising exclusion lists and the general Róbinson exclusion list, or against those of the entities to which it has entrusted the processing (processors), or the opposition rights exercised by those affected before one or the other.
THIRD: There is no evidence that VDF has real, continuous, permanent and audited control over the processing of personal data in the actions of
marketing carried out in its name and on its behalf, its control being limited to a merely formal initial check, and only in some specific cases, referring only to internal informative communications of a partial nature.
There are no prior written authorizations for the processing of the own databases of the successive processors of the processing entrusted by VDF in its name and on its behalf.
FOURTH: VDF has a prior authorization procedure for entities attached to the TVTA Department. For this, they are sent a checklist requesting certain information in order to validate whether it is possible to contract with the service provider. The checklist is limited to answering certain questions with a "YES" or "NO", without specifying accreditation, guarantees, content or the management of procedures and audits as indicated in art. 28 of the GDPR.
FIFTH: In these cases, VDF is unaware of the technical or organizational guarantees that the subcontracted entities (“other telesales and commercial agencies”) have. Information on the identity of these subcontracted entities must be included in the annex to the contract (subcontract) established for that purpose, but it only appears once the subcontracting has been carried out and merely to facilitate access in the event that contracting on behalf of VDF is completed; that is, VDF does not know in advance the technical and organizational qualification and identity of these subcontracted entities, or their capacity to comply with current data protection regulations.
SIXTH: VDF does not provide detailed documentation on the data protection guarantees of the contract that supports the relationship between the initial processor and the subcontracted one, nor the guarantees for compliance with the sub-processing. As reported by VDF, the contract is similar to the one maintained by the entities initially engaged by VDF and the initial processors assigned to the TVTA platform. VDF includes as a generic contractual obligation that the instructions be passed on to the sub-processors acting on behalf of VDF so that the marketing actions are carried out in the terms indicated by VDF, but without guarantees to prove compliance.
SEVENTH: The contracts between VDF's initial processors assigned to the TVTA platform (CASMAR and THE THREE QUARTER FULL, SL -TQF-) and the sub-processors are not similar, so the same guarantees do not appear, contrary to what VDF states and to the provisions of art. 28 of the RGPD, without prejudice to the content deficiencies detected in the contracts with the initial processors, such as the lack of follow-up measures in the execution of the contract.
EIGHTH: The entity Casmar, as processor in the name and on behalf of VDF, states that the subcontracted entity "A-NEXO" is the one that provides the Robinson list and that it has not passed on any opposition rights received after making calls. However, the contract signed between both entities (Casmar and A-Nexo, June 2019) states that the advertising exclusion lists and opposition rights are provided by Casmar. The management to be carried out regarding the prior consultation of the advertising exclusion files or the exercise of rights is not indicated, contrary to the provisions of art. 28 of the RGPD.
NINTH: It is established that VDF contracts with TQF, which in turn subcontracts other natural and legal persons who are the ones that actually make the calls. The contracts provided, signed between TQF (as data processor in the name and on behalf of VDF) and the subcontracted entities, contain no indications regarding the obligation of prior consultation and filtering against the advertising exclusion files, or regarding the exercise of rights, by the various entities involved in marketing actions in the name and on behalf of VDF.
TENTH: There is no evidence that VDF has knowledge of the rights exercised by those affected before the processors and sub-processors. As a result, with calls of a sequential or random type from a given numbering range, calls are repeated to affected persons who have previously exercised their right of opposition, even though, for both VDF's own files and external files, VDF has previously filtered them to avoid improper calls.
ELEVENTH: In the case of the entity DATACENTRIC, which is an intermediary between VDF and the owner of the rented database, there is no evidence that VDF takes part in effectively verifying the mandatory express authorization of those affected for email communications and SMS sending.
TWELFTH: In the case of the entity MEYDIS, which provides VDF with databases published in directories of subscribers to telecommunications services, there is no contract signed in accordance with article 28 of the RGPD because, according to VDF, the internal contracting system of both entities does not require it, contrary to the provisions of art. 28 of the RGPD.
THIRTEENTH: The obligation of processors and sub-processors to consult the advertising exclusion lists is not provided for in the contracts signed for this purpose. Whether or not those lists are checked is something VDF is not in a position to verify.
FOURTEENTH: It is established that, where a claim about VDF marketing actions has been filed with the AEPD and resolved by urging VDF to inform the data subject that their data has been included in the LRI, once this has been communicated to the affected person, the call is subsequently repeated (PS/00290/2015).
FIFTEENTH: In the Inspection carried out at the VDF headquarters on the 18th and 30th of September, the VDF representatives affirm that: << (…) (i) there is no authorization related to the use of third-party databases, that is, those belonging to distributors, and therefore there is no authorization process; rather, information is requested in the event that they use these databases. (ii) VDF is not in a position to verify that the holders of the receiving lines have given their consent or have not objected, as this is an obligation that corresponds to the collaborating agents, (iii) VDF does not ensure that each call offers an effective means of exercising the right of opposition >>.
SIXTEENTH: Regarding the databases provided by VDF and used by the processors in the name and on behalf of VDF, it is established that there are communications from VDF regarding the obligation to use only these databases. However, there is no procedure enabled or controlled by VDF aimed at verifying that processors use
only the database that VDF has provided them and during the periods indicated to them. In the inspection carried out at the VDF headquarters on 18 and 30 September 2019, the VDF representatives stated that they have not carried out checks on compliance with the measures indicated in the previous communications.
SEVENTEENTH: Commercial communications via SMS are carried out by random generation without any discrimination, so that electronic commercial communications have been sent to potential clients without meeting the requirements of article 21 of the LSSI (express authorization). SMS are sent directly by VDF.
EIGHTEENTH: Without prejudice to the provisions of the annex to this Resolution, by way of a representative sample, in commercial actions carried out from the numbers *** TELEPHONE. 2 and 954781254 by the distributors CASMAR and TQF, respectively, 17 claimants have been found who report commercial actions made from number 954781254, and 19 claimants regarding those made from the number *** TELEPHONE. 2, even though the recipients' numbers were included in the LRAD, or they had exercised their right of opposition before VDF and are listed on its LRI.
NINETEENTH: In the scheme of participants in the marketing actions carried out by VDF, the following levels of action are established in relation to Casmar:
Level I.- VDF contracts with the entity CASMAR (which, where appropriate, subcontracts with others) to carry out commercial actions to attract customers. The database to be used can be provided by VDF or by CASMAR, which obtains it on its own (from other collaborators).
Level II.- CASMAR subcontracts the entity A-NEXO (which in turn, where appropriate, subcontracts other collaborators) to make commercial calls. CASMAR informed the AEPD, in response to a request, that the data used is provided by A-NEXO; however, the contract it provided states that the data is provided by CASMAR.
Level III.- A-NEXO in turn subcontracts sales representatives, both legal and natural persons, to make calls.
Level IV.- Sales representatives hired by CASMAR, in turn, make calls on their own account from their own numbers without informing VDF of them.
Regarding VDF's knowledge of the sub-processors acting on behalf of VDF, CASMAR provided the contractual documentation in which the list of sub-processors that VDF had to approve appeared “blank” (Annex II to the on-site channel contract of 05/01/2019), stating that it is <<blank>> because of the dynamism with which the "call centers" are replaced and updated; that is, it is completed after the hiring and not beforehand in a way that would allow the technical and organizational competence of these entities to be verified.
TWENTIETH: The contract signed between Casmar and VDF on 05/01/2019 includes, in a separate annex of a later date (1) that refers to the contract from which it derives,
dated 05/01/2019 between VDF and Casmar, a list of 15 legal entities and natural persons subcontracted by Casmar, called "list of approved sub-processors" (sic), among which is the entity A-Nexo, for which it states that the “current processing location” (sic) is Peru. It has not been shown that they have a contract containing the mandatory standard contractual clauses of the Commission Decision of February 5, 2010, on standard contractual clauses for the transfer of personal data to processors established in third countries.
(1) There is a contract dated 06/27/2019 (after the one dated 05/01/2019 between VDF and Casmar) between Casmar and A-nexo (on behalf of the entity A-NEXO CONTACT CENTER SAC, with RUC 20601266530 and address for notification purposes at Av. De los Precursors 1192, office 303, San Miguel, Lima, Peru.)
TWENTY-FIRST: TQTF states, at the request of this AEPD's Inspection, that VDF is aware of the sub-processors acting on its behalf only at the moment their access to VDF's contracting platform is requested, and only for that purpose. In other words, TQTF asks VDF to register the sub-processors acting in the name and on behalf of VDF so that they can carry out contracting (VDF provides a user for access to the contracting platform), without requiring any type of verification from the commercial sub-processors regarding the data to be used in the commercial calls or the technical and organizational conditions they have. VDF limits itself to generating a user with a password, upon request from CASMAR or TQTF, which is communicated to the sales representatives or the final distributor (sub-processors) so that they are enabled to register contracted lines in VDF systems.
TWENTY-SECOND: VDF is aware of the claims filed with the AEPD, since they have been forwarded to it by the AEPD since November 2018, and it is not until July 2019 that this is communicated to the distributors (processors), with no record to date of the measures adopted to avoid improper processing.
TWENTY-THIRD: Examples of these actions carried out by CASMAR towards numbers registered in the LRAD or in VDF's LRI include the following:

E/07147/2019: The claimant receives commercial calls, the last on 06/12/2019, after having exercised the right of deletion against VDF on 05/08/2019 and being in the VDF LRI since 05/09/2019.

E/07144/2019: The claimant receives commercial calls, the last on 06/05/2019, after having exercised the right of opposition, being listed in the LRI of VDF since 04/02/2019 for the mobile line and since 08/20/2018 for the fixed line. Also in the LRAD since March 2019.

E/7765/2019: The claimant receives commercial calls, the last on 06/07/2019, after having requested deletion from VDF on 06/02/2019 and being registered in the LRAD since 11/14/2017.

E/7758/2019: The claimant receives commercial calls, the last on 06/26/2019, appearing in the LRAD since 10/22/2018. In this case, the calling distributor is TTQF, in the name and on behalf of VDF.
This sample of claims (all the evidence appears in the annex to this Motion for a Resolution) confirms that processors and sub-processors, in carrying out marketing actions in the name and on behalf of VDF, have not used numbers previously filtered against the advertising exclusion lists, nor taken into account the opposition rights previously exercised by those affected, whether before VDF itself or before the processors or sub-processors acting in the name and on behalf of VDF. Nor does it appear that, in marketing actions through phone calls, VDF has adequate control allowing it to validate that the interested party can exercise the right to object, since VDF limits itself to providing processors with a certain legend without requiring guarantees that it is actually read to those affected.
TWENTY-FOURTH: The annex to this Resolution contains the complete and detailed list of all claims taken into account in the assessment of the facts charged in this procedure.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”
In accordance with art. 43.1, second paragraph, of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this sanctioning procedure.
In accordance with article 84.3) of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this sanctioning procedure.
II
The allegations presented to the initiation agreement have already been answered in the Proposed Resolution, in summary, in the following terms:
1. The files notified include affected parties that are legal persons.
As already indicated, 29 claims have been excluded from the assessment for the reasons that were proposed, the annex not including those relating to legal persons or those referenced in the VDF allegations dated 12/1/2020.
It should now be added that the scope of application of the LGT and LSSICE includes legal persons and, if 29 files have been excluded from the assessment, it has not been for this reason.
2. The statement of facts in the Initiation Agreement makes it extremely difficult to analyze and examine in detail, which may undermine the right of defense.
The terms of the initiation agreement comply with article 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations. In this regard, it should be noted that VDF has not requested the taking of any evidence after the initiation agreement, which it could have requested if it really considered that its right of defense was undermined.
Furthermore, VDF does not explain or substantiate how its right of defense has been undermined or what real and effective damage has been caused. This is especially so when the facts show that, after the initiation agreement and throughout the administrative procedure, it has been able to allege everything it saw fit, submitting all kinds of allegations of significant volume, both in their reasoning and in their quantity (also taking into account the high number of pages of documents submitted by VDF). It has also been able to provide all the documentation it considered relevant and necessary. The real and effective defense of the defendant has not been diminished at any time.
We must cite, among others, the Judgment of the National High Court of 22 February 2019 (RJCA 2019/63), which, also drawing on various case law of the Constitutional Court, states exhaustively that “consequently, outside the cases of nullity as of right, only those procedural infringements that have left the interested party in a situation of real or material defenselessness have annulling effect, because a resolution contrary to their interests was issued without their having been able to make allegations or present evidence (SS.TC. 155/1988, of July 22 (RTC 1988, 155), FJ 4; 212/1994, of July 13 (RTC 1994, 212), FJ 4; 137/1996, of 16 of September (RTC 1996, 137), FJ 2; 89/1997, of May 5 (RTC 1997, 89), FJ 3; 78/1999, of April 26 (RTC 1999, 78), FJ 2, among others). […] Now, defenselessness for these purposes does not arise, as stated in the Judgment of the Supreme Court of October 11, 2012 (RJ 2012, 11351) - appeal no. 408/2010 -, "if the interested party has been able to allege and prove in the file whatever they considered appropriate in defense of their rights and the position taken, as well as to file an appeal for reconsideration, a doctrine based on article 24.1 CE (RCL 1978, 2836), if it made within the file the allegations it deemed appropriate" (S.TS. February 27, 1991), "if it exercised, in short, all the applicable remedies, both administrative and jurisdictional" (S.TS. of July 20, 1992). […] Ultimately, the plaintiff does not specify what material defenselessness the alleged procedural defects have caused it and, in any case, the ANC has been able to allege and prove, both in the prior administrative proceedings and in these judicial proceedings, whatever it has deemed
appropriate in defense of their rights and legitimate interests, so that there is no violation of their right of defense (article 24.2 CE)”.
Likewise, the Judgment of the Contentious-Administrative Chamber, Section 1, of the National High Court of April 8, 2019 (RJCA\2019\466) confirms that defenselessness must be material, translating into real and effective damage, since “For this purpose and in general, the doctrine of the Constitutional Court according to which, to find a constitutional violation, the existence of a procedural defect is not enough; it is equally necessary that it has resulted in material defenselessness, that is, in a real and effective impairment, never potential or abstract, of the possibilities of defense in a procedure with the necessary guarantees (SSTC 15/1995, of 24 January and 1/2000, of January 17, among many others). A concept of defenselessness with constitutional relevance that, in any case, does not necessarily coincide with any defenselessness of a merely procedural nature, and less still with any infringement of procedural rules, but requires, as an indispensable condition, that the impossibility of alleging and proving one's rights and interests and of refuting the opposing allegations has produced a real and effective impairment of the party's right of defense, a material damage. There is no material defenselessness if, despite a procedural breach, the parties have been able to defend their rights and legitimate interests (STC 27/2001 of January 29)”.
3. Due diligence under art. 28 of the RGPD refers only to the phase of contracting with the processor and should not be understood to extend to the subsequent monitoring of the contract.
It is answered in the following Foundations of Law.
4. The providers contracted by VDF's internal telesales department have passed a prior validation process and are subjected to audit processes covering the technical and organizational measures they have in place for providing the contracted service.
The selection process for processors is limited to an initial checklist, without any subsequent evaluation of the contract, as indicated in later Foundations of Law.
In the on-site inspection it was found (page 11 of this Resolution), regarding the second scenario, that Distributors / Collaborators / Agents sell through stands in shops and on the street, and in turn also reach <<agreements with other telesales and commercial agencies>> (sub-processors acting in the name and on behalf of VDF) to actually make the telephone calls, and that they manage <<their own lists>> of phone numbers of potential clients.
These subcontracted <<other telesales and commercial agencies>> are not subject to a prior approval process, as those assigned to the TVTA platform are; instead, work currently continues with those that already provided the service at ONO before the merger with VDF (on 01/10/2018), and there is no evidence that the technical and organizational means available to them have been verified.
It should be noted that the decision by VDF to continue working with the processors that already provided the service at ONO before the
merger with VDF (on 01/10/2018) confirms that the controller of that processing is VDF.
In these cases, VDF does not know the identity of the entities (other telesales and commercial agencies) subcontracted by the Distributor / Collaborator / Agent and does not know the technical or organizational guarantees they have. The information regarding the identity of these subcontracted entities must be included in the annex to the contract (subcontract) established for this purpose, but it only appears once the subcontracting has been carried out; that is, VDF does not know in advance the technical and organizational qualification and identity of these subcontracted entities, or their capacity to comply with current regulations.
From the clauses of the standard contract called "Canal Presencial 2019-2020" (for example, the one with CASMAR of May 1, 2019) signed between VDF and the entities attached to the TVTA platform, there follows an obligation to notify VDF in advance of the list of sub-processors acting on behalf of VDF that the distributors / collaborators / agents will use. This communication is set out, among others, in Clauses 5 (resources) and 6 (characteristics of the activity) of the contract (included in the file). Only clauses 13.4 and 13.5 of the contract refer to the obligation to comply with data protection regulations, in the following terms: “… without prejudice to the obligations assumed by the COLLABORATOR in compliance with the Data Protection legislation in force at all times…” (sic). Clause 13.6 expressly states that the "Collaborator will be considered the processor and must formalize the standard data processing agreement that is attached as annex IV…”.
However, this communication to VDF of the subcontracted entities is declarative and a posteriori; it is not subject to prior approval by VDF, nor does it reflect the possibility of exercising the rights of the interested parties. The purpose of this statement, according to VDF, is fundamentally to have information when malpractice is detected.
5. Regarding external providers using their own databases: these providers do not act as processors but rather as controllers of their own databases, since these personal data are collected on behalf of the provider and not on behalf of VDF.
It is answered in the following Foundations of Law.
6. Regarding external providers using databases provided by VDF: VDF complies with all the requirements established in article 28 of the RGPD when contracting with processors, and these providers meet the conditions to comply with their obligations; there is no breach of the duty of diligence, so it is not appropriate to question the effective performance of the contractually assumed obligations.
It is answered in the following Foundations of Law.
7. Regarding the regulation, in the contract between the controller and the processor, of subcontracting carried out by the processor, the AEPD Guide advises applying certain clauses such as the one used by VDF. In such
clauses indicates that it corresponds to the initial manager to regulate the new relationship and | |||
with the same formal requirements as with the person in charge. | |||
The aforementioned Guide tries to summarize the initial conditions that must be met by the | |||
contracts between the controller and the processor, without prejudice to the follow-up that the | |||
controller must perform to evaluate effective compliance with the clauses | |||
signed. | |||
It should be considered that the Guide contains guidelines that must be adapted to each | |||
specific case, since the cited Guide expressly warns that "This document | |||
aims to identify the key points to keep in mind when | |||
establishing the relationship between the controller and the | |||
processor, as well as identifying the issues that directly affect the | |||
management of the relationship between the two. Likewise, it aims to offer guidance, by way | |||
of recommendation, for preparing the document that regulates said relationship ”. | |||
In the same sense, its Annex I, which gives an example | |||
of what the processor contract could be, expressly notes that "These clauses | |||
are for guidance only and should be adapted to the specific circumstances of the | |||
processing that is carried out ”; in such a way that, throughout the Guide and in multiple | |||
ways, it is made clear beyond doubt that these are orientations that do not | |||
exempt the data controller from drawing up the processing contract in accordance with the | |||
RGPD in relation to the circumstances concurring in each individual | |||
case. | |||
8. | |||
The need for express prior authorization of the sub-processors is not a | |||
mandatory requirement, but article 28.2 indicates that the processor must inform the | |||
controller and, where appropriate, the latter authorizes, thus giving the controller the option | |||
to object. This aspect is not contemplated in the AEPD Guide (option B). | |||
Article 28.2 of the RGPD indicates that “The processor shall not engage another | |||
processor without the prior written authorization, specific or general, of the controller. | |||
In the latter case, the processor shall inform the controller of any intended change | |||
concerning the addition or replacement of other processors, thereby giving the | |||
controller the opportunity to object to such changes ” . | |||
This implies that prior written authorization is required before the processor | |||
can engage another processor, and that this authorization can be | |||
specific (with indication of the subcontracted entity) or general. Only in the latter | |||
case, where a general authorization from the controller already exists, | |||
must changes in the addition or replacement of other | |||
processors be reported, and the controller may also object to | |||
them (for example, if it does not meet the technical or organizational measures | |||
set in the general authorization). | |||
From the above, it is concluded that prior authorization is always mandatory. | |||
The authorization prior to the subcontracting of processors must evaluate, in any case | |||
and among other issues, the technical and organizational conditions of the | |||
processor for carrying out the contract. As configured | |||
in article 28.2 of the RGPD, it is not a simple communication of a formal nature, but | |||
a real material requirement for compliance with the GDPR. | |||
9. | |||
According to the DT5ª of the LOPDGDD, the contracts prior to 05/25/2018 | |||
will remain valid until 05/25/2022, so their content cannot be | |||
enforceable as it is not applicable. | |||
The 5th transitory provision of the LOPDGDD determines that “Processor | |||
contracts signed before May 25, 2018 under | |||
the provisions of article 12 of Organic Law 15/1999, of December 13, on the | |||
Protection of Personal Data will remain valid until the | |||
expiration date indicated in them and, where they were agreed for an | |||
indefinite term, until May 25, 2022. | |||
During these periods, either party may require the other to modify | |||
the contract so that it is in accordance with the provisions of article 28 of | |||
Regulation (EU) 2016/679 and Chapter II of Title V of this organic law ”. | |||
The 5th transitional provision of the LOPDGDD allows "to maintain the validity" of the | |||
processor contracts signed prior to the application of the | |||
GDPR. It refers only to the term of the contract. | |||
This is so because the controller's own proactive responsibility | |||
requires their material adaptation to the RGPD. The | |||
obligations arising from the legal text must be fulfilled from its full application | |||
in May 2018. | |||
This Provision also refers to the modification of the contract | |||
so that it is in accordance with the provisions of article 28 of the RGPD. As we have | |||
indicated, such modification can be understood as restricted to the formal content of | |||
Article 28 of the RGPD, allowing each of the parties to require the other to | |||
modify the contract in order to comply with the aforementioned precept. But it does not affect the | |||
application of the principles and material obligations of the RGPD, since it is a | |||
norm with direct effect and of an imperative nature, and no provision could go against | |||
this character. | |||
Therefore, the validity of processor contracts until | |||
05/25/2022 will be maintained as long as their content conforms to the principles | |||
provided in the RGPD and the LOPDGDD. | |||
10. | |||
The exhaustive control of the person in charge over those in charge would prevent “that | |||
can dial an unauthorized telephone number ” , having had VDF the | |||
reasonable diligence. | |||
The control of the data controller over the processor must be reasonable | |||
and adequate throughout the performance of the contract, and in this case | |||
the rights and freedoms of the interested parties have been repeatedly affected without VDF | |||
having adopted appropriate corrective measures in order to avoid infractions such as those | |||
now analyzed. | |||
11. | |||
The technical efforts made by VDF have not been taken into account | |||
to implement improvements in the development phase, which were accredited in the | |||
moment of the face-to-face inspection by the AEPD, diminishing the | |||
technical effort in development. | |||
There is no evidence that the technical efforts made by VDF to avoid claims before the AEPD | |||
have been implemented to date. | |||
12. | |||
The contact information for telemarketing actions made available to | |||
the providers by VDF have been previously contrasted with the data | |||
contained in the internal Robinson and ADigital listings and specifies the time of | |||
use to avoid outdated data. | |||
The data of the interested parties targeted by advertising actions have not been checked | |||
against the advertising exclusion lists and opposition rights, especially when these | |||
have been exercised before processors or sub-processors and have not been communicated to the | |||
controller, nor has the latter required their communication, especially with regard to | |||
advertising actions that start from random numbers. | |||
13. | |||
The data being processed can only be processed by the | |||
processors in accordance with the VDF instructions that govern the contract, which | |||
clearly establish the conditions under which the processing of | |||
personal data must take place. | |||
There is no record of VDF monitoring the execution of the contracts signed | |||
with processors acting in the name and on behalf of the controller. | |||
14. | |||
VDF asks providers to notify it of all oppositions that | |||
may occur during telemarketing actions. | |||
There is no evidence that VDF requires processors to communicate the rights of | |||
opposition exercised by the interested parties or that it has deployed technical and | |||
organizational measures that allow them to be taken into account in subsequent advertising campaigns. | |||
15. | |||
Personal data from the provider's databases are not transferred | |||
at no time to VDF. Only after contracting the service are they included in the | |||
VDF information system. | |||
The personal data handled by the processors are processed in the name | |||
and on behalf of VDF as the controller, regardless of whether they | |||
are included in its information system. | |||
16. | |||
After contracting, the contract is validated by a quality control | |||
call. | |||
The quality control call is made once the | |||
service offered on behalf of VDF has been contracted, a circumstance that falls outside this | |||
procedure. | |||
17. | |||
VDF has implemented complementary measures to guarantee a control | |||
detailed information on the activity of service providers when they use their | |||
own databases. This control was estimated to be operational in January | |||
2020 (new routing system through the VDF trunk). | |||
There is no evidence that VDF has implemented technical and organizational measures to guarantee | |||
a detailed control of the activity of the processors who act in the name and | |||
on behalf of VDF as of January 2020. Examples of subsequent claims | |||
(January and February 2020) are, among others, the following: | |||
01/22/2020, E / 02252/2020, AAA | |||
01/23/2020, E / 02255/2020, BBB | |||
01/24/2020, E / 02262/2020, CCC | |||
01/25/2020, E / 02263/2020, DDD | |||
01/27/2020, E / 02266/2020, EEE | |||
01/28/2020, E / 02269/2020, FFF | |||
02/03/2020, E / 02271/2020, GGG | |||
02/03/2020, E / 02274/2020, Hhh | |||
18. | |||
The alleged infringement of art. 21 of the LSSICE does not apply, since the | |||
legality of the processing is based on legitimate interest, as indicated in | |||
Recital 47 of the RGPD, and this is recognized by the AEPD in its report 0173/2018. | |||
Article 21 of the LSSICE requires express authorization for | |||
electronic advertising communications, and in the present case there is no evidence of it. | |||
19. | |||
VDF at all times allows the interested party to object to receiving | |||
communications, so it is not appropriate to impute infringement of article 38.3.d). | |||
There is no evidence that either VDF or the processors and sub-processors who act in the | |||
name and on behalf of VDF have technical and organizational measures that | |||
make it possible to give effect to the right of opposition exercised by the interested party, since | |||
the repetition of advertising actions after the exercise of such right is on record. | |||
20. | |||
Complaints related to the LSSICE are a minority and far from the | |||
total claims submitted. | |||
It appears in the annex to this Proposal that the number of claims for infringement to | |||
the LSSICE amount to twenty-four (24) of the 162 taken into account in this | |||
Resolution. | |||
21. | |||
Regarding the infractions related to the LGT, VDF always facilitates the | |||
possibility of exercising the right of opposition to the interested party, as stated in art | |||
48.1.b) of said standard. It also appears that VDF previously filters with the lists of | |||
Advertising exclusion before providing potential customer data to suppliers. | |||
And when the databases are external “ it is not possible to materially prevent the | |||
making a call ” (sic) although control measures are being implemented | |||
based on VozIP technology that prevents calling numbers included in lists | |||
of advertising exclusion. | |||
The allegation cannot be accepted since, as stated in the proven | |||
facts and in the attached annex, advertising actions have been carried out in the name and | |||
on behalf of VDF repeatedly even though the interested party is on the list of | |||
advertising exclusions or has previously exercised the right to object to | |||
such actions, contrary to the provisions of article 48.1.b) of the LGT. | |||
22. | |||
The AEPD seems to sanction for receiving complaints without verifying the facts | |||
described therein and automatically conclude that they correspond | |||
with illegitimate and contrary actions to the legal system and, therefore, adopting | |||
these decisions contrary to the onus probandi principle that governs sanctioning | |||
law. | |||
The documentation of the file notified to VDF in March 2020 contains | |||
sufficient grounds to rebut the presumption of innocence, since | |||
VDF, in its responses to the information requests of this AEPD, | |||
acknowledges its error and proceeds to correct it promptly, informing the claimant. | |||
However, this infringing conduct and the subsequent adoption of allegedly | |||
corrective measures are permanently repeated, sometimes amounting to up to three | |||
subsequent claims by the same affected person after the right of opposition was | |||
“supposedly” attended to by VDF. | |||
23. | |||
The quantification of sanctions is disproportionate, and it cannot be argued | |||
that VDF's conduct is a repeated and permanent breach, since only | |||
191 interested parties of the 200 million commercial actions could be affected | |||
carried out by VDF. | |||
Regarding the graduation and final quantification of the proposed sanctions, it should be | |||
noted that, without prejudice to the new amounts indicated in the RGPD and the graduation | |||
criteria applied, and only for comparative purposes with the repealed LOPD, the amount | |||
would be far higher than the current proposal. Specifically, and for comparative purposes only | |||
with the LOPD, there are one hundred and forty-one (141) infractions of the RGPD that, | |||
taken separately and applying the LOPD, would amount to close to six | |||
million euros, considering the minimum amount (€ 40,001). In the same sense, there are | |||
one hundred twenty-four (124) infractions of the LGT and twenty-four (24) of the LSSICE, for | |||
which the amounts have also been weighted jointly. | |||
Furthermore, with respect to the allegation that "they could only be affected | |||
191 interested parties of the 200 million commercial actions carried out by | |||
VDF ”, it should be noted that, as may be the case in this proceeding, | |||
the confluence of various claims by affected individuals | |||
reveals conduct of the controller that is general (that is, not | |||
limited to the specific cases presented by the claimants), from which it appears that | |||
these specific cases reflect a common guideline or policy applied to all | |||
affected persons who are in the same situation as the interested parties but who are not | |||
filing claims either before VDF or before the AEPD. | |||
From the claims presented, a pattern of conduct is inferred in the processing of | |||
personal data in connection with VDF's marketing operations (which | |||
includes gross negligence in its performance and inaction) that directly and | |||
in a general and indiscriminate way affects the rights and freedoms of citizens. | |||
24. | |||
The file includes time-barred infractions, such as that referred to in E / 07180/2019, and others in | |||
which no evidence of infringement has been provided (E / 01119/2019 and E / 02809/2019). | |||
The files referred to in the allegation do not appear among the one hundred and sixty-two | |||
(162) assessed in this Resolution. | |||
25. | |||
In general, the Initiation Agreement lacks sufficient motivation to support the | |||
imputation to VDF of the infractions that it relates that is a guarantee against the | |||
arbitrary conduct outlawed in the EC | |||
Motivation is required by virtue of art. 35 of the LPACAP, and the Supreme | |||
Court has established a series of elements that must concur for it to be adequate. | |||
Thus, the motivation has a finalist character, that is, it must meet the legal | |||
requirement to explain or externalize the core of the administrative decision, from which | |||
the interested party can deploy his means of defense. As determined by the | |||
Judgment of the Contentious-Administrative Chamber, Section 1, of the National | |||
Court of September 13, 2019, " The requirement of the motivation of administrative | |||
acts responds, according to reiterated jurisprudential doctrine, of which it is | |||
exponent of the Judgment of the Supreme Court of July 16, 2001, for the purpose of | |||
that the interested party can know exactly and precisely the when, how and why | |||
of what is established by the Administration, with the necessary breadth for the defense of | |||
their rights and interests, also allowing, in turn, the bodies | |||
jurisdictional knowledge of factual and regulatory data that allow them | |||
resolve the judicial challenge of the act, in the judgment of its power of review and | |||
control of administrative activity; in such a way that the lack of that motivation or its | |||
notorious insufficiency, insofar as they prevent challenging that act with serious | |||
possibility of criticizing the bases and criteria on which it is founded, make up a vice of | |||
voidability, as soon as the interested party is left defenseless. | |||
All this without prejudice to the logical discrepancy of who obtains a resolution | |||
unfavorable to their interests, which does not constitute a lack of motivation, because their | |||
The right does not reach the granting of the request, since no one has the right to be | |||
give the reason, but that the decision offered offers the necessary explanation | |||
so that the administrator can know exactly and precisely the content of the | |||
act >> ”. | |||
The motivation can be brief and succinct, but always sufficient so that | |||
allow the interested party to know the administrative decision-making reasons (STS of 15 | |||
December 1999). | |||
For the motivation to be sufficient, it must be concrete, that is, it must refer to | |||
to the particular case discussed in the specific administrative procedure (STS of 23 | |||
September 2008) and consistent with the decision-making content. If the decision | |||
administrative authority involves the exercise of discretionary powers, it is necessary that | |||
the logical process that determines such decision is made explicit (STS of December 15, | |||
1998). | |||
Regarding the lack of motivation of the initiation agreement, on the basis of which | |||
arbitrariness in the performance of this AEPD is alleged, it should be noted that the | |||
infractions charged are sufficiently reasoned in the initiation agreement on the basis | |||
of the documentation in the file, which originates both in the | |||
face-to-face inspection carried out at the headquarters of VDF (whose documentation is known to VDF) | |||
and in that attached to the claims of those affected, which appears in the | |||
proceedings. In the same sense, the infraction now imputed of International | |||
Transfer without the appropriate measures required in the RGPD is also | |||
documented and accredited by VDF's own statements in the | |||
documentation provided to this AEPD. | |||
The examination of the administrative file and the various resolutions issued | |||
within it clearly reveals, in a broad and reasoned, concrete and congruent way, the | |||
reasons for the administrative decision, complying more than sufficiently with the | |||
prescriptions established by the Law. | |||
III | |||
Regarding the allegations presented on the taking of evidence and the second delivery | |||
of files in order to correct deficiencies in the documentation initially | |||
notified, they are summarized as follows: | |||
1.- Two of the files submitted correspond to the same claim. | |||
2.- Seven of the files submitted were not mentioned in the first | |||
delivery. | |||
3.- Of the 264 telephone numbers requested from Adigital for verification | |||
against the Robinson list, 33 are not registered, 4 are of a later date, 1 corresponds to | |||
an archived procedure, 1 corresponds to a provider and not a claimant, for 1 | |||
there are no commercial calls received and 1 does not correspond to VDF as the entity | |||
complained against. | |||
In the first place, the allegations made by VDF on 12/1/2020 did not | |||
detail the procedures to which they refer. However, it is noted that | |||
there are several claims that make up different files of the same | |||
claimant, since claimants have filed several successive claims for the same facts | |||
as VDF continues to carry out the conduct now charged. | |||
Second, it should be noted that of the initial 191 claims that gave | |||
rise to the present procedure, twenty-nine claims (29) have been removed from the | |||
assessment, partially accepting the VDF allegations dated 12/1/2020, | |||
for various reasons, such as the number not having been included in time | |||
in the advertising exclusion lists or no prior exercise of rights, as well as the lack | |||
of the number of the originating or incoming call or of the date of the advertising activity, or that | |||
the claims were directed to entities other than VDF (in two cases). | |||
However, those others have been kept in which VDF itself confirms in its | |||
own written reply to the requests of the AEPD that the claimant | |||
was included in the advertising exclusion lists or had previously exercised | |||
the right of opposition before VDF, and which are in the file. | |||
It should be added that in the Annex of notified files it is true that there appear | |||
various files that do not belong to the present | |||
procedure. In this sense, it should be clarified that this is because, | |||
together with the specific file being assessed in the present | |||
procedure, earlier ones have also been indicated (for reference only and without being added to those | |||
now assessed) with the same claimant and for the same facts, already resolved by | |||
Resolution of this Agency in accordance with article 65 of the LOPDGDD, which makes it possible to | |||
prove the lack of technical and organizational measures, continued over time, | |||
regarding attention to the rights exercised by those affected. In short, | |||
the repeat offenses after resolutions of this Agency protecting rights of | |||
opposition / cancellation previously exercised by the same claimant before VDF | |||
have also been indicated (without adding them to those now assessed). | |||
The allegations made by VDF on 12/1/2020 do not detail the procedures | |||
to which they refer. All this shows the pattern of behavior, which | |||
we mentioned above, in relation to the data protection | |||
obligations corresponding to VDF. | |||
Regarding the 14 numbers sent to Adigital in the taking of evidence that VDF | |||
alleges are repeated, it should be noted that, although it is not indicated which they are, | |||
they correspond to claims originating from the same telephone number that received | |||
the improper call, so this does not affect the facts now assessed. | |||
VDF alleges that another 49 numbers are not in the file, without indicating | |||
which, so their analysis is not possible. | |||
VDF adds that for 33 numbers on the evidence list there is no registration in | |||
Robinson, without indicating which ones. In this regard, it has already been indicated, and is stated in the | |||
record, that VDF in its own responses to the requests of this | |||
AEPD claimed that they were included in Robinson. | |||
The rest of the allegations refer to 4 other telephone numbers receiving the | |||
calls, without indicating which ones. | |||
Finally, although these allegations refer to merely formal aspects and do not | |||
indicate their reference, it is stressed that from now on only the claims before the AEPD that appear | |||
in the aforementioned Annex (162 claims) will be taken into account for | |||
assessment in the present procedure, having eliminated from the Annex those | |||
claims / files showing defects, even formal ones. | |||
IV | |||
Regarding the allegations presented to the Proposal for Resolution, they are summarized, | |||
as indicated above in the fifth antecedent, as follows: | |||
1. Preliminary: Reiteration of the allegations presented. | |||
2. First: Arguments against the Proven Facts. | |||
3. Second: Relating to the information request files | |||
referenced in the sanctioning procedure. | |||
4. Third: Rejection by the AEPD of the allegations presented by | |||
Vodafone. | |||
5. Fourth: Presumed breach of article 24 RGPD. Consideration of | |||
Vodafone as the data controller and responsibility of Vodafone. | |||
6. Fifth: Presumed breach of article 28 RGPD. Alleged lack of real, | |||
continuous, permanent and audited control of the processing carried out by | |||
processors. | |||
7. Sixth: Presumed breach of article 44 RGPD. International | |||
data transfers. | |||
8. Seventh: Presumed breach of article 21 LSSICE. Sending of | |||
commercial communications without consent and to recipients who have | |||
objected to such processing. | |||
9. Eighth: Presumed non-compliance with the General Telecommunications Law (LGT). | |||
Alleged failure to attend to the right to object to receiving commercial | |||
communications. | |||
As a question prior to answering the allegations, and regarding the block of documents | |||
provided by VDF, it should be pointed out that it is made up of a series of documents among which | |||
is a “ proposal for VODAFONE the DEVELOPMENT AND | |||
HOSTING to control robinsons in the Door to Door area, following their | |||
instructions based on the Robinsones 2020 List Management Service ”, dated 17 | |||
August 2020. This document is not signed by the parties (page 20 | |||
of the aforementioned documentation), so it has not been accredited to us that such | |||
proposal has actually been implemented. | |||
Likewise, they also provide a contract for the provision of services of the face-to-face channel | |||
between VDF and CASMAR, which they appear to present as a new model to be signed with | |||
their suppliers. This contract, although completed with the data of the parties, | |||
is neither dated nor signed. Nor is it accredited that this contract is | |||
in force at this time or, where appropriate, what specific guarantees for | |||
the rights of those affected have been implemented under it. | |||
Such documents do not prove the installation and current operation of the system | |||
that they claim to have implemented (which they call "routing"), which is not even | |||
corroborated by the screenshots presented in the documentation. Furthermore, to | |||
date, sanctioning proceedings continue to be initiated for the same facts | |||
as a consequence of the claims presented before this AEPD. | |||
The controller, by virtue of its proactive responsibility, must | |||
prove that it has complied, that it complies and that it will comply with the provisions of the | |||
RGPD and LOPDGDD. And to prove that it complies at present, mere | |||
one-sided documents or drafts are not enough; it cannot be reliably known whether | |||
their content has been put into effect. Compliance must be accredited through a | |||
certificate from the company itself or by providing the aforementioned documents with | |||
full legal validity (arts. 1254, 1258 and 1261 of the Civil Code). | |||
In relation to this, Report 0064/2020 of the Legal Office of the AEPD attributes | |||
to the controller, within the obligations of proactive | |||
responsibility, the burden of “… guaranteeing the protection of said right through | |||
compliance with all the principles contained in article 5.1 of the RGPD, | |||
adequately documenting all the decisions it makes in order to be able to | |||
prove it ”. | |||
Notwithstanding the foregoing, we cannot ignore that the fact that they are | |||
implementing this new system indicates that previously this was not being | |||
done: that the VDF collaborators did not check against the Robinson List, | |||
the VDF internal Robinson list or the collaborators' own internal Robinson list; | |||
and that VDF did not control the checking process either, that is, it did not know whether its | |||
collaborators were complying with its instructions and with the | |||
data protection regulations. | |||
Let us remember that VDF has the obligation to control the processing by its | |||
collaborators as if it were carrying it out itself, implementing all kinds of systems and | |||
security and monitoring measures that verify compliance with its instructions | |||
and with data protection regulations. | |||
In the new documents provided, they continue with the same approach they have | |||
maintained throughout the procedure regarding processors. | |||
That is, they indicate in such documentation that the collaborators with whom they contract | |||
call on behalf of VDF to offer VDF products: "That so | |||
above, the scope of this service provision contract is door-to-door promotion | |||
door of the Services in the name and on behalf of VODAFONE-ES and VODAFONE- | |||
ONO ” (page 24 of the documentation provided). | |||
However, they are required to present themselves in their own name and as | |||
controllers: “ Likewise, the COLLABORATOR will have its own databases | |||
of potential clients who must comply with the requirements established by the | |||
applicable regulations on data protection and to which the | |||
VODAFONE services in the event that they show interest. Thus, | |||
The COLLABORATOR must present himself to said potential clients on his own | |||
name, as responsible for the treatment of the same, complying with the | |||
applicable regulations regarding the protection of personal data ” (page 30 and 31 of | |||
the documentation provided). | |||
If collaborators use their own databases, then VDF considers them | |||
controllers until the sale has to be validated. However, | |||
in addition, VDF has access to these databases through the information on the | |||
telephone numbers that its collaborators use: “ The CONTRIBUTOR must | |||
inform VODAFONE at all times of all those phone numbers that | |||
both the COLLABORATOR and their third-party collaborators use to contact | |||
Clients or possible Clients of VODAFONE in the development of the activity object of the | |||
present contract. In this sense, the use of telephone numbers does not | |||
previously informed VODAFONE will be understood as a breach of the | |||
contract ”(page 33 of the documentation provided). | |||
We can observe a clear inconsistency between these statements, which
results in a lack of definition between the parties as to who is responsible for
and who is in charge of the treatment, and which may likewise convey confusing
information to the client or potential customer about who is responsible for the treatment.
The truth is that VDF is responsible for the treatment, since, although the
databases do not belong to VDF, the company controls them by providing instructions
to carry out the treatments as if they were its own, within the framework of a contract
in which the collaborator acts and processes personal data in the name and on behalf of VDF.
Special mention must be made regarding the emails exchanged | |||
by VDF and its collaborators and that have been provided with this documentation. In | |||
an email dated July 30, 2019 VDF indicates to CASMAR, when | |||
use their own databases, which "On the other hand, in the event that they carry out | |||
Calls using their own databases, not provided by Vodafone, must | |||
make sure to: | |||
- That they have the prior and express approval of Vodafone to carry out said | |||
calls. | |||
- That they have the data in a lawful way, informing and obtaining the | |||
consent of the owners to be able to carry out commercial actions on behalf of | |||
Vodafone. We remind you that the use of databases for the purposes of | |||
recruitment on behalf of Vodafone that do not meet this requirement. | |||
- Filter your databases with public Robinson lists, for example the managed one | |||
by ADigital, prior to the start of the campaign. | |||
- Do not use means of communication that have not been consented to by the | |||
campaign recipients ”, (page 54 of the documentation provided). | |||
This shows that they carry out commercial actions on behalf of VDF. The
collaborator has no interest of its own in the result of the operation,
except for the financial compensation that it will receive for the service.
It also shows that, before making the calls, they have to verify that they have the
approval of VDF. The databases, then, are prepared by the collaborators
specifically for VDF, as they must have its prior approval and go through
various filters. At that point the collaborators are already in charge of the treatment.
In the same email they indicate that “In both scenarios -VDF databases and | |||
collaborator databases- , it is essential that the collaborator: | |||
- Provide a simple means for any recipient of the campaign to | |||
communicate your wish not to continue receiving calls or commercial messages | |||
on behalf of Vodafone. | |||
- Immediately transfer to Vodafone the data of those recipients who | |||
have communicated that they do not wish to receive further commercial communications and | |||
make sure they do not contact them again in future broadcasts ”. | |||
This VDF instruction, whatever databases are used by the VDF
collaborators (the collaborators' own or those prepared for VDF), shows
once again that the collaborator is in charge of the treatment from the
beginning. Although VDF indicates in the new contract model that they are
responsible for the treatment and that “the COLLABORATOR must appear before
said potential clients on their own behalf, as the person responsible for the treatment of
the same”, the truth is that it instructs them that the right of opposition against VDF
can be exercised before the collaborator. This circumstance shows that they are
processing personal data in the name and on behalf of VDF.
Previous R) | |||
Regarding the reiteration of the allegations presented, it must be | |||
note that they have already been answered in the Proposal for a Resolution and that they appear in | |||
the FD II of this Resolution. | |||
However, it must be emphasized that the 15 files that are the object of the second shipment
notified in November 2020 do not correspond to fifteen additional files;
the shipment is due to the material correction of incomplete documentation, as
the investigating body considered it, in order to correct deficiencies and avoid at all
times violating the right to defense, for the sake of the principle of transparency that
must preside over all administrative action.
Regarding the lack of evidence and the imputation of infractions on mere
assumptions, it should be noted that the facts now sanctioned can undoubtedly be
inferred from the documentation in the file: not only from the
face-to-face inspection carried out in September 2019 at the VDF headquarters,
as stated in the Inspection Certificate, but also from the documentation attached to the
aforementioned Certificate and from the documentation provided by the claimants, which is
included in the proceedings.
The lack of motivation, alleged in a generic way, in the answer to the
allegations by the investigating body cannot be admitted, since the motivation
has been reasoned and sufficient for each of the allegations presented and
in accordance with the provisions of article 35.1 of Law 39/2015. What VDF has not
rebutted are the facts now analyzed, this AEPD having presented
sufficient evidence to prove the alleged facts.
Regarding classifying all the "collaborators" (sic) as in charge of the | |||
treatment when according to the VDF they are not, it is necessary to insist on the provisions of the | |||
definition of "Responsible for the treatment" and reports of this AEPD and the Committee | |||
European Data Protection and that are detailed and developed in the FD of this | |||
Resolution. | |||
Regarding the allegation that the contracting by VDF of its managers of the
treatment is in accordance with the provisions of art. 28 of the GDPR, it must be rejected
outright, since the FD of this Resolution (and the Proposal for
Resolution) explain in detail the reasons why VDF has
violated the aforementioned article 28.
VDF also alleges that the violation of article 44 of the RGPD (international
transfer of data without the due guarantees required by the RGPD) does not appear in the
Initiation Agreement, when the AEPD already had all the documentation from the
investigation phase. This allegation must be rejected, since the Initiation
Agreement complies with the provisions of article 64 of Law 39/2015 of October 1, of the
PACAP, where section 2.b) in fine expressly indicates “… without prejudice to
what results from the instruction”. Said article is complemented by the provisions of
Article 89.3 of said rule when it states that “In the proposed resolution,
they will fix in a reasoned way the facts that are considered proven and their exact | |||
legal qualification, the infringement that, where appropriate, they constitute, will be determined, | |||
the person or persons responsible and the sanction proposed, the assessment of | |||
the tests carried out, especially those that constitute the foundations | |||
basic measures of the decision, as well as the provisional measures that, if applicable, | |||
they would have adopted… ”. | |||
VDF also alleges that the specific conditions under which the | |||
make claims related to breach of the LSSICE. The allegation
should be rejected, since VDF has not at any time, not even throughout the
present procedure, accredited that the electronic communication had
been requested or expressly authorized, as indicated in article 21.1
of said rule.
Regarding the allegation of lack of accreditation of the breach of article
48.1.b) of the LGT, it should be noted that it has been accredited, and it is so recorded
in the file's documentation of the tests carried out, that in the name and
on behalf of VDF, commercial calls were made to lines listed in the
advertising exclusion lists (Robinson), contrary to the provisions of article 23 | |||
of the LOPDGDD. | |||
Finally, and grouping the last three previous allegations (9, 10 and 11), it should be
noted that each and every one of the infractions charged in the present
procedure has been sufficiently reasoned and motivated, and that the
proportionality of the sanction has been justified at all times; in addition,
VDF was warned in the Proposal for Resolution that if independent files had been
initiated, the sanction would be higher.
It also alleges arbitrary action on the part of the AEPD in the processing of the
sanctioning procedure. In this sense, it should be noted that, in the first place, it does not specify
the arbitrary action that it alleges and, secondly, the sanctioning procedure has been
processed in the legally required manner in accordance with the regulations applicable to each
alleged infraction and in accordance with the provisions of the fourth Additional Provision of the
LOPDGDD. Consequently, the claim must be rejected.
1R) | |||
a)
<Regarding the lack of implementation of effective measures, VDF alleges that | |||
has gradually implemented a centralized "routing system" of shares | |||
advertising that guarantees the rights of those affected>. | |||
The allegations are not proven and, even if they were, the facts to which
this procedure refers predate the alleged implementation of
said system, so its analysis is not relevant to the infractions now
sanctioned, without prejudice to its being evaluated in the future if
its implementation is accredited and is in accordance with the provisions of the RGPD, LGT and
LSSICE.
In addition, it should be noted that there is no evidence that the supposed new
"routing" system, implemented progressively with its supposed implementation
culminating in February 2020, has been effective, since to date this AEPD continues
to receive claims for the same reasons. Moreover, additional or
supplemental claims continue to be received from
the present claimants for the same facts, without evidence of any action by VDF,
as the party responsible for the data processing at issue, to mitigate or
minimize the effects of the violation of their fundamental right to the protection of
data, enshrined in the EC in its article 18.4, and developed in the RGPD and
LOPDGDD, as well as in the LGT and LSSICE, even though it knows, through
this procedure, their identities and the facts that are the subject of the claim.
In this sense, and for informational purposes only, there are new claims | |||
complementary to those already carried out by the following claimants: | |||
Ñ.Ñ.Ñ., E / 10495/2019, dated 09/16/2020, NRE: e2000002161. | |||
OOO, E / 07697/2018 and E / 05544/2019, dated 06/11/2020, NRE: 019495/2020. | |||
PPP, E / 01633/2019, dated 09/30/2020, NRE: e2000003876. | |||
QQQ, E / 07183/2019, E / 04493/2019, dated 09/26/2020, NRE: e2000003364. | |||
RRR, E / 08276/2019, dated 10/28/2020, NRE: e2000007996. | |||
SSS, E / 08043/2019, dated 10/13/2020, NRE: e2000005754. | |||
TTT, E / 08276/2019, dated 10/28/2020, NRE: e2000007996. | |||
UUU, E / 07106/2019, dated 11/17/2020, NRE: e2000010906. | |||
b) <VDF alleges lack of identification of calling numbers and | |||
recipients>. | |||
In this sense, it is reiterated that the files in which the undue commercial
action is not accredited have been withdrawn from assessment for several reasons already
mentioned. It should be clarified once again that the documentation in the
file records calls to numbers not included in the advertising exclusion
systems, but for which VDF, in its response to the request of this AEPD,
stated that the receiving line had been included in the advertising exclusion systems and / or
in its own exclusion systems, which is why they appear in the
annex.
This type of statement by VDF has given rise, in the specific
files in which such a statement was made, to a favorable resolution by
this AEPD, so it is not appropriate now to allege the opposite according to whatever
suits it best at each moment. VDF adds that the CASMAR entity (extending this
to the rest of the intervening entities) is responsible for the databases
of the receiving numbers, without VDF having intervened even though it is the one
responsible for the treatment. This claim should be rejected outright on the basis of
the very definition of "data controller" in article 4.7 of the RGPD, and
because VDF itself affirms its non-intervention in the treatment when it is the one
responsible for it.
c) | |||
<VDF claims that it has a specific procedure to facilitate the | |||
exercise and attention of the right of opposition in advertising campaigns | |||
managed directly by VDF (SMS and email) and can unsubscribe> | |||
In this regard, it should be emphasized that article 21.1 of the LSSICE requires “request or | |||
express authorization " to carry out the advertising action, without prejudice to compliance | |||
of other requirements, and such request or express authorization is not accredited by VDF | |||
that as the person in charge of the treatment is the one obliged to accredit it. | |||
VDF lists a series of file references in which it indicates that the
affected parties did not exercise any right. In this regard, having analyzed the references
indicated, it should be noted that, once checked, either they are on
the Robinson list, or they refer to the lack of express authorization, or the affected person
accredits having exercised their rights, or VDF did not respond to the request for information
made by the Inspection of this Agency (E / 07056/2019 and E / 08284/2019),
being obliged to do so.
VDF adds that it is the managers who must make the appropriate consultations of the
advertising exclusion lists. In this regard, it should be emphasized again that the
party responsible for the treatment, in this case VDF, is obliged, by virtue of
article 28 of the RGPD, to contract with managing entities that have
sufficient technical and organizational capacity to carry out the assignment, and to be
able to monitor all the treatment ordered, so that the treatments that are the object
of the assignment strictly comply with the RGPD and LOPDGDD.
d) | |||
<VDF alleges that in Proven Fact Four, reference is made to a | |||
sanction file of reference PS / 00290/2015, when said file is foreign | |||
to VDF>.
In this sense, the clerical error must be pointed out and corrected: said
file has the reference PS / 00290/2018, as stated in the Initiation
Agreement, of which VDF has had full knowledge from the beginning of the present
process.
e)
VDF alleges that it is accused of a general lack of collaboration with the
AEPD. In this sense, the allegation has already been answered in section c) above,
inasmuch as VDF did not respond to several requests for information issued by this AEPD
in the prior investigation, its lack of response giving rise to the
start of inspection actions.
f)
<VDF alleges that it is inadmissible to impute lack of action and communication with
collaborators>.
In this regard, it should be noted that during the prior inspection process in 2019
it was established that VDF did not comply with the duty to inform those in charge of
the deficiencies that VDF should have detected in the treatments ordered,
nor did it impose adequate corrective measures, to which it was obliged in its
capacity as data controller, to avoid the repetition of the
deficiencies in the treatments in the future, either because it was unaware of them or because it
simply did not demand their correction and the adjustment of measures in accordance with the RGPD.
In this sense, there is an email sent in July 2019 to
some of the managers, not to all of them and not to the sub-managers, which
informs them of the obligation to cross their files with the advertising exclusion
lists and in which no corrective measures were imposed, when on that date VDF
was already aware of the claims made by the claimants before this
AEPD.
Likewise, there is another subsequent informative letter, in November 2020, with more
information on the fulfillment of their obligations, in which it explains to the
managers, and not the sub-managers, the new routing system that is being
implemented, with an end date of February 2020, to carry out marketing
actions, but it still does not require or impose adequate corrective
measures to avoid the recurrence of deficiencies in the future even though,
it is insisted, on that date VDF was already aware of the claims made by
the claimants before this AEPD and the inspection had already been carried out
in person by the Inspection of this AEPD.
In this regard, it should be emphasized that, regarding the first email of July
2019, the information was partial and was not general in character, addressed to all those
in charge so that they in turn would inform the sub-managers; rather, it was an email
specific to certain managers and, even so, there is no evidence that the
obligations it reported were fulfilled or that corrective measures were imposed, since
the claims continued.
Regarding the second informative letter of November 2020, it should be emphasized
that it is much later than the investigations carried out within the present
proceedings. Consequently, the effectiveness of the aforementioned email was no more
than that of an informal communication with no binding intent and with partial
distribution, since it did not impose corrective measures.
The emails that VDF sends to some of its treatment managers
reminding them of their obligations in terms of Data Protection are insufficient in
the framework of proactive responsibility. The
insufficiency of the “measures” adopted follows from the undoubted fact that the
problem examined in this sanctioning procedure continues to occur without
interruption.
Moreover, the abandonment of its obligations is shown by a simple
comparison with the measures that VDF would have taken if the data processors
had breached any of the terms that constitute the hard core of the
object of the contract (marketing campaigns). VDF would not have limited itself to sending
reminder e-mails that they have to perform the contract, but would have
imposed penalties or even proceeded to terminate the contract. The same
diligence is what has to be applied regarding proactive responsibility and
Data Protection.
Consequently, the allegation must be rejected, as the lack of due diligence
by the party responsible (VDF) in the follow-up and monitoring of the
data processing commissioned has been established.
g) | |||
On the condition of person or persons in charge of the intervening entities | |||
in the treatments carried out in the name and on behalf of VDF, it has already been | |||
answered in the Proposal for a Resolution. However, the answer is reiterated and | |||
expands on the Fundamentals of Law of this resolution. | |||
2R) | |||
< VDF alleges, among others, the existence of files open to persons | |||
legal and that have been withdrawn for this reason>. | |||
It should be noted that this allegation has already been answered, so it is reiterated
that the scope of application of LGT and LSSICE includes legal persons. The
fact that files have been withdrawn (29 in total, of the initial 191) has already
been challenged in the sense that the withdrawal is due to uncertainty in
the data, and not for the alleged reason of corresponding to legal persons, and always
for the sake of the transparency that should govern all administrative action.
<Regarding the existence of numbering or receiving lines that are not | |||
found in the Robinson list>, it has already been answered that the VDF itself in its | |||
briefs in response to the information requirements stated the opposite and | |||
accepted their inclusion, informing this AEPD that from now on they were included in the | |||
VDF internal listing of exclusions. | |||
Regarding the files outside the VDF, it has already been answered that they only affected | |||
two and have already been withdrawn from valuation in the present procedure, finding | |||
among the 29 omitted in the Annex. | |||
The fact of withdrawing 15% of the files from assessment does not imply a decrease
of the guilt in the imputed facts, since an infringement of the RGPD is imputed (together
with those of the LGT and LSSICE) typified in article 83.4, which provides as the
maximum limit of the administrative penalty the amount of 10,000,000 (or 2% of the annual
billing). In addition, it has already been indicated that, had independent sanctioning
procedures been initiated, the amount would have been greater than that now sanctioned,
even if the repealed LOPD had been applied. It should not be forgotten that the European
legislator has modified the amount of penalties and that this is now the applicable regulation.
The amount of the sanction is motivated and adjusted to the law within the
discretionary criteria followed by the doctrine of this AEPD and cannot at any
time be classified as arbitrary. In this sense, it should be added that
RGPD sanctions are different from those of the repealed LOPD, being of the
order of fifteen times higher by mandate of the European legislator, so they are
not affordable amounts. In addition, article 83.4 RGPD, now imputed, allows
amounts of up to 2% of the global total annual business volume to be imposed; in this
case that volume is of the order of 1,600 million, so the maximum amount legally
established in the RGPD could be 32 million euros, and double in the case of
83.5 RGPD, when the amounts now imposed are 4 and 2 million euros, respectively,
that is, the fifth (or tenth part in the infraction of art 44 of the RGPD) part of the
applicable maximum. Consequently, the amount of the administrative penalty imposed
(art 58.2.i RGPD) is proportional to the alleged facts.
Regarding the alleged files, the following should be noted:
Regarding E / 04471/2018, the line is in the advertising exclusion system,
as recorded in the file and accredited by the claimant with entry registration
number (NRE): 199267/2018.
Regarding files E / 07183/2019 and E / 07940/2019, the | |||
codes (first column of the annex) RDC and RD, respectively, and accredited by the | |||
documentation in the file. | |||
<Regarding the different legal personality alleged of the VDF ESPAÑA entities,
VDF ONO, LOWI and VDF Services>, it should be noted that in the on-site Inspection
at VDF it was stated that the aforementioned entities are part of the VDF Group in Spain,
that with regard to marketing actions they are governed by the same
procedure, and that said Group was represented by Vodafone España SAU, as it was
the party responsible for the decisions on the treatments of the rest.
And so it is stated in the Inspection Certificate:
page 2 Inspection Certificate,
<< The entities that are part of the Vodafone Group in Spain are VODAFONE | |||
ESPAÑA SAU, (hereinafter VDF) VODAFONE ONO, SAU (VDFONO hereinafter | |||
hereinafter) and VODAFONE ENABLER ESPAÑA, SL (hereinafter LOWI), hereinafter | |||
referred to direct marketing actions, specifically to the management of | |||
recruitment campaigns, in general, are governed by the same process, (with | |||
small differences relating to, for example, teleshopping providers (TVTA in | |||
successive). • | |||
Regarding the process of unifying the information systems between VDF and | |||
VDFONO, the process regarding the segment "individuals" is finalized, while | |||
that the process regarding the “companies” segment is currently on hold | |||
until having the appropriate verifications of its correct operation in the segment | |||
"Individuals". LOWI's Customer Management Systems (CRM hereinafter) | |||
they remain independent >>). | |||
In this regard, it must be emphasized, as already stated, that VDF's decision to
continue working at present with the entities in charge of the treatment that
already provided the service at ONO before the merger with VDF (on 01/10/2018)
confirms that the party responsible for the treatment operations analyzed in
this procedure and carried out by ONO from that date is VDF. For that
reason, the infractions analyzed in this procedure are imputed
entirely to VDF, as it is the entity that decides the ends and means, without prejudice to
the fact that Lowi's customer management information systems continue to be
independent.
<Regarding the content of the Annex attached to the Proposal for Resolution>, it
should be noted that the claimant with acronym JJJ has the reference E / 01489/2019.
Regarding the claimant of acronyms LLL, the references E / 07671/2018 correspond | |||
and the subsequent research reference E / 04688/2019, as well as the references | |||
E / 08243/2018 and E / 07690/2018. Regarding the claimant of acronym MMM , | |||
correspond to the reference E / 01633/2019. And regarding the claimant of acronyms NNN | |||
the references E / 10149/2018 and that of the subsequent investigation actions | |||
E / 07960/2019, as well as the file references E / 07775/2019 and | |||
E / 07960/2019. However, this allegation does not affect the merits of the case, limiting itself | |||
to make some corrections when the important thing would have been to enter the file | |||
and settle the issues raised in the claim, which are none other than the | |||
violation of the fundamental right to data protection of the complainants and | |||
correct, now yes, the organizational and technical deficiencies that cause the | |||
claims, or where appropriate, minimize their impact. | |||
<As an allegation of duplication of "procedures" (sic)>, which must refer to
"Files" (section 5), the same should be noted as in the previous
paragraph: it is now corrected, and the file reference that must appear is
E / 09407/2018.
However, once the aforementioned material errors in the Annex have been detected and now
corrected, it should be noted that they do not affect, either quantitatively or in substance,
the matter raised in this proceeding, nor do they cause any defenselessness, because the
claimants are the same and are at the heart of this procedure.
Therefore, after their correction in accordance with article 109.2 of Law 39/2015, of PACAP, the
claim must be rejected.
In section 6 of the same allegation, it insists on the lack of documentation of the | |||
reference files E / 07608/2018, E / 07190/2019 and E / 07188/2018 (the latter | |||
has not been found affected by the procedure, so the | |||
reference provided). Regarding the first two, claimants with acronyms FJJN and | |||
FRPM respectively, it should be noted that there is no evidence that the information provided | |||
by this Agency has been incomplete after the correction made by the Instruction | |||
with the second shipment of documentation in November 2020. Consequently, the | |||
claim must be rejected. | |||
Finally, in section 6 of the second claim, it is added that <the AEPD has not
issued to all claimants notice of the agreement to initiate this
procedure, so once again the conduct of the AEPD has been arbitrary>.
In this regard, this Agency has no record of the facts referenced, so the
allegation must be rejected, and regarding arbitrariness it should be noted that the Proposal
for Resolution has been reasoned and adjusted both in form and in substance to the
legally established regulations, so that there is no arbitrary or unfounded
behavior by the AEPD.
3R) | |||
VDF alleges, <that DF III of the Proposal for Resolution does not answer with | |||
sufficient motivation for the allegations presented, which undermines the right to | |||
defense of the alleged entity>. | |||
In this regard, it must be added that, in the reply by the investigating body, the
allegations made by VDF after the agreement to initiate this procedure
were answered in their entirety and with sufficient reasoning. We bring back to
this point the reasoning already set out in this resolution on what really
constitutes lack of motivation capable of producing defenselessness, which does not occur
in the case examined.
However, add that with respect to the claim made by VDF that <” AEPD | |||
does not seem to take into account that these are third-party entities and that the controls have | |||
to respect current regulations on commercial and labor matters. The level of control | |||
intended by the AEPD (continuous, permanent and audited) not only does it not have | |||
legal support, but would imply an interference in the activity of the collaborators | |||
that can hardly be executed without violating these regulations (ie possible | |||
indication of illegal transfer of workers from these companies to companies | |||
main). Especially considering that the AEPD's criteria to assess whether a | |||
control is adequate or not, it is only that of its result and, in his opinion, it only enjoys | |||
of such a condition if it is absolutely infallible ”>, it should be noted that there is
no interference in the activities of the collaborators, because there is no impact on
their commercial activity, but only on what affects the processing of personal
data.
The controller is the one who has the ability to determine the purposes and
the means of the processing, and in this case a data processor
contract. Indicating the means of processing, how the processing has to be carried out
by means of the corresponding instructions, and how to verify that it is being
executed in the manner entrusted implies neither more nor less than delimiting
elements of the contract that is being concluded between both
entities.
In no case would there be the illegal transfer of workers that they allege. First,
because none of the circumstances legally foreseen for this is present,
as follows from art. 43 of Royal Legislative Decree 2/2015, of October 23,
approving the revised text of the Workers' Statute Law (hereinafter,
ET): the object of the service contracts between the companies
is not limited to merely making the workers of the transferring company available to
the transferee company, nor does the transferring company lack its own stable
activity or organization, lack the means necessary for the
development of its activity, or fail to exercise the functions inherent to its status as
employer. Here we find two different legal entities, each with its
own organizational structure, with no possible confusion between the two.
And, secondly, because the controller does not send instructions or orders
to the processor's employees, but to the processor itself, which will exercise as it
sees fit the power of management over its own employees (art. 20.3 ET).
Without prejudice to expanding, in the following Legal Grounds, the answer to the
following sections of the allegation, and to those already answered during the
sanctioning procedure and already included above in this
resolution, we now proceed to answer succinctly:
Regarding the erroneous inclusion of files, this has already been answered, though it
bears insisting now that the withdrawal of 29 files was not motivated by the "erroneous
inclusion of files", but was done for the sake of transparency, and only in two cases, and that
this has been corrected through the hearing provided to VDF by the investigating body on the
documentation of the file.
Regarding the confusing and disorderly exposition of the initiation agreement, note that the
alleging party has not requested the taking of any evidence in order to clarify what are, in its
opinion, deficiencies that prevent it from exercising its right of defense, which the
investigating body has done in order to avoid this. It should be added that the documentation sent to
VDF in March 2020 is duly ordered by date of entry
at this AEPD.
Regarding the prior filtering of the VDF database, it should be noted that, as has been
accredited (On-site Inspection of September 2020), in none of the cases
has this filtering been effective: not in the databases owned by VDF, since
those delivered to the processors were not filtered against the lists of exclusions
exercised before the latter, nor in the databases originating from the processors, which
were not filtered against the VDF exclusion lists. In both cases there was
a total lack of communication between the participants in the processing (VDF and
processors, and vice versa), as a consequence of the poor organizational and technical
means established in the communication protocols between the entities, which
simply did not exist, and whose correct implementation was the responsibility of VDF
as controller of the processing carried out between the intervening
entities. All this has led to the systematic violation of the guarantees and rights of
those affected, without the controller (VDF) detecting it and, where
appropriate, correcting it. Furthermore, it is materially impossible for the processors to follow
the instructions of the controller (VDF), simply because these instructions
were either confusing, or scarce, or nonexistent, which cannot be accepted from an
entity such as VDF, which is one of the leading telecommunications operators in the
country with millions of subscribers and, at least it is assumed, with sufficient experience
linked to the performance of personal data processing. In short, VDF has not
intervened, and must imperatively intervene, to oblige the processors at all
times to respect the guarantees and rights imposed by the RGPD.
It should be added that, with respect to the LGT, the right to object must be interpreted
according to the RGPD and LOPDGDD, while according to the LSSICE prior authorization
is necessary for electronic communications. In both cases, the controller (VDF)
has not implemented the appropriate protocols for
communication between the different intervening entities in order to guarantee the
rights of those affected, despite being legally obliged to do so.
Regarding the fact that VDF will implement the rejection of contracts that do not comply with the
protocol established by VDF, it should be noted, first, that such a protocol
must exist, containing detailed instructions and mandates that clearly
prevent any deviation in conduct; and secondly, and as is relevant
here, it is not enough to reject contracts that violate this type of
established protocol: what must be avoided is reaching that
situation, having previously violated the guarantees and rights of those affected.
Regarding the new "routing" system supposedly implemented by VDF
progressively and with an end date in February 2020, it has already been said in this
Resolution that this is neither accredited nor are there indications that it is so, since the
claimants in the files of this procedure have themselves submitted,
after that date, new claims complementary to the initial one, and
the AEPD continues to receive claims for the same events to date,
specifically one year later. All this denotes that either the new system has not been
implemented or, where appropriate, it is highly inefficient, so its structure and
operation should be reconsidered. The infringement of the rights of the interested parties
continues to occur.
VDF alleges that no corrective measures have been implemented because the facts are
"sporadic and exceptional" (sic). Suffice it to recall the more than forty
disciplinary proceedings initiated against VDF by this AEPD in the last two years, and
the high percentage of material and human resources that this AEPD is devoting
to safeguarding or restoring the fundamental right to data protection and the
guarantees of those affected, as a result of the numerous claims that
are repeatedly filed with this AEPD against VDF. Consequently, describing the facts
now analyzed as "sporadic and exceptional" cannot be accepted.
Regarding the claim that the AEPD has not accredited the infractions committed, that is
precisely what the present procedure deals with, and they are duly documented, not by
mere assumptions as alleged, but by objective facts that are accredited
by the documentation provided by the claimants as well as by the investigations
carried out by this AEPD, and that VDF has not been able to disprove.
4R) | |||
The concept of Data Controller, as indicated in art. 24 of the RGPD, is
a broad concept, which seeks to provide effective and comprehensive protection to
the interested parties.
This has been determined by the case law of the CJEU. For example, the CJEU judgment in the
Google Spain case of May 13, 2014, C-131/12, considers in a broad sense the
controller, in order to guarantee "an effective and complete protection of
the interested parties".
In the same way, such effective and complete protection must be deployed in the case
in which the data processing is carried out by the controller through a
processor, because otherwise the letter and the purpose of the
GDPR would be violated. There would be a "flight" from the right to data protection.
Thus, the Report of the Legal Office of the AEPD of July 20, 2006 states
that "what is important for delimiting the concepts of controller and
processor is not the cause that motivates the processing of the data, but the sphere
of direction, control or management that the controller may exercise over the
processing of the personal data in its possession by virtue of
that cause, and that would be entirely forbidden to the processor"; in
our case, the control, direction and ordering of the processing corresponds to VDF.
When the processors use their own databases, the control, direction and
ordering remain those of VDF, in whose name and on whose behalf they call potential clients.
The processor does not decide on the purpose of its databases; it is VDF who
tells them what they can and should use them for.
Art. 33.2 of the LOPDGDD indicates that those who "in their own name and without
evidence that they act on behalf of another establish relationships with those affected"
are considered controllers and not processors; which, interpreted a contrario,
means that the processor is the one who establishes relations with those affected on
behalf of the controller. This is regardless of whether it is necessary to access data
on behalf of third parties.
The processor, to be one, has no interest of its own in the outcome of the
processing entrusted to it, without prejudice to the financial compensation received
for the service provided, which is what happens in the case under examination. The
processors have no interest of their own; they act in the name and on behalf of the
controller, fulfilling its orders and for its purposes, and this is what
determines that they are processors from the outset. The use of their own or
third-party databases in no way changes that assessment.
In this sense, Report 0064/2020 of the Legal Office of the AEPD (dated
12/18/2020) establishes that "Likewise, another criterion to consider is whether the entity
involved in the processing does not pursue any purpose of its own in relation to the
processing, but is simply paid for the services rendered, since in
that case it would act, in principle, as processor rather than controller
(section 60)" (Guidelines 07/2020 of the European Data Protection Committee
(CEPD) on the concepts of data controller and processor in the RGPD,
of September 2, 2020, pending final adoption at this time after completion of the
public consultation process).
Regarding the non-application of the aforementioned STS 1562/2020, we must point out that it
does turn out to be applicable to the present case, since what it shows is that,
for the purposes of data protection regulations, an entity is a
processor even if it works with its own databases. The situation is the same
as the one we are in now, with the difference that VDF, in identical
circumstances, has understood that its collaborators are not processors
but controllers.
It is crystal clear that one is the controller when one decides
on the means and purposes of the processing. VDF claims to the contrary that "it cannot be
responsible for the processing of practically all the personal data under
analysis in this procedure, as it is not the entity that provides the databases
in question, does not provide the collaborators with the means to carry out the
data processing, nor does it decide, or set in any way, the parameters
for identifying the recipients of the commercial action, this being carried out
completely independently, and in their best judgment, by the
collaborators". However, it is determining the means of processing when it
chooses that collaborators use their own databases, specially prepared
for VDF, and allows them a certain margin of action with respect to the parameters
for identifying the recipients of the commercial action.
Ratifying the foregoing, Report 0064/2020 of the AEPD Legal Office (dated
12/18/2020) asserts that "In any case, the legal relationship established between the
parties should be analyzed carefully and in depth in order to identify
who determines the purposes and the means, for which the repeatedly cited
CEPD guidelines give different criteria that can be used to establish these
positions, on the basis that the word "determine" implies actually exercising an
influence on the purposes and means, to which it is no obstacle that the service is defined
in a specific way by the processor, provided that the controller is
presented with a detailed description and can make the final decision on how
the processing is carried out and can request changes if necessary, without
the processor subsequently being able to introduce modifications to the essential
elements of the processing without the approval of the controller (section 28), nor that
the processor is given a certain margin of maneuver to make some decisions
in relation to the processing (section 35), it being possible to leave to the processor
decisions on non-essential means (paragraph 39), such that the processor must
not process the data otherwise than in accordance with the instructions
of the controller, without prejudice to the fact that said instructions may leave a certain degree
of discretion on how best to serve the interests of the controller, allowing the
processor to choose the most appropriate technical and organizational measures (section 78)".
It is clear, having examined the specific case of this sanctioning
procedure, that VDF is the one who "really exerts an influence on the purposes and the means";
the mere assertion by VDF that its collaborators are not
processors does not alter the reality of the facts. It is VDF "who can make the
final decision on the way in which the processing is carried out and can request
changes".
In relation to the means of processing, the controller will establish
the means of processing to a greater or lesser extent depending on its commercial
strategy. The fact that the controller, Vodafone, grants the processor a certain
room for maneuver, or that its instructions leave it some discretion, is no
obstacle to its continuing to be considered a processor.
For all these reasons, VDF's collaborators are legally processors,
because VDF determines the means (the collaborators' own databases),
even though VDF gives them instructions that allow them a certain margin of
autonomy in the choice of parameters for making these calls.
Determining the means of processing, which covers with what, how and
when the processing is to be carried out, encompasses any decision-making action
of the controller, regardless of its extent.
VDF adds that "Complementarily to the above, as the AEPD well knows, the
position of advertising service providers is subject to specific
regulation in article 46.2 of the RLOPD regarding the processing of data in
advertising campaigns, a regulation that remains in force as long as it does not contradict or
conflict with the provisions of the RGPD, establishing, in its section 2 b), that:
"In the event that an entity contracts or entrusts third parties to carry out a
specific advertising campaign for its products or services, entrusting them with the
processing of certain data, the following rules will apply: b) When the
parameters were determined solely by the contracted entity or entities,
said entities will be responsible for the processing".
Well, the sole repealing provision of the LOPDGDD establishes in its third
section that "Likewise, any provisions of equal or lower
rank that contradict, oppose, or are incompatible with the provisions of
Regulation (EU) 2016/679 and of this organic law are repealed".
Although it does not expressly repeal the RLOPD, the latter must be understood as tacitly repealed
in all those matters that contradict, oppose, or are incompatible
with the provisions of the RGPD and the LOPDGDD. The cited precept of the RLOPD is
superseded by the RGPD and the LOPDGDD, according to their conceptualization of what it is to be
a controller and a processor.
In any case, we are not in a factual situation in which the parameters
are determined solely by the contracted entities; quite the opposite, it is
VDF who, as the data controller, is setting the parameters.
In summary, in the case examined, the collaborators hired to carry out
direct marketing actions are processors of VDF when carrying out
direct marketing actions in its name and on its behalf. They act under the
VDF brand exclusively. It is VDF who determines the purposes and means of the
processing, it being significant that the databases which the processor
makes available to VDF are prepared specifically for the
latter (it is the means that VDF chooses). And we cannot forget, even if only by way
of illustration, that the new routing system, which they claim to have
implemented, integrates all the processors into that routing
network.
5R) | |||
Going to the genesis of the concept of data processor, and following
Opinion 1/2010, of 2/16, of the GT29: "The concept of data processor is not
contained in Convention 108. The role of the processor was recognized
for the first time in the Commission's first proposal, although it did not introduce
the concept, in order to "avoid situations in which processing by third parties
on behalf of the controller of the file has the effect of reducing the
level of protection enjoyed by the interested party". The concept of data
processor is only explicitly and autonomously included in the Commission's amended
proposal, following a proposal from the European Parliament, before
taking on its current formulation in the Common Position of the Council. Like the
definition of the controller, the definition of the processor
encompasses a wide variety of agents who can play this role ("natural or legal
person, public authority, service or any other body"). The existence
of a processor depends on a decision made by the
data controller, who may decide that the data are processed within its
organization, for example by personnel authorized to process data under its
direct authority (see, conversely, article 2.f)), or delegate all or
part of the processing activities to an external organization, that is, as
stated in the explanatory memorandum to the Commission's amended proposal,
to "a legally distinct person acting on his own behalf."
Therefore, in order to act as data processor, two
basic conditions must be met: on the one hand, being a legal entity independent of the
controller and, on the other, carrying out the processing of personal data on
behalf of the latter".
Regarding the allegation made, VDF itself answers it when it indicates that
"Actually, the referred regulation establishes the obligation on the part of the controller to
carry out suitability checks during the selection of those suppliers to
whom it intends to provide personal data and, likewise, the minimum conditions under
which they must process said personal data, and said
conditions in the corresponding contract that will contemplate all aspects
required in article 28 RGPD…", which in the present case has not been done.
Article 28.1 of the RGPD states: "1. When processing is to be carried out on
behalf of a data controller, the latter will only choose a processor who
offers sufficient guarantees to apply appropriate technical and organizational
measures, so that the processing is in accordance with the requirements of
this Regulation and guarantees the protection of the rights of the interested party." It is
noted that it refers to the technical and organizational measures that must be
guaranteed throughout the processing entrusted. That is, from before the processing
itself is entrusted, namely the appropriate choice of who will act
as processor, until the end of the service, as indicated in article
28.3.g) itself.
And article 28.3.h) continues: "will make available to the controller all the
information necessary to demonstrate compliance with the obligations
established in this article, as well as to allow and contribute to the performance
of audits, including inspections, by the controller or another auditor
authorized by said controller".
Regarding the performance of audits as a suitable means for the controller
to continuously supervise the processor,
Guidelines 07/2020 of the European Data Protection Committee (CEPD) on the
concepts of data controller and processor in the RGPD, of
September 2, 2020, establish that (the translation is ours) "97. The obligation to
use only processors "who provide sufficient
guarantees" contained in article 28, paragraph 1, of the GDPR is a continuing
obligation. It does not end when the controller and the
processor enter into a contract or other legal act. Instead, the controller must, at
appropriate intervals, verify the processor's guarantees, including through
audits and inspections where appropriate".
In the same way that the controller audits the processing that it
performs directly and by its own hand, it must audit the processing that others
perform on its instructions.
In the present case, VDF has not complied with either of the transcribed sections;
in particular, being able and having the legal obligation to do so (through audits
and inspections), VDF has not required the processor to comply with
its obligations, a breach that should be attributed only to VDF as
controller.
6R) | |||
Regarding the breach of article 44 of the RGPD.
From the evidence in the documentation of the file, as reflected in
the TWENTIETH Proven Fact, specifically the data processor contract
signed between VDF and Casmar on 05/1/2019, VDF as controller
agrees with Casmar that the processing entrusted
is carried out from a third country (Peru) without complying with the due guarantees
required by the RGPD, by consenting, with full knowledge of the signatory parties since
it is so stated in the contract, that Casmar will carry it out through the
sub-processor entity (A-Nexo) in the name and on behalf of VDF (according to the contract signed on
05/01/2019 between VDF and Casmar and the subsequent contract signed between Casmar and
A-Nexo dated 06/27/2019). Said contract states verbatim: "location of the
treatment: Peru" (sic). Consequently, the party responsible for this International
Transfer (TI) without the due guarantees, agreed between VDF and Casmar through
the sub-processor entity based in Peru (A-Nexo), is none other than VDF, acting in its
capacity as the controller that entrusted the processing under the aforementioned conditions.
For this reason, VDF is the one obliged to impose and establish the due guarantees so that
that TI can be carried out according to the requirements established in the RGPD.
7R) | |||
Regarding the breach of article 21.1 of the LSSICE.
Article 21 of the LSSICE: "Prohibition of commercial communications made
via email or equivalent electronic means of communication.
1. The sending of advertising or promotional communications by
email or other equivalent electronic means of communication that
had not previously been requested or expressly authorized by the
recipients of the same is prohibited.
2. The provisions of the previous section shall not apply when there is a
prior contractual relationship, provided that the provider had lawfully obtained
the recipient's contact details and uses them to send commercial
communications related to products or services of its own company that are
similar to those that were initially contracted with the client.
In any case, the provider must offer the recipient the possibility of objecting to the
processing of their data for promotional purposes by means of a procedure that is simple
and free of charge, both at the time of data collection and in each of the
commercial communications addressed to them.
When the communications have been sent by email, said
means must necessarily consist of the inclusion of an email
address or other valid electronic address where this right can be exercised,
the sending of communications that do not include said address being prohibited".
It has been established from the beginning of the procedure that the marketing actions in
the name and on behalf of VDF would be made using random numbers (and
e-mail addresses) to "potential clients" in whose home or area VDF services were
installed and available. It has also been alleged that such numbers
(used to send SMS) were previously crossed with the advertising
exclusion lists, which at no time was done, without prejudice to
what is explained later.
Now VDF alleges that the SMS sent were addressed to clients under the
exception of article 21.2 of the LSSICE.
Well, it could be so in some cases unrelated to this procedure, but in the present
one the opposite has been proven, that is, that the recipients were not customers of
VDF and had even exercised their right of opposition, so the
aforementioned section of article 21 (21.2) of the LSSI is not applicable. Files
relating to non-compliance with the LSSICE are indicated with the code "C" in the
column of the Annex to the Proposal for Resolution, which is now also attached.
Consequently, the claim must be rejected.
8R) | |||
Regarding the LGT, VDF alleges alleged non-compliance.
The Preamble of the LOPDGDD states the following:
"Title IV contains "Provisions applicable to specific processing",
incorporating a series of cases that in no way should be considered
exhaustive of all lawful processing. Within them it is worth noting,
firstly, those for which the legislator establishes a presumption "iuris
tantum" of prevalence of the legitimate interest of the controller when they are carried out
with a series of requirements, which does not exclude the lawfulness of this type of processing
when the conditions set forth in the text are not strictly fulfilled, although in
that case the controller must carry out the legally required weighing, since
the prevalence of its legitimate interest is not presumed. …"
Article 23.4 of said rule (LOPDGDD) states:
"4. Those who intend to make direct marketing communications must
previously consult the advertising exclusion systems that could affect their
action, excluding from the processing the data of those affected who had
expressed their opposition or refusal to it. For these purposes, to consider
the above obligation fulfilled, it will suffice to consult the exclusion systems
included in the list published by the competent control authority.
It will not be necessary to carry out the query referred to in the previous paragraph when the
affected party has given, in accordance with the provisions of this organic law, their
consent to receive the communication to whoever intends to carry it out.".
The reasons why the application of the LGT prevails in Spanish law, as a special
norm, over the RGPD and LOPDGDD as general rules, have already been indicated in this
Resolution (FD V) and need not be reiterated.
In the present case, the authorization provided for in the second
paragraph of the aforementioned section 4 of article 23 not being applicable, because there is no
consent of the claimants, it has been sufficiently accredited throughout the procedure that
both VDF, as controller, and the processors who
acted in the name and on behalf of VDF did not remove from their marketing actions
those recipient lines that were previously included in the advertising exclusion
systems. This is reflected with the code "R" in the column of the Annex to the
Proposed Resolution, which is now also attached.
Consequently, VDF has violated the aforementioned article 48.1.b) in relation to article 23 of
the LOPDGDD, for which reason the allegation must be rejected.
9R)
VDF alleges that it was left clearly defenseless during this sanctioning procedure.
Regarding the principle of prohibition of arbitrariness, it should be noted that there is no evidence of any diversion of legal actions by this AEPD; rather, the whole procedure has complied with the legal rules, both in form and in the reasoning of its administrative acts, the evidence and the other enforceable legal and constitutional guarantees.
There is no doubt that the present sanctioning procedure is complex and voluminous, but even so, all the required legal guarantees have been met. This includes the rectification of material errors under art. 109 of the LPACAP, in particular in the complementary shipment, which was a rectification and not an inclusion of new files, with the interested party being given a hearing as required by that provision and by art. 105 of the Spanish Constitution (CE). It must be added that, while deadlines were suspended under the state of alarm decreed in Spain, the investigating body treated the sending of the file as an urgent procedure (it was carried out in March 2020) in order to avoid defenselessness, so that during the suspension the defendant had the time needed to analyze the documentation (about ten thousand pages), whereas under normal conditions, without suspension of terms, it would have had a maximum of 15 days to study it and prepare its line of defense.
The charge, made in the Proposed Resolution, of infringing article 44 of the RGPD (international transfer of personal data without the guarantees required by the RGPD) has already been addressed in this Resolution.
Finally, it should be noted that VDF has not requested the taking of any evidence during the sanctioning procedure in support of whatever line of defense it considered appropriate against the infringements charged. The only evidence taken was requested by the investigating body, which, in order to avoid leaving the respondent defenseless, corrected material errors after analyzing the more than ten thousand pages that make up the file and provided VDF with an Annex containing a structured summary of the facts, precisely so that VDF could process it automatically, for the sake of transparency, and to avoid any impediment that could diminish its rights, granting the mandatory hearing and a period for allegations, which VDF has used. Consequently, the allegation must be rejected, since there is no arbitrariness in the actions of the AEPD and no violation of the right of defense; on the contrary, it is established that all the established legal guarantees have been observed throughout this sanctioning procedure.
V
Article 2.4 GDPR. Relationship with Directive 2000/31/EC of the European Parliament and of the Council of June 8, 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (hereinafter Directive 2000/31/EC).
"4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular its rules on the liability of intermediary service providers established in its articles 12 to 15".
In this regard, the LSSICE transposes the aforementioned Directive 2000/31/EC into the Spanish legal system.
Article 95 GDPR. Relationship with Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter Directive 2002/58/EC).
"This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002".
In this regard, the LGT transposes the aforementioned Directive 2002/58/EC into the Spanish legal system.
In relation to the aforementioned articles of the RGPD (articles 2.4 and 95) and the aforementioned LGT and LSSICE, there is the Legal Report of this AEPD, reference 0173/2018, already known to the investigated party, which relies on it in its brief.
To the same effect is Opinion 5/2019 on the interaction between the Directive on privacy and electronic communications and the General Data Protection Regulation, in particular with regard to the competence, functions and powers of the data protection authorities, adopted on 12 March 2019, whose paragraphs 66 to 70 and paragraph 86 of the conclusions are reproduced below:
<< 66. Where national legislation confers on the data protection authority competence to enforce the Directive on privacy and electronic communications, the legislation should also determine the functions and powers of the data protection authority in relation to the enforcement of the Directive. The data protection authority cannot automatically rely on the functions and powers provided for in the RGPD to take measures to enforce national rules on privacy and electronic communications, since these functions and powers of the GDPR are linked to the application of the GDPR. National legislation may assign functions and powers inspired by the GDPR, but it can also grant other functions and powers to the data protection authority for the enforcement of national rules on privacy and electronic communications, in accordance with article 15a of the Directive.
67. Discretionary power only exists within the requirements and limits established in higher-ranking rules. Article 8(3) of the Charter requires that compliance with the rules on the protection of personal data be subject to control by an independent authority.
68. When the processing of personal data triggers the material scope of both the GDPR and the Directive on privacy and electronic communications, data protection authorities are competent to supervise the subsets of the processing that are governed by national rules transposing the Directive only if national law confers this competence on them. However, the competence of the data protection authorities under the GDPR in any case remains non-exhaustive as regards processing operations that are not subject to the special rules contained in the Directive. This demarcation line cannot be modified by the national legislation transposing the Directive (for example, by extending the material scope of application beyond what is required by the Directive and granting exclusive powers for that provision to the national regulatory authority).
69. Data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the Directive does not limit the competence of the data protection authorities under the RGPD.
70. When exclusive competence has been granted to a body other than the data protection authority, national procedural law determines what should happen when data subjects file complaints with the data protection authority in relation, for example, to the processing of personal data in the form of traffic or location data, unsolicited electronic communications or the collection of personal data through cookies, without also reporting a (potential) infringement of the GDPR.
86. When the processing of personal data triggers the material scope of both the GDPR and the Directive on privacy and electronic communications, data protection authorities are competent to supervise the data processing operations that are governed by national electronic privacy rules only if national legislation confers this competence on them, and such supervision must take place within the supervisory powers assigned to the authority by the national legislation that transposes the Directive. >>
Consequently, in relation to the specific matter regulated by the LGT and the LSSICE, these laws prevail, by reason of subject matter, over the RGPD and the LOPDGDD, without prejudice to the fact that the former may need to be complemented by the legal concepts developed by the latter.
Without prejudice to the later analysis of the facts from the perspective of the aforementioned special laws (LGT and LSSICE), the following are the definitions of the legal concepts set out in article 4 of the RGPD:
Article 4 GDPR. Definitions
For the purposes of this Regulation, the following shall be understood as:
1) "personal data": any information relating to an identified or identifiable natural person ("the data subject"); an identifiable natural person is one whose identity can be determined, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
2) "processing": any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
6) "file": any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
7) "data controller" or "controller": the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of the processing; where the law of the Union or of the Member States determines the purposes and means of the processing, the controller or the specific criteria for its appointment may be established by the law of the Union or of the Member States;
8) "data processor" or "processor": the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller;
10) "third party": a natural or legal person, public authority, service or body other than the data subject, the controller, the processor and the persons authorized to process personal data under the direct authority of the controller or the processor;
11) "consent of the data subject": any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, either by a statement or by a clear affirmative action, accepts the processing of personal data concerning him or her.
18) "enterprise": a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations that regularly carry out an economic activity;
25) "information society service": any service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council (Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on information society services (OJ L 241, 17.9.2015, p. 1)).
VI
Article 24 Responsibility of the controller
<< 1. Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures in order to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation. These measures shall be reviewed and updated when necessary.
2. Where proportionate in relation to the processing activities, the measures mentioned in section 1 shall include the implementation, by the controller, of appropriate data protection policies ... >>.
Report 0064/2020 of the Legal Office of the AEPD has emphatically stated that "The RGPD has brought a paradigm shift in the regulation of the right to the protection of personal data, which is now based on the principle of "accountability" or "proactive responsibility", as the AEPD has repeatedly pointed out (Report 17/2019, among many others) and as stated in the Explanatory Memorandum of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD)".
The aforementioned report goes on to say that "… the criteria on how to attribute the different roles remain the same (section 11), reiterates that these are functional concepts, which are intended to assign responsibilities according to the actual roles of the parties (section 12), which implies that in most cases the circumstances of the specific case must be considered (case by case), looking at their actual activities rather than the formal designation of an actor as "controller" or "processor" (for example, in a contract), as well as autonomous concepts, whose interpretation must be carried out under European data protection rules (section 13), and taking into account (section 24) that the need for a factual assessment also means that the role of a controller does not derive from the nature of an entity that is processing data but from its specific activities in a specific context…".
The concepts of controller and processor are not formal but functional, and must be assessed in the specific case. VDF's designation of its collaborators as "data controller" does not automatically confer that status on them.
An entity is the data controller from the moment it decides the purposes and means of the processing, and it does not lose that status by leaving the processor a certain margin of action or by not having access to the processor's databases.
This is stated beyond doubt in Guidelines 07/2020 of the European Data Protection Board (CEPD) on the concepts of controller and processor in the RGPD (the translation is ours): "A data controller is the one who determines the purposes and means of the processing, that is, the why and the how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of implementation ("non-essential means") can be left to the processor. It is not necessary for the controller to actually have access to the data being processed in order to qualify as controller".
In the present case, it is established that VDF is the controller of the data processing analyzed here since, as defined in article 4.7 of the RGPD, it is the entity that determines the purpose and means of the processing carried out in the direct marketing actions of the three entities (VDF, ONO, LOWI). As data controller, it is therefore obliged to comply with the provisions of art. 24 of the RGPD transcribed above and, in particular, to exercise effective and continuous control over the "appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing is in accordance with this Regulation", which include those provided for in article 28 of the RGPD in relation to the processors acting in the name and on behalf of VDF.
In this regard, VDF argued in its brief of allegations to the initiation agreement that the various entities that carry out processing on behalf of VDF, and that therefore have their own files, act not as processors but as controllers of that processing. It should be noted that Guidelines 07/2020 of the European Data Protection Board (CEPD) on the concepts of controller and processor in the RGPD (the translation is ours) state: "42. It is not necessary for the controller to actually have access to the data being processed. Whoever outsources a processing activity and, in doing so, has a determining influence on the purpose and (essential) means of the processing (for example, by adjusting the parameters of a service in such a way that it influences whose personal data will be processed) should be considered the controller even though it will never have actual access to the data". It should be recalled that VDF determines to whom calls may be made, since they cannot be made to those who are already clients of the company, and also determines the filtering against advertising exclusion lists or whatever corresponds to the exercise of the right to object.
Likewise, following the legal report of the AEPD dated 11/20/2019, internal reference 0007/2019, and STS 1562/2020 (among others), it must be pointed out that the legal figure of the data controller is analyzed from the perspective of the RGPD, which alone regulates it.
<< Article 28 Processor
1. Where processing is to be carried out on behalf of a controller, the controller shall use only a processor that offers sufficient guarantees to implement appropriate technical and organizational measures, so that the processing meets the requirements of this Regulation and guarantees the protection of the rights of the data subject.
2. The processor shall not engage another processor without the prior written authorization, specific or general, of the controller. In the latter case, the processor shall inform the controller of any intended change concerning the addition or replacement of other processors, thus giving the controller the opportunity to object to such changes.
3. Processing by the processor shall be governed by a contract or other legal act under Union or Member State law that binds the processor with respect to the controller and sets out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. That contract or legal act shall stipulate, in particular, that the processor:
a) will process personal data only on documented instructions from the controller, including with respect to transfers of personal data to a third country or an international organization, unless it is required to do so by Union or Member State law to which the processor is subject; in such a case, the processor will inform the controller of that legal requirement before processing, unless that law prohibits it on important grounds of public interest;
b) will guarantee that the persons authorized to process personal data have committed themselves to confidentiality or are subject to a statutory obligation of confidentiality;
c) will take all the measures required under Article 32;
d) will respect the conditions indicated in sections 2 and 4 for engaging another processor;
e) will assist the controller, taking into account the nature of the processing, through appropriate technical and organizational measures, whenever possible, so that the controller can fulfill its obligation to respond to requests for the exercise of the data subjects' rights established in chapter III;
f) will help the controller to guarantee compliance with the obligations established in articles 32 to 36, taking into account the nature of the processing and the information available to the processor;
g) at the choice of the controller, will delete or return all personal data once the provision of the processing services ends, and will delete existing copies unless Union or Member State law requires the personal data to be kept;
h) will make available to the controller all the information necessary to demonstrate compliance with the obligations established in this article, and will allow for and contribute to audits, including inspections, carried out by the controller or by another auditor authorized by the controller.
In relation to the provisions of letter h) of the first paragraph, the processor shall immediately inform the controller if, in its opinion, an instruction violates this Regulation or other data protection provisions of the Union or of the Member States.
4. When a processor engages another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations as those stipulated in the contract or other legal act between the controller and the processor referred to in section 3 shall be imposed on that other processor, by means of a contract or other legal act under Union or Member State law, in particular the provision of sufficient guarantees to implement appropriate technical and organizational measures so that the processing complies with the provisions of this Regulation. If that other processor breaches its data protection obligations, the initial processor shall remain fully liable to the controller for the fulfillment of the other processor's obligations.
5. Adherence of the processor to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to Article 42 may be used as an element to demonstrate the existence of the sufficient guarantees referred to in sections 1 and 4 of this article.
6. Without prejudice to the controller and the processor entering into an individual contract, the contract or other legal act referred to in sections 3 and 4 of this article may be based, in whole or in part, on the standard contractual clauses referred to in sections 7 and 8 of this article, including when they are part of a certification granted to the controller or processor in accordance with articles 42 and 43.
7. The Commission may establish standard contractual clauses for the matters referred to in sections 3 and 4 of this article, in accordance with the examination procedure referred to in article 93, paragraph 2.
8. A supervisory authority may adopt standard contractual clauses for the matters referred to in sections 3 and 4 of this article, in accordance with the consistency mechanism referred to in article 63.
9. The contract or other legal act referred to in sections 3 and 4 shall be in writing, including in electronic format.
10. Without prejudice to the provisions of articles 82, 83 and 84, if a processor violates this Regulation by determining the purposes and means of the processing, it shall be considered a controller with respect to that processing. >>
The definition of 'processor' covers a wide range of actors, whether natural or legal persons, public authorities, agencies or other bodies.
The existence of a data processor depends on a decision taken by the controller, who may decide to carry out certain processing operations itself or to contract out all or part of the processing to a processor.
The essence of the role of "processor" is that personal data are processed in the name and on behalf of the controller. In practice, it is the controller who determines the purpose and the means, at least the essential ones, while the processor's function is to provide services to the controller. In other words, "acting in the name and on behalf of the controller" means that the processor serves the controller's interest in carrying out a specific task and therefore follows the instructions established by the controller, at least as regards the purpose and the essential means of the processing entrusted to it.
Article 28, section 1, of the RGPD establishes that "Where processing is to be carried out on behalf of a controller, the controller shall use only a processor that offers sufficient guarantees to implement appropriate technical and organizational measures, so that the processing meets the requirements of this Regulation and guarantees the protection of the rights of the data subject".
The obligation provided for in article 28.1 of the RGPD, to select a processor that offers sufficient guarantees to ensure the application of the Regulation and the rights and freedoms of the data subject, is not exhausted by the steps taken before selecting and contracting the processor. It requires the controller to assess at all times during the performance of the contract whether the guarantees (technical or organizational) offered by the processor are sufficient.
Guidelines 07/2020 of the European Data Protection Board (CEPD) on the concepts of controller and processor in the RGPD (the translation is ours) state beyond doubt: "97. The obligation to use only processors "who provide sufficient guarantees" contained in Article 28(1) of the GDPR is a continuous obligation. It does not end at the moment the controller and the processor conclude a contract or other legal act. Instead, the controller should, at appropriate intervals, verify the processor's guarantees, including through audits and inspections where appropriate".
This is because it is the controller that has the obligation to guarantee the application of data protection rules and the protection of the rights of data subjects, and to be able to prove it (articles 5.2, 24, 28 and 32 of the GDPR). Control of compliance with the law extends throughout the processing, from start to finish. The controller must, in any case, act diligently, consciously, with commitment and actively.
That mandate of the legislator applies regardless of whether the processing is carried out directly by the controller or through a processor. Where the law does not distinguish, neither may we.
In addition, processing carried out materially by a processor on behalf of the controller belongs to the controller's sphere of action, in the same way as if the controller carried it out directly. The processor, in the case examined, is an extension of the controller.
The data controller has the obligation to integrate and deploy data protection throughout its organization, in all its areas. It must be borne in mind that the ultimate, determining purpose is to guarantee the protection of the data subject.
To interpret it the opposite way, that the obligations article 28 of the RGPD imposes on the controller are limited to verifying the processor's capabilities ab initio and signing the data processing contract, would not only contravene current legislation and constitute a clearly fraudulent action, but would also violate the spirit and purpose of the GDPR.
In light of the principle of proactive responsibility (art. 5.2 RGPD), the controller must be able to demonstrate that it has taken into account all the elements provided for in the RGPD.
The controller must take into account whether the processor provides adequate documentation that demonstrates such compliance: privacy protection, file management policies, privacy policies, information security, external audit reports, certifications, management of the exercise of rights, etc.
The controller must also take into account the processor's specialized technical knowledge, reliability and resources.
Only if the controller can demonstrate (principle of proactive responsibility of article 5.2 of the RGPD) that the processor is suitable throughout the entire processing (at all times) to carry out the task entrusted to it may it enter into a binding agreement that meets the requirements of article 28 of the RGPD, without prejudice to the controller's duty to keep complying with the principle of accountability and to periodically check the processor's compliance and the measures in use. Before outsourcing processing, and in order to avoid possible violations of the rights and freedoms of those affected, the controller must enter into a contract, other legal act or binding agreement with the other entity that establishes clear and precise data protection obligations.
The person in charge of the treatment can only carry out treatments on the instructions | |||
documented data of the person in charge, unless he is obliged to do so by Law | |||
of the Union or a Member State, which is not the case. The person in charge of the treatment | |||
It also has the obligation to collaborate with the person in charge in guaranteeing the rights | |||
of the interested parties and comply with the obligations of the person responsible for the treatment of | |||
in accordance with the provisions of the aforementioned article 28 of the RGPD (and related). | |||
Therefore, it is insisted that the person responsible for the treatment must establish | |||
clear modalities for such assistance and give precise instructions to the person in charge of the | |||
treatment on how to comply with them properly and document it prior to | |||
through a contract or another (binding) agreement and check all | |||
moment of the development of the contract its fulfillment in the form established in the | |||
same. | |||
However, despite the obligations of the person in charge, article 28 of the RGPD | |||
seems to suggest that the responsibility of the processor remains | |||
limited compared to the responsibility of the controller. In | |||
other words, although data controllers may, in principle, be | |||
responsible for the damages derived from any infraction related to the | |||
processing of personal data (including those that have been committed by the | |||
processor) or from breach of the contract or other (binding) agreement, | |||
processors may be held liable when they have acted outside | |||
the mandate granted by the controller, or have not complied with | |||
their own obligations under the contract or under the GDPR. In these cases, the | |||
data controller can be considered fully or partially responsible for | |||
the "part" of the processing operation in which it participates. The processor will only be | |||
fully responsible when it is entirely responsible for the damages | |||
caused to the rights and freedoms of the affected parties; all | |||
this, without excluding the responsibility that the data controller has | |||
incurred with regard to avoiding them. | |||
In the present case, despite the repeated designation by Vodafone España, SAU | |||
of the << collaborators / agents / distributors >> entities as "third parties", | |||
it should be noted that the correct legal | |||
classification of these entities under the RGPD is << processors >>, | |||
since, according to the definition, they act fully in the | |||
name and on behalf of the controller (VDF) for all purposes regarding | |||
data protection. Consequently, from now on, these entities will be | |||
called processors, with the assumption of the responsibilities that | |||
this term entails within the RGPD both for the controller and for the | |||
processor of the treatment operations. It suffices to cite the | |||
content of the aforementioned STS 1562/2020 (for all), which states the following: | |||
«In this regard, the Judgment of the Supreme Court of June 5, 2004, which | |||
confirms, in cassation for Unification of Doctrine, that of this AN of October 16, | |||
2003, echoing what was argued by this Chamber, refers to the differentiation of two | |||
responsible parties depending on whether the decision-making power is directed to the file or to the | |||
data treatment. Thus, the person responsible for the file is the one who decides the creation of the | |||
file and its application, and also its purpose, content and use, that is, who has | |||
decision-making capacity over all the data registered in said file. The | |||
person responsible for the treatment, however, is the subject to whom the | |||
decisions about the specific activities of a certain data processing correspond, | |||
that is, about a specific application. These would be all those cases in | |||
which the power of decision must be differentiated from the material performance of the | |||
activity that makes up the treatment. With this, as the STS of April 26, | |||
2005 (cassation for unification of doctrine 217/2004) indicates, the Spanish | |||
legislator aims to adapt to the requirements of Directive 95/46/EC, whose | |||
objective is to provide a legal response to the increasingly frequent phenomenon of the | |||
so-called outsourcing of computer services, where there are multiple | |||
operators, many of them insolvent, created with the aim of seeking the | |||
impunity or irresponsibility of those who follow them in the subsequent links of the | |||
chain. Currently, the new Regulation (EU) 2016/679 of the European Parliament | |||
and of the Council of April 27, 2016, on the protection of individuals | |||
with regard to the processing of personal data (by which | |||
Directive 95/46/EC is repealed, and of direct application as of May 25, 2018) distinguishes | |||
also between the controller and the processor. The | |||
first is defined in Article 4 (7) as the "natural or legal person (...) | |||
that determines the purposes and means of the treatment", and the processor in | |||
paragraph 8) of the same article 4 as the one that "treats personal data on behalf | |||
of the person responsible for the treatment". | |||
This in relation to Articles 24 and 28 of the same European Data Protection | |||
Regulation. Controller and processor who, without any | |||
doubt, are also liable for infractions in matters of data | |||
protection, in that new regulatory framework, in accordance with the provisions of article | |||
82.2 of the repeated Regulation (EU) 2016/679, according to which: Any controller who | |||
participates in the treatment operation will be liable for the damages | |||
caused in the event that said operation does not comply with the provisions of this | |||
Regulation. A processor will only be liable for the damages | |||
caused by the treatment when it has not complied with the obligations of | |||
this Regulation specifically addressed to processors or has acted | |||
outside or against the lawful instructions of the controller. It follows from | |||
all of the above that the concurrence, in the present case, of a processor, | |||
ZZZZ, in no way exempts from liability entity XXXX, now | |||
appellant, and this despite the forcefulness of the clauses that appear in the | |||
contract and annex to it signed by both companies (proven facts 9 and 10), | |||
as the personal data processed was for the purpose of carrying out an | |||
advertising campaign regarding car and motorcycle insurance marketed by | |||
(XXXX), ultimately for the benefit of said XXXX, said plaintiff being the one that, | |||
ultimately, determines the purposes and means of the repeated data processing, so | |||
that it cannot be exonerated of responsibility. » | |||
The STS continues, in relation to the possible exoneration from responsibility alleged | |||
on the basis of what was signed in the "processor" contract, as follows: | |||
« The sanctioned conduct of obstruction or impediment by XXXX of the exercise | |||
by its client of the right of opposition to the processing of his data is manifested in | |||
that said company did not adopt any kind of measure or precaution to avoid the | |||
sending of advertising to its client's email addresses by | |||
those companies to which it entrusted the advertising campaigns. | |||
The adoption of the necessary measures or precautions to ensure the effectiveness of the | |||
right to object to the processing of his data by XXXX, as | |||
responsible for the file, subsists even if the advertising campaigns are not carried out | |||
starting from the data in its own files, but with databases of other | |||
companies hired by XXXX, and in this case it was proven that the appellant | |||
did not inform the companies with which it contracted advertising | |||
services of the complainant's opposition to receiving advertising from the Mutual, nor ultimately | |||
made any provision to ensure the exclusion of its customer from the advertising | |||
mailings contracted with third parties. » | |||
Consequently, it must be concluded that in all the treatments analyzed in the | |||
antecedents, in their various modalities, the data controller is | |||
Vodafone España, SAU (VDF), with those other entities that act in the name, | |||
on behalf and for the benefit of VDF acting as processors. | |||
From the documentation in the file that is mentioned in | |||
this resolution, from the information collected by the Inspection of this | |||
AEPD and from VDF's own acts and statements, the breach by | |||
VDF, as controller of the entrusted treatments, of the effective and | |||
continued control over time of the measures provided in the above transcribed art 28 of the | |||
GDPR is accredited. In this regard, it should be added that the obligation provided in article 28.3.h) RGPD, | |||
by using at the beginning the imperative term "put" referring to the | |||
processor, generates the obligation to «demand» from the controller « compliance with the | |||
obligations established in this article, as well as to allow and contribute to | |||
the performance of audits, including inspections, by the controller or another | |||
auditor authorized by said controller. » | |||
Thus, it is established that the processors (and successive sub-processors) | |||
acting in the name and on behalf of VDF do not offer sufficient guarantees to | |||
apply the appropriate technical and organizational measures to the treatment commissioned by | |||
VDF. Nor are the tasks entrusted to the successive processors who carry out | |||
the treatments in the name and on behalf of the controller (VDF) duly | |||
documented by VDF. Furthermore, treatments that violate the scope of | |||
application of the RGPD, by allowing treatments in third countries without | |||
adequate legal guarantees, are listed as approved by VDF. | |||
Nor is there prior written authorization from VDF, given with knowledge of the | |||
technical and organizational measures of the successive entities subcontracted by other | |||
processors, since VDF is only informed once the sub-processor has already | |||
been chosen, for the sole purpose of assigning an access code to the | |||
VDF client management applications. VDF, as the data controller, | |||
does not know in advance who will act as | |||
processor / sub-processor on its behalf, or under what conditions, or under its | |||
specific specifications - which do not exist - and has accepted this behavior without qualms, | |||
continuously and repeatedly, since at least April 2018, even having | |||
knowledge of this anomaly. | |||
Nothing appears in the relationship between VDF and the processors and successive sub-processors | |||
with respect to the requirements listed in the aforementioned article 28.3, which, in summary, | |||
consist of the data controller (VDF) defining in advance the object, | |||
duration, nature, purpose, types of data, categories, obligations and rights of | |||
interested parties, and mandatory powers of continuous control, etc. Only on | |||
specific occasions is it stated that one or another specific guideline for action | |||
was informally communicated, without this implying any effective control by VDF over the | |||
treatments entrusted (and in turn sub-entrusted) on its behalf and in its | |||
name. | |||
Therefore, non-compliance with data protection regulations must be | |||
fully imputed to the data controller (VDF) for not acting in a | |||
clear, active and effective manner in stipulating and enforcing the appropriate specifications for | |||
carrying out the treatment entrusted on its behalf adequately over time. | |||
Nor is there evidence that VDF has carried out continuous monitoring throughout the | |||
execution cycle of the treatments commissioned, and in turn sub-commissioned, to other | |||
entities on its behalf, despite the numerous known claims and | |||
the ongoing investigations carried out by the AEPD, of which VDF had | |||
knowledge, and especially regarding the repeated conduct already sanctioned | |||
previously in PS/00290/2018. | |||
Consequently, according to the aforementioned, VDF has seriously infringed - repeatedly and | |||
systematically - the obligations imposed on it as controller of the treatments | |||
carried out on its behalf by the provisions of article 28 of the RGPD, in relation to the | |||
responsibilities required of every data controller by art 24 of the RGPD, | |||
especially with regard to the principles and proactive responsibility declared | |||
in articles 5.1.f) and 5.2) of the RGPD. | |||
On the other hand, article 44 of the RGPD states the following: | |||
<< Article 44 General principle of transfers | |||
Transfers of personal data that are undergoing treatment, | |||
or will be after their transfer to a third country or international organization, will only be made if, | |||
subject to the other provisions of this Regulation, the controller and the | |||
processor fulfill the conditions established in this | |||
chapter, including those relating to onward transfers of personal data | |||
from the third country or international organization to another third country or other international | |||
organization. All the provisions of this chapter shall be applied in order to | |||
ensure that the level of protection of natural persons guaranteed by this | |||
Regulation is not undermined >>. | |||
In the present case, the international transfer of data to a third country | |||
(Peru) without the appropriate measures required in the RGPD having been accredited, there is no evidence that VDF, in its capacity | |||
as data controller, has fulfilled the conditions established in | |||
Chapter V of the RGPD (already justified in the answer to claim 6R on page | |||
65 of this Resolution). | |||
VII | |||
Secondly, it should be noted that from the perspective of the GDPR there are | |||
various legal concepts that directly complement those incorporated in the | |||
LGT and LSSICE. | |||
In this sense, regarding the LGT and the right to object (right of | |||
opposition) to receiving unwanted calls for commercial communication purposes and to be | |||
informed of this, the concept of opposition will be applied in accordance with the RGPD. It | |||
must be added that, according to the LOPDGDD, Title IV, which includes «Provisions | |||
applicable to specific treatments», incorporates a series of cases that in no | |||
case should be considered exhaustive of all lawful treatments. Among them | |||
it is worth noting, in the first place, those for which the legislator establishes a | |||
presumption "iuris tantum" of prevalence of the legitimate interest of the controller when | |||
they are carried out with a series of requirements. Along with these cases others are | |||
included, such as the advertising exclusion files, in which the legality of the treatment | |||
comes from the existence of a public interest, in the terms established in | |||
article 6.1.e) of the RGPD, which requires, in accordance with the provisions of article 8.2, | |||
that it be contemplated in a norm with the force of law that provides for it, which, in | |||
this case, is article 23 of the LOPDGDD itself, which regulates the “advertising | |||
exclusion systems”. | |||
This is provided by art 21 of the RGPD: | |||
<< Right of opposition | |||
1. The interested party will have the right to object at any time, for reasons | |||
related to their particular situation, to personal data concerning them | |||
being subject to a treatment based on the provisions of Article 6 (1), | |||
letters e) or f), including profiling based on these provisions. | |||
The data controller will stop processing the personal data, unless | |||
it proves compelling legitimate reasons for the treatment that prevail over the | |||
interests, rights and freedoms of the interested party, or for the formulation, | |||
exercise or defense of claims. | |||
2. When the purpose of the processing of personal data is direct | |||
marketing, the interested party will have the right to object at any time to the treatment of | |||
the personal data concerning them, including profiling | |||
insofar as it is related to the aforementioned marketing. | |||
3. When the interested party opposes the treatment for direct marketing purposes, | |||
the personal data will no longer be processed for these purposes. | |||
4. At the latest at the time of the first communication with the interested party, the | |||
right indicated in sections 1 and 2 will be explicitly mentioned to the interested party | |||
and will be presented clearly and apart from any other information. | |||
5. In the context of the use of information society services, and | |||
notwithstanding the provisions of Directive 2002/58/EC, the interested party may exercise their | |||
right to object by automated means that apply technical | |||
specifications. | |||
6. When personal data is processed for scientific or historical research purposes or | |||
statistical purposes in accordance with Article 89 (1), the | |||
interested party will have the right, for reasons related to their particular situation, to | |||
oppose the processing of personal data concerning them, unless it is | |||
necessary for the fulfillment of a mission carried out for reasons of public | |||
interest >>. | |||
The foregoing, without prejudice to the sanctioning regime being the one regulated in the | |||
LGT. | |||
Regarding the LSSICE, the need for express authorization by the recipients of | |||
commercial communications by electronic means is specifically set out | |||
in art 21.1 of the LSSICE, which states: | |||
<< Article 21. Prohibition of commercial communications made through | |||
email or equivalent electronic means of communication. | |||
1. The sending of advertising or promotional communications by | |||
email or other equivalent electronic means of communication that | |||
had not previously been requested or expressly authorized by the | |||
recipients of the same is prohibited >>, | |||
Without prejudice to the fact that, for the formal purposes of obtaining authorization, the applicable | |||
norm is the provisions of art 4.11, in relation to art 19 of the LSSICE, which | |||
provides: | |||
<< 1. Commercial communications and promotional offers will be governed, in addition | |||
to this Law, by their own regulations and those in force in commercial and | |||
advertising matters. | |||
2. In any case, Organic Law 15/1999, of December 13, on the | |||
Protection of Personal Data, and its implementing regulations will apply, especially | |||
regarding the obtaining of personal data, the information to the | |||
interested parties and the creation and maintenance of personal data files >>. | |||
However, regarding the right to object, article 21.2 of the LSSICE | |||
establishes the obligation to offer the recipient the possibility of opposing the | |||
processing of their data for promotional purposes by means of a simple | |||
and free procedure, both at the time of data collection and in each of the | |||
commercial communications addressed to them. | |||
<< Article 21.2. Prohibition of commercial communications made through | |||
email or equivalent electronic means of communication. | |||
(…) | |||
2. The provisions of the previous section shall not apply when there is a | |||
prior contractual relationship, provided that the provider had lawfully obtained | |||
the recipient's contact details and uses them to send commercial | |||
communications related to products or services of its own company that are | |||
similar to those that were initially contracted with the client. | |||
In any case, the provider must offer the recipient the possibility of opposing the | |||
processing of their data for promotional purposes by means of a simple | |||
and free procedure, both at the time of data collection and in each of the | |||
commercial communications addressed to them. | |||
When the communications have been sent by email, said | |||
means must necessarily consist of the inclusion of an email | |||
address or other valid electronic address where this right can be exercised, | |||
it being forbidden to send communications that do not include said address >>. | |||
In this sense, this modality of exercise of the right of opposition constitutes a | |||
specific obligation in the field of commercial communications made | |||
through electronic means. By virtue of article 95 of the RGPD, additional | |||
obligations that have the same objective are not to be imposed, as would be, in this | |||
case, the duty to consult the advertising exclusion systems provided for in article | |||
23.4 of the LOPDGDD, which, for this reason, is not applicable. | |||
In any case, the offense is regulated in the sanctioning regime of the LSSICE. | |||
Regarding the rights exercised by those affected to avoid being recipients of | |||
direct marketing actions. | |||
Recital 70 of the RGPD. | |||
<< If personal data are processed for direct marketing purposes, the | |||
interested party must have the right to object to said treatment, including | |||
profiling insofar as it is related to such direct | |||
marketing, whether with respect to an initial or subsequent treatment, and this at any | |||
moment and at no cost. Said right must be explicitly communicated to the | |||
interested party and presented clearly and apart from any other information >>. | |||
Likewise, the aforementioned legal concepts indicated by the RGPD (including that | |||
provided in art 21 RGPD transcribed above) and directly applicable to the LGT | |||
are also incorporated into the LOPDGDD as follows: | |||
Art 23 LOPDGDD. | |||
Article 23. Advertising exclusion systems. | |||
<< 1. The processing of personal data that is intended to prevent the sending | |||
of commercial communications to those who have expressed their refusal or | |||
opposition to receiving them will be lawful. For this purpose, information systems may be created, general | |||
or sectoral, in which only the data essential to identify | |||
those affected will be included. These systems may also include preference services, | |||
by which those affected limit the reception of commercial communications | |||
to those from certain companies. | |||
2. The entities responsible for the advertising exclusion systems will notify | |||
the competent control authority of their creation, their general or sectoral nature, as well | |||
as the way in which those affected can join them and, where appropriate, | |||
assert their preferences. The competent control authority will make public on its | |||
electronic headquarters a list of the systems of this nature that have been | |||
communicated to it, incorporating the information mentioned in the previous paragraph. To this | |||
end, the competent control authority to which the creation | |||
of the system has been communicated will make it known to the other control authorities for its | |||
publication by all of them. | |||
3. When an affected party expresses to a controller the wish that their data not | |||
be processed for the sending of commercial communications, the controller must inform them | |||
of the existing advertising exclusion systems, being able to refer to the | |||
information published by the competent control authority. | |||
4. Those who intend to make direct marketing communications must | |||
previously consult the advertising exclusion systems that could affect their | |||
action, excluding from the treatment the data of those affected who had | |||
expressed their opposition or refusal to it. For these purposes, to consider | |||
the above obligation fulfilled, consulting the exclusion systems | |||
included in the list published by the competent control authority will suffice. | |||
It will not be necessary to carry out the query referred to in the previous paragraph when the | |||
affected party has provided, in accordance with the provisions of this organic law, their | |||
consent to receive the communication to whoever intends to make it. >> | |||
VIII | |||
In the event of an infringement of the RGPD precepts, among the | |||
corrective powers available to the Spanish Data Protection Agency, | |||
as a supervisory authority, Article 58.2 of said Regulation contemplates the | |||
following: | |||
“2 Each supervisory authority shall have all the following corrective powers | |||
listed below: | |||
(…) | |||
b) punish any person responsible or in charge of the treatment with warning | |||
when the processing operations have infringed the provisions of this | |||
Regulation; | |||
(...) | |||
d) order the person in charge of the treatment that the operations of | |||
treatment comply with the provisions of this Regulation, where appropriate, | |||
in a certain way and within a specified time; | |||
(…) | |||
i) impose an administrative fine in accordance with article 83, in addition to or instead of | |||
the measures mentioned in this section, according to the circumstances of each | |||
particular case;”. | |||
According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) | |||
above is compatible with the sanction consisting of an administrative fine. | |||
IX | |||
Therefore, with VDF as controller of the treatments carried out in its name and | |||
on its behalf, and in accordance with the evidence available at the | |||
present time, it is considered that the facts presented could violate the | |||
provisions of article 28, with the scope expressed in the previous Legal | |||
Grounds, which, if confirmed, could entail the commission of an | |||
offense typified in article 83.4.a) of the RGPD, which under the heading “General | |||
conditions for the imposition of administrative fines” provides the following: | |||
Article 83.4.a) of the RGPD, | |||
"4. Violations of the following provisions will be sanctioned, in accordance with | |||
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, | |||
in the case of a company, an amount equivalent to a maximum of 2% of the | |||
total annual global business volume of the previous financial year, opting for | |||
the highest amount: | |||
a) the obligations of the controller and the processor in accordance with articles 8, 11, 25 to | |||
39, 42 and 43 ". | |||
Considered serious for the purposes of prescription in article 73 of the LOPDGDD. | |||
Article 83.5.c) of the RGPD, | |||
"5. Violations of the following provisions will be sanctioned, in accordance with | |||
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, | |||
in the case of a company, an amount equivalent to a maximum of 4% of the | |||
total annual global business volume of the previous financial year, opting for | |||
the highest amount: | |||
c) transfers of personal data to a recipient in a third country or an | |||
international organization according to articles 44 to 49 ”. | |||
In the present case, the performance by VDF, in its capacity as | |||
data controller, of an international transfer of data to a third country | |||
(Peru) by consenting to Casmar carrying out for A-Nexo the marketing | |||
actions in the name and on behalf of VDF, according to the contract signed on | |||
05/01/2019 between VDF and Casmar and the subsequent contract signed between Casmar and A-nexo | |||
dated 06/27/2019; an infringement considered very serious for the purposes of prescription in | |||
art 72.l) of the LOPDGDD. | |||
X | |||
Article 71 of the LOPDGDD. Infractions. | |||
The acts and conducts referred to in sections 4, 5 | |||
and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are | |||
contrary to the present organic law, constitute infractions. | |||
Article 72.1.l) Violations considered very serious. | |||
<< 1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, | |||
the infractions that suppose a substantial violation of the articles mentioned therein | |||
are considered very serious and will prescribe after three years and, in particular, the | |||
following: | |||
l) The international transfer of personal data to a recipient who is | |||
located in a third country or an international organization, when the | |||
guarantees, requirements or exceptions established in articles 44 to 49 of | |||
Regulation (EU) 2016/679 are not met. >> | |||
Article 73 LOPDGDD. Violations considered serious. | |||
<< Based on what is established in article 83.4 of Regulation (EU) 2016/679, | |||
the infractions that suppose a substantial violation of the articles mentioned therein | |||
are considered serious and will prescribe after two years and, in particular, the | |||
following: | |||
j) The hiring by the controller of a processor | |||
that does not offer sufficient guarantees to apply the appropriate technical and | |||
organizational measures in accordance with the provisions of Chapter IV of Regulation | |||
(EU) 2016/679. | |||
k) Entrusting the processing of data to a third party without the prior formalization of a | |||
contract or other written legal act with the content required by article 28.3 of the | |||
Regulation (EU) 2016/679. | |||
p) The processing of personal data without carrying out a prior assessment of the | |||
elements mentioned in article 28 of this organic law. | |||
In the present case, VDF is charged with the violation of article 28 of the RGPD, | |||
punishable in accordance with article 83.4.a) of the RGPD, offense typified in Article | |||
73 of the LOPDGDD, sections j), k), p), and classified as serious for the purposes of | |||
prescription. | |||
In order to determine the administrative fine to be imposed, the | |||
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state : | |||
"1. Each supervisory authority will guarantee that the imposition of fines | |||
administrative under this article for the infractions of this | |||
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case | |||
effective, proportionate and dissuasive. | |||
2. Administrative fines will be imposed, depending on the circumstances of each | |||
individual case, as an additional or substitute title for the measures contemplated in the | |||
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine | |||
administrative and its amount in each individual case will be duly taken into account: | |||
a) the nature, severity and duration of the offense, taking into account the | |||
nature, scope or purpose of the processing operation in question, as well as | |||
the number of interested parties affected and the level of damages that they | |||
have suffered; | |||
b) intentionality or negligence in the infringement; | |||
d) the degree of responsibility of the controller or the processor, | |||
taking into account the technical or organizational measures that they have applied by | |||
virtue of articles 25 and 32; | |||
h) the way in which the supervisory authority learned of the infringement, in | |||
particular whether the controller or the processor notified the infringement and, if so, | |||
to what extent; | |||
i) when the measures indicated in article 58, paragraph 2, have been ordered | |||
previously against the controller or the processor in relation to the | |||
same issue, compliance with said measures (…); | |||
k) any other aggravating or mitigating factor applicable to the circumstances of the case, | |||
such as financial benefits obtained or losses avoided, directly or | |||
indirectly, through the infringement." | |||
For its part, in relation to article 83.2.k) RGPD, article 76 “Sanctions and | |||
corrective measures” of the LOPDGDD provides: | |||
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation | |||
(EU) 2016/679 will be applied taking into account the graduation criteria | |||
established in section 2 of the aforementioned article. | |||
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, | |||
the following may also be taken into account: | |||
a) The continuing nature of the offense. | |||
b) The link between the offender's activity and the processing of | |||
personal data. | |||
c) The benefits obtained as a result of the commission of the offense. | |||
(…) | |||
In accordance with the transcribed precepts, and as derived from the instruction of the | |||
procedure, for the purpose of setting the amount of the penalty for infringement of | |||
article 28 of the RGPD by VDF, as responsible for the aforementioned offense typified in | |||
article 83.4.a) of the RGPD, the fine to be imposed should be graduated as follows: | |||
Infringement for breach of the provisions of article 28 in relation to article 24 | |||
of the RGPD, typified in article 83.4.a) and classified as serious for the purposes of | |||
prescription in article 73, sections j), k), p) of the LOPDGDD: | |||
In the present case, the following graduation criteria are considered concurrent: | |||
. The nature, severity and duration of the offense, taking into account the nature, | |||
scope or purpose of the processing operations in question; with regard to | |||
nature and severity, it is established that the processing under analysis reflects a | |||
manifest situation of imbalance to the detriment of the rights of the interested parties. | |||
. The intentionality or negligence appreciated in the commission of the infraction; in the | |||
present case, there is serious negligence in the conduct of VDF since, after | |||
repeated claims and knowing the facts now analyzed, it continues without | |||
applying appropriate corrective measures. | |||
. The continuing nature of the offense. In the case under examination, a continuing | |||
offense of long duration is proven, from the second quarter of 2018 to date. | |||
. The close link between the offender's activity and the processing of | |||
personal data. It is known that VDF is an entity with more than fifteen million | |||
clients whose personal data are systematically processed in the exercise of | |||
its functions as one of the main telecommunications operators. | |||
. The benefits obtained as a result of the commission of the offense. It is | |||
obvious that the processing for the marketing actions now analyzed | |||
is aimed at making a profit. | |||
. The status of the responsible entity as a large company and its turnover | |||
(according to the audited annual accounts report corresponding to the period March | |||
2018 to March 2019, more than 1,600 million euros of turnover and more than | |||
4,000 employees). | |||
. High volume of data and processing that constitutes the object of the file. | |||
The documentation provided by VDF shows that the processing operations for marketing | |||
actions exceed two hundred million. | |||
. High number of affected persons. They comprise, at least, the 162 claimants. | |||
. The imputed entity (VDF) does not have adequate procedures for | |||
the hiring and effective monitoring of its processors, | |||
so that the infringement is not the consequence of a specific anomaly in the | |||
operation of these procedures but a persistent and continuous defect of the | |||
personal data management system designed by the controller with regard to | |||
the processing delegated to its processors. | |||
Considering the factors set out, the initial assessment of the amount of the | |||
fine for the infringement of art. 28 of the RGPD is € 4,000,000 (four | |||
million euros) and for the infringement of art. 44 of the RGPD, typified in | |||
Article 83.5.c) of the RGPD, is € 2,000,000 (two million euros). | |||
XI | |||
Both the initiation agreement and the proposed resolution warned of the | |||
following: | |||
“If the infringement is confirmed, it could also be agreed to impose on the person responsible | |||
(Vodafone España, SAU) the adoption of appropriate measures to adjust its | |||
conduct to the regulations mentioned in this act, in accordance with the provisions of | |||
the aforementioned article 58.2.d) of the RGPD, according to which each control authority may | |||
“order the controller or processor to bring processing operations | |||
into compliance with the provisions of this Regulation, where appropriate, | |||
in a certain way and within a specified period…”. | |||
In this case, in the resolution adopted, this Agency may require the responsible | |||
entity, within the period to be determined, to adapt to the regulations on the | |||
protection of personal data the processing operations delegated to its | |||
processors, all with the scope expressed in the Fundamentals of Law of the | |||
present agreement and without prejudice to what results from the instruction. | |||
It is noted that not meeting the requirements of this body may be | |||
considered a serious administrative offense for “not cooperating with the control | |||
Authority” in view of the requirements made, and such conduct may be assessed at | |||
the time of the opening of an administrative sanctioning procedure with a pecuniary | |||
fine”. | |||
In the present case, in the operative part of this Resolution and by virtue of the | |||
corrective powers indicated in article 58.2.d) of the RGPD, VDF is ordered, | |||
within six months from the notification of | |||
this Resolution, to accredit to this AEPD that it has adjusted to the provisions of the | |||
RGPD and LOPDGDD all the processing operations analyzed in the present | |||
procedure referred to in articles 17, 21, 24, 28 and 44 to 49 of the RGPD and 12, 15, 18, | |||
23, 40 to 43 of the LOPDGDD. | |||
XII | |||
Article 21 of the LSSICE. Prohibition of commercial communications made | |||
via email or equivalent electronic means of communication. | |||
<< 1. The sending of advertising or promotional communications by | |||
email or other equivalent electronic means of communication that | |||
had not previously been requested or expressly authorized by their | |||
recipients is prohibited. | |||
2. The provisions of the previous section shall not apply when there is a | |||
prior contractual relationship, provided that the provider had lawfully obtained | |||
the recipient's contact details and uses them to send commercial | |||
communications related to products or services of its own company that are | |||
similar to those that were initially contracted with the client. | |||
In any case, the provider must offer the recipient the possibility of opposing the | |||
processing of their data for promotional purposes using a simple and free | |||
procedure, both at the time of data collection and in each of the | |||
commercial communications addressed to them. | |||
When the communications have been sent by email, said | |||
means must necessarily consist of the inclusion of an email | |||
address or other valid electronic address where this right can be exercised; | |||
it is forbidden to send communications that do not include said address. >> | |||
In the present case, it is established that the processing carried out by sending | |||
electronic communications (SMS, email) through the different channels used | |||
lacks the express authorization of the recipients. Communications made | |||
via SMS were carried out without offering the recipient an effective and | |||
proven possibility of objecting to the processing. This possibility was not implemented until | |||
November 2018, through a link to a website exclusively for this purpose, and | |||
did not become effective, since the objection requests were not attended to. | |||
In addition, it is established that commercial communications have been made in the name and on | |||
behalf of VDF by electronic means to recipients who had not expressly authorized them | |||
and who had no commercial relationship with VDF. | |||
From the evidence obtained, it is observed that the VDF procedure for | |||
carrying out direct marketing actions through electronic commercial | |||
communications to potential clients does not guarantee compliance with | |||
Article 21 of the LSSICE, as the SMS sending actions are addressed to randomly | |||
generated numbers and addresses, which prevents verifying the existence of | |||
prior and express authorization or, failing that, the existence of a prior commercial | |||
relationship for similar services. | |||
XIII | |||
Article 38 of the LSSICE. Infractions. | |||
"1. Violations of the precepts of this Law will be classified as very serious, | |||
serious and minor. | |||
2. The following are very serious offenses: a) (No content) b) Failure to comply with the | |||
obligation to suspend transmission, data hosting, access to the network or the | |||
provision of any other equivalent intermediation service, when a body | |||
competent administrative authority orders it, by virtue of the provisions of article 11. c) | |||
(Repealed) d) (Repealed) | |||
3. The following are serious offenses: | |||
c) The massive sending of commercial communications by email or other | |||
equivalent electronic means of communication, or their insistent or systematic sending to | |||
the same recipient of the service, when said sendings do not meet the requirements | |||
established in article 21. | |||
d) The significant breach of the obligation of the service provider | |||
established in section 1 of article 22, in relation to the procedures for | |||
revoking the consent given by the recipients. | |||
XIV | |||
Article 39 of the LSSICE. Sanctions | |||
<< Sanctions. 1. For the commission of the infractions included in the previous article, | |||
The following sanctions will be imposed: | |||
a) For the commission of very serious offenses, a fine of 150,001 to 600,000 euros. | |||
The reiteration within three years of two or more very serious offenses, | |||
sanctioned with firm character, may give rise, depending on their circumstances, to the | |||
sanction of prohibition of action in Spain, for a maximum period of two | |||
years. | |||
b) For the commission of serious offenses, a fine of 30,001 to 150,000 euros. >> | |||
Article 40 of the LSSICE. Grading of the amount of penalties. | |||
"The amount of fines that are imposed will be graduated according to the following | |||
criteria: | |||
a) The existence of intentionality. | |||
b) Period of time during which the offense has been committed. | |||
c) The recidivism by commission of infractions of the same nature, when thus | |||
has been declared by final resolution. | |||
d) The nature and amount of the damages caused. | |||
e) The benefits obtained by the infringement. | |||
f) Billing volume affected by the infringement committed. | |||
g) Adherence to a code of conduct or an advertising self-regulation system | |||
applicable with respect to the offense committed, which complies with the provisions of article | |||
18 or in the eighth final provision and that has been favorably informed by the | |||
competent body or bodies ”. | |||
In the present case, the aggravating factors a) to f) indicated in the above-transcribed | |||
art. 40 of the LSSICE are assessed against the VDF entity. | |||
XV | |||
Article 45 of the LSSICE. Prescription. | |||
"Very serious infractions will prescribe after three years, serious ones after two years and | |||
minor ones after six months; the sanctions imposed for very serious offenses will prescribe | |||
after three years, those imposed for serious offenses after two years and those imposed for | |||
minor offenses after one year ”. | |||
In the present case, the serious offenses committed by VDF have not | |||
prescribed. | |||
XVI | |||
The facts presented could imply for Vodafone España, SAU the commission of an | |||
infringement of article 21 of the LSSICE. | |||
These offenses are classified as serious in article 38.3.c) and d) of the aforementioned | |||
Law, and each may be sanctioned with a fine of € 30,001 to € 150,000, in | |||
accordance with article 39 of the aforementioned LSSICE. | |||
XVII | |||
After the evidence obtained in the preliminary investigations and instruction phase, it is | |||
considered that the sanction to be imposed should be adjusted in accordance with the following | |||
criteria established by art. 40 of the LSSI: | |||
- The existence of intentionality, an expression that must be interpreted as equivalent | |||
to the degree of guilt according to the Judgment of the National Court of | |||
11/12/2007 handed down in Appeal no. 351/2006, it being the responsibility of the | |||
denounced entity to establish a system for obtaining informed consent | |||
that conforms to the mandate of the LSSICE (section a). | |||
- Period of time during which the offense has been committed, running since the | |||
claim of May 2018 (section b). | |||
- The recidivism by commission of infractions of the same nature, when this | |||
has been declared by final resolution, as recidivism has been accredited | |||
in the same conduct that was sanctioned in the reference procedure | |||
PS / 00290/2018 (section c). | |||
- The nature and amount of the damages caused, in relation to the volume of | |||
users affected by the infringement: more than 12 million commercial marketing | |||
actions (section d), and more than 200 million commercial actions. | |||
- The benefits obtained by the infringement, in relation to the volume of users | |||
affected by the offense (section e). | |||
- Billing volume affected by the infringement committed, since it exceeds one thousand | |||
six hundred million euros in the accounting period from March 31, 2018 to March 31, | |||
2019 (section f). | |||
In accordance with these criteria, it is deemed appropriate to impose on Vodafone España, | |||
SAU for violation of article 21 of the LSSI a penalty of € 150,000 (one hundred | |||
fifty thousand euros). | |||
XVIII | |||
Article 48.1.b) of the LGT | |||
<< Article 48. Right to the protection of personal data and privacy in relation | |||
with unsolicited communications, traffic and location data and | |||
subscriber directories. | |||
1. Regarding the protection of personal data and privacy in relation to | |||
unsolicited communications, end users of electronic communications | |||
services will have the following rights: | |||
b) To oppose receiving unwanted calls for commercial communication purposes | |||
that are carried out through systems other than those established in the previous letter and | |||
to be informed of this right >>. | |||
In the present case, it is proven that commercial actions have been carried out | |||
in the name and on behalf of VDF through calls to recipients (end users) who | |||
had expressed their opposition, either before the calling entity or through prior | |||
inclusion in Adigital's Robinson exclusion list and / or the internal exclusion | |||
lists of each of the entities involved in the processing entrusted | |||
by VDF in its own name. | |||
From the evidence obtained, indicated in the antecedents, it is observed that the | |||
VDF procedure to carry out direct marketing actions | |||
through telephone calls does not guarantee compliance with the right of opposition | |||
of the end users it contacts not to receive commercial calls, either in the | |||
case of: | |||
1. campaigns managed directly by VDF, or in the case of | |||
2. campaigns managed by processors and sub-processors, whether | |||
using VDF's own database, where VDF does not verify that it is used | |||
in compliance with its instructions, or using the databases of | |||
the processors hired in the name and on behalf of VDF. VDF | |||
does not know how the processing is carried out by the processors and their | |||
sub-processors. It does not know the contracts between them, and therefore does not have information | |||
on the origin of the data or on who assumes, in this subcontracting, the mandatory | |||
consultation of the advertising exclusion files. | |||
It is also established that VDF does not communicate the exercise of a right of opposition that | |||
it has granted, at the request of an affected party or after the resolution of a claim before the | |||
AEPD, to the processors or to those whom they in turn subcontract for the material performance of | |||
the calls. This situation has the consequence of reducing the | |||
exercise of the right of opposition provided for in the aforementioned precepts, and makes | |||
the opposition procedure ineffective, as nothing prevents commercial calls from being | |||
made again to those affected who are in the cases described. | |||
XIX | |||
Article 77.37 LGT. Serious offenses. | |||
<< The following are considered serious offenses: | |||
37. The serious violation of the rights of consumers and end users, | |||
as established in Title III of the Law and its implementing regulations. | |||
In the present case, the facts analyzed are considered a serious infraction given the great | |||
volume of marketing actions carried out and of claims received at | |||
this AEPD as a consequence of the violation of the rights of the interested parties, as well | |||
as the excessive and continuous duration of the marketing actions | |||
carried out in the name and on behalf of VDF. | |||
Article 83. Prescription | |||
<< 1. The infractions regulated in this Law will prescribe, the very serious ones, to the three | |||
years; the serious ones, after two years, and the minor ones, after one year. | |||
The statute of limitations for infringements will begin to run from the day on | |||
which they were committed. The initiation of the sanctioning procedure, with the | |||
knowledge of the interested party, will interrupt the prescription. The limitation period will | |||
run again if the sanctioning file is paralyzed for more than a month for a | |||
cause not attributable to the presumed responsible party. | |||
In the event of continued infringement, the initial date of the computation will be that on | |||
which the infringing activity ceases or that of the last act with which the infringement | |||
is consummated. However, it will be understood that the offense persists as long as the | |||
equipment, apparatus or facilities that are the subject of the file are not at the | |||
disposal of the Administration or there is reliable evidence of the impossibility of their | |||
use. | |||
2. The sanctions imposed for very serious offenses will prescribe after three years; those | |||
imposed for serious offenses, after two years; and those imposed for minor offenses, after one year. The | |||
limitation period of sanctions will begin to be computed from the day | |||
following the one on which the resolution imposing the | |||
sanction becomes final. The prescription shall be interrupted by the initiation, with the knowledge of the interested party, of the | |||
execution procedure, the term running again if it is paralyzed | |||
for more than a month for reasons not attributable to the offender. >> | |||
XX | |||
Article 79.1, c) LGT. Sanctions. | |||
<< 1. For the commission of the offenses typified in the previous articles, | |||
the following sanctions will be imposed: | |||
c) For the commission of serious offenses, a fine of | |||
up to two million euros will be imposed on the offender. >> | |||
XXI | |||
The facts presented involve the commission by VDF of an infraction of | |||
Article 48.1.b) of the LGT, contained in its Title III, which indicates the right: “(…) b) | |||
To object to receiving unwanted calls for commercial communication purposes that | |||
are carried out through systems other than those established in the previous letter and to be | |||
informed of this right ”. | |||
Although the aforementioned article does not explicitly configure such right, reference must be made to | |||
the data protection regulations already indicated in the previous Fundamentals, which | |||
regulate the right of opposition: article 21 of the RGPD and article 23 of the | |||
LOPDGDD. | |||
This offense is classified as "serious" in article 77.37) of said | |||
norm, which considers as such: “ 37. The serious violation of the rights of | |||
consumers and end users, as established in title III of the Law and its | |||
development regulations ”. It may be sanctioned with a fine of up to € 2,000,000, in | |||
accordance with article 79.1.c) of the aforementioned LGT. | |||
In accordance with the indicated precepts, in order to set the amount of the sanction to | |||
be imposed in the present case, it is considered that the sanction should be graduated | |||
in accordance with the following criteria established in article 80.1) and 2) of the LGT: | |||
<< 1. The amount of the penalty imposed, within the limits indicated, will | |||
be graduated taking into account, in addition to the provisions of article 131.3 of Law | |||
30/1992, of November 26, on the Legal Regime of Public Administrations and | |||
the Common Administrative Procedure (it must be understood as referring to article 29 of Law | |||
40/2015, of October 1, on the RJSP), the following: | |||
a) The seriousness of the offenses previously committed by the subject being | |||
sanctioned. | |||
b) The social repercussion of the infractions. | |||
c) The benefit that the fact that is the subject of the offense has brought to the offender. | |||
d) The damage caused and its repair. | |||
e) Voluntary compliance with the precautionary measures that, where appropriate, are imposed | |||
in the sanctioning procedure. | |||
f) Refusal or obstruction of access to the facilities or to provide information or | |||
required documentation. | |||
g) The cessation of the infringing activity, previously or during the processing of the | |||
sanctioning file. | |||
2. The financial situation of the offender will also be taken into account when setting the | |||
sanction, derived from their assets, their income, their possible family | |||
responsibilities and other personal circumstances that they prove affect them. The | |||
offender will be obliged, where appropriate, to pay the fees that they would have had to | |||
pay had they made the notification referred to in article | |||
6 or had they held a title for the use of the public radioelectric | |||
domain >>. | |||
In the specific case, the following aggravating factors are indicated to quantify the | |||
fine: | |||
a) The seriousness of the offenses previously committed by the subject being | |||
sanctioned. It is established that the entity has been sanctioned with a fine or warning more | |||
than 50 times from January 2018 to February 2020. | |||
b) The social repercussion of the infractions. The fact that there are 162 claims recorded at | |||
the AEPD in the term of just under two years, and the large number of | |||
marketing actions through phone calls (about two hundred million | |||
marketing actions), demonstrates the strong repercussion | |||
of the processing now analyzed. | |||
c) The benefit that the fact that is the subject of the offense has brought to the offender. All | |||
commercial actions are aimed at increasing the profits | |||
obtained, which can be estimated from the increase in customers between 2018 and | |||
2020: | |||
- In mobile telephony, the number of mobile telephone contract Clients | |||
amounted to 11.4 million at the end of the quarter. | |||
- In fixed broadband, the Customer base grew again to reach 3.2 | |||
million. | |||
- In fiber, it increased by 60,000 to close the year with 2.9 million. | |||
- On Vodafone TV, the number of Clients grew by 36,000 and exceeded | |||
1.3 million at the close of the last quarter. | |||
d) The damage caused and its repair. The damage caused to the | |||
privacy of those affected who, even having exercised their right of exclusion from | |||
marketing actions, were contacted again for the same purpose, | |||
sometimes repeatedly and insistently. | |||
f) Refusal or obstruction of access to the facilities or to provide the information or | |||
documentation required. It is established that VDF has not met the latest requests | |||
for information issued by this AEPD (E / 07056/2019 and E / 08284/2019). | |||
g) There is also no evidence of the cessation of the infringing activity, previously or during the | |||
processing of the investigation file, or even after the on-site inspection | |||
at the VDF premises in September 2019, since there are | |||
subsequent claims before this AEPD for the same facts. | |||
In relation to the financial situation of the offender, it is clear that VDF is one of the | |||
largest telecommunications operators with annual turnover of more than 1,600 | |||
million euros and more than 4,000 employees. | |||
After the evidence obtained in the preliminary investigations phase, it is considered that | |||
the penalty to be imposed should be graduated in the amount of € 2,000,000 (two million | |||
euros). | |||
Therefore, in accordance with the applicable legislation and having assessed the criteria for | |||
graduation of the sanctions whose existence has been accredited, the Director of the | |||
Spanish Agency for Data Protection RESOLVES: | |||
FIRST: | |||
IMPOSE on VODAFONE ESPAÑA, SAU, with NIF A80907397, for an infringement | |||
of Article 28 of the RGPD in relation to Article 24 of the RGPD, typified in | |||
Article 83.4.a) of the RGPD, an administrative penalty of four million | |||
euros (€ 4,000,000). | |||
IMPOSE on VODAFONE ESPAÑA, SAU, with NIF A80907397, for infringement of | |||
Article 44 of the RGPD, typified in article 83.5.c) of the RGPD, an administrative | |||
penalty of two million euros (€ 2,000,000). | |||
IMPOSE on VODAFONE ESPAÑA, SAU, with NIF A80907397, for infringement of | |||
Article 21 of the LSSICE, classified as serious in Article 38.3.d) and c) of said | |||
regulation, a sanction of one hundred and fifty thousand euros (€ 150,000). | |||
IMPOSE on VODAFONE ESPAÑA, SAU, with NIF A80907397, for infringement of | |||
article 48.1.b) of the LGT, in relation to article 21 of the RGPD and article 23 of the | |||
LOPDGDD, classified as serious in article 77.37 of the LGT, a sanction of | |||
two million euros (€ 2,000,000). | |||
ORDER VODAFONE ESPAÑA, SAU, with NIF A80907397, to certify before this AEPD, within a | |||
period of six months from the notification of this Resolution, | |||
that it has adjusted to the provisions of the RGPD and LOPDGDD all the | |||
processing operations analyzed in this procedure referring to | |||
Articles 17, 21, 24, 28 and 44 to 49 of the RGPD and 12, 15, 18, 23, 40 to 43 of the LOPDGDD. | |||
SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, SAU, with | |||
NIF A80907397, with address at Avda. De América 115, 28042 Madrid. | |||
THIRD: Warn the sanctioned party that it must pay the sanction imposed | |||
once this resolution is enforceable, in accordance with the provisions of | |||
art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure | |||
of Public Administrations (hereinafter LPACAP), within the voluntary payment | |||
period established in art. 68 of the General Collection Regulations, approved | |||
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, | |||
of December 17, by depositing it, indicating the NIF of the sanctioned party and the procedure | |||
number that appears in the heading of this document, in the restricted | |||
account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish | |||
Agency for Data Protection in the banking entity CAIXABANK, SA. | |||
Otherwise, it will be collected in the executive period. | |||
Once the notification has been received and the resolution is enforceable, if the date of enforceability falls | |||
between the 1st and the 15th of each month, both inclusive, the deadline to make the voluntary | |||
payment will be until the 20th of the following month or the immediately subsequent business day, and if it falls | |||
between the 16th and the last day of each month, both inclusive, the payment term | |||
will be until the 5th of the second following month or the immediately subsequent business day. | |||
In accordance with the provisions of article 50 of the LOPDGDD, this | |||
Resolution will be made public once it has been notified to the interested parties. | |||
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the | |||
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the | |||
interested parties may optionally file an appeal for reconsideration before the | |||
Director of the Spanish Agency for Data Protection within one month | |||
counting from the day after the notification of this resolution, or directly a | |||
contentious-administrative appeal before the Contentious-Administrative Chamber of the | |||
National High Court, in accordance with the provisions of article 25 and section 5 of | |||
the fourth additional provision of Law 29/1998, of July 13, regulating the | |||
Contentious-administrative jurisdiction, within two months from the | |||
day following notification of this act, as provided in article 46.1 of the | |||
aforementioned Law. | |||
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, | |||
the final resolution may be provisionally suspended through administrative channels if the | |||
interested party expresses their intention to file a contentious-administrative appeal. | |||
If this is the case, the interested party must formally communicate this fact in | |||
writing addressed to the Spanish Agency for Data Protection, presenting it through | |||
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], | |||
or through any of the other registries provided for in art. 16.4 of the | |||
cited Law 39/2015, of October 1. They must also transfer to the Agency the | |||
documentation that proves the effective filing of the contentious-administrative | |||
appeal. If the Agency is not aware of the filing of the contentious-administrative | |||
appeal within a period of two months from the day following the | |||
notification of this resolution, it will terminate the precautionary suspension. | |||
Mar Spain Martí | |||
Director of the Spanish Agency for Data Protection | |||
ANNEX (Sorted by date of entry of the claim in the AEPD) | |||
Column legend: | |||
: | |||
Sequential order number | |||
R / D / C: | |||
R óbinson / D igh / C Express onsentimiento | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 97 | |||
97/97 | |||
PF / PJ: | |||
Natural Person / Legal Person | |||
LGT / PD / LSSI: | |||
Violated law | |||
F. Robin.credit: | |||
Accredited date inclusion in advertising exclusion lists | |||
LINE: | |||
Sender / Receiver | |||
F. LINE CALL: Date of the advertising action | |||
REFER. AEPD: | |||
Claim reference code in the AEPD | |||
CLAIMANT: | |||
Claimant's name (the number indicates the times claimed) | |||
CLAIM TEXT: Text of the claim submitted by the claimant | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
</pre> | </pre> |
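Review bot: The pasted machine translation still carries the source PDF's page furniture inside the <pre> block: the footer "C / Jorge Juan, 6 / www.aepd.es / 28001 - Madrid / sedeagpd.gob.es" and the "Page 96 / 96/97" and "Page 97 / 97/97" counters interrupt both the payment paragraph and the annex column legend. The legend itself is damaged (its first key is a bare ":" and the "R / D / C" entry reads "R óbinson / D igh / C Express onsentimiento"); suggest stripping the repeated footers and restoring those two legend entries from the Spanish original before this revision is kept.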
Latest revision as of 13:53, 13 December 2023
AEPD - PS/00059/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 28 GDPR Article 44 GDPR § 21 LSSI § 48(1) LGT |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 10.03.2021 |
Fine: | 8125000 EUR |
Parties: | Vodafone España, S.A.U. |
National Case Number/Name: | PS/00059/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | n/a |
The Spanish Data Protection Authority (AEPD) imposed a record fine of €8,125,000 on Vodafone España due to the continuous and numerous violations of several provisions, including Articles 28 and 44 GDPR, the Spanish Information Society Services Act implementing the e-Privacy Directive and the Spanish Telecommunications Act.
English Summary
Facts
The AEPD launched an investigation into Vodafone due to the high number of complaints received regarding unsolicited commercial communications. The AEPD found that 191 claimants had filed these complaints because Vodafone had sent the communications without prior consent or after they had exercised their right to object (mainly by requesting inclusion in the internal or general Robinson list), which would be an infringement of Article 21 LSSI (the Spanish Information Society Services Act). Additionally, the fact that Vodafone did not facilitate or give the claimants an option to exercise the right to object, and the unsolicited communications per se, constituted a breach of Article 48(1) LGT (the Spanish Telecommunications Act).
The AEPD also notes that Vodafone has already been sanctioned several times in a short period of time (2 years) for the same reasons, and that it has nevertheless not been able to rectify the infringing behaviour. The AEPD has continued to receive claims based on the same facts from a high number of data subjects.
The AEPD also discovered that there was a lack of real, continuous, permanent and audited control of the processing operations carried out by the processors on which Vodafone relied to carry out part of its commercial actions. Many of the contracts or agreements concluded between them were merely a checklist, and there was no further control or verification by Vodafone of whether the processors provided the adequate level of protection, measures and safeguards for the processing.
Additionally, it was also found that Vodafone contracted with a processor that would carry out processing of data in Peru, therefore transferring data to a third country, without ensuring an adequate level of protection in any way, as the contract did not make any reference to any kind of mechanism related to international transfers of data.
Dispute
Does the continuous sending of unsolicited communications to different data subjects, some of whom have already objected, constitute a violation of the LSSI and the LGT? Does Vodafone's lack of control and verification over the obligations of the processors it contracts with constitute a violation of Article 28 GDPR? Does contracting with a Peruvian processor without ensuring the adequate level of protection constitute a violation of Article 44 GDPR?
Holding
The AEPD imposed on Vodafone the following sanctions, resulting in a record fine of € 8 125 000:
- A € 4 000 000 fine for the infringement of Article 28 GDPR: due to the hiring of processors who do not comply with adequate safeguards, and the lack of control by Vodafone over this;
- A € 2 000 000 fine for the infringement of Article 44 GDPR: due to the carrying out of international transfers without implementing adequate safeguards (first significant sanction by the AEPD for this reason under GDPR);
- A € 150 000 fine for the infringement of Article 21 LSSI: due to the sending of unsolicited electronic commercial communications;
- A € 2 000 000 fine for the infringement of Article 48(1) LGT + Article 21 LSSI: due to the making of unsolicited commercial calls after several claimants had expressed their opposition or had been included in the general or internal Robinson list. Vodafone did not guarantee the effective exercise of the right to object.
The aggravating factors used to modulate the sanction are of special relevance in this case, especially given the high number of complaints in quite a short period of time. Among the aggravating factors used by the AEPD to graduate the sanctions, the following stand out:
a) The fact that the company had already been sanctioned with a fine or warning, from January 2018 to February 2020, on more than 50 occasions;
b) The fact that there were 161 complaints in a period of just two years;
c) The large number of marketing actions via telephone calls (around 200 000 000).
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00059/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST. Since the second quarter of 2018, this Agency has received 191 claims as of the date of the commencement agreement, 02/26/2020 (23 of them between October 1, 2019 and February 2020), against the entity VODAFONE ESPAÑA, SAU (hereinafter VODAFONE or VDF), with NIF A80907397, denouncing the carrying out of marketing and commercial prospecting actions in the name and on behalf of VDF through telephone calls and by sending electronic commercial communications (SMS messages and emails).
Such actions could violate Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), Law 34/2002, of July 11, on services of the information society and electronic commerce (hereinafter LSSICE), and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantees of Digital Rights (hereinafter LOPDGDD).
The above, because the denounced electronic communications are produced, on the one hand and with regard to the LSSICE, without having been requested or expressly authorized and / or without attending to the exercise of the right to object to the sending of new notifications; on the other, regarding the LGT, without facilitating the possibility of exercising the right of opposition or after the affected party had previously exercised that right through inclusion in the internal advertising exclusion file of the indicated entities (hereinafter Internal Robinson List -LRI-), or through the common general advertising exclusion system named Adigital Robinson List -LRAD-; and, finally, as regards the LOPDGDD, without adapting the procedures and guarantees established for the execution of marketing actions in the content of the contracts with the processors that act in the name and on behalf of the controller (VDF) and without offering the interested party the necessary, sufficient and appropriate means that guarantee the protection of their rights and freedoms.
Likewise, it should be made clear that the analysis of the answers given by the claimed entity to the information requirements of this Agency shows, in summary, the following:
- They do not explain the reason why the events that are the object of the claims happen and continue to happen.
- The origin of the data relating to the telephone line number or e-mail address of the recipients.
- The reason why there are claimants who have exercised the right to object to receiving marketing actions and / or appear in the LRI or LRAD and, nevertheless, commercial actions have been carried out again.
- They do not explain the reasons why the rights exercised by the complainants nor do they propose effective actions aimed at avoiding this type of behavior.
Marketing actions continue after AEPD resolutions protecting the rights exercised and after resolutions of previous sanctioning procedures urging the cancellation of commercial actions and sanctioning the same facts now analyzed.
Regarding the process for the admission of claims provided for in article 65 of the LOPDGDD, it appears that, although a satisfactory answer has been obtained for the claimant in certain claims, the claimed entity having stated that the claimant's data were incorporated into the entities' advertising exclusion files (LRI) (despite already being incorporated in the LRAD), it becomes clear that the procedure carried out is not decisive.
Marketing actions continue, and may involve regular and permanent conduct in violation of the rights and freedoms of the interested parties in the field of direct marketing actions and of attention to the rights recognized in the aforementioned regulations (LGT, LSSICE and LOPDGDD), and an absence of appropriate technical and organizational measures for the effective implementation of the principles and guarantees of the interested parties as indicated by the current regulations cited above.
To which must be added, for the purposes of lack of collaboration, that the latest claims before this Agency during the admission process have not been attended to by the entity, or have been attended to after the expiration of the 3-month period, which has given rise to their admission for processing by imperative of article 65.5 of the LOPDGDD.
The documentation received from VDF on 04/26/2019 (on a pen drive given the large volume of information, with entry registration number 021640/2019) shows that the volume of commercial actions carried out in the name and on behalf of VDF from May 2018 to March 2019 is 200,000,000 (two hundred million).
The annual accounts (March 2018-March 2019) presented by VDF also show that the net amount of the turnover exceeds 1,600 million euros and that it has 4,000 employees.
Consequently, it was deemed necessary for the Subdirectorate General for Data Inspection to initiate investigation actions aimed at clarifying the responsibilities regarding data protection (RGPD and LOPDGDD) that the controller of the processing that is the object of the claims may have incurred in its marketing actions and in its attention to the exercise of the rights established in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/CE (hereinafter RGPD).
It was also deemed necessary to investigate the facts denounced in order to determine the responsibilities that may have been incurred by the party responsible for the marketing actions in relation to the provisions of article 48 of Law 9/2014, of May 9, General Telecommunications (LGT) and article 21 of Law 34/2002, of July 11, on services of the information society and electronic commerce (LSSICE).
SECOND: In view of the above, the Director of the Spanish Data Protection Agency urged the Subdirectorate General for Data Inspection to carry out the investigative actions necessary to clarify the facts denounced, by virtue of the powers of investigation granted to the supervisory authorities in article 57.1 of the RGPD, and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points:
On 02/26/2019, it was agreed to initiate investigative actions in order to establish the possible existence of regular and continued conduct in violation of the data protection regulations (RGPD and LOPDGDD), the LGT and the LSSICE in the field of direct marketing actions by the entity now investigated (VDF).
The object of the investigative actions is the analysis of the internally designed procedures for the data processing carried out in the field of direct marketing in the name and on behalf of VDF, from the moment the data are incorporated into the information systems for which it is responsible until they are no longer used for these purposes. This involves clarifying the origin of the processed data, their subsequent processing and the relationship with the processors, the prior verification of the inclusion of those affected in the internal or general advertising exclusion systems (internal Robinson and general Adigital lists), the management of the rights of opposition and deletion, as well as the technical and organizational measures implemented and their degree of compliance for the protection of the rights and freedoms of the interested parties.
INVESTIGATED ENTITIES
During these proceedings, investigations have been carried out into the following entities:
VODAFONE ONO, SAU VODAFONE ESPAÑA, SAU VODAFONE ENABLER ESPAÑA, SL TELEFONICA DE ESPAÑA, SAU TELEFONICA MOVILES ESPAÑA, SAU LYCA MOBILE, SL XTRA TELECOM INTERACTIVE SERVICES DIALOGUE FLASH MEDIA EUROPE, ORANGE ESPAÑA, SAU GLOBALIA CALL CENTER, SA MARKTEL GLOBAL SERVICES, SA ENGINYERIA INFORMATICA OLOT, SL CASMAR TELECOM, SL (hereinafter Casmar) THREE-QUARTERS FULL, SL (hereinafter TQF)
RESULT OF RESEARCH ACTIONS
1. Since the beginning of the investigative actions recorded in reference file E/01615/2019, 191 claims have been incorporated through reference file E/09541/2018, of which 23 were received from October 2019 to February 2020.
On 02/27/2019, 03/08/2019, 03/18/2019 and 06/07/2019, information requests were addressed to VODAFONE ESPAÑA, SAU, and on 09/18/2019 and 09/30/2019 an on-site inspection was carried out (whose minutes and documentation are incorporated into the file) at the VDF headquarters in order to check against the current regulations the general procedure for managing the data processing related to direct marketing actions through phone calls, SMS and emails, having knowledge of the following:
1.1 In general, marketing actions can be classified according to several criteria.
1.1.1. Campaigns managed directly by VDF and campaigns managed by other entities in the name and on behalf of VDF.
The difference between campaigns managed directly by VDF and those managed by other entities in the name and on behalf of VDF is the following:
In the first (VDF), the databases of the recipients of the commercial actions are provided by VDF and the commercial actions are carried out either by the internal Marketing Department or by the internal Telesales Department (hereinafter TVTA), the latter through entities contracted by VDF that make up what they call the TVTA Platform.
The second (entities acting in the name and on behalf of VDF) are carried out in their entirety by the so-called Distributors / Collaborators / Agents (who sometimes, in turn, subcontract the management and processing of the data of the affected persons for the actual performance of marketing actions in the name and on behalf of VDF), who may in this case use the databases provided by VDF or their own databases, with these distributors / collaborators / agents being in charge, according to VDF, of filtering the data against both Robinson lists (internal, LRI, and Adigital, LRAD).
Regarding the "campaigns managed by other entities on behalf of VDF", it is not established that VDF has technical and organizational control over the processing and databases used by these entities, since, whether the "distributor / collaborator / agent" uses its own databases or those provided by VDF itself, VDF has not implemented technical and organizational methods or means that verify their legality, their origin or their effective prior filtering against the LRI or LRAD, nor for how long they are used.
Nor is there evidence that VDF has real control over the commercial actions themselves (calls, SMS and emails); it has only a formal control based on the contractual obligations that distributors / collaborators / agents acquire with VDF, which refers only to internal informative communications, not to prior authorizations to carry out marketing actions, in the case that they use the distributors' / collaborators' / agents' own databases, which are therefore unrelated to VDF.
In this sense, it should be noted that the documentation requested from VDF and from these entities shows that control over marketing actions is a posteriori, that is, once the deficiency has been detected or a claim has been filed before the AEPD, the acting entities are informed and, where appropriate, corrective actions are indicated.
The internal VDF department that contracts with the distributors / collaborators / agents that make up this second group is called "Distribution / agents" and is divided into several sales channels, among others: << Door to Door channel >> (hereinafter D2D), << online channel >>, << physical corners in shopping centers and establishments >>.
1.1.2. Classification according to who materially performs the commercial actions:
These may be carried out by:
(A) VDF's internal Marketing Department through VDF's own means.
(B) The internal Telesales Department of VDF through the entities that make up the TVTA Platform.
(C) The Department of Distributors / Collaborators / Agents through its network of distributors / agents / collaborators.
A.- VDF's internal Marketing Department carries out its own advertising actions from its own databases, without prejudice to having competencies and functions that extend to the TVTA department.
B.- The VDF TVTA Department is made up of the following outsourced platforms:
For LOWI the telesales platforms are:
- Global Sales Solutions Line, SL (GSS)
- Emergia Contact Center, SL (Emergia)
- Konecta Bto, SL (Konecta)
For VDF and ONO, the telesales platforms are:
- Global Sales Solutions Line, SL (GSS)
- Emergia Contact Center, SL (Emergia)
- Konecta Bto, SL (Konecta)
- Telecyl, SA (Madison)
- Atento Teleservicios Spain Branch in Morocco / Atento Teleservicios Spain, SL (Atento)
- Marktel Servicios de Marketing Telefónico, SA (Marktel)
- Unísono Soluciones de Negocios, SA (Unísono)
VDF states that for each of the platforms that make up the internal TVTA Department there is << a data protection framework agreement >> adapted to the RGPD and, as a minimum, a contract for the provision of services which regulates the rights and obligations, although only from the commercial sphere. All these contracts are negotiated by the Vodafone Group purchasing center, which is located in Luxembourg (Vodafone Procurement, Sarl).
For their part, all the aforementioned entities that make up the platform of the TVTA Department must, prior to being hired, pass a << supplier approval >> process which is managed by the Vodafone Group in Budapest, Hungary. For this, they are sent a checklist in which they are asked for certain information in order to validate whether it is possible to contract with that provider.
The checklist in question is limited to answering certain questions with a "YES" or "NO", without the responses being substantiated or given content and without specifying the management procedures to follow. The content of the form / checklist is as follows:
<<
GOVERNMENT POLICIES
A.1 Where is your headquarters located?
A.2 Do you have a person responsible for the privacy of personal data? YES / NO
A.3 If yes, what is your address?
A.4 Do you have a person responsible for GDPR? YES / NO
A.5 If yes, what is your address?
A.6 Do you have defined and documented policies and procedures for the management of personal data? YES / NO
A.7 Do the policies and procedures include a statement of commitment to the protection of data and privacy? YES / NO
A.8 Do the policies and procedures have transversal rules, established profiles and defined responsibilities on data protection and privacy? YES / NO
A.9 Do the policies and procedures contemplate disciplinary processes in the event of security gaps, including appropriate escalation to report to management? YES / NO
A.10 Are any changes to the data protection policy reported to the management? YES / NO
A.11 Is the management informed of the privacy policy and the data protection procedures on a regular basis, e.g. annually? YES / NO
A.12 If you are asked to have a record of the personal data process, would it be valid and would it be updated? YES / NO
EVALUATION AND MODIFICATIONS OF THE PROCESSING OF PERSONAL DATA
B.1 Is there a procedure to assess whether a requirement or instruction from Vodafone regarding the processing of Vodafone's personal data is legitimate? YES / NO
B.2 Are you prepared to notify Vodafone if your assessment is that the instruction or requirement on the processing of personal data received from Vodafone is illegitimate or could lead to a regulatory breach of the law on data protection and privacy? YES / NO
B.3 Have you defined a process to ensure that, if there are significant changes in the way Vodafone's personal data is processed, Vodafone is contacted to obtain prior approval when appropriate? YES / NO
B.4 Would you be willing to obtain Vodafone's prior written consent before processing Vodafone personal data with an outsourced third party? YES / NO
B.5 Would you be willing to help Vodafone carry out the impact assessment on the privacy of personal data for those processes that Vodafone has classified as High Risk as stated in the GDPR regulations? YES / NO
B.6.1 Will you allow Vodafone to carry out audits of your policies and procedures for the protection of data, security and privacy? YES / NO
B.6.2 Will you allow Vodafone to carry out audits of the systems used to process Vodafone personal data? YES / NO
B.6.3 Will you allow Vodafone to carry out audits of the physical locations in which said Vodafone personal data are processed? YES / NO
B.7 Do you have defined processes to document the processing of personal data that you carry out on behalf of Vodafone? YES / NO
B.8 Do you have defined procedures for the erasure of Vodafone's personal data in accordance with the information retention policy or instructions provided by Vodafone? YES / NO
B.9 In the absence of data retention guidelines established by Vodafone, is there a standard data retention and erasure policy? YES / NO
B.10 Are there processes in place to ensure that once the contract with Vodafone has expired, all Vodafone personal data is retrieved from all systems, returned to Vodafone and removed from all systems? YES / NO
B.11 Has a procedure been established by which to identify and communicate to Vodafone any regulation or regulatory obligation to which you are subject and that requires you to retain personal data after the end of the contract with Vodafone? YES / NO
KNOWLEDGE ABOUT DATA PROTECTION OR PRIVACY AND PREPARATION OF THE DIRECTORS INVOLVED IN THE PROCESSING OF PERSONAL DATA
C.1 Do the contracts signed by your management oblige them to protect and properly manage personal information? YES / NO
C.2 Do the contracts signed by your management oblige them to extend the responsibilities over personal data beyond the working day and after the employment relationship with your company ends? YES / NO
C.3 Do the contracts signed by your employees contemplate disciplinary measures as a result of a failure in their responsibilities with respect to personal data? YES / NO
C.4 Have you communicated the data protection and privacy policy and procedures (through the appropriate channel) to your management and to the information systems personnel who handle personal data? YES / NO
C.5 Is the privacy and data protection policy communicated to all new workers, and to the management when there is a change in professional profile that would in turn produce new responsibilities regarding the processing of personal data? YES / NO
C.6 Is defined and implemented training on data protection and privacy available for all personnel involved in the processing of Vodafone personal data, in order to ensure that all personnel and management have adequate knowledge of the requirements for the processing of personal data? YES / NO
C.7 Can you demonstrate that training has been provided to all new employees, and to existing management when there are changes in the responsibilities regarding the handling of personal data? YES / NO
C.8 Is the training and awareness program carried out on a regular basis, e.g. annually? YES / NO
RIGHTS OF INDIVIDUALS
D.1 In the event of a request for access from an individual, or any other requirement on personal data (including from any Supervisory Entity), do you have a procedure to give coverage to Vodafone or, if required by Vodafone, to meet the request directly? YES / NO
D.2 Is there a procedure in place to assist Vodafone in correcting personal data processed in the systems for which you are responsible? YES / NO
D.3 Does the procedure have escalation processes for communicating information to those responsible, with time limits and local rectification mechanisms? YES / NO
D.4 Do you have defined procedures that allow Vodafone to extract Vodafone personal data from the systems for which you are responsible so that Vodafone can comply with the obligations on the portability of the information of a client or an employee? YES / NO
D.5 Do you have a procedure that would allow Vodafone to block an individual's access to their personal information? YES / NO
D.6 Could Vodafone permanently block access to an individual's personal data? YES / NO
D.7 Could Vodafone block access to an individual's personal data temporarily? YES / NO
D.8 Would you be in a position to meet the requirements that Vodafone may have regarding pseudo-anonymization and anonymization of personal data? YES / NO
DATA SECURITY GAP-INCIDENT AND NOTIFICATION MANAGEMENT
E.1 Do you have defined processes for monitoring logs (activity) and reporting security incidents in relation to Vodafone's personal data to Vodafone? YES / NO
E.2 Are the processes for reporting security incidents and tracking logs on Vodafone's personal data communicated within your organization? YES / NO
E.3 Are reports of security incidents and personal data security breaches investigated internally on a regular basis, including reviewing lessons learned and identifying how many incidents have occurred in the last 12 months? YES / NO
E.4 If there has been a security incident in the last 12 months that has impacted Vodafone personal data, has Vodafone been notified? YES / NO
E.5 Is anyone in your organization responsible for managing incidents and reporting them to Vodafone? YES / NO
E.6 Does the process include the obligation to notify affected customers, such as Vodafone, within 24 hours, to allow customers to investigate and make the corresponding notifications to the regulators before the 72 hours established by GDPR? YES / NO
SUBPROCESSORS
F.1 Is there evidence of due diligence processes for the selection of subcontractors that include a review of the technical, physical and administrative controls concerning personal data protection? YES / NO
F.2 Do you ensure that you have agreements and contracts with your subcontractors with the same or equivalent obligations as required in the contract with Vodafone, in relation to the processing of personal information? YES / NO
F.3 Would you provide Vodafone with the list of subprocessors that are or would be involved in the processing of Vodafone's personal data? YES / NO
F.4 Is there a procedure to inform clients when there is a change in a subprocessor used by the main processor in the processing of personal data? YES / NO
F.5 Is there a return strategy with all subcontractors for returning the personal data used by the subprocessor? YES / NO
LOCATION OF THE PROCESSED PERSONAL DATA
G.1 Are the employees who process Vodafone's personal data in the European Economic Union? YES / NO
G.2 Are the employees who process Vodafone's personal data outside the European Economic Union? YES / NO
G.3 Are the employees who process Vodafone's personal data both in the European Economic Union and outside the European Economic Union? YES / NO
G.4 Do you process Vodafone's personal data in your own data centers located in Europe? YES / NO
G.5 Do you process Vodafone's personal data in your own data centers located outside of Europe? YES / NO
G.6 Do you process Vodafone personal data in third-party data centers located in Europe? YES / NO
G.7 Do you process Vodafone's personal data in third-party data centers located outside of Europe? YES / NO
G.8 Do you process Vodafone's personal data in Amazon AWS-type public cloud data centers? YES / NO
G.9 Do you know the location of all Vodafone personal data and how / when it is used in all the jurisdictions where you operate? YES / NO
G.10 Do you ensure that all standards and procedures in the locations / jurisdictions where you or your subcontractors operate are appropriate and in any case at least comparable to the standards and procedures that you agreed with Vodafone? YES / NO
G.11 Do you transfer Vodafone personal data to a country outside the European Union? YES / NO
G.12 If personal data from Vodafone is transferred to a location such as countries not belonging to the European Union or countries that are not included in the list of "Safe Countries" by the European Union, are you ready to sign a data transfer agreement with Vodafone based on the European Union model clauses for export and import? YES / NO
DISCLOSURE TO THIRD PARTIES
H.1 Is there a defined procedure to evaluate the legitimacy or legality of requests for disclosure of personal data received from third parties, including bodies in charge of ensuring compliance with the law? YES / NO
H.2 Are the employees who receive and process such requests aware of that process? YES / NO
H.3 Does the process have all the guarantees to be safely registered? YES / NO
H.4 Does the process require an assessment to be performed to allow notification to the client of the third party's request for access to or disclosure of the client's personal data? YES / NO
H.5 Does the process establish who could notify the client of the third party's request to access or disclose the client's personal data? YES / NO
CONTRACTS AND RESOURCES
I.1 Would your company be willing to sign a data processing agreement with Vodafone in the terms established by Vodafone to regulate the process? YES / NO
I.2 Would your company formalize an agreement with unlimited liability for the breach of contractual obligations in the processing of personal data? YES / NO
>>
Therefore, any entity that requests to join the TVTA platform has to complete this approval (homologation) before contracting with VDF and joining the TVTA platform. This approval process consists of filling in a form which yields an "OK" (valid) or "KO" (invalid) result. If the result of the form is "OK", VDF generates a code called "SAP", which is assigned as an identifier to the new entity and allows it to conclude contracts in VDF's name.
VDF has the services of a third company that performs quality audits (not specifically in terms of data protection) to verify the correct conduct of the contracted entities and compliance with the processes defined in the contracts.
C.- The Department of Distributors / Collaborators / Agents is divided into several sales channels: “Door to Door” channel (hereinafter D2D), “online channel”, “physical corners in shopping centers and establishments”, among others.
There are exclusive agents who sign << Agency contracts >> with VDF, which always include a general annex on compliance with the data protection regulations, delegating responsibility for compliance with legal obligations to the agents. There are also entities that do not sign an agency contract.
Regarding the D2D channel, two scenarios must be distinguished when analyzing its operation, one referring to the period before the acquisition of ONO by VDF (on 01/10/2018), and another to the period after.
In the first scenario, VDF agents carry out "cold door-to-door" sales actions with potential clients in whose homes VDF fiber optic technology can be installed. Once the potential client accepts the offer, the agent shows on a tablet the contractual conditions of the service to be contracted, which the user accepts, and a verification call is subsequently made by the verification entity Marktel.

In the second scenario, the Distributors / Collaborators / Agents sell through stands in shops and on the street, and in turn also reach << agreements with other telesales and commercial agencies >> (sub-processors on behalf of VDF) for actually making the telephone calls, which manage << their own listings >> of potential customers' phone numbers.

These subcontracted << other telesales and commercial agencies >> are not subject to a prior approval process, as those assigned to the TVTA platform are; instead, VDF currently continues to work with those that already provided the service to ONO before the merger with VDF (on 01/10/2018), and there is no evidence that the technical and organizational means available to them have been verified.

In these cases, VDF does not know the identity of the entities (other telesales and commercial agencies) subcontracted by the Distributor / Collaborator / Agent, nor the technical or organizational guarantees they offer. The information on the identity of these subcontracted entities must be included in the annex to the contract (subcontract) established for this purpose, but it only appears once the subcontracting has taken place; that is, VDF does not know in advance the technical and organizational qualification or the identity of these subcontracted entities, or their capacity to comply with current regulations.
From the clauses of the standard contract called "Canal Presencial 2019-2020" (for example, the one with CASMAR of May 1, 2019) signed between VDF and the entities attached to the TVTA platform, there follows an obligation to notify VDF in advance of the list of sub-processors on behalf of VDF that the distributors / collaborators / agents will use. This communication is set out, among others, in Clauses 5 (resources) and 6 (characteristics of the activity) of the aforementioned contract (included in the file).

Only clauses 13.4 and 13.5 of the aforementioned contract refer to the obligation to comply with data protection regulations, in the following terms: "… without prejudice to the obligations assumed by the COLLABORATOR in compliance with the Data Protection legislation in force at any given time…" (sic). Clause 13.6 expressly states that the "Collaborator will be considered the data processor and must formalize the standard data processing agreement that is attached as Annex IV…".

However, this communication to VDF of the subcontracted entities is declaratory and made after the fact; it is not subject to prior approval by VDF, nor does it reflect the possibility of exercising the rights of the data subjects. The purpose of this statement, according to VDF, is fundamentally to have information when malpractice is detected.
The contracts, allegations and communications between two of the distributors / collaborators / agents (CASMAR and THE THREE QUARTERS FULL SL), as well as the process by which VDF becomes aware of the entities subcontracted in turn by them, have been examined, and it is concluded that the requirement of prior authorization by VDF is not met; rather, VDF becomes aware at the time of contracting, after the informative ANNEX established for this purpose is completed, since it becomes necessary to << register >> the intervening parties (sub-processors on behalf of VDF). Once the aforementioned ANNEX has been completed, VDF registration of the entity to be subcontracted is requested and the following are collected: name and surname (or company name), CIF / NIF and email; it is at that moment that VDF learns the identity of the subcontracted entity.

No evidence has been found that clauses 5 and 6 of the contract called "Canal Presencial 2019-2020" signed between VDF and the entities attached to the TVTA platform. It is recalled that said clauses (which appear in the documentation of the file) are in the "contract for the provision of face-to-face channel services" between VDF and Casmar dated 05/01/2019, which, according to VDF, is a standard contract signed with the entities in charge.

In turn, there is also the contract between Casmar and A-Nexo Contact Center SAC, dated 02/01/2017, which covers the services of selling VDF products through telephone telemarketing offers, according to the script provided by Casmar.

VDF does not provide detailed documentation regarding the data protection guarantees of the contract that supports the relationship between the initial distributor and the subcontracted entity, or the guarantees for the fulfillment of the assignment. As reported by VDF, the contract is similar to the one between VDF and the initial distributors attached to the TVTA platform.
VDF includes, as a generic contractual obligation, that the instructions be passed on to the << third parties >> (sub-processors on behalf of VDF), so that marketing actions are carried out under the terms indicated by VDF, but without guarantees to prove compliance. The contracts between the VDF distributors (CASMAR and THE THREE QUARTER FULL, SL) and << third parties >> (sub-processors on behalf of VDF) have been examined, and it is verified that they are not similar to the one VDF has with the distributors attached to the TVTA platform.

Two modalities can be differentiated in relation to determining the origin of the data and the obligation to consult and filter against exclusion files and the exercise of rights (opposition):

The first, in which VDF contracts with CASMAR and the latter subcontracts A-NEXO, which in turn subcontracts other natural and legal persons, who are the ones that actually make the calls. In this case, the data used for making the calls is, according to CASMAR, provided by A-NEXO; however, the contract states that CASMAR is the one that provides the data. In this sense, the marketing actions that are the object of this contract are carried out by A-NEXO with a data file provided by CASMAR, and nothing is indicated about prior consultation and filtering against the exclusion or exercise-of-rights files. That contract (seventh clause) contains an express prohibition on subcontracting natural or legal persons without the prior express written consent of CASMAR.

CASMAR's reply to the request for information made by the Inspection of this AEPD on 09/11/2019 records that the calls from the numbers ***TELEPHONE.2 and 954781254 were made by A-NEXO. Regarding the destination numbers, CASMAR states that they are random.
By way of example, four emails between CASMAR management and A-NEXO have been added to the file, concerning complaints to the AEPD about improper calls to numbers included in exclusion lists. Among others, from the CASMAR numbers 920211348, 951117277, 958146834, 679905774 and 954781254, to the numbers ***PHONE.1, ***PHONE.2.

The second, in which VDF contracts with THE THREE QUARTERS FULL, SL, which in turn subcontracts other natural and legal persons, who are the ones that actually make the calls. The contracts provided, signed between THE THREE QUARTERS FULL and the sub-processors on behalf of VDF, contain no indication regarding the obligation of prior consultation and filtering against the exclusion files or the exercise-of-rights files. Nor do they state the origin of the data for making commercial calls.

1.2. Origin of the data used by VDF for marketing actions and obligation to filter against the internal Robinson List and Adigital's Robinson List

The origin of the data used by VDF for marketing actions can be grouped into five large groups:
(i) generation of random numbers
(ii) databases rented from third parties
(iii) records generated through the online channel (websites)
(iv) non-VDF databases of distributors / collaborators
(v) VDF databases used by distributors / partners

1.2.1. (i) Generation of random numbers:
Numbers are generated from different numerical ranges at VDF's discretion, for either fixed or mobile numbering. In these cases it may happen that a user has exercised the right of deletion / opposition and, after the random generation, the landline or mobile number is included again in another campaign. Many of these called numbers do not exist or are not assigned to any person.
In any case, before being used for commercial actions, these randomly generated numbering databases are cross-checked by VDF against both the internal Robinson list and the LRAD, provided that VDF has been informed by the collaborator concerned of the exercise of the right, a circumstance that neither appears in the signed contracts nor has been proven, so in this case calls are repeated.

1.2.2. (ii) Databases "rented" from third parties.
Databases << rented from third parties >> are used. Here two origins can basically be distinguished: those from DATACENTRIC PDM, SA and those from MEYDIS SL.

In the first case, DATACENTRIC is an intermediary between VDF and the database owner (various owners provide this service to DATACENTRIC, such as WEBPILOT, BELEADER, ADSLASA, EGENTIC, LNVISTO, PRESENTE SERVICE, NETSALES, etc.). As reported to VDF, the data subjects in these databases of potential clients have given their consent to receive commercial information. However, the existence of express consent to receive commercial offers through electronic communications (email or SMS) has not been proven, not even by statistical procedures such as representative samples.

The way of working with DATACENTRIC is as follows: VDF places a global order that is executed monthly. The order is placed by VDF's internal Marketing Department via email, indicating the segmentation (e.g. by zip code, type of access technology installed in the building…). When DATACENTRIC, which has previously passed the request on to its collaborators, replies with the quote, it reports, among other things, how long the database can be used. These databases are already filtered against the general Robinson lists (Adigital).
In the second case, MEYDIS provides VDF with databases published in directories of subscribers to telecommunications services. Generally, the period during which the data can be used is one year. There is no contract for this service because its cost is below the amount set by the purchasing department, so an order is placed under the general contracting conditions for amounts of this kind. VDF imposes on MEYDIS the requirement that the data be suitable for carrying out marketing actions. The databases received by VDF are cross-checked against the LRI and LRAD.

1.2.3. (iii) Data obtained through web pages, online channel, generation of leads.
From VDF or third-party web pages (for example, through banners), data is obtained from potential clients who are interested in VDF services and provide their contact information by accepting a certain privacy policy, which may cover specific products or services, questions raised about the availability of fiber coverage at their home, or future commercial actions. Also included here is data obtained from people who call VDF directly requesting information.

The personal data collected in this way, called "leads", is incorporated into the << lead management tool >> called DELIO, and the data subjects are then contacted in accordance with the privacy policy accepted when providing the data on the VDF website, which may involve two possibilities: one referring to receiving specific information and another to receiving future commercial communications.

With the DELIO tool, the user can be attended to automatically, since the operator directly sees the website or channel through which the user made the query and accepted the privacy policy. If the user ultimately does not contract the service after receiving the call from DELIO, a record is created in "lead management", in accordance with the privacy policy accepted by the user when providing their contact details.
It may happen that the data was incorporated to receive information on a specific product or service while the checkbox relating to the use of the data in future commercial actions was not ticked.

These leads are subsequently contacted by different means: calls from the TVTA platform, SMS or email. However, for a lead to be incorporated into DELIO, at least the contact call must have taken place. These leads are contacted within a maximum period of 48 hours, at the prior request of the interested party; after that period, they are sent an SMS informing them that an unsuccessful attempt was made to contact them and providing a number at which they can contact VDF again.

Regarding the data incorporated after a fiber coverage query, it is observed that the coverage query process has been modified compared with the one existing in July 2019.

In the tests carried out in July 2019, it was verified that, in addition to the address for which the query was intended, the name, surname and telephone number were requested, and a privacy policy was offered with two possibilities: (i) accept the processing of the data exclusively to respond to the request, in this case whether or not there was fiber optic coverage (the contact information could be provided through the website itself at that moment, without the need to know the name, surname and telephone number); (ii) in addition to the above, accept the processing for other commercial purposes.
In September 2019 it was verified that initially only data relating to the address for which the query is intended is requested, and if the process cannot be completed (for example, the address is not in the coverage database, is written in another language or incorrectly, the street number does not exist, etc.), the website offers the option of a "Click to call" contact system, and it is at this point that the name and telephone number are requested, with a checkbox provided for accepting the privacy policy.

With the different data sources indicated (random generation, databases rented from third parties and lead generation), VDF's internal Marketing Department filters the data against the LRAD and the exercise-of-rights lists, and sends it to the internal TVTA Department. The TVTA Department filters the data a second time after segmenting it for distribution among the different << call center >> services, sub-processors on behalf of VDF that actually make the calls. Some entities that make up the TVTA platform have their own LRIs, which are also subject to prior cross-checking and filtering. To avoid variations in the database over time (people who subsequently exercise the right to object), the TVTA platform will use the databases for one month only.

In short, in the three cases indicated, the data subjects are contacted by the Marketing Department or the TVTA Department through the different entities that make up the platform, always using databases filtered against the LRAD and the lists of users who have exercised their rights.

1.2.4 (iv) Non-VDF databases used by the Distributors / Collaborators.
This possibility arises only in campaigns managed by "third parties" using personal databases not provided by VDF.
VDF is unaware of the legality of these third-party databases and has not verified it, not even indirectly, for example by sampling to verify the consent of the data subjects, since VDF understands that "it is up to third parties to control their legality as they are responsible for them" (origin of the data, actions to prove consent, filtering against both Robinson lists, attention to the rights exercised, etc.).

In relation to the calls made by these agents / distributors (and, where appropriate, other sub-processors on behalf of VDF), when a right of opposition is exercised during a call, this exercise is not passed on to VDF, but is included in the LRI of the agents / distributors. The obligation for distributors to consult the LRAD is not provided for in the contract signed between VDF and the distributors. Whether or not the data is checked against the LRI, LRAD or exercise-of-rights lists is a circumstance that VDF is not in a position to verify and, furthermore, VDF understands, as it affirms on various occasions, that this is exclusively the responsibility of the distributors in compliance with current data protection regulations.

In the contracts analyzed between the distributors and the sub-processors on behalf of VDF, no clauses have been found that establish this obligation of prior consultation of exclusion lists and filtering against them.

It is established that the distributors do not previously check the database used for commercial actions against the VDF LRI. It may happen that a data subject has exercised the right of opposition before VDF and, despite this, a distributor repeats the call. It has also happened that a claim against VDF was processed before the AEPD and resolved by urging VDF to inform the affected party that their data had been included in the LRI and, after this was communicated to the affected party, the call was later repeated by one of these distributors.
This is because there is no adequate communication by VDF with distributors and sub-processors on behalf of VDF.

VDF has established communication protocols by email for distributors and sub-processors on behalf of VDF, where they exist, reminding them to cross-check the databases to be used against the LRAD, which is known to have been ineffective.

Regarding the guarantees of legality in the use that the distributors / collaborators make of the databases, in the letter dated 04/26/2019 VDF stated that these communications are made with the following content:

<< (…) if the database used by the collaborator is the collaborator's own property, Vodafone requires that, first of all, they have Vodafone's authorization to use that database in a campaign carried out on behalf of and for the account of Vodafone. Second, they are required to have obtained the informed consent of the owner. And thirdly, they must filter their database against the official Robinson lists.

Likewise, they must provide a simple means by which the recipients of the campaigns can exercise their right to object to continuing to receive calls or commercial communications. (…) >>

In the Inspection carried out at the VDF headquarters on September 18 and 30, the VDF representatives clarified the following:

<< (…) (i) there is no authorization relating to the use of third-party databases, that is, those belonging to the distributors, and there is therefore no authorization process; rather, information is requested in the event that they use these databases. (ii) VDF is not in a position to verify that the holders of the receiving lines have given their consent or have not objected, since that is an obligation that corresponds to the collaborating agents. (iii) VDF does not ensure that each call provides an effective means of exercising the right of opposition.

1.2.5. (v) VDF databases used by Distributors / Collaborators.
Sometimes distributors / partners make use of databases provided by VDF. In these cases, there are communications (indicated below) from VDF referring to the obligation to use only these databases (because they are already filtered against the LRAD and the exercise-of-rights lists). However, there is no procedure enabled or controlled by VDF aimed at verifying that only its distributors, and not others, use the database that VDF has provided to them, and only during the periods indicated.

2. Measures taken by VDF in relation to the claims received and after learning of the inspection actions initiated by the AEPD.

Most of the complaints received concern campaigns that VDF does not manage directly (those managed directly by VDF are carried out through its TVTA Department or Marketing Department), but rather campaigns managed by third parties, that is, distributors / collaborators and, where applicable, their sub-processors on behalf of VDF.

Regarding the adoption of measures, a distinction can be made between general measures and other more specific ones relating to certain claims, which consist of asking distributors to include specific numbers in the LRI once the call(s) have already been made or after a request from the AEPD. They are summarized as follows:

In November 2018 and July 2019, COMMUNICATIONS were sent to the entities attached to the TVTA platform and to the Distributors / Collaborators, respectively, to remind them of their data protection obligations, distinguishing two cases:

a) When using VDF databases: these must be used for the stipulated time and exclusively for the indicated campaign, since they are filtered against the LRAD and the exercise-of-rights list. Distributors are warned that, if used later in future campaigns, they may be out of date.
b) When using databases of the distributors / collaborators (external to VDF): they must ensure that they have the prior and express approval of VDF to make such calls; that they hold the data lawfully, having obtained the express consent of the data subjects, the use of databases that do not meet these requirements being prohibited; that they filter their databases against the LRAD; and that they do not use means that have not been consented to by the recipients of the campaign.

In the inspection carried out at the VDF headquarters on September 18 and 30, 2019, the VDF representatives stated that they have not carried out checks on compliance with the measures indicated in the previous communications.

In November 2018, VDF created a database of calling numbers (distributors and their sub-processors on behalf of VDF) in order to be able to identify who is making the calls.

By July 2019 this database had grown notably, insofar as the "Presencial Channel 2019-2020" contracts include a clause imposing, as a mandatory condition, the prior identification of the numbers from which the commercial calls are to be made. Communications between VDF and its distributors requesting the identification of the sub-processors on behalf of VDF and the numbers they are going to use, all dated from September 2019, have been added to the file. This database of calling numbers, updated as of July 2019, has also been added to the file.
Another measure under study, to prevent calls from being made from unidentified numbers, is to route calls only through the internal VDF network, also integrating the "cross-check" against the numbers included in the LRAD and the exercise-of-rights list, so as to have effective control of calls made on its behalf, which requires identifying the caller and excluding from commercial actions users who have expressed their opposition directly or through inclusion in internal or external advertising exclusion files.

Therefore, in the future it will be an essential condition for providing the service to VDF to use VDF trunks, so that certain restrictions can be applied (calling lines, schedule, LRAD, rights of objection, etc.). The web interface will connect with the VDF dialing system to pre-validate the call.

VDF began to raise this idea at the end of May 2019, and in June and July it was communicated to the collaborating agents. Meetings took place in September 2019, and in October tests will begin with one entity, to be implemented later in the rest. In this regard, communications between VDF and collaborators are provided to the following effect: << Subject: Meeting this morning the commitments that have been acquired CASMAR, THREE-QUARTER, SOLIVESA in connection with the shipment of communicated to the collaborators, the assurance that the bases of data with LRAD, and the adoption of measures to audit that said collaborators comply with the processes >>. It is also quoted that << we will work together to implement the call routing platform that we have discussed >>.

To date there is no evidence that this routing protocol from the VDF trunk has been implemented, and as of the date of the initiation agreement, of the 191 claims filed, 26 claims date from September 2019 to January 2020.
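The pre-validation gate described above (calling line, schedule, LRAD and rights of objection checked centrally before a call is routed) can be sketched as follows. This is an added example, not code from the decision or from VDF; the function names, the 31-day limit on list age, the 09:00-21:00 window and every phone number are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, replace
from datetime import date, datetime, time, timedelta
from typing import NamedTuple


class Decision(NamedTuple):
    allowed: bool
    reason: str


@dataclass(frozen=True)
class Policy:
    callers: frozenset        # calling lines declared in advance by distributors
    lri: frozenset            # internal Robinson list (objections made to the controller)
    lrad: frozenset           # Adigital Robinson list snapshot
    lists_synced_on: date     # when both lists were last refreshed
    max_list_age: timedelta = timedelta(days=31)  # assumed reading of "one month only"
    open_at: time = time(9, 0)                    # assumed calling window
    close_at: time = time(21, 0)


def normalize(number: str) -> str:
    """Reduce a Spanish number to its 9-digit national form so that
    '+34 600 000 002', '0034600000002' and '600000002' all match one entry."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0034"):
        digits = digits[4:]
    elif len(digits) == 11 and digits.startswith("34"):
        digits = digits[2:]
    if len(digits) != 9:
        raise ValueError(f"not a 9-digit national number: {number!r}")
    return digits


def prevalidate(policy: Policy, caller: str, destination: str, when: datetime) -> Decision:
    """Decide whether a call may be routed. Every failure denies the call."""
    try:
        src, dst = normalize(caller), normalize(destination)
    except ValueError:
        return Decision(False, "invalid_number")
    if src not in policy.callers:
        return Decision(False, "caller_not_registered")
    if when.date() - policy.lists_synced_on > policy.max_list_age:
        return Decision(False, "lists_stale")   # an old snapshot misses recent objections
    if dst in policy.lri:
        return Decision(False, "lri")
    if dst in policy.lrad:
        return Decision(False, "lrad")
    if not (policy.open_at <= when.time() < policy.close_at):
        return Decision(False, "outside_schedule")
    return Decision(True, "ok")


def record_objection(policy: Policy, number: str) -> Policy:
    """Objection raised during a call: add it to the central LRI so that every
    distributor routed through the gate is blocked, not only the one that was told."""
    return replace(policy, lri=policy.lri | {normalize(number)})


# Constructed sample data (no real subscriber numbers).
POLICY = Policy(
    callers=frozenset({"910000001"}),
    lri=frozenset({"600000001"}),
    lrad=frozenset({"600000002"}),
    lists_synced_on=date(2019, 9, 2),
)
```

Because the objection is written to the shared list rather than to a distributor's own file, a repeat call by a different distributor is refused by the same check.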
There are other measures consisting of VDF sending communications to distributors about specific complaints relating to calls, so that the number is excluded from subsequent commercial actions. As an example, several communications are included in Inspection Report E/01615/2019/I-01 as document number 21, asking distributors to include certain numbers in the Robinson lists (internal and Adigital), once the call(s) had already been made and after a request from the AEPD.

VDF reports that it has not filed a complaint with the Police regarding improper calls, since VDF is not certain of the identity of the owner of the calling number acting on its behalf.

In the relationship between VDF and the distributors / collaborators, verification of the number from which the customer was acquired (calling number) is not a requirement for payment of their commission; the verifications are limited to compliance with the requirements for contracting the product or service.

3. Procedure for obtaining recipients' data and carrying out marketing actions in relation to the sending of commercial communications by electronic means (SMS):
The recipient numbers for SMS sendings are generated randomly without any discrimination, so that commercial communications have been sent to potential customers without meeting the requirements of Article 21 of the LSSI (express authorization). SMS sendings are carried out directly by VDF.

4. Sampling of evidence of non-compliance with current data protection regulations obtained in relation to the operation of the process described in the previous sections.

4.1- Commercial actions after a complaint procedure resolved by the AEPD in which VDF states that it has included the data of the affected party in the LRI.
On 05/03/2019, (…) submitted a written document to this agency stating: “I filed a claim with the Spanish Agency for Data Protection on September 11, 2018 (Registration number: 193763/2018), which I attach, because we received unsolicited commercial calls from Vodafone on the landline. We were not and are not customers of Vodafone, and we were and are on the Robinson List.

The AEPD replied (files E/07212/2018 and E/05851/2019) that Vodafone Spain, SAU had informed them "that they have been included in their Robinson list, in order to ensure that the claimant is not included in future Vodafone commercial campaigns", (…)

Well, the situation, with the inconvenience that it entails, continues to occur; this company's telemarketers keep calling us on the landline to offer us their unsolicited commercial services, (...)”

On 05/29/2019, (…) submitted a written document to this agency stating that (files E/10150/2018 and E/07447/2019) VODAFONE, by means of a letter of 02/28/2019, notified the claimant of the inclusion of their data in the internal Robinson list in order to prevent their phone number from being included in future commercial campaigns. The claimant states that from 05/15/2019 to 05/24/2019 commercial calls from VODAFONE continued to occur. The claimant provides a recording of two calls received on 05/24/2019, in which the following is verified:

In the first call, the telemarketer asks for the claimant and, after repeated questions from the claimant, identifies himself as (…) of the company ONO VODAFONE, offering discounts on services; after the claimant explains that he/she is on the Robinson list and that VODAFONE sent a letter communicating that circumstance, the telemarketer says that they will continue to call.
In the second call, the telemarketer asks for the owner of the line, and after repeated questions from the claimant, he identifies himself as (…) of the ONO company VODAFONE. the claimant states that he is on the Robinson list. The teleoperator states that they do not consult the Robinson list file. E / 03445/2019, whose affected is (…), denounces the reception of calls from line 912001212 in February 2019 (files E / 09407/2018 E / 03445/2019 E / 07055/2019) where it has already identified, among others, as a calling line the same numbering that continues to make calls, and in whose file VODAFONE stated the inclusion of their data in the internal Robinson list and the sending of communicated to their distributors. In file E / 03367/2018 (and later E / 03964/2019) the reception of calls from the lines 911251946 and 955316972, in which VODAFONE declared the inclusion of their data in the internal Robinson list, and the sending of notices to its distributors, reiterating the calls again on the date later. E / 03978/2019, report the reception of calls from the phone number 935085190 on 03/11/2019, having as a precedent the procedure of claim E / 07329/2018 and in whose file VODAFONE stated the inclusion of your data in the Robinson list, in addition to knowing its inclusion in the Robinson List Adigital, and the sending of notices to its distributors. E / 03980/2019 and E / 07960/2019, whose affected person is (…), denounces the receipt of calls from the telephone number 954781254 on dates of 03/12/2019 and 04/01/2019, with the claim procedure as a precedent E / 10149/2018 and in whose file the claim was transferred to VODAFONE where, in addition to revealing the facts, the inclusion on the list was reported Robinson from Adigital. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 21 21/97 E / 07106/2019, the claimant receives calls from the numbers 764255362, 953230927, *** TELEPHONE. 
2 and 953241849, the last one on 06/10/2019, having been in LRAD since 03/19/2019 and in LRI since 04/08/2019. VDF has not been able to identify the ownership of the calling lines, as they are not included in the database created for this purpose.

4.2- Commercial actions carried out from the numbers *** TELEPHONE. 2 and 954781254 by the distributors CASMAR and THREE QUARTERS FULL SL

Given the volume of claims (191 claims incorporated into the file) that have the indicated numbers as calling lines, proceedings have been carried out expressly aimed at analyzing VDF's relationship with CASMAR and THREE QUARTERS FULL SL (hereinafter TQTF), the procedure for obtaining the data, and compliance with the obligation of prior consultation of the exclusion lists.

17 claimants have been found who report commercial actions carried out from the number 954781254, and 19 claimants with respect to those made from the number *** TELEPHONE. 2, even though the recipients' numbers were included in LRAD, or the recipients had exercised their right to object before VDF and were listed on its LRI.

VDF states and insists once again that consulting LRAD is the responsibility of the third-party distributors because they are responsible for the databases and that, although this obligation does not appear in the contract, an awareness-raising effort in this regard has been made through communications.

CASMAR states that the provider entity "A-NEXO" is the one that provides the Robinson list and that it has not passed on any right of opposition received after making calls. However, the contract signed between both entities states that the Robinson listings are contributed by Casmar.

CASMAR uses different providers, including A-NEXO, both to provide the database used to make the calls and, contracting in turn with commercial sub-managers of the treatment on behalf of VDF, for the actual making of the calls.
This scheme of participants outlines several levels of action:

Level I.- VDF is the one who contracts with the CASMAR entity (and this, where appropriate, with other collaborators) the carrying out of commercial actions to attract customers. The database to be used can be provided by VDF or by CASMAR, which obtains it on its own (from other contributors).

Level II.- CASMAR subcontracts to the entity A-NEXO (and this, where appropriate, to other collaborators) the making of commercial calls. CASMAR informed the AEPD that the data used is provided by A-NEXO; however, the contract that it provided states that the data is provided by CASMAR.

Level III.- A-NEXO in turn subcontracts sales representatives, both legal and natural persons, to make calls.

Level IV.- Sales agents hired by CASMAR, in turn, make calls on their own account.

VDF only has a legal relationship with CASMAR; with respect to the remaining levels, it is informed of the identity of the other collaborators at different points in time and not as part of the contract.

Regarding VDF's knowledge of the sub-managers of the treatment on behalf of VDF, CASMAR provided the contractual documentation in which the list of sub-managers of the treatment on behalf of VDF that VDF had to approve is blank (<<blanco>>), stating that this is due to the dynamism with which the "call centers" are replaced and updated.

CASMAR provides a list of sub-managers of the treatment on behalf of VDF as Annex I to the contract "Canal Presencial 2019 2020" dated 05/01/2019, which it has signed with VDF, among which is the entity A-Nexo.

It should be added that Annex I of the aforementioned contract between Casmar and VDF contains a list of 15 subcontracted entities and individuals called “list of the approved sub-managers” (sic), among which is the entity A-Nexo, for which the “current location of the treatment” (sic) is Peru.
According to the contract signed between Casmar and the subcontractor A-Nexo, the exclusion list numbers are provided by Casmar. Said Annex I is signed by Casmar and VDF on 05/01/2019. It has not been shown that there is a contract containing the mandatory standard contractual clauses of the Commission Decision of February 5, 2010, on standard contractual clauses for the transfer of personal data to those in charge of the treatment established in third countries.

For its part, TQTF stated that VDF is aware of the sub-managers of the treatment on behalf of VDF only at the moment in which their access to the VDF contracting platform is requested. In other words, TQTF requests the registration of the sub-managers of the treatment on behalf of VDF so that they can carry out the contracting (VDF provides them with user access to the contracting platform). Therefore, for the commercial sub-managers of the treatment on behalf of VDF to be able to register new lines, VDF must have granted access to a certain application of "discharges".

VDF does not require any type of verification from the commercial sub-managers of the treatment on behalf of VDF regarding the data to be used in commercial calls, but limits itself to creating a user with a password, upon request from CASMAR or TQTF, which is communicated to the salespeople or to the final distributor so that they can register the contracted lines.

VDF is aware of the filing of claims before the AEPD, since they have been forwarded to it by the AEPD since November 2018, and it is not until July 2019 that it communicates this to the distributors (it had already done so in November 2018 for the entities that make up the internal TVTA Department).
The following are examples of these actions, in which numbers previously filtered against the advertising exclusion listings were not used, or the rights of opposition previously exercised by those affected before CASMAR or VDF were not taken into account:

E / 07147/2019: The claimant receives commercial calls, the last on 06/12/2019, after having exercised the right of deletion against VDF on 05/08/2019, and being in the VDF LRI since 05/09/2019.

E / 07144/2019: The claimant receives commercial calls, the last on 06/05/2019, after having exercised the right of opposition, recorded in the LRI of VDF since 04/02/2019 for the mobile line and since 08/20/2018 for the fixed line. Also in LRAD since March 2019.

E / 7765/2019: The claimant receives commercial calls, the last on 06/07/2019, after having requested deletion from VDF on 06/02/2019 and being registered in LRAD since 11/14/2017.

E / 7758/2019: The claimant receives commercial calls, the last on 06/26/2019, appearing in LRAD since 10/22/2018. In this case, the calling distributor is TQTF, in the name and on behalf of VDF.

These claims show that the distributors and sub-managers of the treatment on behalf of VDF have not used numbers previously filtered against the advertising exclusion lists, nor have they taken into account the rights of opposition previously exercised by those affected.

VDF insists again that it does not include in its contracts with distributors the obligation to consult LRAD, because it understands that this corresponds to the holders of the databases to be used and, according to VDF, the databases used are not filtered against the internal exclusion listings.

4.3- Sampling of evidence of non-compliance in relation to campaigns managed directly by VDF.

These actions are considered "directly managed by VDF" since the entity making the call is one of those that make up its own TVTA platform.
VDF has a process whereby both the TVTA platform and the Marketing Department use only databases that contain data of lines not registered in LRAD or in the lists of exercised rights. However, the data treatment followed by VDF is deficient, as shown below:

From the number 607100219, which belongs to KONECTA (part of the TVTA platform), calls have been made that have led to different claims because the claimants' data is included in LRAD. Examples are listed below:

E / 03455/2019: the number *** TELEPHONE. 3 has been registered in LRAD since March 2017, and calls are made in March 2019.

E / 1845/2018: gave rise to sanctioning procedure PS / 290/2018, for calls made in 2018 to a number that had been registered in LRAD since 2013, and to the new current claim with reference E / 03821/2019. In the aforementioned sanctioning procedure, the entity recognized responsibility for the reported events and was sanctioned for an infraction with a € 12,000 fine, taking advantage of a 40% reduction in the amount.

4.4- Sampling of evidence of non-compliance in relation to the sending of commercial communications by electronic means (LSSICE) in the name and on behalf of VDF.

As indicated in section 4, VDF stated that SMS have been sent to randomly generated numbers, which prevents verifying compliance with the provisions of art. 21 of the LSSI, specifically the requirement of being “expressly authorized”, all the recipients being considered << potential clients >>.

Below are some of the 25 LSSICE files, referring to the fraudulent sending of SMS:

E / 03977/2019: RECEIVER NUMBER: *** PHONE. 4 *** PHONE. 5; OPPOSITION: 07/05/2018; DATE OF SMS: 07/05/2018, 10/20/2018, 10/21/2018, 02/11/2019 and 02/15/2019

E / 02050/2019 and E / 08132/2018: RECEIVER NUMBER: *** PHONE.
6; OPPOSITION: 10/8/2018, ATTENDED BY VDF; DATE OF SMS: 02/04/2019

E / 2050/2019 (Antecedent E / 08123/2018, Dec 27, 2018, letter to claimant): RECEIVER NUMBER: *** PHONE. 7; OPPOSITION: THROUGH AEPD CLAIM; DATE OF SMS: 12/22/2018, 02/01/2019, 01/30/2019

E / 00126/2019: RECEIVER NUMBER: *** PHONE. 8; OPPOSITION: OCTOBER 2018; DATE OF SMS: 11/05/2018, 11/30/2018, 12/28/2018

E / 00084/2019: RECEIVER NUMBER: *** PHONE.9 *** PHONE.10 *** PHONE.11; OPPOSITION / CANCELLATION: 08/25/2018; 10/07/2018 AND ROBINSON; DATE OF SMS: 08/25/2018, 09/06/2018, 09/23/2018, 10/30/2018

5. The face-to-face inspection actions carried out in relation to the claims received in the AEPD, in order to determine the adequacy of the management procedure for marketing actions carried out in the name and on behalf of VDF, are attached to the Inspection Certificate and included in the documentation of this file, which was duly notified to the representatives of the investigated party (VDF).

THIRD: On February 26, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 28 of the RGPD in relation to article 24 of the RGPD, punishable in accordance with article 83.4 of the RGPD; for the alleged serious violation of article 21 of the LSSICE, classified as serious in article 38.3.d) and c) of said rule; and for the alleged infringement of article 48.1.b) of the LGT, considered serious in article 77.37 of the aforementioned rule.

FOURTH: The aforementioned initiation agreement having been notified, the defendant submitted on 03/04/2020 a document requesting a copy of the file and an extension of the term for presenting allegations.
Once the extension of the term was granted and the file sent to the investigated party, it presented allegations on 06/9/2020 (the term being affected by the suspension of terms as a consequence of the establishment of the state of alarm), which are set out, in summary, in the following terms:

1. The files notified include affected parties who are legal persons.
2. The statement of facts in the Initiation Agreement makes it extremely difficult to analyze and carry out a detailed examination, which may undermine the right to self-defense.
3. Due diligence in the terms of art 28 of the RGPD refers only to the contracting phase with the manager and should not be understood to extend to the subsequent monitoring of the contract.
4. The providers of the internal telesales department contracted by VDF have passed a prior validation process and are subject to audit processes in which the technical and organizational measures they have for providing the contracted service are justified.
5. Regarding external providers using their own databases: these providers do not act as processors but rather as those responsible for their own databases, since these personal data are collected on behalf of the provider and not on behalf of VDF.
6. Regarding external providers using databases provided by VDF: VDF complies with all the requirements established in article 28 of the RGPD when contracting with those in charge, and these providers meet the conditions to comply with their obligations, there being no lack of the duty of diligence, so it is not appropriate to question the effective performance of the obligations contractually assumed.
7. Regarding the regulation, in the contract between the responsible and the person in charge, of the subcontracting carried out by the person in charge, the AEPD Guide advises the application of certain clauses such as the one used by VDF.
Such clauses indicate that it falls to the initial manager to regulate the new relationship, with the same formal requirements as with the person in charge.
8. The need for express prior authorization of the sub-processors is not a mandatory requirement; rather, article 28.2 indicates that the person in charge must inform the responsible and, where appropriate, the latter authorizes, thus giving the controller the option to object. This aspect is not contemplated in the AEPD Guide (option B).
9. According to the DT5ª of the LOPDGDD, contracts prior to 05/25/2018 will remain valid until 05/25/2022, so their content cannot be enforced, as it is not applicable.
10. The exhaustive control of the person in charge over those in charge would prevent “that can dial an unauthorized telephone number”, VDF having exercised reasonable diligence.
11. The technical efforts made by VDF to implement improvements in the development phase, which were accredited at the time of the face-to-face inspection by the AEPD, have not been taken into account, diminishing the technical effort in development.
12. The contact information for telemarketing actions made available to the providers by VDF has been previously checked against the data contained in the internal Robinson and ADigital listings, and the time of use is specified to avoid outdated data.
13. The data subject to treatment can only be processed by the commissioned entities in accordance with the VDF instructions that govern the contract, which clearly establish the conditions under which the personal information is to be treated.
14. VDF asks providers to notify it of all oppositions that may occur during telemarketing actions.
15. Personal data from the provider's databases are at no time transferred to VDF. Only after the service is contracted are they included in the VDF information system.
16. After contracting, this is validated after a quality control call.
17.
VDF has implemented complementary measures to guarantee detailed control of the activity of service providers when they use their own databases. This control is estimated to be operational in January 2020 (new routing system through the VDF trunk).
18. The alleged infringement of art 21 of the LSSICE is not appropriate, since the legality of the treatments is based on legitimate interest, as indicated in Recital 47 of the RGPD, and this is recognized by the AEPD in its report 0173/2018.
19. VDF at all times allows the interested party to object to receiving communications, so it is not appropriate to impute an infringement of article 38.3.d).
20. Complaints related to the LSSICE are a minority and far from the total of claims submitted.
21. Regarding the infractions related to the LGT, VDF always facilitates the possibility of exercising the right of opposition to the interested party, as stated in art 48.1.b) of said standard. It is also on record that VDF filters against the advertising exclusion lists before providing potential customer data to suppliers. And when the databases are external “it is not possible to materially prevent the making a call” (sic), although control measures are being implemented based on VozIP technology that prevents calling numbers included in advertising exclusion lists.
22. The AEPD seems to sanction for receiving complaints without verifying the facts described therein and to automatically conclude that they correspond to actions that are illegitimate and contrary to the legal system, therefore adopting these decisions contrary to the onus probandi principle that governs sanctioning law.
23.
The quantification of sanctions is disproportionate, and it cannot be argued that VDF's conduct is a repeated and permanent breach, since only 191 interested parties could be affected out of the 200 million commercial actions carried out by VDF.
24. Some infractions are prescribed, such as that referred to in E / 07180/2019, and in others no evidence of infringement has been provided (E / 01119/2019 and E / 02809/2019).
25. In general, the Initiation Agreement lacks sufficient motivation to support the imputation to VDF of the infractions that it lists, motivation being a guarantee against the arbitrary conduct outlawed in the EC.

These allegations have already been answered in the Proposal for Resolution, and the answer is reiterated in FD III of this Resolution.

FIFTH: After the period for allegations granted in the Initiation Agreement had elapsed and allegations had been submitted, it was agreed to open a period for taking evidence, as provided in article 77 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the Instruction agreeing to carry out the following tests:

1. The claims filed and their documentation that are in the file, the documents obtained and generated by the Inspection Services before VODAFONE ESPAÑA, SAU, and the Report of Previous Inspection Actions that are part of the files E / 01615/2019 and E / 09541/2018 are deemed to have been reproduced for evidentiary purposes.
2. Likewise, the allegations to the Initiation Agreement of PS / 00059/2020 presented by VODAFONE ESPAÑA, SAU, and the accompanying documentation are deemed to have been reproduced for evidentiary purposes.
3.
Request the Spanish Association of Digital Economy, C / Entença, 218 Entlo 7ª 08029 Barcelona, with CIF: G61668505, to certify the inclusion, and its date, of the following phone numbers:

PHONE NUMBERS FOR WHICH INCLUSION AND DATE IN ADIGITAL'S ROBINSON LISTING ARE TO BE CERTIFIED (LIST WITH 264 PHONE NUMBERS)

Noting that the result of this test may lead to the performance of others.

SIXTH: The investigating body having noticed rectifiable deficiencies in the documentation of the file sent to the investigated party in March 2020, on 11/13/2020 the deficiencies were corrected by sending the complete documentation relating to the fifteen files whose documentation was initially incomplete, giving a period of 10 days to present the allegations deemed appropriate. The record shows this second shipment, correcting the documentation, on 11/14/2020.

SEVENTH: Once the proposed tests had been carried out and the period for formulating allegations to them and to the aforementioned second shipment of the corrected documentation relating to fifteen files had been opened, the investigated party presented the following allegations:

1.- Two of the files sent correspond to the same claim.
2.- Seven of the files submitted were not mentioned in the first shipment.
3.- Of the 264 telephone numbers submitted to Adigital for verification in the Robinson list, 33 are not registered, 4 are of a later date, 1 corresponds to an archived procedure, 1 corresponds to a provider and not a claimant, in 1 there are no commercial calls received and 1 does not correspond to VDF as the entity claimed against.

These allegations are answered in FD III of this Resolution. Nevertheless, it is noted in advance that they were analyzed by the investigating body, which admitted the annulment, for the purposes of assessment in this procedure, of 29 files, leaving the remaining files included in the Annex, 162 in number.
EIGHTH: On December 22, 2020, the Instruction made a proposal for resolution in which it proposed to the body competent to resolve the following sanctions:

<That the Director of the Spanish Data Protection Agency sanction VODAFONE ESPAÑA, SAU, with NIF A80907397, for violation of article 28 of the RGPD in relation to article 24 of the RGPD, typified in accordance with article 83.4 of the RGPD, with an administrative sanction of four million euros (€ 4,000,000), considered serious for prescription purposes in Article 73, sections j), k) and p) of the LOPDGDD; for violation of article 44 of the RGPD, typified in accordance with article 83.5.c) of the RGPD, with an administrative penalty of two million euros (€ 2,000,000), considered very serious for the purposes of prescription in article 72.l) of the LOPDGDD; for violation of article 21 of the LSSICE, classified as serious in article 38.3.d) and c) of said rule, with a sanction of one hundred and fifty thousand euros (€ 150,000); and, for violation of article 48.1.b) of the LGT, in relation to article 21 of the RGPD, classified as serious in article 77.37 of the LGT, and for violation of article 48.1.b) of the LGT, in relation to article 23 of the LOPDGDD, classified as serious in Article 77.37 of the LGT, with a penalty of two million euros (€ 2,000,000)>.

An Annex was attached to the Proposal for Resolution listing 162 files, after the assessment of 29 files was annulled as a result of deficiencies detected in the data provided by the complainants or investigated by this AEPD, or because the allegations presented by the defendant were upheld.

The aforementioned Annex, which is also attached to this Resolution, contains the following information.
ANNEX (Sorted by date of entry of the claim in the AEPD)

Column legend:
: Sequential order number
R / D / C: Róbinson / Right (Derecho) / Express consent (Consentimiento)
PF / PJ: Natural Person / Legal Person
LGT / PD / LSSI: Violated law
F. Robin.credit: Accredited date of inclusion in advertising exclusion lists
LINE: Sender / Receiver
F. LINE CALL: Date of the advertising action
REFER. AEPD: Claim reference code in the AEPD
CLAIMANT: Claimant's name (the number indicates the times claimed)
CLAIM TEXT: Text of the claim submitted by the claimant

NINTH: After the deadline for the presentation of allegations, on 01/18/2021 the following allegations to the Proposal for Resolution were presented:

1) Previous: Reiteration of the allegations presented.
2) First: Arguments against the Proven Facts.
3) Second: Relating to the information request files referenced in the sanctioning procedure.
4) Third: Rejection by the AEPD of the allegations presented by Vodafone.
5) Fourth: Presumed breach of article 24 RGPD. Consideration of Vodafone as the data controller and responsibility of Vodafone.
6) Fifth: Presumed breach of article 28 RGPD. Alleged lack of real, continuous, permanent and audited control of the treatments carried out by managers.
7) Sixth: Presumed breach of article 44 RGPD. International data transfers.
8) Seventh: Presumed breach of article 21 LSSICE. Sending of commercial communications without consent and to recipients who have opposed such treatment.
9) Eighth: Presumed breach of the General Telecommunications Law (LGT). Supposed lack of attention to the right of opposition to not receive commercial communications.
10) Ninth: On the Sanction Proposal. Legal basis and proportionality of this.

These allegations are answered in the Basis of Law of the present Resolution.
From the actions carried out in this procedure and from the documentation in the record, the following have been accredited:

PROVEN FACTS

FIRST: VDF is responsible for the processing of personal data carried out in its name and on its behalf in marketing actions through phone calls, SMS and emails, both those managed internally from its own files and the treatments that it entrusts to other entities, through rented files or from their own files.

SECOND: VDF has not implemented methods or organizational and technical means that verify, not even by statistical procedures, the legality of the data subject to treatment, its origin, its prior filtering against the internal advertising exclusion lists and the general Róbinson exclusion list, or against those of the entities to which it has commissioned the treatments (in charge of the treatment), or the opposition rights exercised by those affected before one and the other.

THIRD: There is no evidence that VDF has real, continuous, permanent and audited control over the development of the processing of personal data in the marketing actions carried out in its name and on its behalf, being limited to a merely formal initial control and, only in some specific cases, to internal informative communications of a partial nature. There are no prior written authorizations for the treatment of the own databases of the successive managers of the treatments entrusted by VDF in its name and on its behalf.

FOURTH: VDF has a procedure for prior authorization of entities attached to the TVTA Department. For this, they are sent a checklist requesting certain information in order to validate whether it is possible to contract with said service provider.
The aforementioned checklist is limited to answering certain questions with a "YES" or "NO", without specifying accreditation, guarantees, content and management of procedures and audits as indicated in art 28 of the GDPR.

FIFTH: In these cases, VDF is unaware of the technical or organizational guarantees that the subcontracted entities (“other telesales and commercial agencies”) have. Information regarding the identity of these subcontracted entities must be included in the annex to the contract (subcontract) established for that purpose, but it only appears once the subcontracting has been carried out and merely for the purpose of facilitating access in the event that contracting on behalf of VDF is completed; that is, VDF is unaware beforehand of the technical and organizational qualification and identity of these subcontracted entities, as well as of their capacity to comply with the current regulations on data protection.

SIXTH: VDF does not provide detailed documentation regarding the data protection guarantees of the contract that supports the relationship between the initial and the subcontracted person in charge of the treatment, nor the guarantees of compliance with the subcontracting. As reported by VDF, the contract is similar to the one maintained by the entities initially commissioned by VDF and the initial managers assigned to the TVTA platform. VDF includes as a generic contractual obligation that the instructions be passed on to the sub-processors on behalf of VDF so that the marketing actions are carried out in the terms indicated by VDF, but without guarantees to prove compliance.
SEVENTH: The contracts between the initial managers of VDF assigned to the TVTA platform (CASMAR and THE THREE QUARTER FULL, SL -TQF-) and the sub-processors are not similar, so the same guarantees do not appear, contrary to what is stated by VDF and to the provisions of art 28 of the RGPD, without prejudice to the content deficiencies detected in the contracts with the initial managers, such as the lack of follow-up measures in the execution of the contract.

EIGHTH: The Casmar entity, as in charge of the treatment in the name and on behalf of VDF, states that the subcontracted entity "A-NEXO" is the one that provides the Robinson list and that it has not passed on any rights of opposition received after making calls. However, in the contract signed between both entities (Casmar and A-Nexo, of June 2019) it appears that the advertising exclusion lists and opposition rights are provided by Casmar. There is no indication of the management to be carried out regarding the prior consultation of the advertising exclusion files or the exercise of rights, contrary to the provisions of art 28 of the RGPD.

NINTH: It is established that VDF contracts with TQF and that TQF in turn subcontracts with other natural and legal persons, who are the ones who actually make the calls. The contracts provided, signed between TQF (as data processor in the name and on behalf of VDF) and the subcontracted entities, contain no indications regarding the obligation of prior consultation and filtering against the advertising exclusion files or the exercise of rights by the various entities intervening in marketing actions in the name and on behalf of VDF.
TENTH: There is no evidence that VDF has knowledge of the rights exercised by those affected before the entities in charge and sub-in charge, which means that, with calls of a sequential or random type from a certain number, calls are repeated to affected persons who have previously exercised their right of opposition, despite VDF having previously filtered the files, both VDF's own and external ones, to avoid improper calls.

ELEVENTH: In the case of the DATACENTRIC entity, which is an intermediary between VDF and the owner of the rented database, there is no evidence that VDF intervenes in the effective control of verification of the mandatory express authorization of those affected for email communications and SMS sending.

TWELFTH: In the case of the MEYDIS entity, which provides VDF with databases published in directories of subscribers to telecommunications services, there is no contract signed in accordance with article 28 of the RGPD because, according to VDF, the internal contracting system of both entities does not require it, contrary to the provisions of art 28 of the RGPD.

THIRTEENTH: The obligation of managers and sub-managers to consult the advertising exclusion lists is not provided for in the contracts signed for this purpose. Whether or not the aforementioned lists are checked is a circumstance that VDF is not in a position to verify.

FOURTEENTH: It is on record that, where a claim about VDF marketing actions before the AEPD has been resolved by urging VDF to inform the data subject that their data has been included in the LRI, and once this circumstance has been communicated to the affected party, the call is subsequently repeated (PS / 00290/2015).
FIFTEENTH: In the Inspection carried out at the VDF headquarters on the 18th and 30th of September, the VDF representatives affirm that: << (…) (i) there is no authorization related to the use of third-party databases, that is, those belonging to distributors, and therefore there is no authorization process; rather, information is requested in the event that they use these databases. (ii) VDF is not in a position to verify that the holders of the receiving lines have provided their consent or have not objected, as it is an obligation that corresponds to the collaborating agents, (iii) VDF does not ensure that each call offers an effective means of exercising the right of opposition. >>

SIXTEENTH: Regarding the databases provided by VDF and used by those in charge of the treatment in the name and on behalf of VDF, it is on record that there are communications by VDF regarding the obligation to use only these databases. However, there is no procedure enabled or controlled by VDF aimed at verifying that managers use only the database that VDF has provided them and only during the periods indicated to them. In the inspection carried out at the VDF headquarters on 18 and 30 September 2019, the VDF representatives stated that they have not carried out checks on compliance with the measures indicated in the previous communications.

SEVENTEENTH: Commercial communications via SMS are sent to randomly generated numbers without any discrimination, so that electronic commercial communications have been sent to potential clients without meeting the requirements provided for in article 21 of the LSSI (expressly authorized). SMS sendings are carried out directly by VDF.

EIGHTEENTH: Without prejudice to the provisions of the annex to this Resolution, by way of a representative sample, in commercial actions carried out from the numbers *** TELEPHONE.
2 and 954781254 by the distributors CASMAR and TQF, respectively, 17 claimants have been found who report commercial actions made from the number 954781254, and 19 claimants who report those made from the number *** TELEPHONE. 2, even though the recipients' numbers were included in LRAD, or the recipients had exercised their right to object before VDF and are listed on its LRI.

NINETEENTH: In the scheme of participants in the marketing actions carried out by VDF, the following levels of action are recorded in relation to Casmar:

Level I.- VDF contracts with the CASMAR entity (which, where appropriate, subcontracts with others) to carry out commercial actions to attract customers. The database to be used can be provided by VDF or obtained by CASMAR on its own (from other collaborators).

Level II.- CASMAR subcontracts the entity A-NEXO (which in turn may subcontract other collaborators) to make commercial calls. CASMAR informed the AEPD, in response to its request, that the data used is provided by A-NEXO; however, the contract it provided states that the data is provided by CASMAR.

Level III.- A-NEXO in turn subcontracts sales representatives, both legal and natural persons, to make calls.

Level IV.- Sales representatives hired by CASMAR in turn make calls on their own account from their own numbers without informing VDF of them.

As to VDF's knowledge of the sub-processors acting on its behalf, CASMAR provided contractual documentation (Annex II to the on-site channel contract of 05/01/2019) in which the list of sub-processors acting on behalf of VDF, which VDF had to approve, appeared blank ("en blanco"), stating that it is blank because of the dynamism with which the "call centers" are replaced and updated; that is to say, it is completed after the hiring and not beforehand in a way that would allow the technical and organizational competence of these entities to be verified.
TWENTIETH: In the contract signed between Casmar and VDF on 05/01/2019 there appears, in a separate annex of a later date (1) referencing the contract of 05/01/2019 between VDF and Casmar from which it derives, a list of 15 legal entities and natural persons subcontracted by Casmar, called "list of sub-managers approved" (sic), among which is the entity A-Nexo, for which the "current treatment location" (sic) is stated to be in Peru. It is not accredited that there is a contract containing the mandatory standard contractual clauses of the Commission Decision of February 5, 2010, on standard contractual clauses for the transfer of personal data to processors established in third countries.

(1) There is a contract dated 06/27/2019 (after the one dated 05/01/2019 between VDF and Casmar) between Casmar and A-nexo (on behalf of the entity A-NEXO CONTACT CENTER SAC, with RUC 20601266530 and address for notification purposes at Av. De los Precursors 1192, office 303, San Miguel, Lima, Peru.)

TWENTY-FIRST: TQTF affirms, at the request of the Inspection of this AEPD, that VDF is aware of the sub-processors acting on its behalf only at the moment when their access to VDF's contracting platform is requested, and only for these purposes.
In other words, TQTF requests the registration of the sub-processors acting in the name and on behalf of VDF so that they can carry out contracting (VDF provides a user account for the contracting platform), without VDF requiring any type of verification from the commercial sub-processors acting in its name and on its behalf regarding the data to be used in the commercial calls or the technical and organizational conditions they have; VDF limits itself to generating a user with a password, upon request from CASMAR or TQTF, which is communicated to the sales representatives or the final distributor (sub-processors) so that they are enabled to register contracted lines in VDF systems.

TWENTY-SECOND: VDF knows of the claims filed before the AEPD, since they have been forwarded to it by the AEPD since November 2018, and it is not until July 2019 that they are communicated to the distributors (processors), with no record to date of the measures adopted to avoid improper processing.

TWENTY-THIRD: Examples of these actions carried out by CASMAR towards numbers registered in LRAD or in the VDF LRI are the following:

E/07147/2019: The claimant receives commercial calls, the last on 06/12/2019, after having exercised the right of deletion against VDF on 05/08/2019, and being in the VDF LRI since 05/09/2019.

E/07144/2019: The claimant receives commercial calls, the last on 06/05/2019, after having exercised the right to object, recorded in the VDF LRI since 04/02/2019 for the mobile line and since 08/20/2018 for the fixed line. Also in LRAD since March 2019.

E/7765/2019: The claimant receives commercial calls, the last on 06/07/2019, after having requested deletion from VDF on 06/02/2019 and being registered in LRAD since 11/14/2017.

E/7758/2019: The claimant receives commercial calls, the last on 06/26/2019, appearing in LRAD since 10/22/2018. In this case, the calling distributor is TTQF, in the name and on behalf of VDF.
This sample of claims (the totality of evidence appears in the annex to this Motion for a Resolution) confirms that processors and sub-processors have not used, to carry out marketing actions in the name and on behalf of VDF, numbers previously filtered against the advertising exclusion lists, nor have they taken into account the rights to object previously exercised by those affected, either before VDF itself or before the processors or sub-processors when they act in the name and on behalf of VDF. Nor does it appear that, in marketing actions by telephone, VDF has appropriate control that allows it to validate that data subjects can exercise the right to object, since VDF limits itself to providing processors with a certain legend without requiring guarantees that it is effectively read to those affected.

TWENTY-FOURTH: The annex to this Resolution contains the complete and detailed list of all claims taken into account in the assessment of the facts imputed in this procedure.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter RGPD) recognizes to each supervisory authority, and as established in articles 47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

In accordance with the provisions of art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this sanctioning procedure.

In accordance with the provisions of article 84.3) of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this sanctioning procedure.

II

The allegations presented against the initiation agreement have already been answered in the Proposed Resolution, in short, in the following terms:

1. The files notified include affected parties who are legal persons.

As already indicated, 29 claims have been excluded from the assessment for the reasons that were put forward, and those relating to legal entities and those referenced in the VDF allegations dated 12/1/2020 are not in the annex. It should now be added that the scope of application of the LGT and LSSICE includes legal persons and, if 29 files have been excluded from the assessment, it has not been for this reason.

2. The statement of facts in the Initiation Agreement makes it extremely difficult to analyze and examine in detail, which may undermine the right of defense.

The terms of the initiation agreement are in accordance with the provisions of article 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.
In this sense, it should be noted that VDF has not requested the taking of any evidence after the initiation agreement, which it could have requested if it really considered that its right of defense was undermined. Furthermore, VDF does not explain or substantiate how its right of defense has been affected or what real and effective damage has been caused. This is especially so when the facts show that it has been able to allege, after the initiation agreement and throughout the administrative procedure, everything it saw fit, making all kinds of allegations of significant volume both in their reasoning and in their quantity (also taking into account the high number of pages of documents submitted by VDF). It has also been able to provide all the documentation that it considered relevant and necessary. The real and effective defense of the defendant has not been diminished at any time.

We must bring up, for all, the Judgment of the National High Court of 22 February 2019 (RJCA 2019/63), which, also citing various case law of the Constitutional Court, exhaustively states that "consequently, outside the cases of nullity as of right, only those procedural infringements have annulling effect that have left the interested party in a situation of real or material defenselessness, through the issuing of a resolution contrary to their interests without their having been able to make allegations or present evidence (SS.TC. 155/1988, of July 22 (RTC 1988, 155), FJ 4; 212/1994, of July 13 (RTC 1994, 212), FJ 4; 137/1996, of 16 of September (RTC 1996, 137), FJ 2; 89/1997, of May 5 (RTC 1997, 89), FJ 3; 78/1999, of April 26 (RTC 1999, 78), FJ 2, among others). […] Now, defenselessness for these purposes does not arise, as stated in the Judgment of the Supreme Court of October 11, 2012 (RJ 2012, 11351) - appeal no.
408/2010 -, "if the interested party has been able to allege and prove in the file whatever they considered appropriate in defense of their rights and of the position taken, as well as to file an appeal for reconsideration, a doctrine based on article 24.1 CE (RCL 1978, 2836), if it made within the file the allegations it deemed appropriate" (S.TS. February 27, 1991), "if it exercised, in short, all the appropriate remedies, both administrative and jurisdictional" (S.TS. of July 20, 1992). […] Ultimately, the plaintiff does not specify what material defenselessness the alleged procedural defects have caused it, and in any case, the ANC has been able to allege and prove, both in the prior administrative proceedings and in these judicial proceedings, whatever it considered appropriate in defense of its rights and legitimate interests, so that there is no violation of its right of defense (article 24.2 CE)".

Likewise, the Judgment of the Contentious-Administrative Chamber, Section 1, of the National High Court of April 8, 2019 (RJCA\2019\466), ratifies that defenselessness must be material, translating into real and effective damage, since "For this purpose and in general, the doctrine of the Constitutional Court according to which, to find a constitutional injury, the existence of a procedural defect is not enough, but it is equally necessary that this has translated into material defenselessness, that is, into a real and effective impairment, never potential and abstract, of the possibilities of defense in a procedure with the necessary guarantees (SSTC 15/1995, of 24 January and 1/2000, of January 17, among many others).
The concept of defenselessness with constitutional relevance, in any case, does not necessarily coincide with any defenselessness of a merely procedural nature, and even less with any infringement of procedural rules, but requires, as an indispensable condition, that the impossibility of alleging and proving one's rights and interests and of refuting the opposing allegations has produced a real and effective impairment of the party's right of defense, a material damage. There is no material defenselessness if, despite a procedural breach, the parties have been able to defend their rights and legitimate interests (STC 27/2001 of January 29)".

3. Due diligence in the terms of art 28 of the RGPD refers only to the contracting phase with the processor and should not be understood as extending to the subsequent monitoring of the contract.

This is answered in the following foundations of law.

4. The providers contracted by VDF's internal telesales department have passed a prior validation process and are subject to audit processes in which the technical and organizational measures they have for providing the contracted service are checked.

The selection process for processors is limited to an initial checklist, without any subsequent evaluation of the contract, as indicated in later foundations of law.

In the on-site inspection it was found (page 11 of this Resolution), regarding the second scenario, that Distributors / Collaborators / Agents sell through stands in shops and on the street, and in turn also reach << agreements with other telesales and commercial agencies >> (sub-processors acting in the name and on behalf of VDF) for the actual making of telephone calls, and that these manage << their own lists >> of telephone numbers of potential clients.
These subcontracted << other telesales and commercial agencies >> are not subject to a prior approval process, as those assigned to the TVTA platform are; instead, VDF currently continues to work with those that already provided the service in ONO before the merger with VDF (on 01/10/2018), and there is no evidence that the technical and organizational means available to them have been verified.

It should be noted that the decision by VDF to continue working with the processors that already provided the service in ONO before the merger with VDF (on 01/10/2018) confirms that the controller for that processing is VDF.

In these cases, VDF does not know the identity of the entities (other telesales and commercial agencies) subcontracted by the Distributor / Collaborator / Agent and does not know the technical or organizational guarantees they have. The information regarding the identity of these subcontracted entities must be included in the annex to the contract (subcontract) established for this purpose, but it only appears once the subcontracting has been carried out; that is, VDF does not know beforehand the technical and organizational qualification and the identity of these subcontracted entities, or their capacity to comply with current regulations.

From the clauses of the standard contract called "Canal Presencial 2019-2020" (for example, with CASMAR of May 1, 2019) signed between VDF and the entities attached to the TVTA platform, there is an obligation to notify VDF in advance of the list of sub-processors acting on behalf of VDF that the distributors / collaborators / agents will use. This communication is covered, among others, in Clauses 5 (resources) and 6 (characteristics of the activity) of that contract (included in the file).
Only in clauses 13.4 and 13.5 of that contract is reference made to the obligation to comply with data protection regulations, in the following terms: "… without prejudice to the obligations assumed by the COLLABORATOR in compliance with the Data Protection legislation in force at all times…" (sic). Clause 13.6 expressly states that the "Collaborator will be considered the processor and must formalize the standard data processing agreement that is attached as Annex IV…".

However, this communication to VDF of the subcontracted entities is declaratory and after the fact, is not subject to prior approval by VDF, and does not reflect the possibility of exercising the rights of the data subjects. The purpose of this statement, according to VDF, is fundamentally to have information when malpractice is detected.

5. Regarding external providers using their own databases: these providers do not act as processors but rather as controllers responsible for their own databases, since these personal data are collected on behalf of the provider and not on behalf of VDF.

This is answered in the following foundations of law.

6. Regarding external providers using databases provided by VDF: VDF complies with all the requirements for contracting with processors established in article 28 of the RGPD, and these providers meet the conditions to comply with their obligations, so there is no lack of the duty of diligence and it is not appropriate to question the effective performance of the contractually assumed obligations.

This is answered in the following foundations of law.

7. Regarding the regulation, in the contract between controller and processor, of subcontracting carried out by the processor, the AEPD Guide advises the application of certain clauses such as the one used by VDF.
In such clauses it is indicated that it is for the initial processor to regulate the new relationship, with the same formal requirements as apply to the initial processor.

The aforementioned Guide tries to summarize the initial conditions that contracts between controller and processor must meet, without prejudice to the monitoring that the controller must carry out to assess effective compliance with the clauses signed. It should be considered that the Guide contains guidelines that must be adapted to each specific case, since the Guide expressly warns that "This document aims to identify the key points to keep in mind when establishing the relationship between the controller and the processor, as well as to identify the issues that directly affect the management of the relationship between the two. Likewise, it aims to offer guidance, by way of recommendation, for preparing the document that regulates that relationship". In the same sense, its Annex I, when giving an example of what the processor contract could be, expressly notes that "These clauses are for guidance only and should be adapted to the specific circumstances of the processing that is carried out"; so that, throughout the Guide and in multiple ways, it is made clear beyond doubt that these are guidelines, which do not exempt the controller from drawing up the processing contract in accordance with the RGPD in light of the circumstances of each specific case.

8. The need for express prior authorization of sub-processors is not a mandatory requirement; rather, article 28.2 indicates that the processor must inform the controller and, where appropriate, the latter authorize, thus giving the controller the option to object.
This aspect is not contemplated in the AEPD Guide (option B).

Article 28.2 of the RGPD indicates that "The processor shall not engage another processor without the prior specific or general written authorization of the controller. In the latter case, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thus giving the controller the opportunity to object to such changes".

This implies that prior written authorization will be required for the processor to engage another processor, and that this authorization can be specific (indicating the subcontracted entity) or general. Only in the latter case, where there is already a general authorization from the controller, must changes in the addition or replacement of other processors be reported, to which, in addition, the controller may object (for example, if the new processor does not meet the technical or organizational measures set in the general authorization).

From the above, it is concluded that prior authorization is always mandatory. The prior authorization of subcontracted processors must assess, in any case and among other issues, the technical and organizational conditions that the processor has to carry out the contract. As configured in article 28.2 of the RGPD, it is not a simple communication of a formal nature, but constitutes a real material requirement for compliance with the GDPR.

9. According to the DT5ª of the LOPDGDD, contracts prior to 05/25/2018 will remain valid until 05/25/2022, so their content cannot be enforceable as it is not applicable.
The 5th transitional provision of the LOPDGDD determines that "The processor contracts signed before May 25, 2018 under the provisions of article 12 of Organic Law 15/1999, of December 13, on the Protection of Personal Data will remain valid until the expiration date indicated in them and, where they were agreed for an indefinite term, until May 25, 2022. During these periods, either party may require the other to modify the contract so that it is in accordance with the provisions of article 28 of Regulation (EU) 2016/679 and Chapter II of Title V of this organic law".

The 5th transitional provision of the LOPDGDD allows "maintaining the validity" of the processor contracts signed before the RGPD became applicable. It refers only to the term of the contract. This is so because compliance with the controller's own proactive responsibility requires their material adaptation to the RGPD. The obligations arising from the legal text must be fulfilled from its full application in May 2018.

This Provision also refers to the modification of the contract so that it is in accordance with the provisions of article 28 of the RGPD. As we have indicated, we can understand that such modification is restricted to the formal content of Article 28 of the RGPD, allowing each of the parties to require the other to modify the contract in order to comply with that precept. But it does not affect the application of the principles and material obligations of the RGPD, since it is a directly effective rule of a mandatory nature and no provision could go against that character.

Therefore, the validity of the processor contracts until 05/25/2022 will be maintained as long as their content conforms to the principles provided in the RGPD and the LOPDGDD.

10.
Exhaustive control by the controller over the processors would prevent "an unauthorized telephone number from being dialed", VDF having exercised reasonable diligence.

The control of the controller over the processor must be reasonable and adequate throughout the performance of the contract, and in this case it is on record that the rights and freedoms of the data subjects have been affected repeatedly without VDF having adopted appropriate corrective measures to avoid infringements such as those now analyzed.

11. The technical efforts made by VDF to implement improvements in the development phase, which were demonstrated at the time of the on-site inspection by the AEPD, have not been taken into account, which diminishes the technical effort in development.

There is no record that the technical efforts made by VDF to avoid claims before the AEPD have been implemented to date.

12. The contact information for telemarketing actions made available to the providers by VDF has been previously checked against the data contained in the internal Robinson and ADigital lists, and the period of use is specified to avoid outdated data.

The data of the data subjects targeted by advertising actions have not been checked against the advertising exclusion lists and rights to object, especially where these have been exercised before processors or sub-processors and have not been communicated to the controller, nor has the latter required that they be communicated, especially with regard to advertising actions based on random numbers.

13. The data being processed can only be processed by the processors in accordance with the VDF instructions that govern the contract, which clearly establish the conditions under which the personal information is to be processed.
There is no record of VDF monitoring the performance of the contracts signed with the processors acting in the name and on behalf of the controller.

14. VDF asks providers to notify it of all objections that may arise during telemarketing actions.

There is no evidence that VDF requires processors to communicate the rights to object exercised by data subjects, or that it has deployed technical and organizational measures that allow them to be taken into account in subsequent advertising campaigns.

15. Personal data from the provider's databases are not transferred to VDF at any time. Only after the service is contracted are they included in the VDF information system.

The personal data processed by the processors are processed in the name and on behalf of VDF as controller, regardless of whether they are included in its information system.

16. After contracting, the contract is validated by a quality control call.

The quality control call is made once the service offered on behalf of VDF has been contracted, a circumstance that falls outside this procedure.

17. VDF has implemented complementary measures to guarantee detailed control of the activity of service providers when they use their own databases. This control was estimated to be operational in January 2020 (new routing system through the VDF trunk).

There is no evidence that VDF has implemented technical and organizational measures to guarantee detailed control of the activity of the processors who act in the name and on behalf of VDF as of January 2020. Examples of subsequent claims (January and February 2020) are, among others, the following:

01/22/2020 E/02252/2020 AAA
01/23/2020 E/02255/2020 BBB
01/24/2020 E/02262/2020 CCC
01/25/2020 E/02263/2020 DDD
01/27/2020 E/02266/2020 EEE
01/28/2020 E/02269/2020 FFF
02/03/2020 E/02271/2020 GGG
02/03/2020 E/02274/2020 Hhh

18.
The alleged infringement of art 21 of the LSSICE is not applicable, since the lawfulness of the processing is based on legitimate interest, as indicated in Recital 47 of the RGPD, and this is recognized by the AEPD in its report 0173/2018.

Article 21 of the LSSICE expressly requires authorization for electronic advertising communications, and in the present case there is no evidence of it.

19. VDF at all times allows the interested party to object to receiving communications, so it is not appropriate to impute infringement of article 38.3.d).

There is no evidence that either VDF or the processors and sub-processors who act in the name and on behalf of VDF have technical and organizational measures that allow the right to object exercised by the data subject to be given effect, since the repetition of advertising actions after the exercise of that right is on record.

20. Complaints related to the LSSICE are a minority and far from the total claims submitted.

The annex to this Proposal shows that the number of claims for infringement of the LSSICE amounts to twenty-four (24) of the 162 taken into account in this Resolution.

21. Regarding the infringements related to the LGT, VDF always facilitates the possibility of exercising the right to object, as stated in art 48.1.b) of that law. It also appears that VDF previously filters against the advertising exclusion lists before providing potential customer data to suppliers. And when the databases are external "it is not possible to materially prevent the making of a call" (sic), although control measures based on VozIP technology are being implemented that prevent calls to numbers included in advertising exclusion lists.
The allegation cannot be accepted since, as stated in the proven facts and in the attached annex, advertising actions have been carried out in the name and on behalf of VDF repeatedly even though the data subject is on the advertising exclusion lists or has previously exercised their right to object to such actions, contrary to the provisions of article 48.1.b) of the LGT.

22. The AEPD seems to sanction for receiving complaints without verifying the facts described in them, automatically concluding that they correspond to unlawful actions contrary to the legal system and, therefore, adopting these decisions contrary to the onus probandi principle that governs sanctioning law.

The documentation in the file notified to VDF in March 2020 contains sufficient grounds to rebut the presumption of innocence, since VDF, in its responses to this AEPD's information requests, acknowledges its error and proceeds to correct it promptly, informing the claimant. However, this infringing conduct and the subsequent adoption of supposedly corrective measures are permanently repeated, and sometimes there are up to three subsequent claims from the same affected person after their right to object was "supposedly" attended to by VDF.

23. The quantification of sanctions is disproportionate, and it cannot be argued that VDF's conduct is a repeated and permanent breach, since only 191 data subjects out of the 200 million commercial actions carried out by VDF could be affected.

Regarding the grading and final quantification of the proposed sanctions, it should be noted that, without prejudice to the new amounts indicated in the RGPD and the grading criteria applied, and only for purposes of comparison with the repealed LOPD, the amount would be far higher than the current proposal.
Specifically, and only for purposes of comparison with the LOPD, there are one hundred and forty-one (141) infringements of the RGPD which, taken separately and applying the LOPD, would amount to close to six million euros, considering the minimum amount (€40,001). In the same sense, there are one hundred twenty-four (124) infringements of the LGT and twenty-four (24) of the LSSICE, in which the amounts have also been weighted jointly.

Furthermore, with respect to the allegation that "only 191 interested parties of the 200 million commercial actions carried out by VDF could be affected", it should be noted that, as is the case in this proceeding, the confluence of various claims from affected individuals reveals a course of action by the controller of a general nature (that is, not only in the specific cases presented by the claimants), from which it appears that these specific cases reflect a common guideline or policy applied to all affected persons who are in the same situation as the claimants and who have not filed claims either with VDF or with the AEPD. From the claims presented, a pattern of conduct is inferred in the processing of personal data in connection with VDF's marketing operations (which includes gross negligence in its performance and inaction) that directly impacts, in a general and indiscriminate way, the rights and freedoms of citizens.

24. The record includes time-barred infringements, such as the one referred to in E/07180/2019, and others for which no evidence of infringement has been provided (E/01119/2019 and E/02809/2019).

The files referred to in the allegation do not appear among the one hundred and sixty-two (162) assessed in this Resolution.

25.
In general, the Initiation Agreement lacks sufficient motivation to support the imputation to VDF of the infractions it lists, motivation being a guarantee against the arbitrary conduct outlawed in the EC.

Motivation is required under art. 35 of the LPACAP, and the Supreme Court has established a series of elements that must concur for it to be adequate. Thus, motivation has a purposive character, that is, it fulfils the legal requirement to explain or externalize the core of the administrative decision, from which the interested party can deploy his means of defense.

As determined by the Judgment of the Contentious-Administrative Chamber, Section 1, of the National High Court (Audiencia Nacional) of September 13, 2019, “The requirement of motivation of administrative acts responds, according to reiterated jurisprudential doctrine, of which the Judgment of the Supreme Court of July 16, 2001 is an exponent, to the purpose that the interested party can know exactly and precisely the when, how and why of what is established by the Administration, with the breadth necessary for the defense of their rights and interests, also allowing, in turn, the jurisdictional bodies to know the factual and regulatory data that allow them to resolve the judicial challenge of the act, in the exercise of their power of review and control of administrative activity; in such a way that the lack of that motivation or its notorious insufficiency, insofar as they prevent challenging that act with a serious possibility of criticizing the bases and criteria on which it is founded, constitute a defect of voidability, insofar as the interested party is left defenseless.
All this without prejudice to the logical disagreement of whoever obtains a resolution unfavorable to their interests, which does not constitute a lack of motivation, because their right does not extend to the granting of the request, since no one has the right to be proved right, but rather to a decision that offers the necessary explanation so that the administered party can know exactly and precisely the content of the act >> ”.

The motivation can be brief and succinct, but always sufficient to allow the interested party to know the reasons for the administrative decision (STS of 15 December 1999).

For the motivation to be sufficient, it must be concrete, that is, it must refer to the particular case discussed in the specific administrative procedure (STS of 23 September 2008) and be consistent with the content of the decision. If the administrative decision involves the exercise of discretionary powers, the logical process that determines such decision must be made explicit (STS of December 15, 1998).

Regarding the lack of motivation of the initiation agreement, on the basis of which arbitrariness in the actions of this AEPD is alleged, it should be noted that the infractions charged are sufficiently reasoned in the initiation agreement on the basis of the documentation in the file, which originates both in the on-site inspection carried out at the headquarters of VDF (whose documentation is known to VDF) and in the documentation attached to the claims of those affected and which appears in the proceedings. In the same sense, the infraction now charged, of International Transfer without the appropriate measures required by the RGPD, is also documented and accredited by VDF's own statements in the documentation provided to this AEPD.
The examination of the administrative file and of the various resolutions issued within it reveals clearly, in a broad and reasoned, concrete and congruent way, the reasons for the administrative decision, complying more than sufficiently with the requirements established by the Law.

III

Regarding the allegations presented to the taking of evidence and the second shipment of files made in order to correct deficiencies in the documentation initially notified, they are summarized in the following:

1.- Two of the files submitted correspond to the same claim.

2.- Seven of the files submitted were not mentioned in the first shipment.

3.- Of the 264 telephone numbers requested from Adigital for verification in the Robinson list, 33 are not registered, 4 are of a later date, 1 corresponds to an archived procedure, 1 corresponds to a provider and not a claimant, for 1 there are no commercial calls received and 1 does not correspond to VDF as the entity complained against.

In the first place, the allegations made by VDF on 12/1/2020 did not detail the procedures to which they refer. However, it should be noted that there are several claims that make up different files of the same claimant, since for the same facts they have filed several successive claims as VDF continued to carry out the acts now charged.

Second, it should be noted that, of the initial 191 claims that gave rise to the present procedure, twenty-nine (29) claims have been eliminated from the assessment, partially accepting the VDF allegations dated 12/1/2020, for various reasons, such as the lack of record of the timely inclusion of the number in the advertising exclusion lists or of the prior exercise of rights, the lack of the issuing number, the incoming call or the date of the advertising activity, or the fact that the claims were directed at entities other than VDF (in two cases).
However, this is not so for those others in which VDF itself confirms, in its own written reply to the requirements of the AEPD, that the claimant was included in the advertising exclusion lists or had previously exercised the right to object before VDF, and which appear in the file.

It should be added that it is true that the Annex of notified files includes, in various cases, some files that do not belong to the present procedure. In this regard, it should be clarified that this is because, together with the specific file being assessed in this procedure, the previous ones have also been indicated (for reference only and without being added to those now assessed) relating to the same claimant and the same facts and already resolved by Resolution of this Agency in accordance with article 65 of the LOPDGDD, which makes it possible to prove the lack of technical and organizational measures, continued over time, regarding the handling of the rights exercised by those affected. In short, the repeat offenses following resolutions of this Agency protecting rights of objection / cancellation previously exercised by the same claimant before VDF have also been indicated (without being added to those now assessed). The allegations made by VDF on 12/1/2020 do not detail the procedures to which they refer. All this shows the pattern of behavior mentioned above in relation to the data protection obligations corresponding to VDF.

Regarding the 14 numbers sent to Adigital in the taking of evidence that VDF alleges are repeated, it should be noted that, although it is not indicated which they are, they correspond to claims that originate from the same telephone number receiving the improper call, so this does not affect the facts now assessed.

VDF alleges that another 49 numbers are not in the file, without indicating which, so their analysis is not possible.
VDF adds that 33 numbers on the evidence list are not registered in Robinson, without indicating which ones. In this regard, it has already been indicated, and is stated in the record, that VDF in its own responses to the requirements of this AEPD stated that they were included in Robinson.

The rest of the allegations refer to 4 other telephone numbers receiving the calls, without indicating which ones.

Finally, although these allegations refer to merely formal aspects and do not indicate their reference, it is stressed that from now on only the claims before the AEPD that appear in the aforementioned Annex (162 claims) will be taken into account for assessment in the present procedure, those claims / files showing defects, even formal ones, having been eliminated from the Annex.

IV

Regarding the allegations presented to the Proposal for Resolution, they are summarized, as indicated above in the fifth antecedent, in the following:

1. Previous: Reiteration of the allegations presented.

2. First: Arguments against the Proven Facts.

3. Second: Relating to the information request files referenced in the sanctioning procedure.

4. Third: Rejection by the AEPD of the allegations presented by Vodafone.

5. Fourth: Presumed breach of article 24 RGPD. Consideration of Vodafone as the data controller and responsibility of Vodafone.

6. Fifth: Presumed breach of article 28 RGPD. Alleged lack of real, continuous, permanent and audited control of the processing carried out by processors.

7. Sixth: Presumed breach of article 44 RGPD. International data transfers.

8. Seventh: Presumed breach of article 21 LSSICE. Sending of commercial communications without consent and to recipients who have objected to such processing.

9. Eighth: Presumed non-compliance with the General Telecommunications Law (LGT).
Alleged failure to attend to the right to object to receiving commercial communications.

As a preliminary matter before answering the allegations, and regarding the documentary block provided by VDF, it should be pointed out that it is made up of a series of documents, among which is a “proposal for VODAFONE the DEVELOPMENT AND HOSTING to control robinsons in the Door to Door area, following their instructions based on the Robinsones 2020 List Management Service”, dated 17 August 2020. This document is not signed by the parties (page 20 of the aforementioned documentation), so it has not been proven to us that the proposal has in fact been implemented.

Likewise, they also provide a contract for the provision of services of the face-to-face channel between VDF and CASMAR, which they appear to present as a new model to be signed with their suppliers. This contract, although completed with the data of the parties, is neither dated nor signed. Nor is it proven that this contract is in force at this time or, where appropriate, what specific guarantees for the rights of those affected have been implemented in carrying it out.

Such documents do not prove the installation and current operation of the system that they claim to have implemented (which they call "routing"), which is not even corroborated by the screenshots presented in the documentation. Furthermore, to date sanctioning proceedings continue to be initiated for the same facts as a consequence of the claims presented before this AEPD.

The data controller, by virtue of its proactive responsibility, must prove that it has complied, that it complies and that it will comply with the provisions of the RGPD and LOPDGDD. And to prove that it complies at present, mere party documents or drafts are not enough; it is not reliably known whether their content has been put into effect.
Proof of compliance must be provided through a certificate from the company itself or by providing the aforementioned documents with full legal validity (arts. 1254, 1258 and 1261 of the Civil Code).

In relation to this, Report 0064/2020 of the Legal Office of the AEPD attributes to the data controller, within the obligations of proactive responsibility, the burden of “… guaranteeing the protection of said right through compliance with all the principles contained in article 5.1 of the RGPD, adequately documenting all the decisions it makes in order to be able to prove it”.

Notwithstanding the foregoing, we cannot ignore that the fact that they are implementing this new system indicates that previously they were not doing so: that VDF's collaborators did not cross-check against the Robinson List, VDF's internal Robinson list or the collaborators' internal Robinson list; and that VDF did not control the cross-checking process either, that is, it did not know whether its collaborators were complying with its instructions and with data protection regulations.

Let us remember that VDF has the obligation to control the processing by its collaborators as if it did it itself, implementing all kinds of security and monitoring systems and measures that verify compliance with its instructions and with data protection regulations.

In the new documents provided, they continue with the same approach they have maintained throughout the procedure regarding data processors.

That is, they indicate in such documentation that the collaborators with whom they contract call on behalf of VDF to offer VDF products: “Given the above, the scope of this service provision contract is door-to-door promotion of the Services in the name and on behalf of VODAFONE-ES and VODAFONE-ONO” (page 24 of the documentation provided).
However, they are required to present themselves in their own name and as data controllers: “Likewise, the COLLABORATOR will have its own databases of potential clients who must comply with the requirements established by the applicable regulations on data protection and to which the VODAFONE services in the event that they show interest. Thus, the COLLABORATOR must present himself to said potential clients in his own name, as data controller of the same, complying with the applicable regulations regarding the protection of personal data” (pages 30 and 31 of the documentation provided).

If collaborators use their own databases, then VDF considers them data controllers until the sale has to be validated. However, in addition, VDF has access to these databases through the information on the telephone numbers that its collaborators use: “The COLLABORATOR must inform VODAFONE at all times of all those phone numbers that both the COLLABORATOR and its third-party collaborators use to contact Clients or possible Clients of VODAFONE in the development of the activity that is the object of the present contract. In this sense, the use of telephone numbers not previously notified to VODAFONE will be understood as a breach of the contract” (page 33 of the documentation provided).

We can observe a clear incongruity between these statements, which will result in a lack of definition between the parties as to who is the data controller and who is the data processor, and which may likewise convey confusing information to the client or potential client about who the data controller is.

The truth is that VDF is the data controller since, although the databases are not VDF's own, the company controls them by providing instructions to carry out the processing as if they were its own, within the framework of a contract in which the collaborator acts and processes personal data in the name and on behalf of VDF.
Special mention must be made of the emails exchanged by VDF and its collaborators that have been provided with this documentation.

In an email dated July 30, 2019, VDF indicates to CASMAR, for when it uses its own databases, that “On the other hand, in the event that they carry out calls using their own databases, not provided by Vodafone, they must make sure:

- That they have the prior and express approval of Vodafone to carry out said calls.

- That they have obtained the data lawfully, informing and obtaining the consent of the data subjects to be able to carry out commercial actions on behalf of Vodafone. We remind you that the use of databases for the purposes of recruitment on behalf of Vodafone that do not meet this requirement.

- Filter your databases against public Robinson lists, for example the one managed by ADigital, prior to the start of the campaign.

- Do not use means of communication that have not been consented to by the campaign recipients”, (page 54 of the documentation provided).

This shows that they carry out commercial actions on behalf of VDF. The collaborator has no interest of its own in the result of the operation, except for the financial compensation it will receive for such service. It also shows that, before making the calls, they have to verify that they have the approval of VDF. The databases, then, are prepared by the collaborators specifically for VDF, as they must have its prior approval and go through various filters. At that point the collaborators are already data processors.

In the same email they indicate that “In both scenarios -VDF databases and collaborator databases-, it is essential that the collaborator:

- Provide a simple means for any recipient of the campaign to communicate their wish not to continue receiving calls or commercial messages on behalf of Vodafone.
- Immediately transfer to Vodafone the data of those recipients who have communicated that they do not wish to receive further commercial communications and make sure they are not contacted again in future broadcasts”.

This VDF instruction, whatever databases are used by the VDF collaborators (the collaborators' own and prepared for VDF), shows once again that the collaborator is a data processor from the beginning. Although VDF indicates in the new contract model that they are data controllers and that “the COLLABORATOR must appear before said potential clients on their own behalf, as data controller of the same”, the truth is that it instructs them that the right to object can be exercised before the collaborator with respect to VDF. This circumstance shows that they are processing personal data in the name and on behalf of VDF.

Previous R) Regarding the reiteration of the allegations presented, it must be noted that they have already been answered in the Proposal for Resolution and that they appear in FD II of this Resolution.

However, it must be emphasized that the 15 files that are the object of the second shipment notified in November 2020 do not correspond to fifteen additional files, but to the material correction of documentation that the investigating body considered incomplete, in order to correct deficiencies and avoid at all times violating the right of defense, for the sake of the principle of transparency that must preside over all administrative action.

Regarding the lack of evidence and the imputation of infractions on mere assumptions, it should be noted that the facts now sanctioned are undoubtedly inferred from the documentation in the file.
This follows not only from the on-site inspection carried out in September 2019 at the VDF headquarters, as recorded in the Inspection Certificate, but also from the documentation attached to the aforementioned Minutes and from the documentation provided by the claimants and which is completed in the proceedings.

The lack of motivation, alleged in a generic way, in the answer to the allegations by the investigating body cannot be admitted, since the motivation has been reasoned and sufficient for each of the allegations presented, in accordance with the provisions of article 35.1 of Law 39/2015. What VDF has not rebutted are the facts now analyzed, this AEPD having presented sufficient evidence to prove the facts charged.

Regarding the classification of all the "collaborators" (sic) as data processors when according to VDF they are not, it is necessary to insist on the definition of "data controller" and on the reports of this AEPD and of the European Data Protection Board, which are detailed and developed in the FD of this Resolution.

Regarding the allegation that VDF's contracting of its data processors is in accordance with the provisions of art. 28 of the GDPR, it must be rejected outright, since the FD of this Resolution (and the Proposal for Resolution) explain in detail the reasons why VDF has violated the aforementioned article 28.

VDF also alleges that the violation of article 44 of the RGPD (International Transfer of Data without the due guarantees required by the RGPD) does not appear in the Initiation Agreement, when the AEPD already had all the documentation from the investigation phase.

This allegation must be rejected since the initiation agreement complies with the provisions of article 64 of Law 39/2015 of October 1, of the PACAP, where section 2.b) in fine expressly indicates “… without prejudice to what results from the instruction”.
Said article is complemented by the provisions of Article 89.3 of the same law, which states that “The proposed resolution shall set out in a reasoned way the facts that are considered proven and their exact legal qualification, shall determine the infringement that, where appropriate, they constitute, the person or persons responsible and the sanction proposed, the assessment of the evidence taken, especially that which constitutes the basic foundations of the decision, as well as the provisional measures that, where applicable, have been adopted…”.

VDF also alleges that the specific conditions under which the make claims related to breach of the LSSICE.

The allegation should be rejected since VDF has not at any time, even throughout the present procedure, provided proof that the electronic communication had been requested or expressly authorized, as indicated in article 21.1 of said law.

Regarding the allegation of lack of proof of the breach of article 48.1.b) of the LGT, it should be noted that it has been proven, as shown in the documentation of the file regarding the evidence taken, that commercial calls were made in the name and on behalf of VDF to lines listed in the advertising exclusion lists (Robinson), contrary to the provisions of article 23 of the LOPDGDD.

Finally, grouping together the last three previous allegations (9, 10 and 11), it must be stated that each and every one of the infractions charged in the present procedure has been sufficiently reasoned and motivated, and that the proportionality of the sanction has been justified at all times, VDF having, in addition, been warned in the Proposal for Resolution that if independent files had been initiated, the sanction would have been higher.

It also alleges arbitrary action on the part of the AEPD in the processing of the sanctioning procedure.
In this regard, it should be noted that, in the first place, it does not specify the arbitrary action that it alleges and, secondly, the sanctioning procedure has been processed in the legally required manner, in accordance with the regulations applicable to each alleged infraction and with the provisions of the fourth Additional Provision of the LOPDGDD. Consequently, the claim must be rejected.

1R)

a) <Regarding the lack of implementation of effective measures, VDF alleges that it has gradually implemented a centralized "routing system" for advertising actions that guarantees the rights of those affected>.

The allegations are not proven and, even if they were, the facts to which this procedure refers predate the alleged implementation of said system, so its analysis is not appropriate for the purposes of the infractions now sanctioned, without prejudice to its being evaluated in the future if its implementation is proven and is in accordance with the provisions of the RGPD, LGT and LSSICE.

In addition, it should be noted that there is no evidence that the supposed new "routing" system, implemented progressively and with its supposed implementation culminating in February 2020, has been effective, since claims for the same reasons continue to be received by this AEPD to date.

Moreover, additional or supplementary claims continue to be received from the present claimants for the same facts, with no evidence of any action by VDF, as the data controller charged, to mitigate or minimize the effects of the violation of their fundamental right to the protection of data, enshrined in the EC in its article 18.4 and developed in the RGPD and LOPDGDD, as well as in the LGT and LSSICE, even though it knows through this procedure their identities and the facts that are the subject of the claim.
In this regard, and for informational purposes only, there are new claims complementary to those already filed by the following claimants:

Ñ.Ñ.Ñ., E / 10495/2019, dated 09/16/2020, NRE: e2000002161.

OOO, E / 07697/2018 and E / 05544/2019, dated 06/11/2020, NRE: 019495/2020.

PPP, E / 01633/2019, dated 09/30/2020, NRE: e2000003876.

QQQ, E / 07183/2019, E / 04493/2019, dated 09/26/2020, NRE: e2000003364.

RRR, E / 08276/2019, dated 10/28/2020, NRE: e2000007996.

SSS, E / 08043/2019, dated 10/13/2020, NRE: e2000005754.

TTT, E / 08276/2019, dated 10/28/2020, NRE: e2000007996.

UUU, E / 07106/2019, dated 11/17/2020, NRE: e2000010906.

b) <VDF alleges lack of identification of calling numbers and recipients>.

In this regard, it is stressed that the files in which the improper commercial action is not proven have been withdrawn from assessment for the various reasons already mentioned.

It should be clarified once again that the documentation of the file does include calls to numbers not included in the advertising exclusion systems, but for which VDF, in its response to the request of this AEPD, stated that the receiving line was included in the advertising exclusion systems and / or in its own exclusion systems, which is why they appear in the annex. This type of statement by VDF has given rise, in the specific files in which it was made, to a favorable resolution by this AEPD, so it is not now appropriate to allege otherwise according to whatever is most convenient at each moment.

VDF adds that the CASMAR entity (extending this to the rest of the intervening entities) is responsible for the databases of the receiving numbers, without VDF having intervened even though it is the data controller.
This claim should be rejected outright on the basis of the very definition of "data controller" in article 4.7 of the RGPD, and because VDF itself affirms its non-intervention in the processing when it is the one responsible for it.

c) <VDF claims that it has a specific procedure to facilitate the exercise of and attention to the right to object in advertising campaigns managed directly by VDF (SMS and email), allowing recipients to unsubscribe>

In this regard, it should be emphasized that article 21.1 of the LSSICE requires “request or express authorization” to carry out the advertising action, without prejudice to compliance with other requirements, and such request or express authorization has not been proven by VDF, which as the data controller is the one obliged to prove it.

VDF lists a series of file references in which it indicates that the affected person did not exercise any right. In this regard, having analyzed the references indicated, it is noted that, once checked, either they are on the Robinson list, or they refer to the lack of express authorization, or the affected person proves having exercised their rights, or VDF did not respond to the request for information made by the Inspection of this Agency (E / 07056/2019 and E / 08284/2019), being obliged to do so.

VDF adds that it is the data processors who must make the appropriate checks against advertising exclusion lists. In this regard, it should be emphasized again that the data controller, in this case VDF, is obliged, by virtue of article 28 of the RGPD, to contract with processors that have sufficient technical and organizational capacity to carry out the assignment, and VDF must be able to monitor all the processing ordered so that the processing operations commissioned strictly comply with the RGPD and LOPDGDD.
d) <VDF alleges that Proven Fact Four refers to a sanction file with reference PS / 00290/2015, when said file is foreign to VDF>.

In this regard, the material clerical error must be pointed out and corrected: said file has the reference PS / 00290/2018, as stated in the Initiation Agreement, and VDF has had full knowledge of it from the beginning of the present procedure.

e) VDF alleges that it is accused of a general lack of collaboration with the AEPD.

In this regard, the allegation has already been answered in section c) above, inasmuch as VDF did not respond to several requests for information issued by this AEPD in the prior investigation, its lack of response giving rise to the start of inspection actions.

f) <VDF alleges that it is inadmissible to impute lack of action and communication with collaborators>.

In this regard, it should be noted that during the prior inspection process in 2019 it was established that VDF did not comply with the duty to inform data processors of the deficiencies that VDF should have detected in the processing ordered, nor did it impose adequate corrective measures, as it was obliged to do as data controller, to avoid future repetition of the deficiencies in the processing, either because it was unaware of them or because it simply did not demand their correction and the adjustment of measures in accordance with the RGPD.

In this regard, there is an email sent in July 2019 to some of the processors, not all of them and not the sub-processors, which informs them of the obligation to cross-check their files against the advertising exclusion lists and in which no corrective measures were imposed, when on that date VDF was already aware of the claims made by the claimants before this AEPD.
Likewise, there is another, subsequent informative letter, of November 2020, with more information on the fulfillment of their obligations, in which it explains to the processors, and not the sub-processors, the new routing system that is being implemented, with an end date of February 2020, for carrying out marketing actions, but it still does not require or impose adequate corrective measures to avoid the recurrence of deficiencies in the future, even though, it is stressed, on that date VDF was already aware of the claims made by the claimants before this AEPD and the on-site inspection had already been carried out by the Inspection of this AEPD.

In this regard, it should be emphasized that, regarding the first email of July 2019, the information was partial and not addressed generally to all processors so that they in turn would inform the sub-processors; rather, it was an email specific to certain processors and, even so, there is no evidence that the obligations it reported were met or that corrective measures were imposed, since the claims continued.

Regarding the second informative letter of November 2020, it should be emphasized that it is much later than the investigations carried out within the present proceedings.

Consequently, the aforementioned email amounted to no more than an informal communication without binding intent and with partial distribution, since it did not impose corrective measures.

The emails that VDF sends to some of its data processors reminding them of their obligations in terms of Data Protection are insufficient in the framework of proactive responsibility.

The insufficiency of the “measures” adopted follows from the undoubted fact that the problem examined in this sanctioning procedure continues to occur without interruption.
Moreover, the abandonment of its obligations is shown by a simple comparison with the measures that VDF would have taken if the data processors had breached any of the terms that constitute the hard core of the object of the contract (marketing campaigns). VDF would not have limited itself to sending reminder e-mails that they have to perform the contract, but would have imposed penalties or even proceeded to terminate the contract. The same diligence has to be applied to proactive responsibility and data protection. Consequently, the allegation must be rejected, as the lack of due diligence by the person in charge (VDF) in the follow-up and monitoring of the data processing commissioned has been established.

g) The condition of person or persons in charge of the entities intervening in the treatments carried out in the name and on behalf of VDF has already been answered in the Proposal for a Resolution. However, the answer is reiterated and expanded on in the Fundamentals of Law of this resolution.

2R) <VDF alleges, among others, the existence of files opened in respect of legal persons and that have been withdrawn for this reason>. It should be noted that this allegation has already been answered, so it is insisted that the scope of application of the LGT and LSSICE includes legal persons. The fact that files have been withdrawn (29 in total, of the initial 191) has already been challenged, in the sense that the withdrawal is due to uncertainty in the data, and not for the alleged reason of corresponding to legal persons, and always for the sake of the transparency that should govern all administrative action.
<Regarding the existence of numbering or receiving lines that are not found in the Robinson list>, it has already been answered that VDF itself, in its briefs in response to the information requirements, stated the opposite and accepted their inclusion, informing this AEPD that from now on they were included in the VDF internal exclusion list.

Regarding the files unrelated to VDF, it has already been answered that they only affected two and have already been withdrawn from assessment in the present procedure, being among the 29 omitted in the Annex. The fact of withdrawing 15% of the files from assessment does not imply a decrease in culpability for the imputed facts, since an infringement of the RGPD is imputed (together with those of the LGT and LSSICE) typified in article 83.4, which provides as the maximum limit of the administrative penalty the amount of 10,000,000 (or 2% of annual turnover). In addition, it has already been indicated that, had independent sanctioning procedures been initiated, the amount would have been greater than that now sanctioned, even if the repealed LOPD had been applied. It should not be forgotten that the European legislator has modified the amount of penalties and that this is now the applicable regulation.

The amount of the sanction is reasoned and adjusted to the law within the discretionary criteria followed by the doctrine of this AEPD, and at no time can it be classified as arbitrary. In this regard, it should be added that RGPD sanctions are different from those of the repealed LOPD, being on the order of fifteen times higher by mandate of the European legislator, so they are not affordable amounts.
In addition, article 83.4 RGPD, now imputed, allows the imposition of amounts up to 2% of the total global annual turnover which, in this case, is of the order of 1,600 million, so the maximum amount legally established in the RGPD could be 32 million euros, and double in the case of article 83.5 RGPD, when the amounts now imposed are 4 and 2 million euros, respectively, that is, the fifth part (or the tenth part in the infringement of art. 44 of the RGPD) of the applicable maximum.

Consequently, the amount of the administrative penalty imposed (art. 58.2.i RGPD) is proportional to the alleged facts.

Regarding the files alleged, the following is noted:

Regarding E/04471/2018, the line is in the advertising exclusion system, as recorded in the file and accredited by the claimant with entry registration number (NRE) 199267/2018.

Regarding files E/07183/2019 and E/07940/2019, they correspond to the codes (first column of the annex) RDC and RD, respectively, as accredited by the documentation in the file.

<Regarding the different legal personality alleged for the entities VDF ESPAÑA, VDF ONO, LOWI and VDF Services>, it should be noted that in the on-site Inspection at VDF it was stated that the aforementioned entities are part of the VDF Group in Spain, that with regard to marketing actions they are governed by the same procedure, and that said Group was represented by Vodafone España SAU, as it was the entity responsible for the decisions on the treatments of the rest.
And so it is stated on page 2 of the Inspection Certificate: << The entities that are part of the Vodafone Group in Spain are VODAFONE ESPAÑA SAU (hereinafter VDF), VODAFONE ONO, SAU (hereinafter VDFONO) and VODAFONE ENABLER ESPAÑA, SL (hereinafter LOWI); as regards direct marketing actions, specifically the management of recruitment campaigns, in general they are governed by the same process (with small differences relating to, for example, teleshopping providers (hereinafter TVTA)). • Regarding the process of unifying the information systems between VDF and VDFONO, the process regarding the “individuals” segment is finalized, while the process regarding the “companies” segment is currently on hold until the appropriate verifications of its correct operation in the “individuals” segment are available. LOWI's Customer Management Systems (hereinafter CRM) remain independent >>.

In this regard, what has already been said must be emphasized: the decision by VDF to continue working at present with the entities in charge of the treatment that already provided the service to ONO before the merger with VDF (on 01/10/2018) confirms that the entity responsible for the treatment operations analyzed in this procedure and carried out by ONO from that date is VDF. For this reason, the infringements analyzed in this procedure are imputed entirely to VDF, as it is the entity that decides the ends and means, without prejudice to the fact that Lowi's customer management information systems continue to be independent.

<Regarding the content of the Annex attached to the Proposal for Resolution>, it is noted that the claimant with acronym JJJ has the reference E/01489/2019.
Regarding the claimant with acronym LLL, the corresponding references are E/07671/2018 and the subsequent investigation reference E/04688/2019, as well as the references E/08243/2018 and E/07690/2018. Regarding the claimant with acronym MMM, the corresponding reference is E/01633/2019. And regarding the claimant with acronym NNN, the references E/10149/2018 and that of the subsequent investigation actions E/07960/2019, as well as the file references E/07775/2019 and E/07960/2019.

However, this allegation does not affect the merits of the case, limiting itself to making some corrections, when the important thing would have been to enter into the file and settle the issues raised in the claim, which are none other than the violation of the fundamental right to data protection of the complainants, and to correct, now indeed, the organizational and technical deficiencies that cause the claims or, where appropriate, minimize their impact.

<As an allegation of duplication of "procedures" (sic)>, which must refer to "files" (section 5), the same should be noted as in the previous paragraph, which is now corrected, and the file reference that must appear is E/09407/2018.

However, once the aforementioned clerical errors in the Annex have been detected and now corrected, it should be noted that they affect neither the quantity nor the substance of the matter raised in this proceeding, nor do they cause any defenselessness, because the claimants are the same and are within this procedure. Therefore, after their correction in accordance with article 109.2 of Law 39/2015, of PACAP, the claim must be rejected.

In section 6 of the same allegation, it insists on the lack of documentation of the reference files E/07608/2018, E/07190/2019 and E/07188/2018 (the latter has not been found affected by the procedure, so the reference provided).
Regarding the first two, claimants with acronyms FJJN and FRPM respectively, it should be noted that there is no evidence that the information provided by this Agency has been incomplete after the correction made by the Instruction with the second shipment of documentation in November 2020. Consequently, the claim must be rejected.

Finally, in section 6 of the second claim, it is added that <the AEPD has not issued to all claimants notice of the agreement to initiate this procedure, so once again the conduct of the AEPD has been arbitrary>. In this regard, this Agency has no record of the facts referenced, so the allegation must be rejected, and regarding arbitrariness it should be noted that the Proposal for Resolution has been reasoned and adjusted both in form and in substance to the legally established regulations, so that there is no arbitrary or unfounded behavior by the AEPD.

3R) VDF alleges <that DF III of the Proposal for Resolution does not answer with sufficient motivation the allegations presented, which undermines the right to defense of the alleged entity>. In this regard, it must be added that the allegations made by VDF after the agreement to initiate this procedure were answered by the investigating body in their entirety and with sufficient reasoning. We bring back to this point the reasoning already set out in this resolution on what really constitutes a lack of motivation that can produce defenselessness, which does not occur in the case examined.

However, it should be added, with respect to the claim made by VDF that <“AEPD does not seem to take into account that these are third-party entities and that the controls have to respect current regulations on commercial and labor matters.
The level of control intended by the AEPD (continuous, permanent and audited) not only lacks legal support, but would imply an interference in the activity of the collaborators that can hardly be carried out without violating these regulations (i.e. possible indication of illegal transfer of workers from these companies to the main companies). Especially considering that the AEPD's criterion for assessing whether a control is adequate or not is only its result and, in its opinion, a control only has that condition if it is absolutely infallible”>, it should be noted that there is no transgression in the activities of the collaborators because there is no impact on their commercial activity, but only on what affects the processing of personal data.

The person responsible for the treatment is the one who has the ability to determine the purposes and the means of the treatment, and in this case there is a treatment manager contract. Indicating the means of treatment, how the treatment has to be carried out by means of the corresponding instructions, and how to verify that it is being executed in the manner entrusted implies neither more nor less than delimiting elements of the contract being concluded between both entities.

In no case would there be the illegal transfer of workers that they allege. First, because none of the circumstances legally foreseen for this occur, as follows from art.
43 of Royal Legislative Decree 2/2015, of October 23, approving the revised text of the Workers' Statute Law (hereinafter, ET); thus, neither is the object of the service contracts between the companies limited to merely making the workers of the transferring company available to the transferee company, nor does the transferor company lack an activity or its own stable organization, or lack the necessary means for the development of its activity, or fail to exercise the functions inherent to its condition as employer: here we find two different legal entities that have their own organizational structure, where there is no possible confusion between the two. And, secondly, because the person responsible for the treatment does not send instructions or orders to the employees of the manager, but to the manager itself, which will exercise as it sees fit the management power over its own employees (art. 20.3 ET).

Without prejudice to expanding the answer to the following sections of the allegation in the following Fundamentals of Law, and to those already answered during the sanctioning procedure and already included above in the present resolution, we now proceed to answer succinctly:

Regarding the erroneous inclusion of files, it has already been answered, not without insisting now that the withdrawal of 29 files has not been motivated by the “erroneous inclusion of files”, but for the sake of transparency, and only in two cases, which has been corrected through the hearing granted to VDF by the Instruction on the documentation of the file.

Regarding the confusing and disorderly exposition of the initiation agreement, note that the accused party has not requested that any evidence be taken in order to clarify what are, in its opinion, deficiencies that prevent it from exercising its right to defense, which the instructing body has done in order to avoid it.
It should be added that the documentation sent to VDF in March 2020 is duly ordered by date of entry in this AEPD.

Regarding the previous filtering of the VDF database, note, as has been accredited (On-site Inspection of September 2020), that in none of the cases was this filtering successful. Not in the databases owned by VDF, since those delivered to the managers were not filtered against the exclusion lists of rights exercised before them, nor in the databases belonging to those in charge, which were not filtered against the VDF exclusion lists. In both cases, there was a total lack of communication between the treatment participants (VDF and managers, and vice versa) as a consequence of the poor organizational and technical means established in the communication protocols between the entities, which simply did not exist, and whose correct implementation was the responsibility of VDF as responsible for the treatments carried out between the intervening entities.

All this has led to the violation of the guarantees and rights of those affected in a systematic way and without the person in charge (VDF) detecting it and, where appropriate, correcting it. Furthermore, it is materially impossible for the managers to follow the instructions of the person in charge (VDF) simply because these instructions were either confusing, or scarce, or non-existent, which cannot be accepted from an entity such as VDF, which is one of the leading telecommunications operators in the country, with millions of subscribers and, at least it is assumed, with sufficient experience linked to the processing of personal data. In short, VDF has not intervened, and must imperatively intervene, to oblige those in charge at all times to respect the guarantees and rights imposed by the RGPD.
It should be added that, with respect to the LGT, the right to object must be interpreted according to the RGPD and LOPDGDD, while according to the LSSICE prior authorization is necessary for electronic communications. In both cases, the person in charge (VDF) has not implemented the appropriate protocols for communication between the different intervening entities in order to guarantee the rights of those affected, despite being legally obliged to do so.

Regarding the fact that VDF will implement the rejection of contracts that do not comply with the protocol established by VDF, it should be noted, first of all, that this protocol must exist, containing detailed instructions and mandates that clearly avoid any deviation in actions; and secondly, and as far as is now relevant, it is not enough to reject contracts that violate this type of established protocol, but what must be avoided is reaching that situation having previously violated the guarantees and rights of those affected.

Regarding the new “routing” system supposedly implemented by VDF progressively and with an end date in February 2020, it has already been said in this Resolution that this is neither accredited nor are there indications that it is, since the very claimants of the files of this procedure have presented, after that date, new claims complementary to the initial one, and the AEPD continues to receive claims for the same events to date, specifically one year later. All this denotes that either the new system has not been implemented or, where appropriate, it is highly inefficient, so its structure and operation should be reconsidered. The infringement of the rights of the interested parties keeps occurring.

VDF alleges that no corrective measures have been implemented because the facts are “sporadic and exceptional” (sic).
Suffice it to recall the more than forty disciplinary proceedings initiated against VDF in the last two years by this AEPD and the high percentage of material and human resources that this AEPD is using to safeguard or restore the fundamental right to data protection and the guarantees of those affected as a result of the numerous claims that are reiterated before this AEPD against VDF. Consequently, qualifying the facts now analyzed as “sporadic and exceptional” cannot be admitted.

Regarding the fact that the AEPD has not accredited the infringements committed, the present procedure deals with precisely that, and they are duly documented, not by mere assumptions as alleged, but by objective facts that are accredited by the documentation provided by the claimants as well as by the investigations carried out by this AEPD, and that VDF has not been able to disprove.

4R) The Data Controller, as indicated in art. 24 of the RGPD, is a broad concept, which seeks to provide effective and comprehensive protection to the interested parties. This has been determined by the case law of the CJEU. For example, the CJEU judgment in the Google Spain case of May 13, 2014, C-131/12, considers the person responsible for the treatment in a broad sense in order to guarantee “an effective and complete protection of the interested parties”.

In the same way, such effective and complete protection must be deployed where the data processing is carried out by the person responsible for the treatment through a person in charge of the treatment, because otherwise the letter and the purpose of the GDPR would be violated. There would be a “flight” from the right to data protection.
Thus, the Report of the Legal Office of the AEPD of July 20, 2006 states that “what is important for delimiting the concepts of responsible and in charge of the treatment does not turn out to be the cause that motivates the treatment, but the sphere of direction, control or management that the person responsible may exercise over the treatment of the personal data in their possession by virtue of that cause and that would be entirely forbidden to the person in charge of the treatment”; in our case, the control, direction and ordering of the treatment corresponds to VDF.

When the managers use their own databases, they do so under the control, direction and ordering of VDF, in whose name and on whose behalf they call potential clients. The manager does not decide on the purpose of its databases; rather, it is VDF who tells them what they can and should use them for.

Art. 33.2 of the LOPDGDD indicates that those considered responsible and not in charge are those who “in their own name and without evidence that they act on behalf of another establish relationships with those affected”; which, interpreted in the opposite sense, means that the person in charge is the one who establishes relations with those affected on behalf of the person responsible. This is regardless of whether it is necessary to access data on behalf of third parties.

The manager, to be one, has no self-interest in the outcome of the treatment that is the object of the order, without prejudice to the financial compensation received for the service provided, and this is what happens in the case under examination. The managers have no interest of their own and act in the name and on behalf of the person responsible, fulfilling its orders and for its purposes, and this is what determines that they are in charge of the treatment from the beginning. The use of their own or others' databases changes nothing in this perception.
In this sense, Report 0064/2020 of the Legal Office of the AEPD (dated 12/18/2020) establishes that “Likewise, another criterion to consider is whether the entity involved in the treatment does not pursue any purpose of its own in relation to the treatment, but is simply paid for the services rendered, since in this case it would act, in principle, as manager rather than responsible (section 60)” - Guidelines 07/2020 of the European Data Protection Committee (CEPD) on the concepts of data controller and processor in the RGPD (pending final adoption at this time after completing the process of public consultation) of September 2, 2020 -.

Regarding the non-application of the aforementioned STS 1562/2020, we must point out that it does turn out to be applicable to the present case, since what it shows is that, for the purposes of data protection regulations, an entity is in charge of the treatment even if it works with its own databases. The situation is the same as the one we are in now, with the difference that VDF, in identical circumstances, has understood that its collaborators are not in charge of the treatment but responsible for the treatment.

It is crystal clear that one is responsible for the treatment when one decides on the means and purposes of the treatment. VDF claims to the contrary that “it cannot be responsible for the treatment of practically all the personal data analyzed in this procedure, as it is not the entity that provides the databases in question, does not provide the collaborators with the means to carry out the data processing, nor does it decide, or set in any way, the parameters for identifying the recipients of the commercial action, this being carried out completely independently, and according to their best judgment, by the collaborators”.
However, it is determining the means of treatment when it chooses that collaborators use their own databases, specially prepared for VDF, and allows them a certain margin of action with respect to the parameters for identifying the recipients of the commercial action.

Ratifying the foregoing, Report 0064/2020 of the AEPD Legal Office (dated 12/18/2020) asserts that “In any case, the legal relationship established between the parties should be analyzed carefully and in depth in order to identify who determines the ends and the means, for which the repeatedly cited CEPD guidelines give different criteria that can be used to establish these positions, on the basis that the word "determine" implies actually exercising an influence on the ends and means, for which it is not an obstacle that the service is defined in a specific way by the person in charge, provided that the person in charge is presented with a detailed description and can make the final decision on the way in which the treatment is carried out and can request changes if necessary, without the person in charge being able subsequently to introduce modifications in the essential elements of the processing without the approval of the person in charge (section 28), or that the manager is given a certain margin of maneuver to make some decisions in relation to the treatment (section 35), it being possible to leave to the person in charge the taking of decisions on non-essential means (paragraph 39), so that the processor must not treat the data in a way other than in accordance with the instructions of the person in charge, without prejudice to the fact that said instructions may leave a certain degree of discretion on how best to serve the interests of the controller, allowing the person in charge to choose the most appropriate technical and organizational measures (section 78)”.
It is clear that VDF, having examined the specific case of this sanctioning proceeding, is the one who “really exerts an influence on the ends and the means”; the simple assertion by VDF that its collaborators are not in charge of the treatment does not undermine the reality of the facts. It is VDF “who can take the final decision on the way in which the treatment is carried out and can request changes”.

In relation to the means of treatment, the person in charge of the treatment will establish the means of treatment to a greater or lesser extent depending on its commercial strategy. The fact that Vodafone grants the person in charge of the treatment a certain room for maneuver, or that its instructions leave it some discretion, is no obstacle to its continuing to be considered in charge of the treatment.

For all these reasons, VDF collaborators are legally in charge of the treatment because VDF determines the means (the collaborators' own databases), even though VDF provides them with instructions allowing them a certain margin of autonomy in the choice of parameters for making these calls.

Determining what the means of treatment are, which covers with what, how and when the treatment is to be carried out, encompasses any decision-making action of the person responsible for the treatment, regardless of its extent.
VDF adds that “Complementarily to the above, as the AEPD well knows, the position of advertising service providers is subject to specific regulation in article 46.2 of the RLOPD regarding the processing of data in advertising campaigns, a regulation that remains in force as long as it does not contradict or conflict with the provisions of the RGPD, establishing, in its section 2 b), that: "In the event that an entity contracts or entrusts third parties to carry out a specific advertising campaign for its products or services, entrusting them with the treatment of certain data, the following rules will apply: b) When the parameters were determined solely by the contracted entity or entities, said entities will be responsible for the treatment”.

Well, the sole repealing provision of the LOPDGDD establishes in its third section that “Likewise, any provisions of equal or lower rank that contradict, oppose, or are incompatible with the provisions of Regulation (EU) 2016/679 and this organic law are repealed”.

Although it does not expressly repeal the RLOPD, the latter will be understood as tacitly repealed in all those matters that contradict, oppose, or are incompatible with the provisions of the RGPD and the LOPDGDD. The precept of the RLOPD cited is superseded by the RGPD and the LOPDGDD, according to the conceptualization of what it is to be responsible and in charge of the treatment.

In any case, we are not in a factual situation in which the parameters are determined solely by the contracted entities; quite the opposite, it is VDF who, as the data controller, is setting the parameters.

In summary, in the case examined, the collaborators hired to carry out direct marketing actions are in charge of the treatment for VDF when carrying out direct marketing actions in its name and on its behalf. They act under the VDF brand exclusively.
It is VDF who determines the ends and means of the treatment, it being significant that the databases which the person in charge of the treatment makes available to VDF are prepared specifically for the latter (it is the medium that VDF chooses). And we cannot forget, even if merely by way of illustration, that the new routing system, which they say they have implemented, integrates all those in charge of the treatment in that routing network.

5R) Going to the genesis of the concept of data processor and following Opinion 1/2010, of 2/16, of the GT29, “The concept of data processor is not contained in Convention 108. The role of the processor was recognized for the first time in the Commission's first proposal - although it did not introduce the concept - in order to “avoid situations in which the treatment by third parties on behalf of the person responsible for the treatment of the file has the effect of reducing the level of protection enjoyed by the interested party”. The concept of data processor is only explicitly and autonomously included in the modified proposal of the Commission, after a proposal from the European Parliament, before taking on its current formulation in the Common Position of the Council. As with the definition of the controller, the definition of the processor encompasses a wide variety of agents who can play this role («natural or legal person, public authority, service or any other body»).
The existence of a processor depends on a decision made by the data controller, who may decide that the data is processed within its organization, for example by personnel authorized to process data under its direct authority (see, conversely, article 2.f)), or delegate all or part of the processing activities to an external organization, that is - as stated in the explanatory memorandum to the Commission's amended proposal -, to "a legally distinct person acting on his own behalf." Therefore, in order to act as data processor, two basic conditions must be met: on the one hand, to be a legal entity independent of the person responsible for the treatment and, on the other, to carry out the processing of personal data on behalf of the latter”.

Regarding the allegation made, VDF answers it itself when it indicates that “Actually, the referred regulation establishes the obligation on the part of the person responsible to carry out suitability checks during the selection of those suppliers to whom it intends to provide personal data and, likewise, the minimum conditions under which they must process said personal data, and to set out said conditions in the corresponding contract, which will contemplate all the aspects required in article 28 RGPD…”, which in the present case has not been done.

Article 28.1 of the RGPD states: “1. When a treatment is to be carried out on behalf of a data controller, the latter will only choose a manager who offers sufficient guarantees to apply appropriate technical and organizational measures, so that the treatment is in accordance with the requirements of this Regulation and guarantees the protection of the rights of the interested party.” It is noted that it refers to the technical and organizational measures that must be guaranteed in all treatment subject to the order. That is, from before the ordering of the treatment itself, with the appropriate choice of the one who will act as manager, until the end of the service as indicated in article 28.3.g) itself.
And article 28.3.h) continues: “will make available to the person in charge all the information necessary to demonstrate compliance with the obligations established in this article, as well as to allow and contribute to the performance of audits, including inspections, by the person in charge or another auditor authorized by said person in charge”.

Regarding the performance of audits as an ideal means for the person responsible for the treatment to continuously supervise the person in charge of the treatment, Guidelines 07/2020 of the European Data Protection Committee (CEPD) on the concepts of data controller and processor in the RGPD, of 2 September 2020, establish that - the translation is ours - “97. The obligation to use only processors "who provide sufficient guarantees" contained in article 28, paragraph 1, of the GDPR is a continuing obligation. It does not end when the controller and the processor enter into a contract or other legal act. Instead, the controller must, at appropriate intervals, verify the processor's guarantees, including through audits and inspections where appropriate".

In the same way that the person responsible for the treatment audits those treatments that it performs directly and by its own hand, it must audit the treatments that others perform on its order.

In the present case, VDF has not complied with either of the transcribed sections, especially when, being able and having the legal obligation to do so (with audits and inspections), VDF has not required the data processor to comply with its obligations, a breach that should be attributed only to VDF as the party responsible for the treatment.

6R) Regarding the breach of article 44 of the RGPD.
From the evidence in the documentation of the file, as reflected in the TWENTIETH Proven Fact, specifically the data processor contract signed between VDF and Casmar on 05/1/2019, VDF as data controller agrees with Casmar that the commissioned processing is carried out from a third country (Peru) without complying with the due guarantees required by the RGPD, by consenting - with full knowledge of the signatory parties, as stated in the contract - that Casmar will carry it out through the sub-processor entity (A-Nexo) in the name and on behalf of VDF (according to the contract signed on 05/01/2019 between VDF and Casmar and the subsequent contract signed between Casmar and A-Nexo dated 06/27/2019). Said contract states verbatim: “location of the treatment: Peru” (sic). Consequently, the party responsible for this International Transfer (TI) without the due guarantees, agreed between VDF and Casmar through the sub-processor entity based in Peru, A-Nexo, is none other than VDF, acting in its capacity as the data controller that commissioned the processing under the aforementioned conditions. For this reason, VDF is the one obliged to impose and establish the due guarantees so that the TI can be carried out according to the requirements established in the RGPD.

7R) Regarding the breach of article 21.1 of the LSSICE. Article 21 of the LSSICE: "Prohibition of commercial communications made via email or equivalent electronic means of communication. 1. The sending of advertising or promotional communications by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by their recipients is prohibited. 2.
The provisions of the previous section shall not apply when there is a prior contractual relationship, provided that the provider had lawfully obtained the recipient's contact details and uses them to send commercial communications relating to products or services of its own company that are similar to those that were initially contracted with the client. In any case, the provider must offer the recipient the possibility of objecting to the processing of their data for promotional purposes using a simple and free procedure, both at the time of data collection and in each of the commercial communications addressed to them. When the communications have been sent by email, said means must necessarily consist of the inclusion of an email address or other valid electronic address where this right can be exercised, the sending of communications that do not include said address being forbidden”.

It has been established from the beginning of the procedure that the marketing actions in the name and on behalf of VDF would be made using random numbers (and e-mail addresses) to "potential clients" in whose home or area installed VDF services were available. It has also been alleged that such numbers (used to send SMS) were previously cross-checked against the advertising exclusion lists, which was at no time done, without prejudice to what is explained later. Now VDF alleges that the SMS were sent to clients under the exception of article 21.2 of the LSSICE. This might be so in some cases unrelated to this procedure, but in the present one the opposite has been proven, that is, that the recipients were not customers of VDF and had even exercised their right to object, so the aforementioned section of article 21 (21.2) of the LSSI is not applicable.
The files relating to non-compliance with the LSSICE are indicated with the code “C” in the column of the Annex to the Proposal for Resolution, which is now also attached. Consequently, the claim must be rejected.

8R) Regarding the LGT, VDF alleges alleged non-compliance. The Preamble of the LOPDGDD states the following: "Title IV contains "Provisions applicable to specific treatments", incorporating a series of cases that in no case should be considered exhaustive of all lawful processing. Among them it is worth noting, firstly, those for which the legislator establishes a presumption "iuris tantum" of prevalence of the legitimate interest of the controller when they are carried out with a series of requirements, which does not exclude the lawfulness of this type of processing when the conditions set forth in the text are not strictly fulfilled, although in this case the controller must carry out the legally required weighing, as the prevalence of its legitimate interest is not presumed. …"

Article 23.4 of said rule (LOPDGDD) states: "4. Those who intend to make direct marketing communications must previously consult the advertising exclusion systems that could affect their action, excluding from the processing the data of those affected who had expressed their opposition or refusal to it. For these purposes, to consider the above obligation fulfilled, it will suffice to consult the exclusion systems included in the list published by the competent control authority. It will not be necessary to carry out the query referred to in the previous paragraph when the affected person has given, in accordance with the provisions of this organic law, their consent to receive the communication to whoever intends to carry it out.".
The reasons why the application of the LGT prevails in Spanish law, as a special rule, over the RGPD and LOPDGDD as general rules have already been indicated in this Resolution (FD V) and need not be repeated. In the present case, since the authorization provided in the second paragraph of the aforementioned section 4 of article 23 is not applicable, because there is no consent of the claimants, it has been sufficiently accredited throughout the procedure that both VDF, as data controller, and the processors who acted in the name and on behalf of VDF did not remove from their marketing actions those recipient lines that were previously included in the advertising exclusion systems. This is reflected in the column of the Annex to the Proposal for Resolution, which is now also attached, with the code "R". Consequently, VDF has violated the aforementioned article 48.1.b) in relation to article 23 of the LOPDGDD, for which reason the allegation must be rejected.

9R) VDF alleges a clear position of defenselessness during this sanctioning procedure. Regarding the principle of prohibition of arbitrariness, it should be noted that there is no evidence of any action by this AEPD diverting legal actions; rather, the entire procedure followed has complied with the legal regulations both in form and in the reasoning of its administrative acts, evidence and other enforceable legal and constitutional guarantees. There is no doubt that the present sanctioning procedure is complex and voluminous, but even so, all the required legal guarantees have been met. Even in the rectification of material errors as indicated in art.
109 of the LPACAP, in particular the complementary shipment is a rectification, not an inclusion of new files, with a hearing given to the interested party as indicated in the aforementioned rule and art. 105 of the EC. To which must be added that, during the suspension of deadlines under the state of alarm decreed in Spain, the investigating body treated the sending of the file (carried out in March 2020) as an urgent procedure in order to avoid defenselessness, and that during the time the deadlines were suspended the defendant had the time needed to analyze the documentation (about ten thousand pages), whereas under normal conditions without suspension of deadlines it would have had a maximum of 15 days for the study and preparation of its line of defense.

Regarding the imputation of the infringement of article 44 of the RGPD (International Transfer of personal data without the guarantees required in the RGPD) in the Proposed Resolution, mention has already been made in this Resolution. Finally, it should be noted that VDF has not requested the taking of any evidence during the sanctioning procedure in support of any line of defense that it considered appropriate in the face of the imputed infractions. The only evidence taken was requested by the investigating body which, in order to avoid defenselessness of the respondent, has proceeded to correct material errors after analyzing the more than ten thousand sheets of which the file consists and has provided VDF with an Annex with a structured summary of the facts precisely so that it would have the possibility of processing it automatically, for the sake of transparency and thus to avoid any impediment that could cause a reduction in its rights, giving the mandatory hearing and deadline for allegations, as VDF has done.
Consequently, the allegation must be rejected, as there is no arbitrariness in the actions of the AEPD or violation of the principle of defense; rather, it is established that all the established legal guarantees have been observed during this sanctioning procedure.

V

Article 2.4 GDPR. Relationship with Directive 2000/31/EC of the European Parliament and of the Council of June 8, 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (hereinafter Directive 2000/31/EC). "4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular its rules on the liability of intermediary service providers established in its articles 12 to 15”. In this regard, the LSSICE incorporates the aforementioned Directive 2000/31/EC into the Spanish legal system.

Article 95 GDPR. Relationship with Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 on the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter Directive 2002/58/EC). "This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of public electronic communications services in public communication networks in the Union in areas where they are subject to specific obligations with the same objective established in Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002”. In this regard, the LGT incorporates the aforementioned Directive 2002/58/EC into the Spanish legal system.

In relation to the aforementioned articles of the RGPD (articles 2.4 and 95) and the mentioned LGT and LSSICE, the Legal Report of this AEPD of reference 0173/2018, already known to the investigated party, who cites it in its brief.
In the same sense, Opinion 5/2019 on the interaction between the Directive on Privacy and Electronic Communications and the General Data Protection Regulation, in particular with regard to the competence, functions and powers of the data protection authorities, adopted on 12 March 2019, pronounces itself in paragraphs 66 to 70 and in paragraph 86 of the conclusions, which are reproduced below:

<< 66. In the event that national legislation confers on the data protection authority competence for the application of the Directive on privacy and electronic communications, the legislation should also determine the functions and powers of the data protection authority in relation to the application of the Directive. The data protection authority cannot automatically rely on the functions and powers provided for in the RGPD to adopt measures to enforce national regulations on privacy and electronic communications, since these functions and powers of the GDPR are linked to the application of the GDPR. National legislation may assign functions and powers inspired by the GDPR, but can also grant other functions and powers to the data protection authority for the application of national regulations on privacy and electronic communications in accordance with article 15 bis of the Directive.

67. Discretionary power only exists within the requirements and limits established in higher-ranking rules. Article 8 (3) of the Charter requires that compliance with the rules on the protection of personal data be subject to the control of an independent authority.

68.
When the processing of personal data triggers the material scope of application of both the GDPR and the Directive on privacy and electronic communications, data protection authorities are competent to control the subsets of the processing that are governed by the national rules transposing the Directive only if national law confers this competence on them. However, the competence of the data protection authorities under the GDPR in any case remains unabridged as regards processing operations that are not subject to the special rules contained in the Directive. This demarcation line cannot be modified by the national legislation transposing the Directive (for example, by extending the material scope of application beyond what is required by the Directive and granting exclusive powers for said provision to the national regulatory authority).

69. Data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the Directive does not limit the competence of the data protection authorities under the RGPD.

70. When exclusive jurisdiction has been granted to a body other than the data protection authority, national procedural law determines what should occur when interested parties file complaints with the data protection authority in relation, for example, to the processing of personal data in the form of traffic or location data, unsolicited electronic communications or the collection of personal data through cookies, without also reporting a (potential) infringement of the GDPR.

86.
When the processing of personal data triggers the material scope of application of both the GDPR and the Directive on privacy and electronic communications, data protection authorities are competent to control the data processing operations that are governed by the national regulations on electronic privacy only if national legislation confers this competence on them, and such control must take place within the supervisory powers assigned to the authority by the national legislation that transposes the Directive. >>

Consequently, in relation to the specific matter regulated by the LGT and the LSSICE, these laws must prevail by reason of subject matter over the RGPD and LOPDGDD, without prejudice to the fact that the former may need to be complemented by the legal figures developed by the latter. Without prejudice to the subsequent analysis of the events from the perspective of the aforementioned special laws (LGT and LSSICE), the definitions of the legal concepts that the RGPD gives in article 4 are as follows:

Article 4 GDPR.
Definitions

For the purposes of this Regulation, the following shall be understood as:

1) "personal data": any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychic, economic, cultural or social identity of said person;

2) "treatment": any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collation or interconnection, limitation, deletion or destruction;

6) "file": any structured set of personal data, accessible according to specific criteria, whether centralized, decentralized or distributed on a functional or geographic basis;

7) "data controller" or "controller": the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the processing; where the law of the Union or of the Member States determines the purposes and means of the processing, the controller or the specific criteria for its appointment may be established by the law of the Union
or of the Member States;

8) "processor": the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller;

10) "third party": natural or legal person, public authority, service or body other than the interested party, the controller, the processor and the persons authorized to process the personal data under the direct authority of the controller or the processor;

11) "consent of the interested party": any free, specific, informed and unequivocal expression of will by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concern them;

18) "company": natural or legal person engaged in an economic activity, regardless of their legal form, including companies or associations that regularly carry out an economic activity;

25) "information society service": any service in accordance with the definition of Article 1 (1) (b) of Directive (EU) 2015/1535 of the European Parliament and of the Council (Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015, which establishes an information procedure on technical regulations and rules relating to information society services (OJ L 241, 17.9.2015, p. 1)).

VI

Article 24 Responsibility of the controller

<< 1. Taking into account the nature, scope, context and purposes of the processing as well as the risks of varying probability and severity to the rights and freedoms of natural persons, the data controller will apply appropriate technical and organizational measures in order to ensure and be able to demonstrate that the processing is in accordance with this Regulation. These measures will be reviewed and updated when necessary.

2.
When proportionate in relation to the processing activities, the measures mentioned in section 1 shall include the application, by the controller, of the appropriate data protection policies ... >>.

Report 0064/2020 of the Legal Office of the AEPD has emphatically expressed that “The RGPD has meant a paradigm shift when addressing the regulation of the right to the protection of personal data, which is based on the principle of "accountability" or "proactive responsibility", as the AEPD has repeatedly stated (Report 17/2019, among many others) and as is included in the Explanatory Memorandum of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD)”.

The aforementioned report continues that “… the criteria on how to attribute the different roles remain the same (section 11), reiterates that these are functional concepts, which are intended to assign responsibilities according to the actual roles of the parties (section 12), which implies that in most cases the circumstances of the specific case must be considered (case by case) according to their actual activities rather than the formal designation of an actor as "controller" or "processor" (for example, in a contract), as well as autonomous concepts, whose interpretation must be carried out under European regulations on the protection of personal data (section 13), and taking into account (section 24) that the need for a factual assessment also means that the role of a controller does not derive from the nature of an entity that is processing data but from its specific activities in a specific context…”.

The concepts of controller and processor are not formal but functional, and must attend to the specific case. The designation by VDF of its collaborators as "data controller" does not automatically grant them that status.
The controller is such from the moment it decides the purposes and means of the processing, and does not lose this status by leaving a certain margin of action to the processor or by not having access to the processor's databases. This is expressed without doubt in the Guidelines 07/2020 of the European Committee on Data Protection (CEPD) on the concepts of data controller and processor in the RGPD -the translation is ours-, “A data controller is who determines the purposes and means of the processing, that is, the why and the how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of the implementation ("non-essential means") can be left to the processor. It is not necessary for the controller to actually have access to the data that are being processed to qualify as controller".

In the present case, it is established that VDF is the controller of the data processing now analyzed since, as defined in article 4.7 of the RGPD, it is the entity that determines the purpose and means of the processing carried out in the direct marketing actions of the three entities (VDF, ONO, LOWI). So, in its capacity as data controller, it is obliged to comply with the provisions of the transcribed art. 24 of the RGPD and, especially, with regard to the effective and continuous control of the “appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with this Regulation”, among which are those provided in article 28 of the RGPD in relation to the processors acting in the name and on behalf of VDF.
In this sense, and in relation to the allegation raised by VDF in its brief of allegations to the initiation agreement that the various entities that carry out processing on behalf of VDF and that, therefore, have their own files do not act as processors but rather as controllers of that processing, it should be noted that the Guidelines 07/2020 of the European Data Protection Committee (CEPD) on the concepts of data controller and processor in the RGPD state -the translation is ours-, “42. It is not necessary for the controller to actually have access to the data being processed. Whoever outsources a processing activity and, in doing so, has a determining influence on the purpose and (essential) means of the processing (for example, adjusting the parameters of a service in such a way that it influences whose personal data will be processed), should be considered as controller although it will never have real access to the data”.

It should be remembered that VDF determines to whom the calls can be made, as they cannot be made to those who are already clients of the company, as well as the filtering against advertising exclusion lists or whatever corresponds to the exercise of the right to object.

Likewise, following the legal report of the AEPD dated 11/20/2019, with internal reference 0007/2019, and STS 1562/2020 (among others), we must point out that it analyzes the legal figure of the data controller from the perspective of the RGPD, which regulates it exclusively.

<< Article 28 Processor

1. When processing is to be carried out on behalf of a controller, the controller shall only choose a processor who offers sufficient guarantees to apply appropriate technical and organizational measures, so that the processing is in accordance with the requirements of this Regulation and guarantees the protection of the rights of the interested party.

2.
The processor will not resort to another processor without the prior written authorization, specific or general, of the controller. In the latter case, the processor will inform the controller of any intended change in the incorporation or substitution of other processors, thus giving the controller the opportunity to object to such changes.

3. Processing by the processor will be governed by a contract or other legal act under Union or Member State law, which binds the processor with respect to the controller and establishes the object, duration, nature and purpose of the processing, the type of personal data and categories of interested parties, and the obligations and rights of the controller. Said contract or legal act shall stipulate, in particular, that the processor:

a) will process personal data only following documented instructions from the controller, including with respect to transfers of personal data to a third country or an international organization, unless it is obliged to do so under the law of the Union or of the Member States that applies to the processor; in such case, the processor will inform the controller of this legal requirement prior to the processing, unless such law prohibits it for important reasons of public interest;

b) will guarantee that the persons authorized to process personal data have committed themselves to respecting confidentiality or are subject to a statutory obligation of confidentiality;

c) will take all necessary measures in accordance with Article 32;

d) will respect the conditions indicated in sections 2 and 4 for resorting to another processor;

e) will assist the controller, taking into account the nature of the processing, through appropriate technical and organizational measures, whenever possible, so that the controller can fulfill its obligation to respond to requests that have as their object
the exercise of the rights of the interested parties established in chapter III;

f) will help the controller to guarantee compliance with the obligations established in articles 32 to 36, taking into account the nature of the processing and the information available to the processor;

g) at the choice of the controller, will delete or return all personal data once the provision of the processing services ends, and will delete the existing copies unless the preservation of the personal data is required under the law of the Union or of the Member States;

h) will make available to the controller all the information necessary to demonstrate the fulfillment of the obligations established in this article, as well as to enable and contribute to the performance of audits, including inspections, by the controller or another auditor authorized by said controller.

In relation to the provisions of letter h) of the first paragraph, the processor will immediately inform the controller if, in its opinion, an instruction violates this Regulation or other data protection provisions of the Union or of the Member States.

4. When a processor uses another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations as those stipulated in the contract or other legal act between the controller and the processor referred to in section 3 will be imposed on this other processor, through a contract or other legal act established in accordance with Union or Member State law, in particular the provision of sufficient guarantees of application of appropriate technical and organizational measures so that the processing is in accordance with the provisions of this Regulation.
If that other processor breaches its data protection obligations, the initial processor will remain fully accountable to the controller with regard to the fulfillment of the obligations of the other processor.

5. The adherence of the processor to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to Article 42 may be used as an element to demonstrate the existence of the sufficient guarantees referred to in sections 1 and 4 of this article.

6. Notwithstanding the fact that the controller and the processor enter into an individual contract, the contract or other legal act referred to in sections 3 and 4 of this article may be based, totally or partially, on the standard contractual clauses referred to in sections 7 and 8 of this article, including when they are part of a certification granted to the controller or processor in accordance with articles 42 and 43.

7. The Commission may establish standard contractual clauses for the matters referred to in sections 3 and 4 of this article, in accordance with the examination procedure referred to in article 93, paragraph 2.

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in sections 3 and 4 of this article, in accordance with the coherence mechanism referred to in article 63.

9. The contract or other legal act referred to in sections 3 and 4 shall be in writing, including in electronic format.

10. Without prejudice to the provisions of articles 82, 83 and 84, if a processor violates this Regulation by determining the purposes and means of the processing, it will be considered a controller with respect to said processing. >>

The definition of 'processor' includes a wide range of actors, whether they be natural or legal persons, public authorities, agencies or other bodies.
The existence of a data processor depends on a decision taken by the controller, who may decide to carry out certain processing operations itself or to contract all or part of the processing with a processor. The essence of the role of "processor" is that personal data are processed in the name and on behalf of the controller. In practice, it is the controller who determines the purpose and the means, at least the essential ones, while the processor has the function of providing services to the controller. In other words, "acting in the name and on behalf of the controller" means that the processor serves the interest of the controller in carrying out a specific task and that, therefore, it follows the instructions established by the controller, at least as regards the purpose and essential means of the entrusted processing.

Article 28, section 1, of the RGPD establishes that “When processing is to be carried out on behalf of a data controller, the controller shall only choose a processor that offers sufficient guarantees to apply appropriate technical and organizational measures, so that the processing is in accordance with the requirements of this Regulation and guarantees the protection of the rights of the interested party". The obligation provided for in article 28.1 of the RGPD - to select a processor that offers sufficient guarantees to ensure the application of the Regulation and the rights and freedoms of the interested party - is not exhausted in the action prior to the selection and hiring of the processor. It obliges the controller to evaluate at all times during the execution of the contract whether the guarantees (technical or organizational) offered by the processor are sufficient.
The Guidelines 07/2020 of the European Data Protection Board (CEPD) on the concepts of controller and processor in the RGPD (the translation is ours) provide, without any doubt, that:

“ 97. The obligation to use only processors "who provide sufficient guarantees" contained in Article 28 (1) of the GDPR is a continuous obligation. It does not end at the moment in which the controller and the processor conclude a contract or another legal act. Instead, the controller should, at appropriate intervals, verify the guarantees of the processor, including through audits and inspections where appropriate ”.

This is because the controller is the one who has the obligation to guarantee the application of data protection regulations and the protection of the rights of interested parties, as well as to be able to prove it (articles 5.2, 24, 28 and 32 of the GDPR). Control of compliance with the law extends throughout the processing, from start to finish. The controller must act, in any case, diligently, consciously, in a committed manner and actively.

That mandate of the legislator applies regardless of whether the processing is carried out directly by the controller or by means of a processor. Where the Law does not distinguish, we cannot distinguish.

In addition, the processing carried out materially by a processor on behalf of the controller belongs to the sphere of action of the latter, in the same way as if the controller carried it out directly. The processor, in the case examined, is an extension of the controller.

The controller has the obligation to integrate and deploy data protection within everything that constitutes its organization, in all its areas.
It must be borne in mind that ultimately the determining purpose is to guarantee the protection of the interested party. To interpret it in the opposite sense (that the obligations which article 28 of the RGPD imposes on the controller are limited to verifying the capabilities of the processor ab initio and to signing the processor contract) would not only contravene current legislation, constituting a clearly fraudulent action, but would also violate the spirit and purpose of the GDPR.

In light of the principle of proactive responsibility (art 5.2 RGPD), the controller must be able to demonstrate that it has taken into account all the elements provided for in the RGPD.

The controller must take into account whether the processor provides adequate documentation that demonstrates such compliance: privacy protection, file management policies, privacy policies, information security, external audit reports, certifications, management of the exercise of rights, etc.

The controller must also take into account the specialized technical knowledge of the processor, its reliability and its resources.

Only if the controller can demonstrate (principle of proactive responsibility of article 5.2 of the RGPD) that the processor is adequate during the entire processing phase (at all times) to carry out the order entrusted may it enter into a binding agreement that meets the requirements of Article 28 of the RGPD, without prejudice to the fact that the controller must continue complying with the principle of accountability and periodically checking the compliance of the processor and the measures in use.
Before outsourcing processing, and in order to avoid possible violations of the rights and freedoms of those affected, the controller must enter into a contract, other legal act or binding agreement with the other entity that establishes clear and precise obligations regarding data protection.

The processor can only carry out processing on the documented instructions of the controller, unless it is obliged to do so by the law of the Union or of a Member State, which is not the case.

The processor also has the obligation to collaborate with the controller in guaranteeing the rights of the interested parties and to comply with the obligations of the controller in accordance with the provisions of the aforementioned article 28 of the RGPD (and related provisions).

Therefore, it is insisted that the controller must establish clear modalities for such assistance and give precise instructions to the processor on how to comply with them properly, document this in advance through a contract or another (binding) agreement, and check at every moment of the performance of the contract that it is fulfilled in the form established therein.

However, despite the obligations of the person in charge, article 28 of the RGPD seems to suggest that the responsibility of the processor remains limited compared to the responsibility of the controller.
In other words, although controllers may, in principle, be responsible for the damages derived from any infraction related to the processing of personal data (including those committed by the processor) or from breach of the contract or other (binding) agreement, processors may be held liable when they have acted outside the mandate granted by the controller, or have not complied with their own obligations under the contract or under the GDPR. In these cases, the data controller can be considered fully or partially responsible for the "part" of the processing operation in which it participates. The processor will only be fully liable when it is fully responsible for the damages caused to the rights and freedoms of the affected parties; all of this without excluding the responsibility that the controller has incurred in order to avoid them.

In the present case, despite the repeated designation by Vodafone España, SAU of the << collaborators / agents / distributors >> entities as "third parties", it should be noted that, under the correct legal qualification in the RGPD, these entities must be classified as << processors >>, since, according to the definition, they act fully in the name and on behalf of the controller (VDF) for all data protection purposes. Consequently, from now on these entities will be referred to as processors, with the assumption of the responsibilities that this term entails within the RGPD both for the controller and for the processor of the processing operations.
It suffices to bring up the content of the aforementioned STS 1562/2020 (for all), which states the following:

«In this regard, the Judgment of the Supreme Court of June 5, 2004, which confirms, in cassation for unification of doctrine, that of this AN of October 16, 2003, echoing what was argued by this Chamber, refers to the differentiation of two responsible parties depending on whether the decision-making power is directed to the file or to the data processing. Thus, the person responsible for the file is the one who decides the creation of the file and its application, and also its purpose, content and use, that is, who has decision-making capacity over all the data registered in said file. The person responsible for the processing, however, is the subject to whom the decisions about the specific activities of a certain data processing correspond, that is, about a specific application. This would cover all those cases in which the power of decision must be differentiated from the material performance of the activity that makes up the processing.

With this, as the STS of April 26, 2005 (cassation for unification of doctrine 217/2004) notes, the Spanish legislator aims to adapt to the requirements of Directive 95/46/EC, which has as its objective to provide a legal response to the increasingly frequent phenomenon of the so-called outsourcing of computer services, where multiple operators are involved, many of them insolvent, created with the aim of seeking the impunity or irresponsibility of those who follow in the following links of the chain.

Currently, the new Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data (which repeals Directive 95/46/EC and is directly applicable as of May 25, 2018) also distinguishes between the controller and the processor.
The first is defined in Article 4 (7) as the "natural or legal person (...) that determines the purposes and means of the processing". And the processor is defined in paragraph 8) of the same article 4 as the one that "processes personal data on behalf of the controller". This in relation to Articles 24 and 28 of the same European Data Protection Regulation.

Controller and processor of the data processing who, without any doubt, are also responsible for infractions in matters of data protection in this new regulatory framework, in accordance with the provisions of article 82.2 of the repeatedly cited Regulation (EU) 2016/679, according to which: Any controller that participates in the processing operation will be liable for the damages caused in the event that said operation does not comply with the provisions of this Regulation. A processor will only be liable for the damages caused by the processing when it has not complied with the obligations of this Regulation specifically addressed to processors or has acted outside or against the lawful instructions of the controller.

It follows from all of the above that the concurrence, in the present case, of a processor, ZZZZ, in no way exempts the entity XXXX, now appellant, from liability, and this despite the forcefulness of the clauses that appear in the contract and its annex signed by both companies (proven facts 9 and 10), as the personal data processed was for the purpose of carrying out an advertising campaign regarding car and motorcycle insurance marketed by (XXXX), ultimately for the benefit of said XXXX, that plaintiff being the one that, ultimately, determines the purposes and means of the repeated data processing, so that it cannot be exonerated from responsibility. >>

The STS continues, in relation to the possible exoneration of the alleged responsibility on the basis of what was agreed in the "processor" contract, as follows:

« The sanctioned conduct of obstruction or impediment by XXXX of the exercise by its client of the right to object to the processing of his data is manifested in that said company did not adopt any kind of measure or precaution to prevent the sending of advertising to its client's email addresses by the companies to which it entrusted the advertising campaigns. The adoption of the necessary measures or precautions to ensure the effectiveness of the right to object to the processing of his data by XXXX, as the party responsible for the file, subsists even if the advertising campaigns are not carried out on the basis of the data in its own files but with databases of other companies hired by XXXX, and in this case it was proven that the appellant did not inform the companies it contracted to provide advertising services of the complainant's opposition to receiving advertising from the Mutual, nor ultimately made any provision to ensure the exclusion of its customer from the advertising mailings contracted with third parties. "

Consequently, it must be concluded that in all the processing analyzed in the antecedents, in its various modalities, the controller is Vodafone España, SAU (VDF), with those other entities that act in the name, on behalf and for the benefit of VDF acting as processors.

From the documentation in the file that is mentioned in this resolution, from the information collected by the Inspection of this AEPD and from VDF's own acts and statements, the breach by VDF, as controller of the processing entrusted, of the effective and continued control over time of the measures provided for in the above-transcribed art 28 of the GDPR is accredited.
In this regard, it should be added that the obligation provided for in article 28.3.h) RGPD, which begins with the imperative term "put" referring to the processor, generates the obligation to «demand» from the controller « compliance with the obligations established in this article, as well as to allow and contribute to the performance of audits, including inspections, by the controller or another auditor authorized by said controller. "

Thus, it is established that the processors (and successive sub-processors) who act in the name and on behalf of VDF do not offer sufficient guarantees to apply the appropriate technical and organizational measures to the processing commissioned by VDF. Nor are the tasks entrusted to the successive processors who carry out the processing in the name and on behalf of the controller (VDF) duly documented by VDF.

Furthermore, processing operations are listed as approved by VDF that violate the scope of application of the RGPD by allowing processing in third countries without adequate legal guarantees.

There is also no prior written authorization from VDF, with knowledge of the technical and organizational measures, of the successive entities subcontracted by other processors, since VDF is only informed once the sub-processor has already been chosen, for the sole purpose of assigning an access code to the VDF client management applications.

VDF, as the controller, does not know in advance who acts as processor / sub-processor on its behalf, or under what conditions and under what specific specifications (which do not exist), and it has accepted this behavior without qualms, continuously and repeatedly, since at least April 2018, even having knowledge of this anomaly.
Nothing appears in the relationship between VDF and the processors and successive sub-processors with respect to the requirements listed in the aforementioned article 28.3, which, in summary, consist of the controller (VDF) defining in advance the object, duration, nature, purpose, types of data, categories, obligations and rights of interested parties, and mandatory powers of continuous control, etc. Only on specific occasions is it said that one or another specific guideline for action was informally communicated, without this implying any effective control by VDF over the processing entrusted (and in turn sub-entrusted) on its behalf and in its name.

Therefore, non-compliance with data protection regulations must be fully imputed to the controller (VDF) for not acting in a clear, active and effective manner in stipulating and enforcing the appropriate specifications so that the processing entrusted on its behalf is carried out adequately over time.

There is also no evidence that VDF has carried out continuous monitoring throughout the cycle of execution of the processing commissioned, and in turn sub-commissioned by other entities, on its behalf, despite the numerous known claims and the ongoing investigations carried out by the AEPD of which VDF had knowledge, and especially regarding the repeated conduct already sanctioned previously in PS/00290/2018.

Consequently, according to the aforementioned, VDF has seriously infringed, in a repeated and systematic manner, the obligations imposed on it as controller of the processing carried out on its behalf by the provisions of article 28 of the RGPD, in relation to the responsibilities required of every controller by art 24 of the RGPD, especially with regard to the principles and proactive responsibility declared in articles 5.1.f) and 5.2) of the RGPD.
On the other hand, article 44 of the RGPD states the following:

<< Article 44 General principle of transfers

Transfers of personal data that are undergoing processing or will be processed after their transfer to a third country or international organization will only be made if, subject to the other provisions of this Regulation, the controller and the processor fulfill the conditions established in this chapter, including those relating to onward transfers of personal data from the third country or international organization to another third country or another international organization. All the provisions of this chapter shall apply in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined >>.

In the present case, the international transfer of data to a third country (Peru) without the appropriate measures required by the RGPD having been accredited, there is no evidence that VDF, as controller, has fulfilled the conditions established in Chapter V of the RGPD (already justified in the answer to claim 6R) on page 65 of this Resolution).

VII

Secondly, it should be noted that from the perspective of the GDPR there are various legal concepts that directly complement those incorporated in the LGT and LSSICE.

In this sense, as regards the LGT and the right to object to receiving unwanted calls for commercial communication purposes and to be informed of this, the concept of opposition will be applied in accordance with the RGPD.

It must be added that, according to the LOPDGDD, Title IV, which includes «Provisions applicable to specific processing operations», incorporates a series of cases that should in no case be considered exhaustive of all lawful processing.
Among them it is worth noting, in the first place, those for which the legislator establishes a "iuris tantum" presumption of prevalence of the legitimate interest of the controller when they are carried out meeting a series of requirements. Along with these cases, others are included, such as the advertising exclusion files, in which the lawfulness of the processing derives from the existence of a public interest, in the terms established in article 6.1.e) of the RGPD, which requires, in accordance with the provisions of article 8.2, that it be contemplated in a norm with the force of law, which in this case is article 23 of the LOPDGDD itself, which regulates the “advertising exclusion systems”.

This is provided by art 21 of the RGPD:

<< Right of opposition

1. The interested party will have the right to object at any time, for reasons related to his particular situation, to personal data concerning him being subject to processing based on the provisions of Article 6 (1), letters e) or f), including profiling based on these provisions. The controller will stop processing the personal data, unless it proves compelling legitimate reasons for the processing that prevail over the interests, rights and freedoms of the interested party, or for the formulation, exercise or defense of claims.

2. When the purpose of the processing of personal data is direct marketing, the interested party will have the right to object at any time to the processing of personal data concerning him, including profiling insofar as it is related to the aforementioned marketing.

3. When the interested party objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

4.
At the latest at the time of the first communication with the interested party, the right indicated in sections 1 and 2 will be explicitly mentioned to the interested party and will be presented clearly and apart from any other information.

5. In the context of the use of information society services, and notwithstanding the provisions of Directive 2002/58/EC, the interested party may exercise his right to object by automated means that apply technical specifications.

6. When personal data is processed for scientific research purposes or historical or statistical purposes in accordance with Article 89 (1), the interested party will have the right, for reasons related to his particular situation, to object to the processing of personal data concerning him, unless it is necessary for the fulfillment of a mission carried out for reasons of public interest >>.

The foregoing, without prejudice to the sanctioning regime being the one regulated in the LGT.

Regarding the LSSICE, the need for express authorization by the recipients of commercial communications by electronic means is specifically set out in art 21.1 of the LSSICE, which states:

<< Article 21. Prohibition of commercial communications made through email or equivalent electronic means of communication.

1. The sending of advertising or promotional communications by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by the recipients of the same is prohibited >>,

Without prejudice to the fact that, for the formal purposes of obtaining authorization, the applicable norm is the provisions of art 4.11, in relation to art 19 of the LSSICE, which provides:

<< 1. Commercial communications and promotional offers will be governed, in addition to this Law, by their own regulations and those in force in commercial and advertising matters.

2.
In any case, Organic Law 15/1999, of December 13, on the Protection of Personal Data, and its implementing regulations will apply, especially regarding the obtaining of personal data, the information to the interested parties and the creation and maintenance of personal data files >>.

However, regarding the right to object, article 21.2 of the LSSICE establishes the obligation to offer the recipient the possibility of objecting to the processing of his data for promotional purposes by means of a simple and free procedure, both at the time of data collection and in each of the commercial communications addressed to him.

<< Article 21.2. Prohibition of commercial communications made through email or equivalent electronic means of communication. (…)

2. The provisions of the previous section shall not apply when there is a prior contractual relationship, provided that the provider had lawfully obtained the recipient's contact details and uses them to send commercial communications regarding products or services of its own company that are similar to those that were initially contracted with the client.

In any case, the provider must offer the recipient the possibility of objecting to the processing of his data for promotional purposes by means of a simple and free procedure, both at the time of data collection and in each of the commercial communications addressed to him.

When the communications have been sent by email, said means must necessarily consist of the inclusion of an email address or other valid electronic address where this right can be exercised, and sending communications that do not include said address is prohibited >>.

In this sense, this modality of exercising the right to object constitutes a specific obligation in the field of commercial communications made through electronic means.
By virtue of article 95 of the RGPD, no additional obligations that have the same objective are imposed, as would be, in this case, the duty to consult the advertising exclusion systems provided for in article 23.4 of the LOPDGDD, which, for this reason, is not applicable.

In any case, the offense is regulated in the sanctioning regime of the LSSICE.

Regarding the rights exercised by those affected to avoid being recipients of direct marketing actions, Recital 70 of the RGPD:

<< If personal data are processed for direct marketing purposes, the interested party must have the right to object to said processing, including profiling insofar as it is related to such direct marketing, whether with respect to initial or subsequent processing, at any time and at no cost. Said right must be explicitly communicated to the interested party and presented clearly and apart from any other information >>.

Likewise, the aforementioned legal concepts indicated by the RGPD (including that provided for in art 21 RGPD transcribed above) and directly applicable to the LGT are also incorporated into the LOPDGDD as follows:

Art 23 LOPDGDD. Article 23. Advertising exclusion systems.

<< 1. The processing of personal data that is intended to prevent the sending of commercial communications to those who have expressed their refusal or opposition to receiving them will be lawful. For this purpose, information systems, general or sectoral, may be created, in which only the data essential to identify the affected parties will be included. These systems may also include preference services, by which those affected limit the reception of commercial communications to those from certain companies.

2. The entities responsible for the advertising exclusion systems will notify the competent control authority of their creation, their general or sectoral nature, as well as the way in which those affected can join them and, where appropriate, assert their preferences.
The competent control authority will make public in its electronic headquarters a list of the systems of this nature that were communicated to it, incorporating the information mentioned in the previous paragraph. To that end, the competent control authority to which the creation of the system has been communicated will make it known to the other control authorities for publication by all of them.

3. When an affected party expresses to a controller his wish that his data not be processed for the sending of commercial communications, the controller must inform him of the existing advertising exclusion systems, and may refer to the information published by the competent control authority.

4. Those who intend to make direct marketing communications must previously consult the advertising exclusion systems that could affect their action, excluding from the processing the data of those affected who had expressed their opposition or refusal to it. For these purposes, in order to consider the above obligation fulfilled, it will suffice to consult the exclusion systems included in the list published by the competent control authority.

It will not be necessary to carry out the query referred to in the previous paragraph when the affected party has provided, in accordance with the provisions of this organic law, his consent to receive the communication to whoever intends to make it. >>

VIII

In the event of an infringement of the RGPD precepts, among the corrective powers available to the Spanish Data Protection Agency as a supervisory authority, Article 58.2 of said Regulation contemplates the following:

“2 Each supervisory authority shall have all the following corrective powers listed below:

(…)

b) punish any controller or processor with a warning when the processing operations have infringed the provisions of this Regulation;"

(...)
d) order the person in charge of the treatment that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time;

(…)

i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;".

According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine.

IX

Therefore, with regard to VDF as controller of the processing carried out in its name and on its behalf, and in accordance with the evidence available at the present time, it is considered that the facts presented could violate the provisions of article 28, with the scope expressed in the preceding Legal Grounds, which, if confirmed, could entail the commission of an offense typified in article 83.4.a) of the RGPD, which under the heading "General conditions for the imposition of administrative fines" provides the following:

Article 83.4.a) of the RGPD,

"4. Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount:

a) the obligations of the controller and the processor in accordance with articles 8, 11, 25 to 39, 42 and 43 ".

Considered serious for the purposes of prescription in article 73 of the LOPDGDD.

Article 83.5.c) of the RGPD,

"5.
Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:

c) transfers of personal data to a recipient in a third country or an international organization according to articles 44 to 49 ”.

In the present case, the performance by VDF, in its capacity as controller, of an international transfer of data to a third country (Peru) by consenting to Casmar carrying out for A-Nexo the marketing actions in the name and on behalf of VDF, according to the contract signed on 05/01/2019 between VDF and Casmar and the subsequent contract signed between Casmar and A-nexo dated 06/27/2019;

Infringement considered very serious for the purposes of prescription in art 72.l) of the LOPDGDD.

X

Article 71 of the LOPDGDD. Infractions.

The acts and conducts referred to in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute offenses.

Article 72.1.l) Violations considered very serious.

<< 1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infractions that entail a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, in particular the following:

l) The international transfer of personal data to a recipient located in a third country or to an international organization, when the guarantees, requirements or exceptions established in articles 44 to 49 of Regulation (EU) 2016/679 are not met. >>

Article 73 LOPDGDD. Violations considered serious.

<< Based on what is established in article 83.4 of Regulation (EU) 2016/679, infractions that entail a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years, in particular the following:

j) The hiring by the controller of a processor that does not offer sufficient guarantees to apply the appropriate technical and organizational measures in accordance with the provisions of Chapter IV of Regulation (EU) 2016/679.

k) Entrusting the processing of data to a third party without the prior formalization of a contract or other written legal act with the content required by article 28.3 of Regulation (EU) 2016/679.

p) The processing of personal data without carrying out a prior assessment of the elements mentioned in article 28 of this organic law.

In the present case, VDF is charged with the violation of article 28 of the RGPD, punishable in accordance with article 83.4.a) of the RGPD, an offense typified in Article 73 of the LOPDGDD, sections j), k), p), and classified as serious for the purposes of prescription.

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, provisions that state:

"1. Each supervisory authority will guarantee that the imposition of administrative fines under this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j).
When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
d) the degree of responsibility of the person responsible or the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32;
h) the way in which the supervisory authority learned of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in relation to the same issue, compliance with said measures (…);
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."

For its part, in relation to article 83.2.k) RGPD, article 76 “Sanctions and corrective measures” of the LOPDGDD provides:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatment of personal information.
c) The benefits obtained as a result of the commission of the offense. (…)

In accordance with the transcribed precepts, and derived from the instruction of the procedure, for the purpose of setting the amount of the penalty for infringement of article 28 of the RGPD to VDF as responsible for the aforementioned offense typified in article 83.4.a) of the RGPD, the fine that should be imposed should be graduated as follows:

Infringement for breach of the provisions of article 28 in relation to article 24 of the RGPD, typified in article 83.4.a) and classified as serious for the purposes of prescription in article 73, sections j), k), p) of the LOPDGDD.

In the present case, the following graduation criteria are considered concurrent:

- The nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operations in question; referring to nature and severity, it is established that the treatments under analysis respond to a manifest situation of imbalance to the detriment of the rights of the interested parties.
- The intentionality or negligence appreciated in the commission of the infraction; in the present case, there is serious negligence in the conduct of VDF since, after repeated claims and knowing the facts now analyzed, it continues without applying appropriate corrective measures.
- The continuing nature of the offense. In the case under examination, an offense of long duration is proven, from the second quarter of 2018 to date.
- The high link of the activity of the offender with the performance of treatment of personal information. It is known that VDF is an entity with more than fifteen million clients whose personal data are systematically processed in the exercise of its attributions as one of the main telecommunications operators.
- The benefits obtained as a result of the commission of the offense. It is obvious that the treatments of the marketing actions now analyzed respond to profit making.
- The status of the responsible entity as a large company and its turnover (according to the audited annual accounts report corresponding to the period March 2018 to March 2019, more than 1,600 million euros of turnover and more than 4,000 employees).
- High volume of data and processing that constitutes the object of the file. The documentation provided by VDF shows that the marketing actions processed exceed two hundred million.
- High number of affected. They comprise, at least, the 162 claimants.
- The imputed entity (VDF) does not have adequate procedures for the hiring and effective monitoring of those in charge of the treatment, so that the infringement is not the consequence of a specific anomaly in the operation of these procedures but a persistent and continuous defect of the personal data management system designed by the person responsible with regard to the treatments delegated to those in charge of the treatment.

Considering the exposed factors, the initial assessment of the amount of the fine for the infringement charged under art. 28 of the RGPD is €4,000,000 (four million euros) and for the infringement charged under art. 44 of the RGPD, typified in Article 83.5.c) of the RGPD, is €2,000,000 (two million euros).

XI

Both the initiation agreement and the proposed resolution warned of the following:

“If the infringement is confirmed, it could also be agreed to impose on the person responsible (Vodafone España, SAU) the adoption of appropriate measures to adjust its action to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to which each control authority may “Order the person in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period…”.
In this case, in the resolution adopted, this Agency may require the responsible entity to adapt, within the period to be determined, the processing operations delegated to the managers to the personal data protection regulations, all with the scope expressed in the Fundamentals of Law of the present agreement and without prejudice to what results from the instruction.

It is noted that not meeting the requirements of this body may be considered a serious administrative offense for “not cooperating with the Authority of control” in view of the requirements made, and such conduct may be assessed at the time of the opening of an administrative procedure punishable by a pecuniary fine”.

In the present case, in the operative part of this Resolution, by virtue of the corrective powers indicated in article 58.2.d) of the RGPD, VDF is ordered to accredit to this AEPD, within six months from the notification of this Resolution, that it has adjusted to the provisions of the RGPD and LOPDGDD all the treatment operations analyzed in the present procedure referred to in articles 17, 21, 24, 28 and 44 to 49 of the RGPD and 12, 15, 18, 23, 40 to 43 of the LOPDGDD.

XII

Article 21 of the LSSICE. Prohibition of commercial communications made via email or equivalent electronic means of communication.

<< 1. The sending of advertising or promotional communications by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by the recipients of the same is prohibited.

2. The provisions of the previous section shall not apply when there is a prior contractual relationship, provided that the provider had lawfully obtained the recipient's contact details and uses them to send commercial communications related to products or services of its own company that are similar to those that were initially contracted with the client.

In any case, the provider must offer the recipient the possibility of opposing the processing of their data for promotional purposes using a simple and free procedure, both at the time of data collection and in each of the commercial communications directed to them.

When the communications have been sent by email, said means must necessarily consist of the inclusion of an email address or other valid electronic address where this right can be exercised; it is forbidden to send communications that do not include said address. >>

In the present case, it is established that the treatments carried out by sending electronic communications (SMS, email) through the different channels used lack the express authorization of the recipients. Communications made via SMS were carried out without offering the recipient an effective and proven possibility to object to the treatment. This possibility was not implemented until November 2018 through a link to an exclusive website for this purpose, without it becoming effective every time the opposition exercises were not attended.

In addition, it is clear that commercial communications have been made in the name and on behalf of VDF by electronic means to recipients who had not expressly authorized them and who had no commercial relationship with VDF.
From the evidence obtained, it is observed that the VDF procedure for carrying out direct marketing actions through commercial electronic communications to potential clients does not guarantee compliance with Article 21 of the LSSICE, when addressing the actions of sending SMS to numbers and randomly generated addresses, which prevents verifying the existence of prior and express authorization or, failing that, the existence of a prior commercial relationship for similar services.

XIII

Article 38 of the LSSICE. Infractions.

"1. Violations of the precepts of this Law will be classified as very serious, serious and minor.

2. The following are very serious offenses:
a) (No content)
b) Failure to comply with the obligation to suspend transmission, data hosting, access to the network or the provision of any other equivalent intermediation service, when a competent administrative body orders it, by virtue of the provisions of article 11.
c) (Repealed)
d) (Repealed)

3. The following are serious offenses:
c) The massive sending of commercial communications by email or other equivalent electronic means of communication, or their insistent or systematic sending to the same recipient of the service, when the requirements established in article 21 are not met in said shipments.
d) The significant breach of the obligation of the service provider established in section 1 of article 22, in relation to the procedures to revoke the consent given by the recipients.

XIV

Article 39 of the LSSICE. Sanctions.

<< 1. For the commission of the infractions included in the previous article, the following sanctions will be imposed:
a) For the commission of very serious offenses, a fine of 150,001 to 600,000 euros.
The reiteration within three years of two or more very serious offenses, sanctioned by final resolution, may give rise, depending on their circumstances, to the sanction of prohibition of action in Spain, for a maximum period of two years.
b) For the commission of serious offenses, a fine of 30,001 to 150,000 euros. >>

Article 40 of the LSSICE. Grading of the amount of penalties.

“The amount of the fines that are imposed will be graduated according to the following criteria:
a) The existence of intentionality.
b) Period of time during which the offense has been committed.
c) The recidivism by commission of infractions of the same nature, when thus has been declared by final resolution.
d) The nature and amount of the damages caused.
e) The benefits obtained by the infringement.
f) Billing volume affected by the infringement committed.
g) Adherence to a code of conduct or an advertising self-regulation system applicable with respect to the offense committed, which complies with the provisions of article 18 or the eighth final provision and that has been favorably informed by the competent body or bodies”.

In the present case, the aggravating factors from a) to f) indicated in the above transcribed art. 40 of the LSSICE are assessed against the VDF entity.

XV

Article 45 of the LSSICE. Prescription.

“Very serious infractions will prescribe after three years, serious ones after two years and minor ones after six months; the sanctions imposed for very serious offenses will prescribe after three years, those imposed for serious offenses after two years and those imposed for minor offenses after one year”.

In the present case, there is no prescription of the serious offenses committed by VDF.

XVI

The facts presented could imply for Vodafone España, SAU the commission of an infringement of article 21 of the LSSICE.
These offenses are classified as serious in article 38.3.c) and d) of the aforementioned Law; each may be sanctioned with a fine of €30,001 to €150,000, in accordance with article 39 of the aforementioned LSSICE.

XVII

After the evidence obtained in the preliminary investigations and instruction phase, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established by art. 40 of the LSSI:

- The existence of intentionality, an expression that must be interpreted as equivalent to the degree of guilt according to the Judgment of the National Court of 11/12/2007 issued in Appeal no. 351/2006, it being for the denounced entity to determine a system for obtaining informed consent that conforms to the mandate of the LSSICE (section a).
- Period of time during which the offense has been committed, since it is the claim of May 2018 (section b).
- The recidivism by commission of infractions of the same nature, when thus has been declared by final resolution, as the recidivism of the same conduct that was sanctioned in the reference procedure PS/00290/2018 has been accredited (section c).
- The nature and amount of the damages caused, in relation to the volume of users affected by the infringement, more than 12 million commercial marketing actions (section d) and more than 200 million commercial actions.
- The benefits obtained by the infringement, in relation to the volume of users affected by the offense (section e).
- Billing volume affected by the infringement committed, since it exceeds one thousand six hundred million euros in the accounting period from March 31, 2018 to March 31, 2019 (section f).

In accordance with these criteria, it is deemed appropriate to impose on Vodafone España, SAU, for violation of article 21 of the LSSI, a penalty of €150,000 (one hundred fifty thousand euros).
XVIII

Article 48.1.b) of the LGT

<< Article 48. Right to the protection of personal data and privacy in relation to unsolicited communications, traffic and location data and subscriber directories.

1. Regarding the protection of personal data and privacy in relation to unsolicited communications, end users of electronic communications services will have the following rights:
b) To oppose receiving unwanted calls for commercial communication purposes that are carried out through systems other than those established in the previous letter and to be informed of this right >>.

In the present case, it is proven that commercial actions have been carried out in the name and on behalf of VDF through calls to recipients (end users) who had expressed their opposition, either before the calling entity, or by prior inclusion in Adigital's Robinson exclusion list and/or the internal exclusion lists of each of the entities involved in the treatment entrusted by VDF in its own name.

From the evidence obtained, indicated in the antecedents, it is observed that the VDF procedure to carry out direct marketing actions through telephone calls does not guarantee compliance with the right of opposition of the end users it contacts not to receive commercial calls, neither in the case of:
1. campaigns managed directly by VDF, nor in
2. campaigns managed by managers and sub-managers, either using VDF's own database, for which it does not verify that it is used complying with its instructions, or using the databases of those in charge of the treatment hired in the name and on behalf of VDF.

VDF does not know how the treatment is carried out by the managers and their sub-managers.
It does not know the contracts between them, and therefore does not have information on the origin of the data or on who assumes, in this subcontracting, the obligatory consultation of the advertising exclusion files.

It is also established that VDF does not communicate an exercise of the right of opposition that it has satisfied at the request of an affected party or after the resolution of a claim before the AEPD to those in charge, and that these in turn subcontract the material realization of the calls.

This situation has the consequence of reducing the exercise of the right of opposition provided for in the aforementioned precepts, and makes the opposition procedure ineffective, as nothing prevents commercial calls from being made again to those affected who are in the cases described.

XIX

Article 77.37 LGT. Serious offenses.

<< The following are considered serious offenses:
37. The serious violation of the rights of consumers and end users, as established in Title III of the Law and its implementing regulations. >>

In the present case, the facts analyzed are considered a serious infraction given the great volume of marketing actions carried out and claims received in this AEPD as a consequence of the violation of the rights of the interested parties, as well as the excessive and continuous duration of the marketing actions carried out in the name and on behalf of VDF.

Article 83. Prescription

<< 1. The infractions regulated in this Law will prescribe: the very serious ones, after three years; the serious ones, after two years; and the minor ones, after one year.

The prescription period for infringements will begin to run from the day on which they had been committed. The initiation, with the knowledge of the interested party, of the sanctioning procedure will interrupt the prescription.
The limitation period will run again if the sanctioning file was paralyzed for more than a month for cause not attributable to the presumed responsible.

In the event of continued infringement, the initial date of the computation will be that in which the infringing activity or that of the last act with which the infringement is consumed. However, it will be understood that the offense persists as long as the equipment, apparatus or facilities that are the subject of the file are not at the disposal of the Administration or there is reliable evidence of the impossibility of their use.

2. The sanctions imposed for very serious offenses will prescribe after three years; those imposed for serious offenses, after two years; and those imposed for minor offenses, after one year. The limitation period of sanctions will begin to be computed from the day following the one in which the resolution imposing the sanction. The prescription shall be interrupted by the initiation, with the knowledge of the interested party, of the execution procedure, the term running again if it is paralyzed for more than a month for reasons not attributable to the offender. >>

XX

Article 79.1.c) LGT. Sanctions.

<< 1. For the commission of the offenses typified in the previous articles, the following sanctions will be imposed:
c) For the commission of serious offenses, the offender will be fined up to two million euros. >>

XXI

The facts presented suppose the commission by VDF of an infraction of Article 48.1.b) of the LGT, contained in its Title III, which indicates the right: “(…) b) To object to receiving unwanted calls for commercial communication purposes that are carried out through systems other than those established in the previous letter and to be informed of this right”.
Although the aforementioned article does not explicitly configure such right, one must turn to the data protection regulations already indicated in the previous Fundamentals of Law, which regulate the right of opposition: article 21 of the RGPD and article 23 of the LOPDGDD.

This offense is classified as "serious" in article 77.37) of said norm, which considers as such: “37. The serious violation of the rights of consumers and end users, as established in Title III of the Law and its development regulations”, and may be sanctioned with a fine of up to €2,000,000, in accordance with article 79.1.c) of the aforementioned LGT.

In accordance with the indicated precepts, in order to set the amount of the sanction to impose in the present case, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in article 80.1) and 2) of the LGT:

<< 1. The amount of the penalty imposed, within the limits indicated, will be graduated taking into account, in addition to the provisions of article 131.3 of Law 30/1992, of November 26, on the Legal Regime of Public Administrations and Common Administrative Procedure (it must be understood as referring to article 29 of Law 40/2015, of October 1, of the RJSP), the following:
a) The seriousness of the offenses previously committed by the subject being sanctioned.
b) The social repercussion of the infractions.
c) The benefit that the fact that is the subject of the offense has brought to the offender.
d) The damage caused and its repair.
e) Voluntary compliance with the precautionary measures that, where appropriate, are imposed in the sanctioning procedure.
f) Refusal or obstruction of access to the facilities or to provide the required information or documentation.
g) The cessation of the infringing activity, previously or during the processing of the sanctioning file.

2. The financial situation of the offender will also be taken into account when setting the sanction, derived from their assets, their income, their possible family charges and other personal circumstances that are proven to affect them.

The offender will be obliged, where appropriate, to pay the fees that they would have had to pay in the event of having made the notification referred to in article 6 or having enjoyed a title for the use of the public radioelectric domain >>.

In the specific case, the following aggravating factors are indicated to quantify the fine:

a) The seriousness of the offenses previously committed by the subject being sanctioned. It is clear that the entity has been sanctioned with a fine or warning more than 50 times from January 2018 to February 2020.

b) The social repercussion of the infractions. The fact that there are 162 claims in a term of just under two years, as recorded in the AEPD, and the large number of marketing actions through phone calls (about two hundred million marketing actions) allows the strong repercussion of the treatments now analyzed to be appreciated.

c) The benefit that the fact that is the subject of the offense has brought to the offender. All commercial actions are aimed at increasing the profits reported, which can be estimated by the increase in customers between 2018 and 2020: In mobile telephony, the number of mobile telephone contract clients amounted to 11.4 million at the end of the quarter. In fixed broadband, the customer base grew again to reach 3.2 million. In fiber, it increased by 60,000 to close the year with 2.9 million. On Vodafone TV, the number of clients grew by 36,000 and exceeded 1.3 million at the close of the last quarter.

d) The damage caused and its repair. The damage caused to the privacy of those affected who, even having exercised their right of exclusion from marketing actions, were contacted again for the same purpose, sometimes repeatedly and insistently.
f) Refusal or obstruction of access to the facilities or to provide the required information or documentation. It is clear that VDF has not met the latest requirements of information issued by this AEPD (E/07056/2019 and E/08284/2019).

g) There is also no evidence of the cessation of the infringing activity, previously or during the processing of the investigation file, or even after the face-to-face inspection at the VDF premises in September 2019, since subsequent claims before this AEPD for the same facts are on record.

In relation to the financial situation of the offender, it is clear that VDF is one of the largest telecommunications operators, with annual turnover of more than 1,600 million euros and more than 4,000 employees.

After the evidence obtained in the preliminary investigations phase, it is considered that the penalty to be imposed should be graduated in the amount of €2,000,000 (two million euros).

Therefore, in accordance with the applicable legislation and having assessed the graduation criteria of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE on VODAFONE ESPAÑA, SAU, with NIF A80907397, for an offense of Article 28 of the RGPD in relation to Article 24 of the RGPD, typified according to Article 83.4.a) of the RGPD, an administrative penalty of four million euros (€4,000,000).

IMPOSE on VODAFONE ESPAÑA, SAU, with NIF A80907397, for infringement of Article 44 of the RGPD, typified in accordance with article 83.5.c) of the RGPD, an administrative penalty of two million euros (€2,000,000).
IMPOSE on VODAFONE ESPAÑA, SAU, with NIF A80907397, for infringement of Article 21 of the LSSICE, classified as serious in Article 38.3.d) and c) of said regulation, a sanction of one hundred and fifty thousand euros (€150,000).

IMPOSE on VODAFONE ESPAÑA, SAU, with NIF A80907397, for infringement of article 48.1.b) of the LGT, in relation to article 21 of the RGPD and article 23 of the LOPDGDD, classified as serious in article 77.37 of the LGT, a sanction of two million euros (€2,000,000).

ORDER VODAFONE ESPAÑA, SAU, with NIF A80907397, to certify before this AEPD, within six months from the notification of this Resolution, that it has adjusted to the provisions of the RGPD and LOPDGDD all the treatment operations analyzed in this procedure referring to Articles 17, 21, 24, 28 and 44 to 49 of the RGPD and 12, 15, 18, 23, 40 to 43 of the LOPDGDD.

SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, SAU, with NIF A80907397, with address at Avda. De América 115, 28042 Madrid.

THIRD: Warn the sanctioned party that the sanction imposed must be made effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of its deposit, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection in the banking entity CAIXABANK, SA. Otherwise, it will be collected in the executive period.
Once the notification has been received and once it is enforceable, if the date of enforceability falls between the 1st and the 15th of each month, both inclusive, the deadline to make the voluntary payment will be until the 20th of the following month or the immediately subsequent business day, and if it falls between the 16th and the last day of each month, both inclusive, the payment term will be until the 5th of the second following month or the immediately subsequent business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month counting from the day after the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses their intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. They must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Agency for Data Protection

ANNEX (Sorted by date of entry of the claim in the AEPD)

Column legend: : Sequential order number
R / D / C: Róbinson / D igh / Express consent
PF / PJ: Natural Person / Legal Person
LGT / PD / LSSI: Violated law
F. Robin.credit: Accredited date of inclusion in advertising exclusion lists
LINE: Sender / Receiver
F. LINE CALL: Date of the advertising action
REFER. AEPD: Claim reference code in the AEPD
CLAIMANT: Claimant's name (the number indicates the times claimed)
CLAIM TEXT: Text of the claim submitted by the claimant