AEPD (Spain) - PS/00433/2020: Difference between revisions

From GDPRhub
No edit summary
 
(No difference)

Latest revision as of 14:40, 13 December 2023

AEPD - PS/00433/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 03.02.2021
Fine: 24.000 EUR
Parties: Xfera Móviles, S.A. (MásMóvil)
National Case Number/Name: PS/00433/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish DPA (AEPD) finalised the sanction procedure against Xfera Móviles, S.A. (the defendant) for infringing Article 58(2) GDPR due to an alleged infraction of the right of access by a data subject. The defendant agreed to an early and guilty voluntary payment of €24,000 instead of the initial fine suggested by the AEPD (€40,000).

English Summary

Facts

The decision is the consequence of a sanction procedure started by the AEPD against the defendant due to a complaint submitted by a Spanish citizen (the claimant) stating that, although he had requested his right of access referring to his registration as new customer, the defendant did not answer such requirement nor handed him the recording of their phone calls referring to the registration.

Dispute

The AEPD requested the defendant twice to answer the requirement by the claimant, but the defendant did not answer nor made any action, so the AEPD started the corresponding sanction procedure.

Holding

Without prejudice to the results of the final investigations corresponding to the sanction procedure, the AEPD understood that the defendant could have breached article 58(2)(c) GDPR: on the basis of the available evidence, the defendant did not answer the requirements of the AEPD regarding the exercise of rights by the claimant. Consequently, after considering some aggravating/mitigating circumstances [(i) the defendant has not obtained direct benefits, (ii) former infractions by the defendant, (iii) the total absence of cooperation with the AEPD in order to fix this situation], the AEPD understood that, in case the sanction procedure resulted in a successful decision, this infringement would be fined with 40,000 € to the defendant. In this sense, the AEPD offered the defendant the possibility to settle the issue before the decision takes place by agreeing to a voluntary payment of part of the fine, with two possible discounts based on acknowledgement of guiltiness (32,000 €) and earliness (24,000€). The defendant agreed to both, so it paid 24,000 € and the sanction procedure was closed by the AEPD.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Page 1
1/11 Procedure No.: PS / 00433/2020RESOLUTION R / 00065/2021 FOR THE TERMINATION OF THE PROCEDURE FOR PAYMENTVOLUNTARYIn the sanctioning procedure PS / 00433/2020, instructed by the Spanish Agency forData Protection to XFERA MÓVILES, SA , considering the complaint filed byAAA , and based on the following,BACKGROUNDFIRST: On January 20, 2021, the Director of the Spanish Agency forData Protection agreed to initiate a sanctioning procedure against XFERA MÓVILES,SA (hereinafter, the defendant), through the Agreement that is transcribed:<<Procedure Nº: PS / 00433/2020AGREEMENT TO INITIATE THE SANCTIONING PROCEDUREOf the actions carried out by the Spanish Agency for Data Protection and inbased on the following:BACKGROUNDFIRST: The Spanish Agency for Data Protection proceeded to open theguardianship of law, TD / 00169/2019, upon having knowledge of the following facts:On January 9, 2019, D . AAA (hereinafter the claimant) exercisedright of access to XFERA MÓVILES, SA with NIF A82528548 (asthe claimed one), without your request having received the answer legallyestablished.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/11The claimant provided various documentation related to the claimraised before this Agency and on the exercise of the right exercised and indicates that thecomplained refuses to provide the recordings that were made when carrying out thehigh portability, as well as the cancellation of the contracting of services.The claim transferred and notified on February 28 and May 17of 2019 , did not present allegations.SECOND: The Director of the Spanish Agency for Data Protection, issued on 23September 2019 resolution of legal protection TD / 00169/2019,proceeding to the claim lodged by D . AAA and urge theentity XFERA MÓVILES, SA with NIF A82528548 so that, within tenbusiness days following notification of this resolution, send the claimantcertification stating that you have met the right of access exercisedfor this one. Actions carried out as a consequence of this ResolutionThey must be communicated to this Agency within the same period. Failure to comply with thisresolution could lead to the commission of the offense considered in article72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with art. 58.2 GDPR.Said agreement was notified to the respondent on October 15, 2019.THIRD: Dates January 8, 2020 and November 17, 2020, were receivedin this Agency two separate writings of the claimant in which he states thatafter the deadlines granted to the respondent, she failed to comply with the aforementioned resolution.FOURTH: It is established that, on February 18, 2020, XFERA was required againMÓVILES, SA, compliance with the above-referenced resolution, as evidenced by thepractice of notification through postal services. Being delivered thenotification to the respondent on February 20, 2020.Once the term granted for compliance with the aforementionedResolution, compliance with this Agency does not appear.ACTS:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/11SOLE: The entity XFERA MÓVILES, SA has not sent the complainant certificationin which it is stated that you have met the right of access exercised by him,Despite the resolution of protection of right TD / 00169/2019 issued by the Director of theSpanish Agency for Data Protection.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of Regulation (EU) 2016/679, of theEuropean Parliament and of the Council, of April 27, 2016, regarding the Protection ofIndividuals with regard to the Processing of Personal Data and theFree Circulation of this Data (General Data Protection Regulation, inhereinafter RGPD) recognizes each control authority and, as established in theArticles 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on ProtectionPersonal Data and Guarantee of Digital Rights (hereinafter LOPDGDD),the Director of the Spanish Data Protection Agency is competent to initiatethis procedure.IIArticle 58 of the RGPD, " Powers ", says:“2 Each supervisory authority shall have all the following powerscorrective measures listed below:(…)b) sanction any person responsible or in charge of the treatment with warningwhen the treatment operations have infringed the provisions of thisRegulation;(...)d) order the person in charge of the treatment that the operations oftreatment are in accordance with the provisions of this Regulation, where appropriate,in a certain way and within a specified time frame.(…)C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/11i) impose an administrative fine in accordance with article 83, in addition to or instead ofthe measures mentioned in this section, depending on the circumstances of the caseparticular.IIIThe RGPD deals in its article 58 with the powers of each authority ofcontrol. Section 1.a) provides:"one. Each supervisory authority will have all investigative powerslisted below:a) order the controller and the person in charge of the treatment and, where appropriate, therepresentative of the person in charge or the person in charge, who provide any informationrequired for the performance of their duties.The infringement for which the IBERIA responsible entity is held responsible, isis typified in article 83 of the RGPD that, under the heading " Conditionsgeneral rules for the imposition of administrative fines ”, it states:"5 . Violations of the following provisions will be sanctioned, in accordancewith section 2, with administrative fines of a maximum of 20,000,000 Euros or,in the case of a company, an amount equivalent to a maximum of 4% of thetotal annual global business volume of the previous financial year, opting forthe highest amount:e) failure to comply with a resolution or a temporary or definitive limitationtreatment or suspension of data flows by the authority ofcontrol pursuant to Article 58 (2), or failure to provide access in breachof article 58, paragraph 1. "Organic Law 3/2018, on the Protection of Personal Data and Guarantee ofDigital Rights (LOPDGDD) in its article 72.1 m), under the heading “ Infractionsconsidered very serious ” provides:"one. Based on what is established in article 83.5 of the Regulation (EU)2016/679 are considered very serious and will prescribe after three years the infractions thatsuppose a substantial violation of the articles mentioned in that and, inC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/11in particular, the following:(…)m) Failure to comply with the resolutions issued by the protection authorityof data competent in exercise of the powers conferred on it by article 58.2of Regulation (EU) 2016/679 . "IVIn the case analyzed here, it has been proven that the claimant exercisedyour right of access to the defendant entity, your request did not obtain the answerlegally enforceable.Likewise, after the evidence obtained, it is established that the claimed party did notHe complied with the right of access or informed this Agency of the actions carried out,the claimant exercised the right of access to some voice recordings in front of theclaimed and this is denied unless they are requested by claimraised before this Agency. Regarding the latter, it should be noted thatmeet the right when it is exercised and not when a claim is filed beforethis Agency.On the other hand, the claim was transferred to the defendant and did not reply tothis Agency.VIn order to determine the administrative fine to be imposed, theprovisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate :"Each supervisory authority will guarantee that the imposition of finesadministrative under this article for the infractions of thisRegulations indicated in paragraphs 4, 9 and 6 are in each individual caseeffective, proportionate and dissuasive. "C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/11" Administrative fines will be imposed, depending on the circumstances ofeach individual case, as an additional or substitute for the measures contemplated in theArticle 58, paragraph 2, letters a) to h) and j). When deciding to impose a fineadministrative and its amount in each individual case will be duly taken into account:a) the nature, severity and duration of the offense, taking into account thenature, scope or purpose of the processing operation in questionas well as the number of affected stakeholders and the level of damage anddamages they have suffered;b) intentionality or negligence in the infringement;c) any measure taken by the controller or processorto mitigate the damages suffered by the interested parties;d) the degree of responsibility of the person in charge of thetreatment, taking into account the technical or organizational measures that haveapplied by virtue of articles 25 and 32;e) any previous infringement committed by the person in charge or the person in charge of thetreatment;f) the degree of cooperation with the supervisory authority in order toremedy the violation and mitigate the possible adverse effects of the violation;g) the categories of personal data affected by the infringement;h) the way in which the supervisory authority learned of the infringement,in particular if the person in charge or the person in charge notified the infraction and, in suchcase, to what extent;i) when the measures indicated in Article 58 (2) have beenpreviously ordered against the person in charge or the person in chargein relation to the same matter, compliance with said measures;j) adherence to codes of conduct under article 40 or to mechanismscertification approved in accordance with Article 42, andk) any other aggravating or mitigating factor applicable to thecircumstances of the case, such as the financial benefits obtained or thelosses avoided, directly or indirectly, through the infringement. "Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76," Sanctions and corrective measures", provides:"2. In accordance with the provisions of article 83.2.k) of Regulation (EU)2016/679 may also be taken into account:a) The continuing nature of the offense.b) The linking of the offender's activity with the performance of treatmentsC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/11of personal data.c) The benefits obtained as a result of the commission of the offense.d) The possibility that the affected person's conduct could have led to thecommission of the offense.e) The existence of a merger process by absorption after the commissionof the infringement, which cannot be attributed to the absorbing entity.f) Affecting the rights of minors.g) To have, when not mandatory, a delegate for the protection ofdata.h) The submission by the person in charge or in charge, with charactervoluntary, to alternative dispute resolution mechanisms, in thoseassumptions in which there are controversies between those and any interested party. "In accordance with the transcribed precepts, and without prejudice to what results from theinstruction of the procedure, in order to fix the amount of the fine sanction toimpose in the present case the claimed entity as responsible for ainfraction typified in article 83.5.e) of the RGPD, in an initial assessment,the following factors are considered concurrent:- Has not obtained direct benefits (83.2 k) RGPD and 76.2.c) LOPDGDD).-Any previous infraction committed by the person in charge or in charge of thetreatment (83.2 e, of the RGPD).-The null cooperation with the AEPD in order to remedy the infractionand mitigate its effects (article 83.2.f, of the RGPD).It is appropriate to graduate the sanction to impose on the claimed and set it at the amount of€ 40,000 for the violation of article 58.2 of the RGPD.Therefore, based on the foregoing, by the Director of theSpanish Agency for Data Protection, IT IS AGREED:FIRST: INITIATE SANCTIONING PROCEDURE against XFERA MÓVILES, SA,with NIF A82528548, for the alleged violation of article 58.2 of the RGPD, typifiedin art. 83.5 e) of the RGPD.SECOND: ORDER XFERA MÓVILES, SA, with NIF A82528548, in accordancewith the provisions of article 58.2 d) of the RGPD, so that within one monthproceed to send the complainant a certification stating that he has attendedthe right of access exercised by the latter, despite the resolution of legal protectionC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/11TD / 00169/2019 issued by the Director of the Spanish Agency for the Protection ofData..THIRD: APPOINT Mr. BBB as instructor and Ms. BBB as secretary . CCC ,indicating that any of them may be challenged, if applicable, in accordance with theestablished in articles 23 and 24 of Law 40/2015, of October 1, on the RegimePublic Sector Legal (LRJSP).FOURTH: INCORPORATE to the sanctioning file, for evidentiary purposes, theclaim filed by the claimant and his documentation, the documentsobtained and generated by the General Subdirectorate for Data Inspection during theinvestigation phase, as well as the report of previous Inspection actions.FIFTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1October, of the Common Administrative Procedure of Public Administrations, theThe penalty that may correspond would be 40,000 euros, without prejudice to whatresult of the instruction.SIX: NOTIFY this agreement to XFERA MÓVILES, SA, with NIFA82528548, granting a hearing period of ten business days to formulatethe allegations and present the evidence that it deems appropriate. In his writing ofallegations, you must provide your NIF and the procedure number that appears in theheading of this document.If within the stipulated period it does not make allegations to this initiation agreement, the sameIt may be considered a resolution proposal, as established in article64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure ofthe Public Administrations (hereinafter, LPACAP).In accordance with the provisions of article 85 of the LPACAP, in the event that thepenalty to be imposed would be a fine, you may recognize your responsibility within theterm granted for the formulation of allegations to the present initiation agreement; thewhich will entail a reduction of 20% of the sanction to be imposed inthe present procedure, equivalent in this case to 8,000 euros. With the appC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 9
9/11of this reduction, the penalty would be established at 32,0000 euros, resolving theprocedure with the imposition of this sanction.In the same way, you may, at any time prior to the resolution of thisprocedure, carry out the voluntary payment of the proposed sanction, whichwill mean a reduction of 20% of its amount, equivalent in this case to8,000 euros. With the application of this reduction, the sanction would be established in32,000 euros and its payment will imply the termination of the procedure.The reduction for the voluntary payment of the penalty is cumulative to the correspondingapply for the recognition of responsibility, provided that this recognitionof responsibility is made manifest within the period granted to formulateallegations at the opening of the procedure. The voluntary payment of the referred amountin the previous paragraph it may be done at any time prior to the resolution. InIn this case, if both reductions should be applied, the amount of the penalty would beset at 24,000 euros.In any case, the effectiveness of either of the two mentioned reductions will beconditioned to the withdrawal or resignation of any action or remedy inadministrative against the sanction.In case you choose to proceed to the voluntary payment of any of the amountsindicated above (32,0000 euros or 24,000) euros, you must make it effectiveby entering the account number ES00 0000 0000 0000 0000 0000 open toname of the Spanish Data Protection Agency in Banco CAIXABANK,SA, indicating in the concept the reference number of the procedure that appears inthe heading of this document and the cause of reduction of the amount to whichwelcomes.Likewise, you must send proof of admission to the Subdirectorate General ofInspection to continue the procedure according to the quantityentered.The procedure will have a maximum duration of nine months from the date ofdate of the initiation agreement or, where appropriate, the draft initiation agreement.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 10
10/11After this period, its expiration will occur and, consequently, the file ofperformances; in accordance with the provisions of article 64 of the LOPDGDD.Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,There is no administrative appeal against this act.
Mar España Martí
Director of the Spanish Agency for Data Protection

>>SECOND : On January 28, 2021, the defendant has proceeded to pay thesanction in the amount of 24,000 euros making use of the two planned reductionsin the Initiation Agreement transcribed above, which implies the recognition of theresponsibility.THIRD : The payment made, within the period granted to formulate allegations tothe opening of the procedure, entails the waiver of any action or appeal in the processadministrative against the sanction and the recognition of responsibility in relation tothe facts to which the Initiation Agreement refers.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each authority ofcontrol, and as established in art. 47 of Organic Law 3/2018, of 5December, Protection of Personal Data and guarantee of digital rights (inhereinafter LOPDGDD), the Director of the Spanish Agency for Data Protectionis competent to sanction the infractions that are committed against saidRegulation; infractions of article 48 of Law 9/2014, of May 9, Generalof Telecommunications (hereinafter LGT), in accordance with the provisions of thearticle 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of theinformation and electronic commerce (hereinafter LSSI), as provided in article43.1 of said Law.IIArticle 85 of Law 39/2015, of October 1, on Administrative ProcedureCommon of Public Administrations (hereinafter, LPACAP), under the rubric" Termination of sanctioning procedures " provides the following:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 11
11/11"one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,the procedure may be resolved with the imposition of the appropriate sanction.2. When the sanction is solely of a pecuniary nature or it is possible to impose apecuniary sanction and other non-pecuniary sanction , but theinadmissibility of the second, the voluntary payment by the presumed responsible, inany time prior to the resolution, will imply the termination of the procedure,Except for the replacement of the altered situation or the determination of thecompensation for damages caused by the commission of the offense.3. In both cases, when the sanction is solely of a pecuniary nature, thecompetent body to resolve the procedure will apply reductions of, at least,20% of the amount of the proposed penalty, these being cumulative among themselves.The aforementioned reductions must be determined in the notice of initiationof the procedure and its effectiveness will be conditioned to the withdrawal or resignation ofany action or appeal in administrative proceedings against the sanction.The percentage of reduction foreseen in this section may be increasedregulations.In accordance with the above, the Director of the Spanish Agency for the Protection ofData RESOLVES :FIRST: DECLARE the termination of procedure PS / 00433/2020, ofin accordance with the provisions of article 85 of the LPACAP.SECOND: NOTIFY this resolution to XFERA MÓVILES, SA .In accordance with the provisions of article 50 of the LOPDGDD, thisResolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure as prescribed bythe art. 114.1.c) of Law 39/2015, of October 1, on Administrative ProcedureCommon of Public Administrations, interested parties may file an appealadministrative litigation before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-Administrative Jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.
Mar España Martí
Director of the Spanish Agency for Data Protection