AEPD (Spain) - PS/00448/2020
Latest revision as of 14:40, 13 December 2023
| AEPD - PS/00448/2020 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR; Article 17 GDPR; Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 05.03.2021 |
| Published: | 09.03.2021 |
| Fine: | 150,000 EUR |
| Parties: | Xfera Móviles S.A. |
| National Case Number/Name: | PS/00448/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Paola L. |
The Spanish DPA (AEPD) imposed a fine of €150,000 on Xfera Móviles S.A. (the defendant) for infringing Articles 17, 32 and 5(1)(f) GDPR and Article 21 LSSI. The fine was imposed after investigating two complaints received from the same data subject, who indicated that the defendant had not stopped sending marketing messages and that the data subject had been able to access a third party's personal data through the 'Mi Yoigo' platform.
English Summary
Facts
First, a data subject filed a complaint indicating that they had exercised their right to object to the use of their personal data for direct marketing purposes, but the defendant continued to send SMS to their mobile number. The complainant provided proof of having received more than 60 SMS within 30 days, which suggests that the defendant did not fulfil the complainant's request.
Second, the same complainant indicated that they had reported to the defendant that they were receiving a large number of SMS to their mobile number containing confidential information about third parties. The defendant told the complainant that it had noted the incident and that it would not reoccur. However, the defendant continued to send information related to third parties to the complainant, in particular a security code to access the "Mi Yoigo" platform, which the complainant used and was thereby able to view a third party's personal data. The access given allowed the complainant to view someone else's bills, phone number, address, bank account and account number, and gave the possibility of making changes to the third party's profile. The complainant also provided proof to this effect.
Dispute
Were the actions of the defendant a violation of the principles relating to the processing of personal data contained in Articles 5(1)(f) and 32 GDPR?
Holding
The AEPD held that this offense is considered 'grave' in accordance with Article 72(1)(k) LOPDGDD and falls under the criteria defined in Article 83(5)(a) GDPR, under which a company can be fined up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The AEPD imposed a fine of €150,000 for infringing the following provisions:
- Article 17 GDPR (right to erasure): €50,000 fine
- Article 32 GDPR (failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk): €30,000 fine
- Article 5(1)(f) GDPR (breach of the principle of integrity and confidentiality in the processing of customers' personal data): €50,000 fine
- Article 21 LSSI (Spanish Law on Information Society Services and Electronic Commerce), regarding the sending of commercial or advertising SMS without the express consent of the recipient: €20,000 fine
The AEPD indicated that the fine may be reduced to €90,000 for voluntary payment and admission of responsibility.
Comment
When imposing the fine, the AEPD considered:
- The duration of the violation, taking into account the scope or purpose of the data processing operation, as well as the damage caused to the data subject and third parties (Article 83(2)(a) GDPR)
- Negligence in the infringement, on verifying the lack of due diligence of the defendant in fulfilling its obligations with respect to the management of users' personal data (Article 83(2)(b) GDPR)
- The way in which the supervisory authority learned of the infringement, since this occurred through several complaints filed by the complainant (Article 83(2)(h) GDPR)
- The existence of a prior complaint.
Aggravating factors in accordance with Article 72(2)(a) & (b) LOPDGDD and Article 83(2)(k) GDPR:
- The continuing nature of the infringement, even though the defendant had stated that it had been corrected
- The nature of the defendant's activities with respect to the processing of personal data.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00448/2020 - RESOLUTION R/00180/2021

TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

In sanctioning procedure PS/00448/2020, instructed by the Spanish Data Protection Agency against XFERA MÓVILES, S.A., considering the complaint filed by A.A.A., and based on the following,

BACKGROUND

FIRST: On February 12, 2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against XFERA MÓVILES, S.A. (hereinafter, the respondent), by means of the Agreement transcribed below:

<< Procedure No.: PS/00448/2020 935-240719

AGREEMENT TO INITIATE SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency regarding the entity XFERA MÓVILES, S.A., with CIF A82528548 (hereinafter, "the respondent entity"), by virtue of a complaint filed by D. A.A.A. (hereinafter, "the claimant"), and based on the following:

FACTS

FIRST: On 10/16/20, a complaint filed by the claimant was entered in this Agency, in which the claimant indicated, among other things, the following:

"I initiated a claim with you dated 07/19/20, No. E/06604/2020, in which I indicated that the company had complied with the right of objection, and it was not admitted for processing (on the understanding that they had taken the appropriate measures). To this day, this operator continues to send SMS to my telephone line (screenshots in the attached file), more than 60 SMS in the last 30 days, so it is understood that this operator has not taken the measures indicated."
C/ Jorge Juan, 6 - 28001 Madrid - www.aepd.es - sedeagpd.gob.es

The complaint was accompanied by the following documents:
- Screenshots of 26 SMS, from 09/22/20 to 10/15/20, sent by the company Yoigo with advertising messages inviting the user to access certain web pages, such as http // shorturi.kairos365.com / MjkxNDM2 and http //: yoigo.kairos365.com/coronavirus, or to call the telephone numbers ***TELEPHONE.1 or ***TELEPHONE.2 to contract the promotions offered by the company.

SECOND: On 10/31/20, a second complaint was filed by the claimant, in which he indicated, among other things, the following:

"On 09/24/20 I sent an email to Yoigo (Más-Móvil), informing them that I was receiving a large number of SMS on my mobile line with confidential information from third parties; they told me that they had taken note and that it would not happen again. Well, to this day, this company has sent to my phone line an SMS with my phone number and a security code to access its platform ("Mi Yoigo"), which I have accessed, since it has my phone number, and I have been able to verify that I have accessed the personal data of a third party, someone else with whom I have nothing to do; I have seen their bills and the possibility of carrying out any procedure in their profile."

The complaint was accompanied by the following documents:
- Email sent from the address ***EMAIL.1, dated 09/24/20, to the address ***EMAIL.2@masmovil.com, denouncing the receipt of mass mailings of advertising SMS and of others containing the personal data of third persons.
- Reply email to the claimant, from the address ***EMAIL.2@masmovil.com, dated 09/24/20, indicating, among other things, that they had responded to his request for opposition dated 08/13/20 and that, regarding the commercial communications received after that date, these had been sent by a MASMOVIL agent that carries out operations with its own database; they committed to instruct that agent to delete his personal data from its databases and to stop the advertising.
- A screenshot, "My Yoigo Account - Manage your personal information and access data", from the web address https://miyoigo.yoigo.com/datos-personales, dated 10/31/20, showing that, with the claimant's phone number entered in the "user" box, the personal data, address and bank account number of a third person unrelated to the claimant are displayed. Also attached is the invoice for October 2020 for the services provided by the company to that third person, showing data such as name, address, checking account number and contact phone numbers.

THIRD: On 11/10/20, a third complaint was filed by the claimant, in which he indicated, among other things, the following:

"The complaint filed with that Agency, dated October 31, 2020, against the operator Yoigo (MásMóvil), for the fraudulent and repeated use of data, even after having been notified of these facts."

The complaint was accompanied by the following documents:
- Screenshots of 16 SMS, sent from 10/18/20 to 11/09/20 by the company Yoigo, informing the user of the existence of technical problems in the handling of his requests and of their subsequent correction.
FOURTH: On 11/30/20, the Director of the Spanish Data Protection Agency issued an agreement admitting for processing the complaints submitted by the claimant, in accordance with article 65 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).

LEGAL GROUNDS

I - Competence.

a) Regarding the processing of personal data:

The Director of the Spanish Data Protection Agency is competent to initiate and resolve this sanctioning procedure, by virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/16, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) grants to each supervisory authority, and as established in articles 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

Sections 1 and 2 of article 58 of the GDPR list, respectively, the investigative and corrective powers available to the supervisory authority, mentioning in point 1.d) that of "notifying the controller or the processor of an alleged infringement of this Regulation" and in 2.i) that of "imposing an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case".

b) Regarding the sending of advertising SMS without the consent of the interested party:

Pursuant to article 43.1, second paragraph, of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this sanctioning procedure.

II

From file No. E/06604/2020, followed by this Agency as a result of the first complaint filed by the claimant against the respondent entity, the following points must be borne in mind:

On 07/17/20, the claimant filed a complaint with this Agency, indicating that "he was receiving advertising messages on his mobile phone from the company complained of, which he had not authorized".

On 09/14/20, in response to the request made by this Agency regarding the reported events, the company indicated that: "we confirm that we have handled the claimant's right of opposition in relation to all the databases for which we are the controller, dated 13 August 2020 (…)".

On 09/25/20, the respondent entity, in response to this Agency's request for additional information, reported that: "In relation to the extension submitted by the claimant, as can be seen in the messages provided by him, they point to a 'url' with the domain hazmeclic.es, which is not owned by my client, as accredited through red.es, the database of that company not being under the responsibility of Xfera Móviles. Vector Software Factory, S.L. is a MASMOVIL distributor, with which an agency contract exists, which carries out commercial campaigns on its own initiative and on its own database, which, as we have indicated, is not under our responsibility, nor has it been provided by MASMOVIL. Notwithstanding the above, we will proceed to contact this agent in order to transfer to it the opposition of Mr. A.A.A., in order to satisfy the right of the interested party.
By email dated September 24, 2020, at 3:25 p.m., we informed the interested party of the following: 'We write to your email, to which we have had access within the framework of the procedure followed by the Spanish Data Protection Agency, E/06604/2020, in order to inform you of how we have proceeded in attending to your right of opposition. We hereby inform you that we proceeded to manage your right of opposition regarding the number XXX XXX XXX, by Xfera Móviles, S.L. (MásMóvil), dated August 13, 2020. In relation to the communications that the Spanish Data Protection Agency indicates you have received after that date, we inform you that we have verified that they were sent by an agent of the MASMOVIL brand, which carries out commercial actions on its own databases. In this sense, we inform you that we will transmit your request to exercise your right of opposition to this agent, after which we hope you will stop receiving our advertising.'"

Well, on 10/01/20, once the reasons given by the respondent entity had been considered, and taking the view that the controller had attended to the claim presented, this Agency agreed not to admit the submitted claim for processing, notifying the interested parties.

However, on 10/16/20, a second complaint filed by the claimant was entered in this Agency, indicating that the operator was still sending SMS to his telephone line, and attaching screenshots of more than 60 SMS received up to that day, for which reason he considered that the operator had not satisfactorily attended to the first claim and that the AEPD had rejected its processing on the opposite understanding.
A few days later, on 10/31/20, the claimant resubmitted a written complaint to this Agency, indicating that he had contacted the respondent entity on 09/24/20 to inform them that, although he had exercised the right to object before them, he continued to receive a huge number of advertising SMS, receiving as a response from the entity that it had responded to his request for opposition dated 08/13/20 and that it would not happen again; but the claimant again shows that he continued to receive SMS from the company after that date, providing a copy of all of them.

On 11/10/20, he once again submitted a new letter to this Agency providing advertising SMS from the respondent entity, up to 16 SMS, from 10/18/20 to 11/09/20.

Apart from all the above, the claimant also reports that he received an SMS from the company, to his phone number, with a security code to access the platform ("Mi Yoigo"), in which, once accessed, he was able to verify that the profile belongs to another user, yet he had access to the personal data of this person, to their invoices, and even the possibility of carrying out any procedure with that person's data.

III - On the breach of the right to erasure of personal data.

This section examines the alleged non-compliance, on the part of the respondent entity, with the erasure from its databases of all the personal data of the claimant, which the claimant had requested.
Article 17.1.c) of the GDPR establishes the right to erasure of the personal data of the data subject ("the right to be forgotten"):

"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (…) c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);".

From the documentation in the file followed by this Agency on the same reported facts (E/06604/2020), from the documentation presented by the claimant in the present sanctioning procedure (PS/00448/2020), and from the answers given by the respondent entity to the requests made by this Agency, set out in point II, it is verified that the known facts could constitute an infringement, attributable to the respondent, of article 17.1.c) of the GDPR, for breach of the data subject's right to erasure, when he had exercised the right of opposition before the entity and it had even confirmed that it had correctly managed that right.

Article 72.1.k) of the LOPDGDD considers very serious, for limitation purposes, "the impediment or obstruction of, or repeated failure to attend to, the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679". This offense may be punished with a fine of up to €20,000,000 or, in the case of an undertaking, an amount equivalent to up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with article 83.5.b) of the GDPR.
In accordance with the precepts indicated, and without prejudice to the outcome of the instruction of the procedure, in order to set the amount of the sanction to be imposed in this case, it is considered that the sanction should be adjusted according to the following aggravating criteria established in article 83.2 of the GDPR:
- The duration of the offense, taking into account the scope or purpose of the processing operation, as well as the damage caused to the data subject, since the entity stated that it had erased the complainant's data from its databases on 08/13/20 and continued to send advertising SMS until 11/09/20 (section a).
- Negligence in the infringement, on verifying the lack of due diligence of the respondent entity in fulfilling its obligations regarding the management of users' personal data (section b).
- The way in which the supervisory authority learned of the infringement, since this was through several complaints filed by the claimant (section h).
- The existence of a previous complaint, which was not admitted for processing by this Agency because the respondent entity affirmed that it had satisfactorily addressed the data subject's right to erasure (section k).

For its part, article 76.2 of the LOPDGDD establishes that, in accordance with article 83.2.k) of the GDPR, the following will be taken into account as aggravating factors of the sanction:
- The continuing nature of the infringement, since, although the respondent entity affirms that it erased the claimant's personal data from its databases on 08/13/20, it continued to send advertising SMS to his mobile, even after 11/08/20 (section a).
- The link between the offender's activity and the processing of personal data (section b).
The balance of the circumstances contemplated in article 83.2 of the GDPR, with regard to the offense committed by violating article 17 of the GDPR, allows an initial penalty of 50,000 euros (fifty thousand euros) to be set.

IV - On the lack of security measures in the company's systems.

This section examines the alleged non-compliance, on the part of the respondent entity, with security in the processing of its customers' personal data, since the claimant reports having received an SMS from the company, with his telephone number and a security code to access the platform ("Mi Yoigo"), in which he was able to verify that the profile belongs to another user, that he has access to this person's personal data and invoices, and that there is even the possibility of carrying out any procedure with that person's personal data.

The security of personal data is regulated in article 32 of the GDPR, which states:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, (…)"

The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

From the documentation in the file there are clear indications that the respondent has violated article 32 of the GDPR, due to a security breach in its systems: the sending to the claimant of an SMS with the access codes to the "Mi Yoigo" platform belonging to another customer of the company.
It should be noted that the GDPR, in the aforementioned precept, does not establish a list of the security measures applicable according to the data being processed, but establishes that the controller and the processor shall apply technical and organizational measures appropriate to the risk involved in the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of data subjects.

Article 73.g) of the LOPDGDD considers serious, for limitation purposes, "the breach, as a consequence of the lack of due diligence, of the technical and organizational measures implemented as required by article 32.1 of Regulation (EU) 2016/679". This offense can be sanctioned with administrative fines of up to 10,000,000 EUR or, in the case of an undertaking, of an amount equivalent to up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with article 83.4.a) of the GDPR.

In accordance with the precepts indicated, and without prejudice to the outcome of the instruction of the procedure, in order to set the amount of the sanction to be imposed in this case, it is considered that the sanction should be adjusted according to the following aggravating criteria established in article 83.2 of the GDPR:
- The duration of the offense, taking into account the scope or purpose of the processing operation in question (section a).
- Negligence in the infringement, on verifying the lack of due diligence of the respondent entity in fulfilling its obligations regarding the management of the security of its customers' personal data (section b).
- The way in which the supervisory authority learned of the infringement, since this was through the complaint filed by the claimant (section h).

For its part, article 76.2 of the LOPDGDD establishes that, in accordance with article 83.2.k) of the GDPR, the following will be taken into account as aggravating factors of the sanction:
- The link between the offender's activity and the processing of personal data (section b).

The balance of the circumstances contemplated in article 83.2 of the GDPR, with regard to the offense committed by violating article 32 of the GDPR, allows an initial penalty of 30,000 euros (thirty thousand euros) to be set.

V - On the consequences of the lack of adequate security measures.

This section examines the alleged non-compliance, on the part of the respondent entity, with security in the processing of its customers' personal data, since the claimant reports having received an SMS from the company, with his telephone number and a security code to access the platform ("Mi Yoigo"), in which he was able to verify that the profile belongs to another user, that he has access to this person's personal data and invoices, and that there is even the possibility of carrying out any procedure with personal data that is not his own.

The GDPR establishes, in article 5, the principles that must govern the processing of personal data and mentions among them that of "integrity and confidentiality". The article states, in point 1.f), that: "Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')".
Well, in accordance with the evidence available at the present moment, the fact that the claimed entity made it possible to view the personal data of a third person other than the claimant allows it to be verified that the claimed entity has not been able to guarantee the security of the processing of its clients' personal data, thereby showing a serious lack of due diligence and incurring, therefore, in the violation of article 5.1.f) of the RGPD, which establishes the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the controller to demonstrate its compliance.

Article 72.1.a) of the LOPDGDD considers very serious, for the purposes of prescription: "The processing of personal data violating the principles and guarantees established in Article 5 of Regulation (EU) 2016/679".

This offense may be punished with a fine of a maximum of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the higher amount, in accordance with article 83.5.b) of the RGPD.

In accordance with the indicated precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the sanction to be imposed in this case, it is considered that the sanction should be adjusted in accordance with the following aggravating criteria established in article 83.2 of the RGPD:

- The duration of the offense, taking into account the scope or purpose of the data processing operation, as well as the damages caused to the interested party and third parties (section a).
- Negligence in the infringement, on verifying the lack of due diligence of the claimed entity in the fulfillment of its obligations with respect to the management of users' personal data (section b).
- The way in which the supervisory authority learned of the infringement, since this was through several complaints filed by the claimant (section h).
- The existence of a previous complaint, which was not admitted for processing by this Agency because the claimed entity affirmed that it had satisfactorily resolved the problem posed (section k).

For its part, article 76.2 of the LOPDGDD establishes that, in accordance with article 83.2.k) of the RGPD, the following will be taken into account as aggravating factors of the sanction:

- The continuing nature of the infringement, since, although the claimed entity states that it solved the problems caused on 08/13/20, SMS containing data belonging to third parties continue to be sent to the interested party (section a).
- The link between the activity of the offender and the processing of personal data (section b).

The balance of the circumstances contemplated in article 83.2 of the RGPD, with regard to the offense committed by violating article 5.1.f) of the RGPD, allows setting an initial penalty of 50,000 euros (fifty thousand euros).

VI- On the sending of advertising SMS without the consent of the interested party.

This section examines the presumed non-compliance, by the claimed entity, with article 21 of the LSSI, which establishes the prohibition on sending advertising or promotional communications, by electronic means of communication, that had not previously been requested or expressly authorized.

Article 21 of the LSSI, on non-consensual commercial communications, states that:

"1. The sending of advertising or promotional communications by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by their recipients is prohibited.

2.
The provisions of the preceding section shall not apply when there is a prior contractual relationship, provided that the provider obtained the recipient's contact details lawfully and uses them to send commercial communications regarding products or services of its own company that are similar to those initially contracted with the client. In any case, the provider must offer the recipient the possibility of objecting to the processing of their data for promotional purposes through a simple and free procedure, both at the time of data collection and in each of the commercial communications addressed to them. When the communications have been sent by email, said medium must necessarily consist of the inclusion of an email address or another valid address where this right can be exercised, the sending of communications that do not include said address being prohibited."

From the documentation existing in the file followed by this Agency for the same facts reported (E/06604/2020), the documentation presented by the claimant in the present sanctioning procedure (PS/00448/2020), and the answers given by the claimed entity to the requests made by this Agency, set out in point II, it is verified that the known facts could constitute an infringement, attributable to the defendant, of Article 21 of the LSSI, for sending a large number of advertising SMS without the authorization of the interested party, and after the claimed entity had affirmed that it had complied with the interested party's request not to send him SMS again.

The aforementioned offense is classified as minor in art.
38.4.d) of said standard, which qualifies as such "Sending commercial communications by email or other equivalent electronic means of communication when such sendings do not meet the requirements established in article 21 and do not constitute a serious offense".

In accordance with article 39.1.c) of the LSSI, minor offenses may be sanctioned with a fine of up to €30,000, the criteria for its graduation being established in article 40 of the same rule.

After the evidence obtained, and without prejudice to what results from the instruction, it is considered that the sanction to be imposed should be adjusted in accordance with the following aggravating criteria, established in art. 40 of the LSSI:

- The existence of intentionality, an expression that must be interpreted as equivalent to degree of guilt according to the Judgment of the National Court of 11/12/07 handed down in Appeal no. 351/2006, it being incumbent on the reported entity to determine a system for obtaining informed consent that conforms to the mandate of the LSSI.
- The period of time during which the offense has been committed, since the entity stated that it had agreed, on 08/13/20, not to send any more SMS to the interested party, and continued to send SMS until 11/09/20 (the last SMS known to this Agency) (section b).

Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 20,000 euros (twenty thousand euros) for the violation of article 21 of the LSSI, regarding the sending of commercial communications by SMS without the consent of the affected party.
Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency AGREES:

INITIATE: A SANCTIONING PROCEDURE against the entity XFERA MÓVILES, S.A., with CIF: A82528548, for the following infractions:

- Infringement of article 17 of the RGPD, punishable in accordance with art. 58.2 of the aforementioned RGPD, for failing to delete the claimant's personal data from its databases, as requested by the claimant.
- Infringement of article 32 of the RGPD, punishable in accordance with art. 58.2 of the aforementioned RGPD, for breach of security in the processing of its clients' personal data.
- Infringement of article 5.1.f) of the RGPD, punishable in accordance with art. 58.2 of the aforementioned RGPD, for breach of the principle of integrity and confidentiality in the processing of its customers' personal data.
- Infringement of article 21 of the LSSI, regarding the sending of commercial or advertising SMS without the express consent of the recipient.

APPOINT: as Instructor Mr. R.R.R., and as Secretary, where appropriate, Ms. S.S.S., indicating that either of them may be challenged, if applicable, in accordance with articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

INCORPORATE: into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, all of them part of this administrative file.

THAT: for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on Common Administrative Procedure of Public Administrations, the sanction that could correspond would be:

- 50,000 euros (fifty thousand euros) for the violation of article 17 of the RGPD, without prejudice to what results from the instruction of this sanctioning procedure.
- 30,000 euros (thirty thousand euros) for the violation of article 32 of the RGPD, without prejudice to what results from the instruction of this sanctioning procedure.
- 50,000 euros (fifty thousand euros) for the violation of article 5.1.f) of the RGPD, without prejudice to what results from the instruction of this sanctioning procedure.
- 20,000 euros (twenty thousand euros) for the violation of article 21 of the LSSI, without prejudice to what results from the instruction of this sanctioning procedure.

Therefore, for the purposes provided for in the cited art. 64.2 b), the total sanction that could correspond would be 150,000 euros (one hundred and fifty thousand euros).

NOTIFY: this agreement to initiate the sanctioning file to the entity XFERA MÓVILES, S.A., granting it a hearing period of ten business days to formulate allegations and present the evidence it deems appropriate.

If within the stipulated period it does not make allegations to this initiation agreement, the agreement may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP).

In accordance with article 85 of the LPACAP, in the event that the penalty to be imposed is a fine, you may acknowledge your responsibility within the term granted for formulating allegations to the present initiation agreement, which will entail a reduction of 20% of the penalty to be imposed in the present procedure, equivalent in this case to 30,000 euros. With the application of this reduction, the penalty would be set at 120,000 euros, and the procedure would be resolved with the imposition of this sanction.
In the same way, you may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount, equivalent in this case to 30,000 euros. With the application of this reduction, the sanction would be set at 120,000 euros and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the penalty is cumulative with the one that applies for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions were applied, the amount of the penalty would be set at 90,000 euros (ninety thousand euros).

In any case, the effectiveness of either of the two mentioned reductions will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

If you choose to make voluntary payment of any of the amounts indicated above, you must do so by paying into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the payment concept the reference number of the procedure given in the heading of this document and the cause of the reduction of the amount to which you avail yourself. You must also send proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, it will expire and, consequently, the proceedings will be filed, in accordance with article 64 of the LOPDGDD.

Finally, it is pointed out that, in accordance with article 112.1 of the LPACAP, there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Data Protection Agency. >>

SECOND: On March 3, 2021, the defendant paid the sanction in the amount of 90,000 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.

LEGAL GROUNDS

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction the infractions committed against said Regulation; the infractions of article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with article 84.3 of the LGT; and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.
II

Article 85 of Law 39/2015, of October 1, on Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature, or it is possible to impose a pecuniary sanction and another non-pecuniary sanction but the inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage reduction provided for in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure PS/00448/2020, in accordance with article 85 of the LPACAP.

SECOND: NOTIFY this resolution to XFERA MÓVILES, S.A.

In accordance with article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of said Law.

936-031219

Mar España Martí
Director of the Spanish Data Protection Agency