AEPD (Spain) - PS/00452/2019: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 52: Line 52:
}}
}}


The Spanish DPA has fined Orange Espagne with €80000 for processing personal data without a legal basis.
The Spanish DPA has fined Orange Espagne with €80,000 for processing personal data without a legal basis.


==English Summary==
==English Summary==
Line 65: Line 65:
Orange replied to the AEPD that the consent had been unequivocal and did not attribute falsity to the line registrations that have met the regulatory recruitment requirements
Orange replied to the AEPD that the consent had been unequivocal and did not attribute falsity to the line registrations that have met the regulatory recruitment requirements
===Dispute===
===Dispute===
Is the processing of personal data, without the express consent of the person involved in the contract, a violation of Article 6 (1) (a) GDPR?
Is the processing of personal data, without the express consent of the person involved in the contract, a violation of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]?
 
<br />


===Holding===
===Holding===
The AEPD considered that ORANGE ESPAGNE did not act with due diligence to identify the contracting parties.  
The AEPD considered that ORANGE ESPAGNE did not act with due diligence to identify the contracting parties. Therefore, it processed personal data without accrediting that it had the legal basis to do so.
Therefore, it processed personal data without accrediting that it had the legal basis to do so.


Furthermore, it was not aligned with the principle of proactive liability, which consists of previously determining that it met the requirements for processing the complainant's data.
Furthermore, it was not aligned with the principle of proactive liability, which consists of previously determining that it met the requirements for processing the complainant's data.


The fact that it was a non-intentional negligent action, that basic personal identifiers were affected and the continued nature of the infringement were considered aggravating factors, determining the amount of the fine in €80000.
The fact that it was a non-intentional negligent action, that basic personal identifiers were affected and the continued nature of the infringement were considered aggravating factors, determining the amount of the fine in €80,000.


==Comment==
==Comment==

Latest revision as of 14:55, 13 December 2023

AEPD - PS/00452/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 83(5)(a) GDPR
72 (1) (a) LOPDGDD
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.08.2020
Published:
Fine: 80000 EUR
Parties: ORANGE ESPAGNE S.A.U.
National Case Number/Name: PS/00452/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA has fined Orange Espagne with €80,000 for processing personal data without a legal basis.

English Summary

Facts

A customer of the data controller filed a complaint with the Spanish DPA (AEPD), alleging that up to six phone lines had been opened in his name despite the data subject not having given his consent.

It was a fraud by which someone pretends to be a real client of the company - after obtaining their documentation - and calls the operator to contract voice or Internet products pretending to be that real user.

The situation also led to the inclusion of the customer who reported the operator in the files of ASNEF (Asociación Nacional de Establecimientos Financieros de Crédito), in whose records the customers of companies with outstanding invoices are stored.

Orange replied to the AEPD that the consent had been unequivocal and did not attribute falsity to the line registrations that have met the regulatory recruitment requirements

Dispute

Is the processing of personal data, without the express consent of the person involved in the contract, a violation of Article 6(1)(a) GDPR?

Holding

The AEPD considered that ORANGE ESPAGNE did not act with due diligence to identify the contracting parties. Therefore, it processed personal data without accrediting that it had the legal basis to do so.

Furthermore, it was not aligned with the principle of proactive liability, which consists of previously determining that it met the requirements for processing the complainant's data.

The fact that it was a non-intentional negligent action, that basic personal identifiers were affected and the continued nature of the infringement were considered aggravating factors, determining the amount of the fine in €80,000.

Comment

In a ruling dated 31 May 2006, the Spanish Audiencia Nacional established that the burden of proof lies with the data controller, who must collect and store the data in order to demonstrate the customer's consent.

In the judgement of the Audiencia Nacional of 12 May 2014 it was established that the value of unequivocal consent cannot be given to a telephone call. Similarly, payment of monthly bills arising from the contract cannot be considered as tacit consent.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

*Procedure No.: PS/00452/2019
180-100519
Appeal No. RR/00326/2020
The action for annulment brought by ORANGE ESPAGNE was examined,
S.A.U. against the resolution issued by the Director of the Spanish
Data protection in the sanctioning procedure PS/00452/2019, and on the basis
following:
DONE
FIRST: On 23 June 2020, the Director of the
Spanish Data Protection Agency in the sanctioning procedure
PS/00452/2019, imposing a penalty of EUR 80 000, for
violation of Article 6.1 of Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
natural persons with regard to the processing of personal data and the free
movement of such data and repealing Directive 95/46/EC (as regards
(hereinafter GPRD), an offense under Article 83(5)(a) of the GPRD and described as
very serious in article 72.1. a) of Organic Law 3/2018 of 5 December, on
Protection of Personal Data and guarantee of digital rights (hereinafter,
LOPDPGDD).
That decision was notified to the appellant on 25 June 2020,
was issued after the corresponding sanctioning procedure was carried out, of
in accordance with the provisions of the LOPDPGDD, and in addition to the LPACAP, in
processing of sanctioning procedures.
SECOND: As proven facts of the mentioned sanctioning procedure,
PS/00452/2019, the following was recorded:
FIRST - It is recorded that the claimant's data have been used for the
fraudulent contracting of the following lines: ***TELEPHONE.1, ***TELEPHONE.2
***telephone.3, ***Telephone.4, ***telephone.5 and ***telephone.6, and also
The inclusion in the solvency file of Asnef is recorded.
SECOND - Office of the National Police Force - Local Commissioner of Merida
dated 11 February 2019 addressed to the Juzgado de Instrucción nº 1 de Mérida
extension of Police Proceedings number 4602 dated 6 July 2018, in
which the appellant, by means of a handwritten complaint, brought to the attention of
National Police possible criminal offenses committed against him and his father
(A.A.A.).
THIRD - Diligences number 828632/2018 AT USCUALADA practiced by the
Directorate General of Police -Generalitat of Catalonia- dated 18 September
2018 as a result of the complaint made by B.B.B. by an alleged
the crime of fraud by the accused C.C.C.. 
FOURTH - Citation in the Procedure: PREVIEWS 440/2018 D agreed
by the Court of Instruction No. 5 of Igualada addressed to the defendant C.C.C. for
to give evidence as an investigator.
FIFTH - Order of the Court of First Instance and Preliminary Investigation No. 1 of Mérida
Date 18 March 2019, DPA Preliminary Proceedings Abbreviated 0000322/2018
decreeing the search for, arrest, and bringing to justice of C.C.C.
SIXTH - Six audio files of the recordings corresponding to the contracting
of various telecommunications services with the operator ORANGE, by
several people with unequal voices, on behalf of the appellant. In particular, according to
The latter has been presented:
In files 20130226175518_000001301_14_155 and
20130226175518_000001302_14_155, the voice is of C.C.C., person
denounced by the appellant to the police in Merida.
In files 20130831123000_000003282_21_222 and
20141217120502_000007492_21_222, the voice is that of his father, A.A.A.
In the files 20140612120501_000002896_21_222 and
20140817120501_000001578_21_222, the voice is that of C.C.C.'s son, his name
is D.D.D..
SEVENTH - Reply received by the respondent on 9 September 2007
2018 from the respondent stating that they have been able to verify that the
contracts and recordings have the full appearance of legality.
THIRD: ORANGE ESPAGNE, S.A.U. (the appellant) has submitted
on 15 July 2020, in this Spanish Data Protection Agency,
appeal for reconsideration on the basis of essentially the same facts and
arguments set out in the submissions to the motion for a resolution, i.e. "of the
nullity or invalidity of all acts dealt with in the files
E/004416/2018 and PS/00452/2019, pursuant to Article 47(1)
and 48.1 of Law 39/2015 of 1 October, on the limitation of the infringement of
article 6.1 of the RGPD typified in article 83.5 a) of the mentioned norm and
in the alternative, if the above annulment is not granted, order that the
The Commission has also decided to refer the matter to the Court of Justice.
the limitation period is deemed to have expired, agree that PS/00452/2019 should be closed without the imposition of
no sanction; in the alternative, if the above-mentioned file is not deemed to be closed, issue a new
Resolution imposing a graduated penalty in the terms that Orange
was always fully aware that the data provided by theThe recruitment process was real and he could not see the possibility of a
alleged fraudulent recruitment".
LEGAL BASES
I
The Director of the Agency is competent to decide on this action
Spanish Data Protection Authority, in accordance with the provisions of Article 48.1
of the LOPDPGDD.
II
With regard to the statements made by the appellant, it is reiterated
basically in the allegations already made in the course of the proceedings
It should be noted that all of them have already been analyzed and rejected in
the Legal Basis from II to IV inclusive, of the Resolution under appeal,
as transcribed below:
"II
The defendant is charged with an infringement of the
Article 6 of the GPRS, "Lawfulness of processing", which states in paragraph 1 the
cases in which the processing of third party data is considered lawful:
 "1. Processing shall be lawful only if at least one of the following conditions is met
conditions:
a) the data subject has given his consent to the processing of his data
for one or more specific purposes;
(b) processing is necessary for the performance of a contract in which the
interested is a party to or for the application at his request of measures
pre-contractual;
(…)”
 The infraction is typified in Article 83.5 of the RGPD, which considers it as such:
“5. Infringements of the following provisions shall be sanctioned, in accordance with
with paragraph 2, with administrative fines of up to EUR 20 000 000 or
in the case of a company, an amount equivalent to a maximum of 4% of the
the total annual turnover for the previous financial year, opting for
the largest:
(a) The basic principles for treatment, including the conditions for
consent under articles 5, 6, 7, and 9.
 Organic Law 3/2018, on the Protection of Personal Data and the Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements considered to be very serious" he states:
"In accordance with the provisions of Article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will expire after three years if
constitute a substantial breach of the articles mentioned in that one and, in
In particular, the following:
 (…)
a) The processing of personal data without any
conditions for the lawfulness of processing laid down in Article 6 of
Regulation (EU)2016/679.
III
The documentation in the file provides evidence that the
Article 6.1 of the RGPD, since it processed the data of the
personal data of the claimant without having any legitimacy to do so. The
The complainant's personal data were incorporated into the information systems
of the company and inclusion in the Asnef credit information file, without
accredited that he had his consent to the collection and processing
of your personal data, or there is some other cause that makes it lawful to
treatment carried out.
On the basis of the above, in the case analyzed, it is
The diligence employed by the respondent to identify the victims of the
persons who carried out the recruitment on behalf of the claimant.
It should be noted that the party complained of in the letter of 9 September 2018
addressed to the complainant stated the following:
"We inform you that by virtue of the complaint you have lodged with the
Spanish Data Protection Agency a study has been carried out by the
Risk Analysis of this company in order to determine the existence of
irregularities in the recruitment carried out on your behalf.
In this respect, the existence of contracts and
recordings of the company verifying the telephone recruitment process in the
which gives consent for the activation of the lines ***TELEFONO.5,
***TELEFONO.1, ***TELEFONO.2, ***TELEFONO.4, ***TELEFONO.3 and
***TELEFONO.6, having the same full appearance of legality. Likewise, it is
has verified that the bills generated by the services have been paid
13,403.19 is currently pending payment
for invoices issued between 26/06/2015 and 26/07/2016.
Therefore, since no irregularities could be established
in the contracts made that allow this company to catalog the
controversial contracts as fraudulent, nor has it been
Once the police report has been filed, it is absolutely necessary that this commercial
is not able to attribute falsehood to the registration of lines where the
the regulatory requirements for procurement. That said, the debt that currently
maintained in this mercantile one is considered certain, expired, and exigible".
Well, on the part of the respondent, the claim of the
complainant; it has not been sufficiently established that the processing of
the personal data was collected in accordance with the above-mentioned provisions
previously; it having been established that Orange has associated the personal data
of the claimant to the registration of six telephone lines that he denies having contracted.
 The Contentious-Administrative Chamber of the National Court, in
The Commission has considered that when the holder of the rights to the
The burden of proof is on the person who claims to have been recruited.
existence and the person responsible for processing the data of third parties must collect and
keep the necessary documentation to accredit the consent of the holder.
We quote, for all, the SAN of 31/05/2006 (Rec. 539/2004), Fundamento de Derecho
Fourth.
The claimant's personal data were recorded in the files of the
claimed and included in the Asnef credit information file and were treated
to issue invoices for services associated with the claimant. Consequently,
has processed the personal data without providing evidence that
The legal entitlement to do so counts.
However, and this is the essential point, the claimed does not prove the legitimacy to
the processing of the claimant's data.
In short, the respondent has not provided any document or evidence
any evidence that the entity, in such a situation, would have deployed the
minimum diligence required to verify that your interlocutor was indeed the one
he claimed to hold.
Respect for the principle of legality which is at the heart of the fundamental right
The protection of personal data requires that it be proven that the
the data controller took the necessary steps to prove that
extreme. If this is not done - and if it is not required by this Agency, which is responsible for ensuring
for compliance with the regulations governing the right to data protection of
personal nature - the result would be to empty the principle of legality of its content.
In addition, with regard to the arguments made by the defendant, it is
notes first of all that the prescription did not occur since it is recorded in the
the entity's files the outstanding debt and Orange carried out actions to recover
debt and therefore there was data processing, as stated in the complaint in
his letter of 9 September 2018.
Moreover, as acknowledged by the requested in the articles
64.2 first and second paragraphs and 65.1, 2, and 4 of the LOPDGDD is not established from
the obligation to notify the Resolution of non-admission to the
The complaint will not be processed, nor will the resolution of the appeal for reversal be accepted.
It should be noted that the reference to Article 118(1) of
the LPACAP, that "where new facts or documents are to be taken into account not
in the original file, will be made known to the interested parties in order to within a period of not less than ten days and not more than fifteen days, make the allegations and
submit the documents and supporting evidence they deem appropriate".
 However, the present sanctioning procedure does not concern new
facts are the same. Therefore, the sanctioning procedure has been opened with
all legal guarantees and therefore no such claim has been made.
As regards the merits of the dispute, as indicated by the SAN of 12 May
2014, "Telephone recording which cannot be validly recorded for the purpose of
unambiguous consent, not only because no reference is made to such consent
but, above all, because such consent in Article 6.1 LOPD must be of the
owner of the personal data and in the present case it is evident that he is not,
as the voice on the recording is male and not female.
On the other hand, and with regard to the alleged existence of
tacit consent as a result of the payment of electricity bills by
part of the complainant. That payment does not mean, as this Chamber has stated in
the consent of the person concerned to continue to deal with his or her
personal data by ..."
The lack of diligence displayed by the entity in complying with the
obligations imposed by personal data protection regulations
It is therefore obvious. Diligent compliance with the principle of the lawfulness of processing
of third party, data requires that the data controller be in a position
to prove it (principle of proactive responsibility).
IV
In accordance with the provisions of the RGPD in its Article 83.1 and 83.2, when deciding
the imposition of an administrative fine and its amount in each individual case is
take into account the aggravating and mitigating factors listed in
and any other article that may be applicable to the
circumstances of the case.
 "Each supervisory authority shall ensure that the imposition of the fines
administrative offences under this Article for infringements of this
Regulation referred to in paragraphs 4, 9 and 6 are on a case-by-case basis
effective, proportionate and dissuasive".
 "Administrative fines will be imposed, depending on the circumstances of
each individual case, in addition to or instead of the measures referred to in
Article 58(2)(a) to (h) and (j) In deciding to impose a fine
and its amount in each individual case will be duly taken into account:
(a) the nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation concerned
as well as the number of stakeholders affected and the level of damage and
damages they have suffered;
(b) the intentionality or negligence of the infringement;
(c) any measure taken by the controller or processor
to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of
treatment, taking into account any technical or organisational measures that have
applied under Articles 25 and 32;
(e) any previous infringement committed by the person responsible for or in charge of
treatment;
 (f) the degree of cooperation with the supervisory authority in order to put
remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the way in which the supervisory authority became aware of the infringement,
in particular whether the person responsible or the person in charge notified the infringement and, in that
case, to what extent;
(i) where the measures referred to in Article 58(2) have been
ordered in advance against the person responsible or the person in charge
in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to mechanisms
of certification approved in accordance with Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as the financial benefits obtained or the losses avoided, directly
or indirectly, through the infringement".
With respect to paragraph k) of Article 83.2 of the RGPD, the LOPDGDD, Article 76,
"Sanctions and corrective measures", it provides:
 "In accordance with Article 83(2)(k) of Regulation (EU) 2016/679
may also be taken into account:
(a) the continuing nature of the infringement
(b) The link between the activity of the offender and the carrying out of processing operations
personal data.
c) The benefits obtained as a result of the commission of the infringement.
(d) The possibility that the conduct of the person concerned might have led to the commission
of the infringement.
(e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorber.
f) Affecting the rights of minors.
g) To have, when it is not compulsory, a data protection representative.
h) The submission by the person responsible or in charge, on a voluntary basis, of
alternative dispute resolution mechanisms, in cases where
there are disputes between them and any interested party."
In accordance with the above provisions, for the purpose of fixing the amount of the
penalty of a fine to be imposed in the present case for the infringement in
Article 83.5.a) of the RGPD for which the Respondent is held responsible, it is considered
The following factors are concurrent:
As aggravating criteria:
- In this case we are dealing with an unintentional negligent action, but
significant identified (Article 83(2)(b)).
- Basic personal identifiers are affected (name, a
identification number, the line identifier) (Article 83(2)(g)).
The balance of the circumstances referred to in Article 83(2) of the GPRS, with
with regard to the infringement committed in breach of Article 6 thereof, allows
set a penalty of 80,000 euros (eighty thousand euros), classified as "very serious", to
effects of prescription of the same, in article 72.1.b) of the LOPDGDD".
Consequently, having analysed the arguments put forward in this action
The following table shows the number of new applications that have been submitted to the
legal arguments to reconsider the meaning of the resolution
sanctioned on 23 June 2020.
III
Consequently, in the present action for annulment, the appellant has not
provided new facts or legal arguments that allow the validity to be reconsidered
of the contested decision.
Having regard to the above and other provisions of general application,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DISMISSUE the appeal for reversal lodged by ORANGE
ESPAGNE, S.A.U. against the resolution of this Spanish Agency for the Protection of
Decision of the Court of First Instance of 23 June 2020 in the disciplinary proceedings
PS/00452/2019.
SECOND: TO NOTIFY this resolution to ORANGE ESPAGNE,
S.A.U..
THIRD: To warn the sanctioned party that the sanction imposed must be effective
once this decision is enforceable, in accordance with the provisions of
article 98.1.b) of law 39/2015 of 1 october on administrative procedure
The common administration, within the voluntary payment deadline set by the
Article 68 of the General Regulations on Collection, approved by Royal Decree
939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 July, on the
December, by paying into the restricted account nº ES00 0000 0000 0000
0000, opened on behalf of the Spanish Data Protection Agency at the
CAIXABANK, S.A. or otherwise, it will be collected during the period
executive.
Once the notification has been received and once it has been executed, if the date of execution
The deadline for the completion of the registration process is between the 1st and 15th of each month, inclusive.
voluntary payment will be until the 20th day of the following month or the next business day, and if
is between the 16th and the last day of each month, inclusive, the deadline of
Payment will be made until the 5th of the second following month or immediately thereafter.
In accordance with the provisions of article 50 of the LOPDPGDD, the
This Resolution will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art.
48.6 of the LOPDPGDD, and in accordance with the provisions of Article 123 of the Law
39/2015 of 1 October of the Common Administrative Procedure of the
Public Administrations (LPACAP), the interested parties may lodge an appeal
administrative proceedings before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of the
referred to Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) LPACAP, it is
may suspend, as a precautionary measure, the final administrative decision if the
The applicant states that he intends to bring an administrative appeal.
If this is the case, the interested party must formally communicate this fact by
written to the Spanish Data Protection Agency, submitting it through
of the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registers provided for in Article 16.4 of the
cited LPACAP. You must also send to the Agency the documentation that proves
the effective filing of the contentious-administrative appeal. If the Agency does not
was aware that the action for annulment had been brought before the Court of Justice
within two months from the day following notification of this decision,
would end the precautionary suspension.
Mar España Martí
Director of the Spanish Data Protection Agency