AEPD (Spain) - EXP202104006: Difference between revisions

AEPD - EXP202104006
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 4(12) GDPR Article 5(1)(f) GDPR Article 32 GDPR Article 33 GDPR Article 34 GDPR Article 83(4) GDPR Article 83(5) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	21.08.2021
Decided:	13.09.2023
Published:	13.09.2023
Fine:	56,000 EUR
Parties:	VODAFONE ESPAÑA, S.A.U.
National Case Number/Name:	EXP202104006
European Case Law Identifier:	n/a
Appeal:	Not appealed
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	mgrd

The DPA fined VODAFONE €56,000 for sharing confidential data of another customer while addressing a different customer's right of access. The controller benefitted from a €14,000 reduction in the original fine as they renounced to any form of appeal against the sanction

English Summary

Facts

On 21 August 2021 the data subject filed a complaint against Vodafone España, S.A.U., the controller, for violating their right of access.

The data subject requested VODAFONE to provide a copy of their commercial telephone contract, since the company was, allegedly, not applying the contracted tariff. After several unsuccessful attempts to receive their contract, the controller sent an email containing contract of another customer as well as an audio recording of that customer's data.

Holding

The DPA ('AEPD') highlighted the breach of confidentially and security by VODAFONE for sharing a commercial contract of another individual with the data subject, violating Article 5(1)(f) GDPR. According to the evidence presented, the data subject acquired access to name, ID number and telephone number of an unknown person without any authorization to disclose their data to third parties.

The AEPD, therefore, found a violation of Article 32 GDPR for not implementing the appropriate technical and organization measures to prevent such incident.

The AEPD fined VODAFONE €50,000 for violating Article 5(1)(f) GDPR and €20,000 for violating Article 32 GDPR. However, in this case, the AEPD gave two possibilities to VODAFONE to either acknowledge the liability, leading to a greater reduction in the final amount, totaling €42,000 or to pay a fine of €56,000 and renounce any form of appeal against the sanction.

VODAFONE opted for a voluntary payment option, paying a fine of €56,000. This payment utilized the reduction offered in the initial agreement for early payment, indicating a renunciation of any form of administrative appeal against the sanction.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/11











     File No.: EXP202104006

       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                    VOLUNTEER


From the procedure instructed by the Spanish Data Protection Agency and based
to the following

                                  BACKGROUND


FIRST: On August 10, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against VODAFONE
SPAIN, S.A.U. (hereinafter, the claimed party), through the Agreement that is
transcribes:


<<



File No.: EXP202104006



            AGREEMENT TO START SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and in

based on the following

                                      FACTS

FIRST: A.A.A. (hereinafter, the complaining party) dated August 21, 2021

filed a claim with the Spanish Data Protection Agency. The
claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (in
forward, VODAFONE). The reasons on which the claim is based are the following:

Indicates that you have requested a copy of your telephone contract from VODAFONE because it is not

applying the contracted rate. That he has requested it on several occasions without being
forward (infringement of your right to access your personal data). Finally
receives an email with another client's telephone contract, violating the
secrecy of the personal data of said client.


Along with the notification, an audio file in mp3 format is provided, in which you can
listening to a recording in which two people intervene, one on behalf of
VODAFONE, and another that identifies itself as B.B.B. with DNI ***NIF.1, owner of the line
phone ***PHONE.1. The recording is dated 07/28/2020.


There is no record of the date on which the complaining party has had access to said
recording, since he has not sent the email in which he states that he had


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11








received. Likewise, the complaining party does not provide a document proving that it has
required VODAFONE its own contract.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to VODAFONE, so that
proceed to its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.


The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on 11/08/2021 as stated in the
acknowledgment of receipt that appears in the file.


No response has been received to this transfer letter.

THIRD: On November 21, 2021, in accordance with article 65 of
the LOPDGDD, the claim presented by the complaining party was admitted for processing.




                           FOUNDATIONS OF LAW

                                            Yo

                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                           II
                                  Previous issues

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is
the processing of personal data, since VODAFONE

carries out, among other treatments, collection, registration, consultation, etc. of the following
personal data of natural persons, such as: name, identification number,
telephone number etc.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/11








VODAFONE carries out this activity in its capacity as data controller,
given that he is the one who determines the ends and means of such activity, by virtue of article
4.7 of the GDPR.


Article 4 section 12 of the GDPR broadly defines “violations of
security of personal data” (hereinafter security breach) as “all
those security violations that cause the destruction, loss or alteration
accidental or unlawful personal data transmitted, preserved or otherwise processed
form, or unauthorized communication or access to said data.”


In the present case, there is a personal data security breach in the
circumstances indicated above, categorized as a breach of confidentiality, by
a recording containing data has been sent to the complaining party
personal information of another person, thus allowing its knowledge by someone who is not

legitimized for it.

It should be noted that the identification of a security breach does not imply the
imposition of a sanction directly by this Agency, since it is necessary
analyze the diligence of those responsible and in charge and the security measures
applied.


Within the treatment principles provided for in article 5 of the RGPD, the
integrity and confidentiality of personal data is guaranteed in section 1.f)
of article 5 of the GDPR. For its part, the security of personal data comes
regulated in articles 32, 33 and 34 of the RGPD, which regulate the security of the

processing, notification of a breach of personal data security to
the control authority, as well as the communication to the interested party, respectively.

                                           III
                                Article 5.1.f) of the GDPR


Article 5.1.f) “Principles relating to processing” of the GDPR establishes:

"1. The personal data will be:
(…)


       f) treated in such a way as to ensure adequate safety of the
       personal data, including protection against unauthorized processing or
       unlawful and against its loss, destruction or accidental damage, through the application
       of appropriate technical or organizational measures ("integrity and
       confidentiality»).”


In the present case, it is clear that the personal data of a VODAFONE customer,
recorded in its database, were improperly exposed to the complaining party
who, according to his own statement, received them by email, having had
therefore access to the name, ID and telephone number of an unknown person, without

There is, of course, the authorization of said person to expose their data to a
Third, there is no legitimizing cause for it.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/11








In accordance with the evidence available in this agreement of
initiation of the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered that the known facts could constitute a

infringement, attributable to VODAFONE, due to violation of article 5.1.f) of the RGPD.

                                          IV
                Classification of the violation of article 5.1.f) of the RGPD

If confirmed, the aforementioned violation of article 5.1.f) of the RGPD could mean the

commission of the infractions classified in article 83.5 of the RGPD that under the
The section “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,

In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:

       a) the basic principles for the treatment, including the conditions for the
       consent under articles 5, 6, 7 and 9; (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”


For the purposes of the limitation period, article 72 “Infringements considered very
“serious” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the
following:


       a) The processing of personal data violating the principles and guarantees
       established in article 5 of Regulation (EU) 2016/679. (…)”

                                           V
                 Penalty for violation of article 5.1.f) of the RGPD


For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence currently available
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, the infraction in question is considered to be serious for the purposes of the

RGPD and that it is appropriate to graduate the sanction to be imposed in accordance with the following
criteria established by article 83.2 of the RGPD:

As mitigating factors:




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/11








-The number of interested parties affected and the level of damages suffered
suffered (section a). This file deals with data from a single
person, and there is no evidence that such action has caused harm.


Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 “Sanctions and measures
corrective measures” of the LOPDGDD:

As aggravating factors:


           -The linking of the offender's activity with the performance of
           processing of personal data (section b).
           The activity of VODAFONE, provider of telephone and
           Internet, and the high number of clients it has, entails the

           handling a large number of personal data. This implies that they have
           sufficient experience and should have adequate knowledge to
           the processing of said data.

The balance of the circumstances contemplated in article 83.2 of the RGPD and the
article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the

established in article 5.1.f) of the RGPD, allows initially setting a sanction of
€50,000 (fifty thousand euros).

                                           SAW
                                 Article 32 of the GDPR


Article 32 “Security of processing” of the GDPR establishes:

"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the processing, as well as risks of

variable probability and severity for people's rights and freedoms
physical, the person responsible and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which, if applicable, includes, among others:
       a)pseudonymization and encryption of personal data;
       b) the ability to guarantee the confidentiality, integrity, availability and

       permanent resilience of treatment systems and services;
       c)the ability to restore availability and access to personal data
       quickly in the event of a physical or technical incident;
       d)a process of regular verification, evaluation and assessment of effectiveness
       of the technical and organizational measures to guarantee the security of the

       treatment.

2. When evaluating the adequacy of the security level, particular consideration will be given to
takes into account the risks presented by data processing, in particular as
consequence of the accidental or unlawful destruction, loss or alteration of data

personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/11








3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the

present article.

4. The controller and the person in charge of the treatment will take measures to ensure that
any person acting under the authority of the person responsible or in charge and
has access to personal data can only process said data following
instructions of the person responsible, unless it is obliged to do so by virtue of the Law of

the Union or the Member States.

In the present case, at the time of the breach, VODAFONE did not have
with the appropriate technical and organizational measures to avoid the incident, since
According to the complaining party, he was sent by email a

recording that corresponds to another client, where the personal data of
said client.

In accordance with the evidence available in this agreement of
initiation of the sanctioning procedure, and without prejudice to what results from the

instruction, it is considered that the known facts could constitute a
infringement, attributable to VODAFONE, due to violation of article 32 of the RGPD.

                                           VII
                 Classification of the violation of article 32 of the RGPD


If confirmed, the aforementioned violation of article 32 of the RGPD could mean the
commission of the infractions classified in article 83.4 of the RGPD that under the
The section “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for
the largest amount:


       a) the obligations of the controller and the processor pursuant to Articles 8,
       11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,

5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”

For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:

“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the

following:
       (…)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/11








       f) The lack of adoption of those technical and organizational measures that
       are appropriate to guarantee a level of security adequate to the
       risk of the treatment, in the terms required by article 32.1 of the

       Regulation (EU) 2016/679.

                                         VIII
                  Penalty for violation of article 32 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount,

in accordance with the evidence currently available
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, the infraction in question is considered to be serious for the purposes of the
RGPD and that the sanction to be imposed should be graduated in accordance with the following
criteria established by article 83.2 of the RGPD:


As mitigating factors:

-The number of interested parties affected and the level of damages suffered
suffered (section a). This file deals with data from a single
person, and there is no evidence that such action has caused harm.


Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 “Sanctions and measures
“corrective measures” of the LOPDGDD:


As aggravating factors:

-The linking of the offender's activity with the performance of data processing
personal (section b). The activity of VODAFONE, service provider
telephone and internet, and the high number of clients it has, entails the

handling a large number of personal data. This implies that they have experience
sufficient and should have adequate knowledge for the treatment of
such data.

The balance of the circumstances contemplated in article 83.2 of the RGPD and the
article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the

established in article 32 of the RGPD, allows initially setting a sanction of
€20,000 (twenty thousand euros).

                                          IX
                                Imposition of measures


Among the corrective powers provided in article 58 “Powers” of the GDPR, in the
section 2.d) establishes that each control authority may “order the
responsible or in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where applicable, in a manner

certain manner and within a specified period….”

The Spanish Data Protection Agency in the resolution that puts an end to the
This procedure may order the adoption of measures, as established

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/11








in article 58.2.d) of the RGPD and in accordance with what is derived from the instruction
of the procedure, if necessary, in addition to sanctioning with a fine.


Therefore, in accordance with the above, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:

FIRST: START SANCTIONING PROCEDURE against VODAFONE ESPAÑA,
S.A.U., with NIF A80907397, for the alleged violation of Article 5.1.f) of the RGPD

typified in Article 83.5 of the RGPD.

START SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with
NIF A80907397, for the alleged violation of Article 32 of the RGPD, typified in the
Article 83.4 of the GDPR.


SECOND: APPOINT C.C.C. as instructor. and, as secretary, to D.D.D.,
indicating that any of them may be challenged, if applicable, in accordance with the
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Legal Department of the Public Sector (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Inspection of
Data in the actions prior to the start of this sanctioning procedure.


FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be:
- For the alleged violation of article 5.1.f) of the RGPD, typified in article 83.5
of said rule, administrative fine of 50,000.00 euros

- For the alleged violation of article 32 of the RGPD, typified in article 83.4 of
said rule, administrative fine of 20,000.00 euros

FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF
A80907397, granting him a hearing period of ten business days to formulate
the allegations and present the evidence that you consider appropriate. In his writing of

allegations must provide your NIF and the procedure number that appears in the
heading of this document.

If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of

Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a 20% reduction in the

sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 56,000.00 euros, resolving the
procedure with the imposition of this sanction.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/11









Likewise, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,
The penalty would be established at 56,000.00 euros and its payment will imply termination
of the procedure.


The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for recognition of responsibility, provided that this recognition
of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In

In this case, if both reductions were to be applied, the amount of the penalty would remain
established at 42,000.00 euros.

In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.

administrative against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (56,000.00 euros or 42,000.00 euros), you must make it effective
by depositing it into account number ES00 0000 0000 0000 0000 0000 open to

name of the Spanish Data Protection Agency in the banking entity
CAIXABANK, S.A., indicating in the concept the reference number of the
procedure that appears in the heading of this document and the cause of
reduction of the amount to which it is accepted.


Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.

The procedure will have a maximum duration of nine months counting from the

date of the initiation agreement or, where applicable, of the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the

LPACAP, there is no administrative appeal against this act.


                                                                                935-110422
Sea Spain Martí
Director of the Spanish Data Protection Agency



>>

SECOND: On September 7, 2022, the claimed party has proceeded to
payment of the penalty in the amount of 56,000 euros using one of the two
reductions provided for in the Inception Agreement transcribed above. Therefore, it has not

recognition of responsibility has been accredited.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/11









THIRD: The payment made entails the waiver of any action or resource pending.
administrative against the sanction, in relation to the facts referred to in the

Startup Agreement.

                           FOUNDATIONS OF LAW

                                            Yo


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47 and 48.1 of the Law

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.


Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”





                                            II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure

Common Public Administrations (hereinafter LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:

"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the

compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.

The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/11








The reduction percentage provided for in this section may be increased

“regularly.”

According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of procedure EXP202104006, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the

referred Law.


                                                                               937-240122
Sea Spain Martí
Director of the Spanish Data Protection Agency





























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es