AEPD (Spain) - PS/00452/2019: Difference between revisions
m (Cp moved page AEPD - PS/000453/2019 to AEPD - PS/000452/2019) |
No edit summary |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 7: | Line 7: | ||
|DPA_With_Country=AEPD (Spain) | |DPA_With_Country=AEPD (Spain) | ||
|Case_Number_Name=PS/ | |Case_Number_Name=PS/00452/2019 | ||
|ECLI= | |ECLI= | ||
Line 52: | Line 52: | ||
}} | }} | ||
The Spanish DPA has fined Orange Espagne with | The Spanish DPA has fined Orange Espagne with €80,000 for processing personal data without a legal basis. | ||
==English Summary== | ==English Summary== | ||
Line 65: | Line 65: | ||
Orange replied to the AEPD that the consent had been unequivocal and did not attribute falsity to the line registrations that have met the regulatory recruitment requirements | Orange replied to the AEPD that the consent had been unequivocal and did not attribute falsity to the line registrations that have met the regulatory recruitment requirements | ||
===Dispute=== | ===Dispute=== | ||
Is the processing of personal data, without the express consent of the person involved in the contract, a violation of Article 6 (1) (a) GDPR? | Is the processing of personal data, without the express consent of the person involved in the contract, a violation of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]? | ||
===Holding=== | ===Holding=== | ||
The AEPD considered that ORANGE ESPAGNE did not act with due diligence to identify the contracting parties. | The AEPD considered that ORANGE ESPAGNE did not act with due diligence to identify the contracting parties. Therefore, it processed personal data without accrediting that it had the legal basis to do so. | ||
Therefore, it processed personal data without accrediting that it had the legal basis to do so. | |||
Furthermore, it was not aligned with the principle of proactive liability, which consists of previously determining that it met the requirements for processing the complainant's data. | Furthermore, it was not aligned with the principle of proactive liability, which consists of previously determining that it met the requirements for processing the complainant's data. | ||
The fact that it was a non-intentional negligent action, that basic personal identifiers were affected and the continued nature of the infringement were considered aggravating factors, determining the amount of the fine in | The fact that it was a non-intentional negligent action, that basic personal identifiers were affected and the continued nature of the infringement were considered aggravating factors, determining the amount of the fine in €80,000. | ||
==Comment== | ==Comment== |
Latest revision as of 14:55, 13 December 2023
AEPD - PS/00452/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(a) GDPR Article 83(5)(a) GDPR 72 (1) (a) LOPDGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 11.08.2020 |
Published: | |
Fine: | 80000 EUR |
Parties: | ORANGE ESPAGNE S.A.U. |
National Case Number/Name: | PS/00452/2019 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The Spanish DPA has fined Orange Espagne with €80,000 for processing personal data without a legal basis.
English Summary
Facts
A customer of the data controller filed a complaint with the Spanish DPA (AEPD), alleging that up to six phone lines had been opened in his name despite the data subject not having given his consent.
It was a fraud by which someone pretends to be a real client of the company - after obtaining their documentation - and calls the operator to contract voice or Internet products pretending to be that real user.
The situation also led to the inclusion of the customer who reported the operator in the files of ASNEF (Asociación Nacional de Establecimientos Financieros de Crédito), in whose records the customers of companies with outstanding invoices are stored.
Orange replied to the AEPD that the consent had been unequivocal and did not attribute falsity to the line registrations that have met the regulatory recruitment requirements
Dispute
Is the processing of personal data, without the express consent of the person involved in the contract, a violation of Article 6(1)(a) GDPR?
Holding
The AEPD considered that ORANGE ESPAGNE did not act with due diligence to identify the contracting parties. Therefore, it processed personal data without accrediting that it had the legal basis to do so.
Furthermore, it was not aligned with the principle of proactive liability, which consists of previously determining that it met the requirements for processing the complainant's data.
The fact that it was a non-intentional negligent action, that basic personal identifiers were affected and the continued nature of the infringement were considered aggravating factors, determining the amount of the fine in €80,000.
Comment
In a ruling dated 31 May 2006, the Spanish Audiencia Nacional established that the burden of proof lies with the data controller, who must collect and store the data in order to demonstrate the customer's consent.
In the judgement of the Audiencia Nacional of 12 May 2014 it was established that the value of unequivocal consent cannot be given to a telephone call. Similarly, payment of monthly bills arising from the contract cannot be considered as tacit consent.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
*Procedure No.: PS/00452/2019 180-100519 Appeal No. RR/00326/2020 The action for annulment brought by ORANGE ESPAGNE was examined, S.A.U. against the resolution issued by the Director of the Spanish Data protection in the sanctioning procedure PS/00452/2019, and on the basis following: DONE FIRST: On 23 June 2020, the Director of the Spanish Data Protection Agency in the sanctioning procedure PS/00452/2019, imposing a penalty of EUR 80 000, for violation of Article 6.1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (as regards (hereinafter GPRD), an offense under Article 83(5)(a) of the GPRD and described as very serious in article 72.1. a) of Organic Law 3/2018 of 5 December, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDPGDD). That decision was notified to the appellant on 25 June 2020, was issued after the corresponding sanctioning procedure was carried out, of in accordance with the provisions of the LOPDPGDD, and in addition to the LPACAP, in processing of sanctioning procedures. SECOND: As proven facts of the mentioned sanctioning procedure, PS/00452/2019, the following was recorded: FIRST - It is recorded that the claimant's data have been used for the fraudulent contracting of the following lines: ***TELEPHONE.1, ***TELEPHONE.2 ***telephone.3, ***Telephone.4, ***telephone.5 and ***telephone.6, and also The inclusion in the solvency file of Asnef is recorded. SECOND - Office of the National Police Force - Local Commissioner of Merida dated 11 February 2019 addressed to the Juzgado de Instrucción nº 1 de Mérida extension of Police Proceedings number 4602 dated 6 July 2018, in which the appellant, by means of a handwritten complaint, brought to the attention of National Police possible criminal offenses committed against him and his father (A.A.A.). THIRD - Diligences number 828632/2018 AT USCUALADA practiced by the Directorate General of Police -Generalitat of Catalonia- dated 18 September 2018 as a result of the complaint made by B.B.B. by an alleged the crime of fraud by the accused C.C.C.. FOURTH - Citation in the Procedure: PREVIEWS 440/2018 D agreed by the Court of Instruction No. 5 of Igualada addressed to the defendant C.C.C. for to give evidence as an investigator. FIFTH - Order of the Court of First Instance and Preliminary Investigation No. 1 of Mérida Date 18 March 2019, DPA Preliminary Proceedings Abbreviated 0000322/2018 decreeing the search for, arrest, and bringing to justice of C.C.C. SIXTH - Six audio files of the recordings corresponding to the contracting of various telecommunications services with the operator ORANGE, by several people with unequal voices, on behalf of the appellant. In particular, according to The latter has been presented: In files 20130226175518_000001301_14_155 and 20130226175518_000001302_14_155, the voice is of C.C.C., person denounced by the appellant to the police in Merida. In files 20130831123000_000003282_21_222 and 20141217120502_000007492_21_222, the voice is that of his father, A.A.A. In the files 20140612120501_000002896_21_222 and 20140817120501_000001578_21_222, the voice is that of C.C.C.'s son, his name is D.D.D.. SEVENTH - Reply received by the respondent on 9 September 2007 2018 from the respondent stating that they have been able to verify that the contracts and recordings have the full appearance of legality. THIRD: ORANGE ESPAGNE, S.A.U. (the appellant) has submitted on 15 July 2020, in this Spanish Data Protection Agency, appeal for reconsideration on the basis of essentially the same facts and arguments set out in the submissions to the motion for a resolution, i.e. "of the nullity or invalidity of all acts dealt with in the files E/004416/2018 and PS/00452/2019, pursuant to Article 47(1) and 48.1 of Law 39/2015 of 1 October, on the limitation of the infringement of article 6.1 of the RGPD typified in article 83.5 a) of the mentioned norm and in the alternative, if the above annulment is not granted, order that the The Commission has also decided to refer the matter to the Court of Justice. the limitation period is deemed to have expired, agree that PS/00452/2019 should be closed without the imposition of no sanction; in the alternative, if the above-mentioned file is not deemed to be closed, issue a new Resolution imposing a graduated penalty in the terms that Orange was always fully aware that the data provided by theThe recruitment process was real and he could not see the possibility of a alleged fraudulent recruitment". LEGAL BASES I The Director of the Agency is competent to decide on this action Spanish Data Protection Authority, in accordance with the provisions of Article 48.1 of the LOPDPGDD. II With regard to the statements made by the appellant, it is reiterated basically in the allegations already made in the course of the proceedings It should be noted that all of them have already been analyzed and rejected in the Legal Basis from II to IV inclusive, of the Resolution under appeal, as transcribed below: "II The defendant is charged with an infringement of the Article 6 of the GPRS, "Lawfulness of processing", which states in paragraph 1 the cases in which the processing of third party data is considered lawful: "1. Processing shall be lawful only if at least one of the following conditions is met conditions: a) the data subject has given his consent to the processing of his data for one or more specific purposes; (b) processing is necessary for the performance of a contract in which the interested is a party to or for the application at his request of measures pre-contractual; (…)” The infraction is typified in Article 83.5 of the RGPD, which considers it as such: “5. Infringements of the following provisions shall be sanctioned, in accordance with with paragraph 2, with administrative fines of up to EUR 20 000 000 or in the case of a company, an amount equivalent to a maximum of 4% of the the total annual turnover for the previous financial year, opting for the largest: (a) The basic principles for treatment, including the conditions for consent under articles 5, 6, 7, and 9. Organic Law 3/2018, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements considered to be very serious" he states: "In accordance with the provisions of Article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will expire after three years if constitute a substantial breach of the articles mentioned in that one and, in In particular, the following: (…) a) The processing of personal data without any conditions for the lawfulness of processing laid down in Article 6 of Regulation (EU)2016/679. III The documentation in the file provides evidence that the Article 6.1 of the RGPD, since it processed the data of the personal data of the claimant without having any legitimacy to do so. The The complainant's personal data were incorporated into the information systems of the company and inclusion in the Asnef credit information file, without accredited that he had his consent to the collection and processing of your personal data, or there is some other cause that makes it lawful to treatment carried out. On the basis of the above, in the case analyzed, it is The diligence employed by the respondent to identify the victims of the persons who carried out the recruitment on behalf of the claimant. It should be noted that the party complained of in the letter of 9 September 2018 addressed to the complainant stated the following: "We inform you that by virtue of the complaint you have lodged with the Spanish Data Protection Agency a study has been carried out by the Risk Analysis of this company in order to determine the existence of irregularities in the recruitment carried out on your behalf. In this respect, the existence of contracts and recordings of the company verifying the telephone recruitment process in the which gives consent for the activation of the lines ***TELEFONO.5, ***TELEFONO.1, ***TELEFONO.2, ***TELEFONO.4, ***TELEFONO.3 and ***TELEFONO.6, having the same full appearance of legality. Likewise, it is has verified that the bills generated by the services have been paid 13,403.19 is currently pending payment for invoices issued between 26/06/2015 and 26/07/2016. Therefore, since no irregularities could be established in the contracts made that allow this company to catalog the controversial contracts as fraudulent, nor has it been Once the police report has been filed, it is absolutely necessary that this commercial is not able to attribute falsehood to the registration of lines where the the regulatory requirements for procurement. That said, the debt that currently maintained in this mercantile one is considered certain, expired, and exigible". Well, on the part of the respondent, the claim of the complainant; it has not been sufficiently established that the processing of the personal data was collected in accordance with the above-mentioned provisions previously; it having been established that Orange has associated the personal data of the claimant to the registration of six telephone lines that he denies having contracted. The Contentious-Administrative Chamber of the National Court, in The Commission has considered that when the holder of the rights to the The burden of proof is on the person who claims to have been recruited. existence and the person responsible for processing the data of third parties must collect and keep the necessary documentation to accredit the consent of the holder. We quote, for all, the SAN of 31/05/2006 (Rec. 539/2004), Fundamento de Derecho Fourth. The claimant's personal data were recorded in the files of the claimed and included in the Asnef credit information file and were treated to issue invoices for services associated with the claimant. Consequently, has processed the personal data without providing evidence that The legal entitlement to do so counts. However, and this is the essential point, the claimed does not prove the legitimacy to the processing of the claimant's data. In short, the respondent has not provided any document or evidence any evidence that the entity, in such a situation, would have deployed the minimum diligence required to verify that your interlocutor was indeed the one he claimed to hold. Respect for the principle of legality which is at the heart of the fundamental right The protection of personal data requires that it be proven that the the data controller took the necessary steps to prove that extreme. If this is not done - and if it is not required by this Agency, which is responsible for ensuring for compliance with the regulations governing the right to data protection of personal nature - the result would be to empty the principle of legality of its content. In addition, with regard to the arguments made by the defendant, it is notes first of all that the prescription did not occur since it is recorded in the the entity's files the outstanding debt and Orange carried out actions to recover debt and therefore there was data processing, as stated in the complaint in his letter of 9 September 2018. Moreover, as acknowledged by the requested in the articles 64.2 first and second paragraphs and 65.1, 2, and 4 of the LOPDGDD is not established from the obligation to notify the Resolution of non-admission to the The complaint will not be processed, nor will the resolution of the appeal for reversal be accepted. It should be noted that the reference to Article 118(1) of the LPACAP, that "where new facts or documents are to be taken into account not in the original file, will be made known to the interested parties in order to within a period of not less than ten days and not more than fifteen days, make the allegations and submit the documents and supporting evidence they deem appropriate". However, the present sanctioning procedure does not concern new facts are the same. Therefore, the sanctioning procedure has been opened with all legal guarantees and therefore no such claim has been made. As regards the merits of the dispute, as indicated by the SAN of 12 May 2014, "Telephone recording which cannot be validly recorded for the purpose of unambiguous consent, not only because no reference is made to such consent but, above all, because such consent in Article 6.1 LOPD must be of the owner of the personal data and in the present case it is evident that he is not, as the voice on the recording is male and not female. On the other hand, and with regard to the alleged existence of tacit consent as a result of the payment of electricity bills by part of the complainant. That payment does not mean, as this Chamber has stated in the consent of the person concerned to continue to deal with his or her personal data by ..." The lack of diligence displayed by the entity in complying with the obligations imposed by personal data protection regulations It is therefore obvious. Diligent compliance with the principle of the lawfulness of processing of third party, data requires that the data controller be in a position to prove it (principle of proactive responsibility). IV In accordance with the provisions of the RGPD in its Article 83.1 and 83.2, when deciding the imposition of an administrative fine and its amount in each individual case is take into account the aggravating and mitigating factors listed in and any other article that may be applicable to the circumstances of the case. "Each supervisory authority shall ensure that the imposition of the fines administrative offences under this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are on a case-by-case basis effective, proportionate and dissuasive". "Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) In deciding to impose a fine and its amount in each individual case will be duly taken into account: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of stakeholders affected and the level of damage and damages they have suffered; (b) the intentionality or negligence of the infringement; (c) any measure taken by the controller or processor to mitigate the damages suffered by those concerned; (d) the degree of responsibility of the person responsible for or in charge of treatment, taking into account any technical or organisational measures that have applied under Articles 25 and 32; (e) any previous infringement committed by the person responsible for or in charge of treatment; (f) the degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the way in which the supervisory authority became aware of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, in that case, to what extent; (i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible or the person in charge in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement". With respect to paragraph k) of Article 83.2 of the RGPD, the LOPDGDD, Article 76, "Sanctions and corrective measures", it provides: "In accordance with Article 83(2)(k) of Regulation (EU) 2016/679 may also be taken into account: (a) the continuing nature of the infringement (b) The link between the activity of the offender and the carrying out of processing operations personal data. c) The benefits obtained as a result of the commission of the infringement. (d) The possibility that the conduct of the person concerned might have led to the commission of the infringement. (e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorber. f) Affecting the rights of minors. g) To have, when it is not compulsory, a data protection representative. h) The submission by the person responsible or in charge, on a voluntary basis, of alternative dispute resolution mechanisms, in cases where there are disputes between them and any interested party." In accordance with the above provisions, for the purpose of fixing the amount of the penalty of a fine to be imposed in the present case for the infringement in Article 83.5.a) of the RGPD for which the Respondent is held responsible, it is considered The following factors are concurrent: As aggravating criteria: - In this case we are dealing with an unintentional negligent action, but significant identified (Article 83(2)(b)). - Basic personal identifiers are affected (name, a identification number, the line identifier) (Article 83(2)(g)). The balance of the circumstances referred to in Article 83(2) of the GPRS, with with regard to the infringement committed in breach of Article 6 thereof, allows set a penalty of 80,000 euros (eighty thousand euros), classified as "very serious", to effects of prescription of the same, in article 72.1.b) of the LOPDGDD". Consequently, having analysed the arguments put forward in this action The following table shows the number of new applications that have been submitted to the legal arguments to reconsider the meaning of the resolution sanctioned on 23 June 2020. III Consequently, in the present action for annulment, the appellant has not provided new facts or legal arguments that allow the validity to be reconsidered of the contested decision. Having regard to the above and other provisions of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DISMISSUE the appeal for reversal lodged by ORANGE ESPAGNE, S.A.U. against the resolution of this Spanish Agency for the Protection of Decision of the Court of First Instance of 23 June 2020 in the disciplinary proceedings PS/00452/2019. SECOND: TO NOTIFY this resolution to ORANGE ESPAGNE, S.A.U.. THIRD: To warn the sanctioned party that the sanction imposed must be effective once this decision is enforceable, in accordance with the provisions of article 98.1.b) of law 39/2015 of 1 october on administrative procedure The common administration, within the voluntary payment deadline set by the Article 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 July, on the December, by paying into the restricted account nº ES00 0000 0000 0000 0000, opened on behalf of the Spanish Data Protection Agency at the CAIXABANK, S.A. or otherwise, it will be collected during the period executive. Once the notification has been received and once it has been executed, if the date of execution The deadline for the completion of the registration process is between the 1st and 15th of each month, inclusive. voluntary payment will be until the 20th day of the following month or the next business day, and if is between the 16th and the last day of each month, inclusive, the deadline of Payment will be made until the 5th of the second following month or immediately thereafter. In accordance with the provisions of article 50 of the LOPDPGDD, the This Resolution will be made public after it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure according to art. 48.6 of the LOPDPGDD, and in accordance with the provisions of Article 123 of the Law 39/2015 of 1 October of the Common Administrative Procedure of the Public Administrations (LPACAP), the interested parties may lodge an appeal administrative proceedings before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from day following notification of this act, as provided for in Article 46(1) of the referred to Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) LPACAP, it is may suspend, as a precautionary measure, the final administrative decision if the The applicant states that he intends to bring an administrative appeal. If this is the case, the interested party must formally communicate this fact by written to the Spanish Data Protection Agency, submitting it through of the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registers provided for in Article 16.4 of the cited LPACAP. You must also send to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency does not was aware that the action for annulment had been brought before the Court of Justice within two months from the day following notification of this decision, would end the precautionary suspension. Mar España Martí Director of the Spanish Data Protection Agency