AEPD (Spain) - PS/00026/2021: Difference between revisions
No edit summary |
m (Ar moved page AEPD - PS/00026/2021 to AEPD (Spain) - PS/00026/2021) |
||
(2 intermediate revisions by one other user not shown) | |||
Line 54: | Line 54: | ||
}} | }} | ||
The Spanish DPA (AEPD) found that the data processor, Vamavi Phone SL, | The Spanish DPA (AEPD) found that the data processor, Vamavi Phone SL, had violated Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR by making a commercial call on behalf of Vodafone España, SAU to a data subject registered on the Robinson List. Vamavi paid a fine of €24,000 (reduced from €40,000). | ||
==English Summary== | ==English Summary== | ||
Line 64: | Line 64: | ||
===Dispute=== | ===Dispute=== | ||
Does a commercial call made by a processor to a claimant on the Robinson List entail a breach of Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR ? | Does a commercial call made by a processor to a claimant on the Robinson List entail a breach of Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR? | ||
===Holding=== | ===Holding=== |
Latest revision as of 13:48, 13 December 2023
AEPD - PS/00026/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 21 GDPR Article 28 GDPR Article 23 of the Law on the Protection of Personal Data and Guarantee of Digital Rights Article 48(1)(b) of the Law on General Telecommunications |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 09.02.2021 |
Published: | 10.02.2021 |
Fine: | 24000 EUR |
Parties: | Vamavi Phone SL |
National Case Number/Name: | PS/00026/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) found that the data processor, Vamavi Phone SL, had violated Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR by making a commercial call on behalf of Vodafone España, SAU to a data subject registered on the Robinson List. Vamavi paid a fine of €24,000 (reduced from €40,000).
English Summary
Facts
The complainant filed a complaint as they received a commercial call on behalf of "Vodafone España, SAU" despite being listed on the Robinson List (advertising exclusion list).
The Spanish DPA (AEPD) therefore began an investigation to clarify the facts at stake. This revealed that Vamavi Phone SL was responsible for the data processing. Vamavi had made the commercial call to the Claimant on behalf of Vodafone España, SAU.
Dispute
Does a commercial call made by a processor to a claimant on the Robinson List entail a breach of Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR?
Holding
The Spanish DPA (AEPD) held that the facts in question indicated a breach of Article 48(1)(b) of the Spanish Law on General Telecommunications (LGT) by Vamavi. This provision outlines that individuals have the right to oppose receiving unwanted calls for commercial communication purposes. The DPA went on to outline that this must be read in light of Article 21 GDPR (right to object) and Article 23 of the Spanish Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
The DPA held that by acting on behalf of Vodafone, Vamavi acted as a data processor within the meaning of Article 28 GDPR. Vamavi was nonetheless the one found responsible for the data processing in question.
As Vamavi made a voluntary, early and guilty payment, the fine paid was reduced to €24,000 (rather than the original fine of €40,000).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/16 Procedure No.: PS / 00026/2021 RESOLUTION R / 00087/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY In the sanctioning procedure PS / 00026/2021, instructed by the Spanish Agency for Data Protection to VAMAVI PHONE, S.L., considering the complaint filed by A.A.A., and based on the following, BACKGROUND FIRST: On January 27, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure to VAMAVI PHONE, S.L. (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure No.: PS / 00026/2021 AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and in based on the following ACTS FIRST: A.A.A. (hereinafter the claimant) filed a claim with the Agency Spanish Data Protection Agency (hereinafter AEPD) for receipt on January 31 2020, at 11:34 am, from a commercial call on behalf of “Vodafone España, S.A.U. ”, with NIF A80907397 (hereinafter VDF), to its telephone line *** PHONE. 1 that is registered on the advertising exclusion list Robinson, from the line *** PHONE. 2. Relevant documentation provided by the claimant: - 34-second audio file corresponding to the call recording commercial on behalf of VDF. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/16 - Copy of the invoice (issued by XFERA MÓVILES, S.A.U. with NIF A82528548) of the telephone line *** TELEPHONE. 1 in which the ownership of this by part of the claimant. - Copy of the certificate of the Robinson List registration issued on 01/31/2020, in which your phone line *** PHONE. 1 is registered against phone calls commercials since 08/03/2018. SECOND: In view of the facts reported in the claim and the documents provided by the claimant / of the facts and documents of which he has this Agency, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigative actions carried out, it is verified that the responsible for the treatment is the entity VAMAVI PHONE, S.L. BACKGROUND Claim entry date: February 3, 2020. Claimant: A.A.A .. Dated 04/15/2020 in check-in 014582/2020, associated with procedure E / 02271/2020, the AEPD found allegations of the VDF in which it established that he had no record in his database of the number *** PHONE. 2 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/16 associated with your collaborators who make recruitment calls on your behalf. VDF in that same registry, he stated that the claimant was recorded in the List Robinson corresponding from 08/03/2018. In addition, VDF reports having included in the internal Robinson list of your entity to the telephone line *** TELEPHONE 1 of the claimant as a result of the transfer of the claim, becoming recorded as registered in she. VDF stated that it had not contacted the claimant to notify him of the procedures made by not having your contact information INVESTIGATED ENTITIES As stated in the Diligence, incorporated in the associated Investigation File (E / 09385/2020) on 11/25/2020, the telephone line with number *** TELEPHONE. 2 was operated by SEWAN COMUNICACIONES, as recorded in the Records of Numbering and Telecommunications Operators of the National Commission of Markets and Competition (hereinafter, CNMC). Consequently, during these proceedings, the following has been investigated entity: SEWAN COMUNICACIONES, S.L.U. (hereinafter, the investigated # 1), with NIF B73619215 and address *** ADDRESS. 1. Likewise, by the very course of these previous actions of investigation, the need to proceed to investigate also the following entity: VAMAVI PHONE, S.L. (hereinafter, the VAMAVI), with NIF B87914446 and address *** ADDRESS. 2. RESULT OF INVESTIGATION ACTIONS The claimant's telecommunications operator, XFERA MÓVILES, S.A.U. manifests confirmation of receipt at the number *** PHONE. 1 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/16 (ownership of the claimant) of the call made by the line *** PHONE. 2, on January 31, 2020 at 11:34:50 am. This line of origin of the call is recorded as incoming in the interconnection platform operated by investigated # 1. The investigated # 1 claims to be a telecommunications operator that provides telephone services to customers, end users and resellers. The investigated # 1 provides a copy of the CNMC public registry of operators in that is thus identified. The investigated # 1 identifies VAMAVI as its client owner of the line telephone *** TELEPHONE. 2 on January 31, 2020 at 11:34:50 a.m., and specifically in its ownership since October 2, 2019. The investigated # 1 alleges that he did not make the call or have a contract or any connection with VDF to advertise its commercial services. The investigated # 1 confirms that the call from the telephone line *** PHONE. 2 to line *** PHONE. 1 (owned by the claimant) produced on January 31, 2020 at around 11:34 a.m. and had a duration of 39 seconds. The investigated # 1 provides a copy of the invoice corresponding to the month of January 2020 issued to VAMAVI, as its client owner of the telephone line *** TELEPHONE. 2, in which said phone call. VAMAVI confirms the realization of a commercial call on January 31, 2020 at 11:34 a.m. to offer commercial services from the VDF, to the line Claimant's telephone number *** TELEPHONE.1 from line *** TELEPHONE.2 (under your ownership). VAMAVI identifies itself as a subagent of the entity SOLIVESA MASTER FRANCHISE, S.L. (hereinafter SOLIVESA), with NIF B97154488, who acts as an authorized commercial distributor of the VDF. VAMAVI provides a contract between you and SOLIVESA dated 03/21/2019, for the activity of intermediation in client registrations through commercial telephone calls in favor of VDF and with a duration of 12 months. VAMAVI states that customer acquisition for VDF through calls commercial telephony occurred in the private segment, self-employed and of micro-enterprises. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/16 VAMAVI claims that it does not have files related to the owners of the lines telephone numbers to which he called commercially due to the fact that lists were generated of random numbers from the list of valid published numberings by the CNMC. VAMAVI provides a copy of the list of telephone numbers allegedly taken from the CNMC. VAMAVI states that it has a Robinson list in which to carry out the filtering to avoid numbers that oppose business calls and add recognize the claimant's telephone line *** TELEPHONE.1 included in said list. VAMAVI alleges, after identifying the claimant's number involved in the commercial call produced, which [sic]: “(…) so it seems that this is a specific error in our filtering system. " FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and to solve this procedure. In accordance with the provisions of article 84.3) of the LGT, the competence to initiate and resolve this Penalty Procedure corresponds to the Director of the Spanish Agency for Data Protection. II The known facts could constitute an infraction, attributable to VAMAVI, for violation of article 48.1.b) of Law 9/2014, of May 9, General of Telecommunications (hereinafter, LGT), included in its Title III, which states: << Article 48. Right to the protection of personal data and privacy in relation with unsolicited communications, with traffic and location data and with subscriber guides. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/16 1. Regarding the protection of personal data and privacy in relation to unsolicited communications end users of communications services electronic will have the following rights: (…) b) To oppose receiving unwanted calls for commercial communication purposes that are carried out through systems other than those established in the previous letter and to be informed of this right. >> Although, the aforementioned article does not configure such a right, so we must go to the data protection rules that regulate the right of opposition: article 21 of the RGPD, (Regulation (EU) 2016/679, of the European Parliament and of the Council, 04/27/2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and Free Circulation of this Data) and article 23 of the LOPDGDD (Organic Law 3/2018, of December 5, on Data Protection Personal Rights and Guarantee of Digital Rights). The offense is classified as minor in article 78.11 of said rule, which considers as such: “The breach of public service obligations, of the public obligations and the violation of consumer rights and end users, as established in Title III of the Law and its regulations on developing". This offense can be sanctioned with a fine of up to 50,000 euros, according to with article 79.1.d) of the aforementioned LGT. In accordance with the evidence available at the present time of agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in article 80 of the LGT: As aggravating factors: Art 80.1 of the LGT. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/16 a) The seriousness of the offenses previously committed by the subject to whom the sanctions. This AEPD consists of numerous previous antecedents known to VDF. c) The benefit that the offending event has provided to the offender. The promotional actions are aimed at obtaining profits business. d) The damage caused and its repair. The claimant has had to take action before this AEPD. There are no remedial actions by VDF. g) The cessation of the infringing activity, previously or during the processing of the sanctioning file. There is no evidence of the cessation of the infringing activity. Considering the exposed factors, the initial assessment that reaches the amount of the The fine for the violation of art 48.1.b) of the LGT imputed is € 20,000 (twenty thousand euros). III Article 28 of the RGPD establishes the following: In charge of the treatment <1. When a treatment is to be carried out on behalf of a person responsible for the treatment, it will only choose a manager who offers sufficient guarantees to apply appropriate technical and organizational measures, so that the treatment is in accordance with the requirements of this Regulation and guarantees the protection of the rights of the interested party. 2. The person in charge of the treatment will not resort to another person in charge without prior authorization in writing, specific or general, of the person in charge. In the latter case, the manager will inform the person in charge of any change foreseen in the incorporation or replacement of other managers, thus giving the person in charge the opportunity to oppose to such changes. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/16 3. The treatment by the person in charge will be governed by a contract or other legal act with under Union or Member State law, which binds the person in charge with respect to the person in charge and establish the object, duration, nature and purpose of the treatment, the type of personal data and categories of interested parties, and the obligations and rights of the person in charge. Said contract or legal act shall stipulate, in particular, that the person in charge: a) will process personal data only following documented instructions from the responsible, including with respect to transfers of personal data to a third country or an international organization, unless it is obliged to do so under of the law of the Union or the Member States that applies to the processor; in In this case, the person in charge will inform the person in charge of this legal requirement prior to treatment, unless such Law prohibits it for important reasons of interest public; b) will guarantee that the persons authorized to process personal data have committed to respecting confidentiality or subject to an obligation of confidentiality of a statutory nature; c) take all necessary measures in accordance with Article 32; d) will respect the conditions indicated in sections 2 and 4 to resort to another in charge of the treatment; e) will assist the controller, taking into account the nature of the treatment, through appropriate technical and organizational measures, whenever possible, so that this can fulfill its obligation to respond to requests that have as their object the exercise of the rights of the interested parties established in chapter III; f) will help the controller to ensure compliance with the obligations established in articles 32 to 36, taking into account the nature of the treatment and the information available to the person in charge; g) at the choice of the controller, delete or return all personal data once once the provision of treatment services ends, and will delete the copies existing unless the conservation of personal data is required under of the Law of the Union or of the Member States; h) will make available to the controller all the information necessary to demonstrate compliance with the obligations established in this article, as well as to enable and contribute to the performance of audits, including inspections, by part of the person in charge or another auditor authorized by said person in charge. In relation to the provisions of letter h) of the first paragraph, the person in charge will inform immediately to the person responsible if, in their opinion, an instruction violates this Regulation or other provisions on data protection of the Union or of Member States. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/16 4. When a processor uses another processor to carry out certain processing activities on behalf of the controller, will be imposed on this other person in charge, through a contract or other legal act established in accordance with Union or Member State law, the same obligations to data protection than those stipulated in the contract or other legal act between the responsible and the person in charge referred to in section 3, in particular the provision sufficient guarantees for the application of appropriate technical and organizational measures so that the treatment is in accordance with the provisions of this Regulation. If that other manager breaches their data protection obligations, The initial manager will remain fully accountable to the person responsible for the treatment with regard to the fulfillment of the obligations of the other in charge. 5. Adherence of the data controller to a code of conduct approved by pursuant to article 40 or to a certification mechanism approved pursuant to article 42 may be used as an element to demonstrate the existence of guarantees sufficient referred to in sections 1 and 4 of this article. 6. Without prejudice to the person in charge and the person in charge of the treatment holding a individual contract, the contract or other legal act referred to in sections 3 and 4 of this article may be based, totally or partially, on the clauses contractual type referred to in sections 7 and 8 of this article, inclusive when they form part of a certification granted to the person in charge of in accordance with articles 42 and 43. 7. The Commission may establish standard contractual clauses for the matters to which refer to sections 3 and 4 of this article, in accordance with the procedure for examination referred to in article 93, paragraph 2. 8. A supervisory authority may adopt standard contractual clauses for the matters referred to in sections 3 and 4 of this article, in accordance with the coherence mechanism referred to in article 63. 9. The contract or other legal act referred to in sections 3 and 4 shall consist of written, including in electronic format. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/16 10. Without prejudice to the provisions of articles 82, 83 and 84, if a person in charge of the treatment violates these Regulations by determining the purposes and means of the treatment, you will be considered responsible for the treatment with respect to said treatment> Article 83.4.a) of the RGPD establishes the following: <4. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a 39, 42 and 43; …>. Article 74.k) of the LOPDGDD, establishes the following: <Infringements considered minor. They are considered mild and will prescribe the remaining infringements of a merely formal nature of the articles mentioned in paragraphs 4 and 5 of Article 83 of Regulation (EU) 2016/679 and, in particular, the following: k) Failure by the person in charge of the stipulations imposed in the contract or legal act that regulates the treatment or instructions of the person responsible for the treatment, unless legally obliged to do so in accordance with Regulation (EU) 2016/679 and the present organic law or in the cases in which it is necessary to avoid the infringement of data protection legislation and have notified the person in charge or the person in charge of the treatment.> IV In the present case, there are reasonable and sufficient indications to consider that the VAMAVI entity, as sub-manager of the treatment now imputed consisting of making commercial calls on behalf of and on behalf of Vodafone C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/16 Spain, S.A.U. to numbers included in the advertising exclusion lists Robinson and without having had the due diligence to which it is obliged by the hiring because of its content, and that has led to the violation of Claimant's rights. V In accordance with the evidence available at the present time of agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, the known facts could constitute an infraction, attributable to the defendant, for violation of art. 28, offense typified in art. 83.4.a) of said rule considered mild for the purposes of prescription in article 74.k) of the LOPDGDD. SAW In an initial assessment, concurrent aggravating criteria are estimated following graduation: . The high link between the activity of the offender and the performance of treatment of personal information. It is established that VAMAVI is an entity specialized in treatments of personnel in a systematic way. . VAMAVI does not have adequate technical and organizational procedures in place for action in order to comply with the treatment subject to sub-commission in the terms of art 28 of the RGPD, so that the infringement is not the consequence of a punctual anomaly in the operation of these procedures but a defect persistent and continuous of the personal data management system. Considering the exposed factors, the initial assessment that reaches the amount of the The fine for the infringement of art 28 of the RGPD is € 20,000 (twenty thousand euros). Therefore, based on the foregoing, by the Director of the Agency Spanish Data Protection, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/16 HE REMEMBERS: FIRST: INITIATE SANCTIONING PROCEDURE to VAMAVI PHONE S.L., with NIF B87914446, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of art. 48.1.b) in relation to the art. 21 of the RGPD and 23 of the LOPDGDD, classified as mild in article 78.11 of the mentioned LGT, without prejudice to what results from the instruction. INITIATE SANCTIONING PROCEDURE to VAMAVI PHONE S.L., with NIF B87914446, for the alleged violation of article 28 of the RGPD typified in accordance with Article 83.4.a) of the RGPD. SECOND: APPOINT B.B.B. as instructor. and, as secretary, to C.C.C., indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Public Sector Legal (LRJSP). THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation; documents obtained and generated by the General Subdirectorate for Data Inspection during the investigations phase; as well as the report of previous Inspection actions; all of them are part of the file. FOURTH: THAT for the purposes provided for in art. 64.2 b) of the LPACAP, the sanction that could correspond would be 40,000 euros, without prejudice to what results from the instruction. FIFTH: NOTIFY this agreement VAMAVI PHONE S.L., with NIF B87914446, granting him a hearing period of ten business days to formulate the allegations and present the evidence that you consider appropriate. In his writing of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/16 allegations, you must provide your NIF and the procedure number that appears in the heading of this document. If within the stipulated period it does not make allegations to this initiation agreement, the same It may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; the which will entail a reduction of 20% of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be established at 32,000 euros, resolving the procedure with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be established at 32,000 euros and its payment will imply the termination of the process. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the recognition of responsibility, provided that this recognition of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph it may be done at any time prior to the resolution. In In this case, if both reductions should be applied, the amount of the penalty would be set at 24,000 euros. In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/16 mentioned above, you must make it effective by entering account no. ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause for the reduction of the amount to which it applies. Likewise, you must send proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. 167-200320 Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On February 5, 2021, the defendant has proceeded to pay the sanction in the amount of 24,000 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts to which the Initiation Agreement refers. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/16 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction, but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00026/2021, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to VAMAVI PHONE, S.L .. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/16 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 936-031219 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es