AEPD (Spain) - PS/00089/2021: Difference between revisions
No edit summary |
m (Ar moved page AEPD - PS/00089/2021 to AEPD (Spain) - PS/00089/2021) |
||
(2 intermediate revisions by one other user not shown) | |||
Line 11: | Line 11: | ||
|Original_Source_Name_1=AEPD decision | |Original_Source_Name_1=AEPD decision | ||
|Original_Source_Link_1=https://www.aepd.es/es/documento/ | |Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00089-2021.pdf | ||
|Original_Source_Language_1=Spanish | |Original_Source_Language_1=Spanish | ||
|Original_Source_Language__Code_1=ES | |Original_Source_Language__Code_1=ES | ||
|Original_Source_Name_2= | |Original_Source_Name_2= | ||
|Original_Source_Link_2= | |Original_Source_Link_2= | ||
|Original_Source_Language_2= | |Original_Source_Language_2= | ||
|Original_Source_Language__Code_2= | |Original_Source_Language__Code_2= | ||
|Type=Complaint | |Type=Complaint | ||
Line 53: | Line 53: | ||
|Initial_Contributor=n/a | |Initial_Contributor=n/a | ||
| | |}} | ||
}} | |||
The Spanish DPA fined Orange Spain €150,000 (reduced to €90,000) for sending bulk unsolicited commercial communications without obtaining the consent of the users in accordance with Articles 6 and 7 GDPR. | The Spanish DPA fined Orange Spain €150,000 (reduced to €90,000) for sending bulk unsolicited commercial communications without adequately obtaining the consent of the users in accordance with Articles 6 and 7 GDPR. | ||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
The Spanish DPA (AEPD) launched an investigation on Orange's marketing practices after several complainants lodged a complaint with the authority. | |||
The AEPD discovered that Orange used the provision of different services to potential clients or actual clients to obtain their phone number, that was included in different databases used for commercial and marketing purposes by the sending of SMS. Both Orange and Jazztel (Orange's subsidiary) sent daily SMS to the phones in such databases, that occasionally reached the amount of 1,050,000 SMS per day. | |||
Orange offered two different services, one that offers information about the availability of fibre in a particular location, and one that offers direct calls for supplying information about different services, that forced the user or client to accept a privacy policy. Such privacy policy included a clause that provided consent for Orange to use the personal data of the client for commercial communications. | |||
===Dispute=== | ===Dispute=== | ||
Is consent valid in accordance with Articles 6 and 7 GDPR? | |||
===Holding=== | |||
The AEPD concluded that this way of obtaining consent was not valid. The [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Information Society Services Act] (LSSI) implementing the e-Privacy Directive prohibits in its Article 21(1) the sending of commercial communications without express consent. The way of obtaining consent is not defined in that law, and therefore is ruled in accordance to the GDPR. | |||
The AEPD remarks that the statement of consent shall be named as such, and that consent such be specifically given for each option of processing. Orange, however, did not offer the possibility of giving consent for each type of processing, but included consent for commercial communications in a privacy policy that was obligatory to accept for the provision of the service. | |||
The AEPD considered that consent, under these circumstances, was not: | |||
*Freely given: Users were forced to accept a whole privacy policy that includes such consent. | |||
*Specific: They don't have an option of giving consent for each type of processing. | |||
*Informed: As no information about such consent for commercial communications is offered when accepting the privacy policy. | |||
Thus, Article 21(1) LSSI has not been complied with, as there is no consent according to Articles 6 and 7 GDPR. | |||
in | |||
Serious infringements, according to the LSSI, imply a fine between €30,001 and €150,000. The AEPD decided to imposed a fine of the maximum amount, €150,000, based on the following criteria: | |||
*The existence of intentionality. | |||
*The period of time in which the infringement happened. | |||
*The benefits earned by it. | |||
*The yearly revenue of the company: €4,779,670,000 in 2019. | |||
*The amount of users affected and of SMS sent. | |||
*The fact that the company is not adhered to any kind of code of conduct or any advertisement self-regulation system. | |||
The fine was reduced to €90,000 due to the assumption of responsibility and an early payment by Orange. | |||
==Comment== | ==Comment== |
Latest revision as of 13:58, 13 December 2023
AEPD - PS/00089/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(a) GDPR Article 7 GDPR Article 21(1) LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 07.04.2021 |
Fine: | 150000 |
Parties: | ORANGE ESPAGNE, S.A.U. |
National Case Number/Name: | PS/00089/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined Orange Spain €150,000 (reduced to €90,000) for sending bulk unsolicited commercial communications without adequately obtaining the consent of the users in accordance with Articles 6 and 7 GDPR.
English Summary
Facts
The Spanish DPA (AEPD) launched an investigation on Orange's marketing practices after several complainants lodged a complaint with the authority.
The AEPD discovered that Orange used the provision of different services to potential clients or actual clients to obtain their phone number, that was included in different databases used for commercial and marketing purposes by the sending of SMS. Both Orange and Jazztel (Orange's subsidiary) sent daily SMS to the phones in such databases, that occasionally reached the amount of 1,050,000 SMS per day.
Orange offered two different services, one that offers information about the availability of fibre in a particular location, and one that offers direct calls for supplying information about different services, that forced the user or client to accept a privacy policy. Such privacy policy included a clause that provided consent for Orange to use the personal data of the client for commercial communications.
Dispute
Is consent valid in accordance with Articles 6 and 7 GDPR?
Holding
The AEPD concluded that this way of obtaining consent was not valid. The Spanish Information Society Services Act (LSSI) implementing the e-Privacy Directive prohibits in its Article 21(1) the sending of commercial communications without express consent. The way of obtaining consent is not defined in that law, and therefore is ruled in accordance to the GDPR.
The AEPD remarks that the statement of consent shall be named as such, and that consent such be specifically given for each option of processing. Orange, however, did not offer the possibility of giving consent for each type of processing, but included consent for commercial communications in a privacy policy that was obligatory to accept for the provision of the service.
The AEPD considered that consent, under these circumstances, was not:
- Freely given: Users were forced to accept a whole privacy policy that includes such consent.
- Specific: They don't have an option of giving consent for each type of processing.
- Informed: As no information about such consent for commercial communications is offered when accepting the privacy policy.
Thus, Article 21(1) LSSI has not been complied with, as there is no consent according to Articles 6 and 7 GDPR.
Serious infringements, according to the LSSI, imply a fine between €30,001 and €150,000. The AEPD decided to imposed a fine of the maximum amount, €150,000, based on the following criteria:
- The existence of intentionality.
- The period of time in which the infringement happened.
- The benefits earned by it.
- The yearly revenue of the company: €4,779,670,000 in 2019.
- The amount of users affected and of SMS sent.
- The fact that the company is not adhered to any kind of code of conduct or any advertisement self-regulation system.
The fine was reduced to €90,000 due to the assumption of responsibility and an early payment by Orange.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/3 Procedure Nº: E / 03276/2021 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following FACTS FIRST: The claim filed by Mr. A.A.A. (hereinafter, the claimant) has entry dated March 29, 2019, in the Spanish Protection Agency of data. The claim is directed against ALDANITI INTERNATIONAL NETWORK, LTD, (in ahead, the claimed one). The claim indicates the following: “I received an email from pulpower to confirm my subscription, as I had not done no management, delete the mail that I have now been able to recover, as it turns out that without accept that subscription that I also do not make, I begin to receive spam, not only do I not I have subscribed, nor confirmed that email that they sent me, but I am subscribed in the Robinson list, attached certificate certifying it. I request the opening of sanctioning file. Thank you". It all started with a confirmation email of a supposed registration in the system, and He continued with emails where he was offered "tokens" to exchange for gifts. The claimant does not acknowledge having ever registered in the services of the person in charge, and, In addition, your email is listed on ADigital's Robinson list. In the second letter it is denounced that, in the aforementioned web portal, "cookies" with the mere visit to the page, and no way is offered not to provide or revoke consent to said treatment. SECOND: The Subdirectorate General for Data Inspection, learned of the following points and carried out these actions: It was verified that the person responsible for the treatment and owner of the web PULPOWER.COM is ALDANITI INTERNATIONAL NETWORK LTD, established in the UK. The claim was incorporated into the "Internal Market Information System" (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (Regulation IMI), whose objective is to promote cross-border administrative cooperation, the mutual assistance between Member States and the exchange of information; with IMI number 69346 and dated June 17, 2019. One month is given at authorities to manifest. On August 24, 2019: the data protection control authority in the United Kingdom (ICO) they accept the case, making a provisional file. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/3 When the time for Brexit to take effect, ICO has not made any action on the claim incorporated into IMI. FOUNDATIONS OF LAW I In accordance with the investigative and corrective powers that article 58 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and according to the provisions of article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is competent to resolve these investigative actions by the Director of the Spanish Agency for Data Protection. II Prior to the initiation of sanctioning actions, it is necessary to identify the presumed responsible for the administrative offense. Article 64 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, referring to the Initiation Agreement in the procedures of a sanctioning nature, establishes the following: "1. The initiation agreement will be communicated to the instructor of the procedure, with transfer of how many actions exist in this regard, and the interested parties will be notified, understanding in any case the accused as such. Likewise, the initiation will be communicated to the complainant when the rules governing the procedure so provide. 2. The initiation agreement must contain at least: a) Identification of the person or persons allegedly responsible. ... " In order to be able to initiate sanctioning actions, the Agency has been requested State Tax Administration if there was any NIF associated with the entity claimed, for identification. The State Tax Administration Agency has responded to the Spanish Agency of Data Protection that has not been able to locate any NIF related to the claimed entity. Therefore, although the claim presented, if detrimental to the possible prescription of the infringements claimed, could constitute an infringement of the regulations of data protection, it is not possible to initiate sanctioning actions due to not having Tax identification of the alleged person responsible. Therefore, in accordance with the provisions, by the Director of the Spanish Agency for Data Protection, IT IS AGREED: FIRST: PROCEED WITH THE FILING of these actions. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/3 SECOND: NOTIFY this resolution to the claimant. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, and in accordance with the provisions of the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file, optionally, an appeal for reconsideration before the Director of the Agency Spanish Data Protection within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the provision Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction Contentious-Administrative, within two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned Law. 940-0419 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es