AEPD (Spain) - EXP202203914
Latest revision as of 10:42, 13 December 2023
AEPD - AEPD PS-00290-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 07.03.2022 |
Decided: | |
Published: | 15.12.2022 |
Fine: | 70,000 EUR |
Parties: | VODAFONE ESPAÑA, S.A.U. |
National Case Number/Name: | AEPD PS-00290-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Teresa Lopez Carro |
The Spanish DPA fined Vodafone Spain €56,000 for duplicating a customer's SIM card without a valid legal basis under Article 6(1) GDPR.
English Summary
Facts
On 17 February 2022, Vodafone España, S.A.U (the controller), provided a duplicate of the data subject's SIM card to a third party who committed identity theft. The controller provided the SIM card without verifying the identity of said third party. By using the fraudulent SIM card, the third party accessed the bank account of the data subject's husband and made a transfer of an undisclosed amount. The data subject found out about the identity theft after receiving an SMS from the controller confirming the successful activation of the new SIM card. Later on, the controller's fraud department contacted the data subject and proceeded to block the fraudulent SIM card. The data subject filed a complaint with the Spanish DPA regarding this incident.
Holding
The Spanish DPA held that the controller had no valid legal basis for duplicating the data subject's SIM card without their consent and without verifying the identity of the requesting third party. It also recalled Recital 40 GDPR, which emphasises that all data processing must be based on consent or another legitimate legal basis. Hence, the DPA concluded that the controller violated Article 6(1) GDPR. The DPA questioned the due diligence of the controller in preventing fraud during SIM card replacement procedures.
The DPA considered the controller's infringement of Article 6(1) GDPR as “very serious” and imposed a €70,000 fine. The DPA took into account aggravating circumstances, such as the link between the controller's business activity and the processing of personal data of customers or third parties on a large scale. The DPA considered as a mitigating circumstance the timely handling and resolution of the incident by the controller.
The controller benefited from a Spanish administrative law provision, which allows for lowering the final amount of the fine, by voluntarily paying €56,000 in order to terminate the proceedings. The controller refused the DPA's offer of admission of guilt, which would have further reduced the amount of the fine to €42,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202203914
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: On September 23, 2022, the Director of the Spanish Agency of Data Protection agreed to start a sanctioning procedure against VODAFONE SPAIN, S.A. (hereinafter, the claimed party), through the Agreement transcribed below:
<< File No.: EXP202203914
AGREEMENT TO START THE SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and based on the following:
FACTS
FIRST: Ms. A.A.A. (hereinafter, the claiming party) dated March 7, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, the claimed party or Vodafone). The reasons on which the claim is based are the following:
The claimant states that on February 17, 2022, the claimed entity, without her authorization, provided a duplicate of her SIM card to a third party. She became aware of the facts after receiving an SMS from said entity informing her of the successful activation of her new SIM.
Later she received a call from the fraud department indicating that they had detected a suspicious duplication of the SIM card and, after the claimant confirmed that she had not requested it, the new SIM card was blocked, keeping the old one active.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
On the other hand, she states that said third party, using the information contained in the mobile phone, accessed her husband's bank account and made a transfer through BIZUM for a value of X.XXX euros.
Along with the notification, the following relevant documentation is provided:
Screenshot of the SMS received regarding the activation of the SIM card.
Copy of the telephone bill showing a charge for the disputed duplicate of the SIM card.
Complaint filed with the Ertzain-etxea of ***LOCALIDAD.1, on February 18, 2022.
Claim filed with the bank, with details of the bank movements.
Complaint filed with the Kontsumobide-Basque Consumer Institute against Vodafone.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party, so that it could proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the data protection regulations.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on April 26, 2022, as stated in the acknowledgment of receipt in the file.
On May 13, 2022, this Agency received a written response from Vodafone stating the following:
"A letter has been sent to the claimant informing her about the steps that were carried out by Vodafone to solve the incident and that it is currently resolved. In this sense, attached as Document number 1 is a copy of said letter sent to the claimant, through which she is informed, in particular, of the security policies available to Vodafone to prevent the making of duplicate SIM cards and that what happened has been classified as fraud by the Vodafone Fraud Department. In addition, she is informed that she regained full control over the affected line on the same day, February 17, 2022, and that the amount of 5 euros that was charged as a result of the duplicate SIM in question was reimbursed.
After analyzing the claim and investigating what happened, Vodafone has been able to verify that, on February 17, 2022, a SIM change was processed on the line ***PHONE.1, associated with customer ID ***ID.1 belonging to the claimant. Said SIM change was requested by telephone.
My client managed to solve the incident that is the object of the claim effectively and completely on February 17, 2022, that is, prior to the receipt of the present request for information by the Agency.
In order to prevent similar incidents from occurring, Vodafone works continuously to improve the Security Policies for its SIM change and duplicate processes, as well as for any other process that carries potential risks of fraud or irregular actions for our clients.
In this sense, since March 14, 2012, Vodafone has acted under the Security Policy for the Contracting of Individuals, which has been updated progressively, and whose last modification was implemented on January 4, 2022. Through said Security Policy, my client establishes what type of information must be required from the client for each requested procedure. Likewise, it includes how to proceed in case a user does not pass the Security Policy, as well as preventive actions in fraud situations. The aforementioned Security Policy is mandatory for all Vodafone After-Sales Services, who are in charge of applying and respecting it. Attached as Document number 4 is a copy of the Security Policy for Vodafone individuals.
As far as SIM card duplicates are concerned, it should be indicated that Vodafone's objective is that all duplicates or card changes be done in person, since it is the safest way to guarantee that irregular or fraudulent processes are not produced.
Likewise, with regard to the processing of a duplicate SIM, in accordance with said Policies, and as was already explained to the Agency within File E/11418/2019, to make a SIM change by telephone it is necessary to go through and pass the Vodafone Security Policy for such scenarios. Said Policy foresees three specific scenarios in which the change of SIM card will proceed by telephone: (i) in those cases in which the platform in charge of managing the change of the SIM card fails in such a way that the SIM change cannot be made in our stores; (ii) if the client is a company and therefore prefers to make the change from the platform ***PLATAFORMA.1, in which cases the SIM card is sent to the address of the company that appears in our systems; and (iii) if the customer is prepaid, in which case the SIM card can be shipped in cases of breakdown, loss/theft, incident in the store and at the customer's request.
Likewise, and prior to verifying whether the applicant falls within the scope of the three previous cases, the Vodafone Customer Service Department, in accordance with said Security Policy, must invite the applicant to manage the change of SIM in person at a Vodafone After-Sales Service (“SPV”) to give the maximum guarantee of security to the process. In case the client is in one of the three scenarios considered above, the Vodafone Customer Service Department will check, prior to managing the SIM change, that none of the following circumstances exist: (i) there must not have been any change of address in the last month; (ii) there must not have been previous SIM card shipments requested. In accordance with our Security Policies, non-compliance with either of the two above requirements will lead to the need to process the change of SIM in person in our stores.
In those cases in which the applicant complies with the requirements of the previous paragraphs, the processing of the SIM change will depend on the following: (i) if the applicant calls from the same number for which the change of SIM is being requested, the applicant will be asked for the Customer Service access code or ID; however, (ii) if the client does not call from the same number, the telephone number associated with the SIM (“MSISDN”) will be requested together with the Customer Service access password or DNI.
Additionally, it should be noted that all employees in the Customer Service Department have received training on the steps to follow to carry out SIM changes, through the guide available to all agents on the portal called "REDPLANET", which includes all the Vodafone processes and procedures that are applicable to them and the steps to follow in each case, according to the circumstances.
Therefore, if the processing of a SIM change and/or a change of ownership passes the aforementioned Vodafone Security Policies, such procedures will be carried out in accordance with what is indicated in said Policies, since my client considers the change to be authentic, real and truthful. Without prejudice to the foregoing, since February 17, 2022, my client has carried out the procedures needed to protect the claimant as a Vodafone customer.
In this sense, my client, at the request of the interested party, proceeded to declare what happened as a fraud, adopting the appropriate security measures on her account, and to solve the different incidents that occurred with respect to the SIM card of the affected line ***PHONE.1.
As a consequence of the classification of the facts as fraudulent by Vodafone and in order to prevent future fraudulent practices on the services associated with the claimant, my client proceeded, on February 17, 2022, to note in the claimant's client file that modifications, SIM changes, new registrations, portability and orders are only to be made if the interlocutor calls from the line associated with the claimant and manages to pass an additional process of reinforced security measures on her client ID.
In addition, internal processes are being reviewed to ensure compliance with the defined Security Policies or to introduce the necessary changes when considered pertinent. Specifically, my client is working on the continuous improvement of:
• Review of internal processes to ensure compliance with the Security Policies and verification controls that have been defined and incorporated, both in the face-to-face channel and by telephone, for duplicate SIM scenarios.
• Periodic reinforcement of the communication of the Security Policies and verifications that have been defined by Vodafone for SIM duplicates and that must be applied by agencies, commercial stores and agents.
• Sending periodic communications to the face-to-face and telephone channels, as well as to the logistics operator, alerting them to the risk scenarios detected, their characteristics and behavior patterns, in order to prevent new cases. These communications include details of how these requests are produced, the channels through which they are requested, the documentation provided, a description of the handling, and the geographic areas where the duplicate SIM cards are being collected/delivered.
• Application, if applicable, of the existing Penalty Policy for agents or distributors who carry out any duplicate or change of a SIM card without having the required documentation, or who carry out any SIM change procedure without following all the steps defined in the Security Policy.
Regarding the fraudulent "BIZUM" transactions revealed by the claimant in her claim, it is appropriate to state that the change of a SIM card only implies access to the telephone line associated with it, and not the bank details of the holder. Therefore, it does not seem possible that there is a correlation between the events that occurred in relation to my client and what happened with the bank of which the claimant is a client.
In this sense, the bank movements that she alleges in her claim do not have their origin in, nor have they been caused by, invoices for Vodafone services that she had contracted, but are due to accesses made through her bank account. Therefore, Vodafone cannot be responsible for the accesses and banking movements that could have been made fraudulently.
With all this, we can confirm that my client has currently carried out all pertinent actions to resolve the claim, and considers that it was correctly resolved prior to the receipt of this letter.
Attached, as Document number 5, is the report of the internal investigations carried out by Vodafone to solve this incident”.
THIRD: On May 30, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing.
FUNDAMENTALS OF LAW
I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "Procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”
II
The defendant is accused of committing an infraction for violation of article 6 of the GDPR, "Lawfulness of processing", which indicates in its section 1 the cases in which the processing of data by third parties is considered lawful:
"1. Processing will only be lawful if at least one of the following conditions is fulfilled:
a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;
b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application, at the request of the latter, of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the data controller;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller;
f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests are not outweighed by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.
The provisions of letter f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions”.
The infringement is typified in article 83.5 of the GDPR, which considers as such:
"5. Violations of the following provisions will be penalized, in accordance with section 2, with administrative fines of a maximum of 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:
a) The basic principles for the processing, including the conditions for consent in accordance with articles 5, 6, 7 and 9.”
Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), in its article 72, under the heading "Infractions considered very serious”, provides:
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that entail a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, in particular the following:
(…)
a) The processing of personal data without the fulfillment of any of the conditions of lawfulness of processing established in article 6 of Regulation (EU) 2016/679.”
II
In the present case, it is proven that Vodafone provided a duplicate of the SIM card of the claiming party to a third party, without her consent and without verifying the identity of said third party, who has accessed information contained in the mobile phone, such as bank details, passwords, email address and other personal data associated with the terminal.
Thus, the defendant did not verify the identity of the person who requested the duplicate SIM card and did not take the precautions necessary for these events not to occur.
Based on the foregoing, in the case analyzed, the diligence used by the defendant to identify the person who requested a duplicate SIM card is called into question.
Well, it is accredited, as recognized by the claimed party in its written response to this Agency dated May 13, 2022, <<that after analyzing the claim and investigating what happened, Vodafone has been able to verify that, as of February 17, 2022, a SIM change was processed on the line ***TELEPHONE.1, associated with the customer ID ***ID.1 belonging to the claimant. Said SIM change was requested by telephone. My client managed to solve the incident that is the object of the claim effectively and completely on February 17, 2022, that is, prior to the receipt of the present request for information by the Agency>>.
In accordance with the evidence available at this procedural moment and without prejudice to what results from the investigation of the procedure, it is estimated that the conduct of the claimed party could violate article 6.1 of the GDPR and may constitute the offense classified in article 83.5.a) of the aforementioned Regulation 2016/679.
In this sense, Recital 40 of the GDPR states:
"(40) For processing to be lawful, personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance with Law, either in this Regulation or under other Union law or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the data controller or the need to execute a contract to which the interested party is a party or for the purpose of taking measures at the request of the interested party prior to the conclusion of a contract."
IV.
The determination of the sanction that should be imposed in the present case requires observing the provisions of articles 83.1 and 2 of the GDPR, precepts that, respectively, provide the following:
"1. Each control authority will guarantee that the imposition of administrative fines under this article for violations of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.”
"2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following shall be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the potential adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the controller or processor in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to certification mechanisms approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.”
Within this section, the LOPDGDD contemplates in its article 76, entitled "Sanctions and corrective measures”:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of said article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of personal data processing.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected party could have led to the commission of the offence.
e) The existence of a merger by absorption process subsequent to the commission of the violation, which cannot be attributed to the absorbing entity.
f) The affectation of the rights of minors.
g) Having, when it is not mandatory, a data protection delegate.
h) Submission by the controller or processor, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.
3. It will be possible, additionally or alternatively, to adopt, when appropriate, the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679.”
In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the fine to impose on the claimed entity as responsible for an infringement classified in article 83.5.a) of the GDPR and 72.1 b) of the LOPDGDD, in an initial assessment, the following factors are considered concurrent in this case:
As aggravating factors:
- The evident link between the business activity of the defendant and the processing of personal data of clients or third parties (article 83.2.k of the GDPR in relation to article 76.2.b of the LOPDGDD).
The Judgment of the National Court of 10/17/2007 (rec. 63/2006), with respect to entities whose activity entails the continuous processing of customer data, indicates that "...the Supreme Court has understood that recklessness exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity involves constant and abundant handling of personal data, rigor and exquisite care must be insisted on to comply with the legal provisions in this regard.”
As mitigations:
The claimed party proceeded to resolve the incident that is the subject of the claim effectively and in full on February 17, 2022, as soon as it became aware of the facts (art. 83.2 c).
It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of 70,000 € for the alleged violation of article 6.1) typified in article 83.5.a) of the cited GDPR.
Therefore, in accordance with the foregoing, by the Director of the Spanish Data Protection Agency,
IT IS AGREED:
FIRST: INITIATE SANCTION PROCEDURE against VODAFONE SPAIN, S.A.U. with NIF A80907397, for the alleged violation of article 6.1) typified in Article 83.5.a) of the aforementioned GDPR.
SECOND: APPOINT as instructor D. B.B.B. and as secretary Ms. C.C.C., indicating that either of them may be challenged, if applicable, in accordance with the provisions established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, and the documents obtained and generated by the General Subdirectorate of Data Inspection.
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond for the infringement of article 6.1 of the GDPR, typified in article 83.5 a) of the GDPR, would be a fine in the amount of 70,000 euros (seventy thousand euros), without prejudice to what results from the instruction.
FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with NIF A80907397, granting a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the heading of this document.
If, within the stipulated period, no allegations are made to this initiation agreement, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed is a fine, the claimed party may recognize its responsibility within the term granted for the formulation of allegations to the present initiation agreement, which will entail a reduction of 20% of the sanction that should be imposed in this proceeding, equivalent in this case to fourteen thousand euros (€14,000). With the application of this reduction, the amount of the sanction would be established at fifty-six thousand euros (€56,000), resolving the procedure with the imposition of this sanction.

In the same way, it may, at any time prior to the resolution of this procedure, make the voluntary payment of the proposed sanction, in accordance with the provisions of article 85.2 LPACAP, which will mean a reduction of 20% of its amount, equivalent in this case to fourteen thousand euros (€14,000), for the alleged offence. With the application of this reduction, the amount of the sanction would be established at fifty-six thousand euros (€56,000) and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the one that applies for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to formulate allegations at the opening of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution.
In this case, if both reductions were to be applied, the amount of the penalty would be established at forty-two thousand euros (€42,000).

In any case, the effectiveness of either of the two aforementioned reductions will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

In the event that you choose to proceed with the voluntary payment of either of the amounts previously indicated, 56,000 euros or 42,000 euros, you must make it effective by depositing it in the account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the ground for reduction of the amount on which you rely.

Likewise, you must send proof of payment to the General Subdirectorate of Inspection in order to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. After this period, the procedure will expire and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Data Protection Agency
>>

SECOND: On October 21, 2022, the claimed party paid the sanction in the amount of 56,000 euros, making use of one of the two reductions provided for in the Commencement Agreement transcribed above. Therefore, the acknowledgment of responsibility has not been accredited.
THIRD: The payment made entails the waiver of any action or appeal against the sanction, in relation to the facts referred to in the Commencement Agreement.

LEGAL GROUNDS

I
Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in disciplinary proceedings", provides the following:

"1. Once a disciplinary procedure has been initiated, if the offender acknowledges its responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and another of a non-pecuniary nature may be imposed but the inadmissibility of the second has been justified, voluntary payment by the alleged offender, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

The percentage reduction provided for in this section may be increased by regulation."

According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202203914, in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

937-181022

Mar España Martí
Director of the Spanish Data Protection Agency