Revision as of 16:17, 3 February 2022
| AEPD (Spain) - PS-00001-2021 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR; Article 5(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 01.02.2022 |
| Fine: | 3,940,000 EUR |
| Parties: | VODAFONE ESPAÑA, S.A.U. |
| National Case Number/Name: | PS-00001-2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Carmen Villarroel |
The Spanish DPA fined Vodafone €3,940,000 for violating Articles 5(1)(f) and 5(2) GDPR, as it had neither implemented appropriate security measures to prevent the fraudulent replication of SIM cards nor been able to provide proof of such measures.
English Summary
Facts
Nine data subjects filed several complaints with the Spanish DPA (AEPD) against Vodafone after being victims of fraud, due to the deceitful replication of their SIM cards.
The perpetrators obtained replicas of the data subjects' SIM cards from Vodafone, which failed to verify the identity of the persons requesting them. With the replicated SIM cards, the perpetrators carried out bank transfers from the data subjects' online banking services (which verify their users' identity via the phone number) and transferred and spent money in other ways. The data subjects also reported these facts to the police.
Holding
The AEPD considered that Vodafone was unable to prove that it had verified either the identity of the person requesting the SIM card replica or the invoices issued, or that it had verified the effectiveness of the measures implemented to prevent identity theft.
The AEPD concluded that the security measures were insufficient, as any person who had the basic personal data of a data subject could circumvent Vodafone's security policy in this regard, and obtain a replica of the data subject's SIM card. Therefore, Vodafone showed a lack of accountability, breaching Article 5(2) GDPR, since there was a lack of proper analysis, planning, implementation, maintenance, control, and updating of their security measures. The AEPD noted that this is also related to data protection by design, enshrined in Article 25 GDPR.
Additionally, the AEPD concluded that the controller had violated Article 5(1)(f) GDPR, noting that the GDPR does not impose an obligation of result, but it does impose an obligation to act, and Vodafone had not acted with enough diligence to prevent the circumvention of its security measures against identity theft. The AEPD stated that Vodafone should have known the risk, which has a strong impact on data subjects' rights and freedoms, and should have acted accordingly. According to the AEPD, the measures were obviously insufficient and inadequate, since a significant number of other similar cases had occurred, not just the nine cases reported to the authority.
While Vodafone alleged that some of the cases occurred due to human error, the AEPD held that human error must be taken into account when determining the security measures, since such errors are always bound to happen and should be foreseen through risk analysis, planning, implementation and control of adequate technical and organisational measures. Therefore, a high number of human errors merely highlights a lack of due care, or in other words, a lack of adequate security measures and a disregard for accountability-related obligations.
The AEPD also remarked that the data subjects had lost their power to exert control over their personal data. In this case, such personal data were of a particularly sensitive nature, since a SIM card provides access to apps and services that require authentication or password retrieval via SMS, therefore enabling identity theft for a large number of web services such as email, online banking, social networks, etc.
The AEPD decided to fine the controller €3,940,000 for the violation of Article 5(1)(f) GDPR and Article 5(2) GDPR. The AEPD considered that the fine was proportional, since the GDPR establishes that fines shall be dissuasive.
In this regard, the AEPD mentioned the CJEU Judgment Versalis Spa/Comisión, C-511/11, in which the concepts of 'general deterrence' and 'specific deterrence' are explained, the latter being defined as 'to dissuade the specific defendant from infringing the rules again in the future'. The same judgment also holds that 'the purpose of the multiplier for deterrence and the taking into consideration of the size and global resources of the undertaking in question resides in the impact sought on that undertaking, and the sanction must not be negligible in the light, particularly, of its financial capacity'.
Additionally, Spanish case law[1] holds that fines must ensure that committing an offence is not more beneficial to the offender than actual compliance with the rules.
The AEPD also declared that the fine was proportionate taking into account, among others, the following aggravating factors: First, the nature, gravity and duration of the infringement. Second, the number of data subjects affected, which was considered very high in relation to the risk at stake. Third, the level of damage suffered by them, which was also very high. The AEPD also remarked that a Data Protection Impact Assessment (DPIA) under Article 35 GDPR should have been considered. Fourth, the negligent character of the infringement. Fifth, previous infringements by the controller also related to identity theft, highlighting the following cases:
- PS/00139/2020 (03/07/2020 - fine: €9,000)
- PS/00168/2020 (20/07/2020 - fine: €45,000)
- PS/00009/2020 (28/07/2020 - fine: €48,000)
- PS/00186/2020 (31/08/2020 - fine: €60,000)
- PS/00303/2020 (26/10/2020 - fine: €36,000)
- PS/00341/2020 (28/10/2020 - fine: €30,000)
- PS/00348/2020 (06/11/2020 - fine: €42,000)
- PS/00356/2020 (16/11/2020 - fine: €42,000)
- PS/00308/2020 (16/11/2020 - fine: €36,000)
- PS/00415/2020 (30/12/2020 - fine: €54,000)
- PS/00430/2020 (10/02/2021 - fine: €120,000)
And sixth, the categories of personal data affected by the infringement, which in this case, as previously remarked, were personal data of a sensitive nature.
The AEPD finally remarked that the sanction was not imposed solely because of the complaints filed by the data subjects, but because such cases highlight the failure to comply with the security and accountability obligations, as evidenced by the deficiencies in the security measures adopted by the controller.
[1] STS (Spanish Supreme Court), 11 May 2006, ES:TS:2006:3384, https://vlex.es/vid/tasadora-grave-homologacion-cobertura-24281875