AEPD (Spain) - EXP202203914: Difference between revisions

From GDPRhub
Revision as of 15:31, 20 December 2022

AEPD - AEPD PS-00290-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 07.03.2022
Decided:
Published: 15.12.2022
Fine: 70,000 EUR
Parties: VODAFONE ESPAÑA, S.A.U.
National Case Number/Name: AEPD PS-00290-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Teresa Lopez Carro

The Spanish DPA fined Vodafone Spain €56,000 for duplicating a customer's SIM card without a valid legal basis under Article 6(1) GDPR.

English Summary

Facts

On 17 February 2022, Vodafone España, S.A.U. (the controller) provided a duplicate of the data subject's SIM card to a third party, who used it to commit identity theft. The SIM change had been requested by telephone, and the controller issued the duplicate without verifying the identity of the requesting third party. Using the fraudulent SIM card, the third party accessed the bank account of the data subject's husband and made a transfer of an undisclosed amount.

The data subject found out about the identity theft after receiving an SMS from the controller confirming the activation of the new SIM card. Later, the controller's fraud department contacted the data subject and blocked the fraudulent SIM card, keeping the original one active.

The data subject filed a complaint with the Spanish DPA regarding this incident.

Holding

The Spanish DPA held that the controller had no valid legal basis for duplicating the data subject's SIM card, since it did so without her consent and without verifying the identity of the requesting third party. It also recalled Recital 40 GDPR, which requires every processing operation to rest on consent or on another legitimate basis laid down by law. The DPA therefore concluded that the controller violated Article 6(1) GDPR, and called into question the diligence exercised by the controller in identifying the person who requested the duplicate SIM card.

The DPA classified the controller's infringement of Article 6(1) GDPR as "very serious" and imposed a €70,000 fine. As an aggravating factor it took into account the evident link between the controller's business activity and the processing of personal data of customers or third parties, citing case law that demands particular rigour from entities whose activity involves the constant handling of personal data. As a mitigating factor it considered that the controller resolved the incident effectively and in full on the same day it became aware of the facts.

The controller benefited from a provision of Spanish administrative law (Article 85 of Law 39/2015, LPACAP) that allows the fine to be reduced for voluntary payment, and paid €56,000 to terminate the proceedings. The controller did not take up the DPA's offer of a further reduction for acknowledgement of responsibility, which would have lowered the fine to €42,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202203914

RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT

In the procedure conducted by the Spanish Data Protection Agency, and on the basis of the following

                                  BACKGROUND


FIRST: On September 23, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against VODAFONE ESPAÑA, S.A.U. (hereinafter, the respondent), by means of the Agreement transcribed below:


<<



File No.: EXP202203914



AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

In view of the actions carried out by the Spanish Data Protection Agency and on the basis of the following:

                                      FACTS



FIRST: On March 7, 2022, Ms. A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency. The claim is directed against VODAFONE ESPAÑA, S.A.U., with NIF A80907397 (hereinafter, the respondent or Vodafone). The grounds of the claim are the following:

The claimant states that on February 17, 2022, the respondent, without her authorisation, provided a duplicate of her SIM card to a third party. She became aware of the facts after receiving an SMS from the respondent informing her of the successful activation of her new SIM.

Later she received a call from the fraud department indicating that they had detected a suspicious SIM card duplication and, after the claimant confirmed that she had not requested it, the new SIM card was blocked, keeping the old one active.





C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/13








She further states that the third party, using the information contained in the mobile phone, accessed her husband's bank account and made a transfer via BIZUM for X.XXX euros.

Together with the claim, the following relevant documentation is provided:

- Screenshot of the SMS received regarding the activation of the SIM card.

- Copy of the telephone bill showing a charge for the disputed duplicate SIM card.

- Complaint filed with the Ertzain-etxea of ***LOCALIDAD.1 on February 18, 2022.

- Claim filed with the bank, and details of the bank movements.

- Complaint filed with Kontsumobide - Basque Consumer Institute against Vodafone.


SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim was transferred to the respondent so that it could analyse it and inform this Agency, within one month, of the actions taken to comply with the requirements established in data protection legislation.

The transfer, carried out in accordance with Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on April 26, 2022, as shown by the acknowledgement of receipt in the file.

On May 13, 2022, this Agency received a written response from Vodafone stating the following: "A letter has been sent to the claimant informing her of the steps taken by Vodafone to resolve the incident and that it is currently resolved.

In this regard, a copy of that letter sent to the claimant is attached as Document number 1. In it she is informed, in particular, of the security policies Vodafone has in place to prevent the making of duplicate SIM cards, and that what happened has been classified as fraud by Vodafone's Fraud Department.

In addition, she is informed that she regained full control over the affected line on the same day, February 17, 2022, and that the 5 euros charged as a result of the duplicate SIM in question were reimbursed.
After analysing the claim and investigating what happened, Vodafone has been able to verify that, on February 17, 2022, a SIM change was processed on line ***PHONE.1, associated with customer ID ***ID.1, belonging to the claimant.

Said SIM change was requested by telephone.

My client managed to resolve the incident that is the subject of the claim effectively and completely on February 17, 2022, that is, before receiving the present request for information from the Agency.

In order to prevent similar incidents from occurring, Vodafone continues to work on improving its Security Policies for SIM change and SIM duplicate processes, as well as for any other process that carries a potential risk of fraud or irregular action against our customers.

In this regard, since March 14, 2012, Vodafone has operated under the Security Policy for Contracting by Individuals, which has been updated progressively and whose latest modification was implemented on January 4, 2022. Through this Security Policy, my client establishes what type of information must be required from the customer for each requested transaction.

It also sets out how to proceed when a user does not pass the Security Policy, as well as preventive actions in fraud situations. The aforementioned Security Policy is mandatory for all Vodafone After-Sales Services, which are in charge of applying and respecting it.

A copy of Vodafone's Security Policy for individuals is attached as Document number 4. As far as duplicate SIM cards are concerned, it should be noted that Vodafone's objective is that all duplicates or card changes be carried out in person, since this is the safest way to ensure that irregular or fraudulent processes do not occur.

Likewise, with regard to processing a duplicate SIM, in accordance with said Policies, and as was already explained to the Agency in File E/11418/2019, to carry out a SIM change by telephone it is necessary to complete and pass the Vodafone Security Policy for such scenarios. Said Policy foresees three specific scenarios in which a SIM card change may proceed by telephone: (i) cases in which the platform in charge of managing the SIM card change fails in such a way that the SIM change cannot be made in our stores; (ii) if the customer is a company and therefore prefers to make the change from the ***PLATAFORMA.1 platform, in which case the SIM card is sent to the company address that appears in our systems; and (iii) if the customer is prepaid, in which case the SIM card can be sent in cases of breakdown, loss/theft, incident in the store, and at the customer's request.
Likewise, and before verifying whether the applicant falls within the scope of the three previous cases, Vodafone's Customer Service Department, in accordance with said Security Policy, must invite the applicant to attend a Vodafone After-Sales Service ("SPV") to manage the SIM change, in order to give the process the maximum guarantee of security. If the customer falls within one of the three scenarios considered above, Vodafone's Customer Service Department will check, before managing the SIM change, that none of the following circumstances exist: (i) there must not have been any change of address in the last month; (ii) no previous SIM card shipments must have been requested. In accordance with our Security Policies, failure to meet either of the two above requirements will mean that the SIM change must be processed in person in our stores. In those cases in which the applicant meets the requirements of the previous paragraphs, the processing of the SIM change will depend on the following: (i) if the applicant calls from the same number for which the SIM change is being requested, the Customer Service access code or ID will be requested; however, (ii) if the customer does not call from the same number, the telephone number associated with the SIM ("MSISDN") will be requested together with the Customer Service access password or DNI.
Additionally, it should be noted that all employees of the Customer Service Department have received training on the steps to follow to carry out SIM changes, through the guide available to all agents on the portal called "REDPLANET", which includes all of Vodafone's processes and procedures that are applicable to them and the steps to follow in each case, according to the circumstances.

Therefore, if the processing of a SIM change and/or a change of ownership passes the above Vodafone Security Policies, we proceed to carry out such procedures in accordance with what is indicated in said Policies, as my client considers the change to be authentic, real and truthful. Without prejudice to the foregoing, from February 17, 2022 my client carried out the procedures needed to protect the claimant as a Vodafone customer. In this regard, my client, at the request of the interested party, proceeded to classify what happened as fraud, adopting the appropriate security measures on her account, and to resolve the various incidents that occurred with respect to the SIM card of the affected line ***PHONE.1.

As a consequence of the classification of the facts as fraudulent by Vodafone, and in order to prevent future fraudulent practices on the services associated with the claimant, on February 17, 2022 my client recorded in the claimant's customer file that modifications, SIM changes, new registrations, portability and orders are to be processed only if the caller calls from the line associated with the claimant and passes an additional process of reinforced security measures on her customer ID.

In addition, internal processes are being reviewed to ensure compliance with the defined Security Policies or to introduce the necessary changes when deemed pertinent.

Specifically, my client is working on the continuous improvement of:

• Review of internal processes to ensure compliance with the Security Policies and verification controls that have been defined and incorporated, both in the face-to-face channel and by telephone, for duplicate SIM scenarios.

• Periodic reinforcement of communication of the Security Policies and verifications that Vodafone has defined for SIM duplicates and that must be applied by agencies, commercial stores and agents.
• Sending periodic communications to the face-to-face and telephone channels, as well as to the logistics operator, alerting them to the risk scenarios detected, their characteristics and behaviour patterns, in order to prevent new cases. These communications include details of how these requests are made, the channels through which they are requested, the documentation provided, a description of the handling, and the geographic areas where the duplicate SIM cards are being collected/delivered.

• Application, where appropriate, of the existing Penalty Policy for agents or distributors who carry out any duplicate or change of a SIM card without the required documentation, or who carry out any SIM change without following all the steps defined in the Security Policy.

Regarding the fraudulent "BIZUM" transactions revealed by the claimant in her claim, it should be pointed out that the change of a SIM card only implies access to the telephone line associated with it, and not to the bank details of the holder.

Therefore, it does not seem possible that there is a correlation between the events that occurred in relation to my client and what happened with the bank of which the claimant is a customer. In this regard, the bank movements she alleges in her claim do not have their origin in, nor have they been caused by, invoices for Vodafone services she had contracted, but are due to accesses made through her bank account. Therefore, Vodafone cannot be held responsible for accesses and bank movements that may have been made fraudulently.

With all this, we can confirm that my client has currently carried out all pertinent actions to resolve the claim, considering that it was correctly resolved prior to receipt of this letter. A report on the internal investigations carried out by Vodafone to resolve this incident is attached as Document number 5."
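The telephone SIM-change policy that Vodafone describes in its response reads as a sequence of gates: scenario, risk indicators, then what the caller must know. The following is an added example, written for this page and not Vodafone's code nor part of the decision, that models those gates in Python so the whole procedure can be traced as one access-control decision. The scenario labels, the field names, the reading of "last month" as 30 days, and the sample accounts and calls are all constructed assumptions.

```python
# Added example, not Vodafone's code and not part of the decision: a model of the
# telephone SIM-change policy as described in Vodafone's response above. Field
# names, scenario labels, the 30-day reading of "last month" and all sample data
# are assumptions made for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# The three cases in which the policy allows a SIM change by telephone at all.
TELEPHONE_SCENARIOS = {"store_platform_failure", "company_platform", "prepaid"}


@dataclass
class Account:
    msisdn: str                          # number of the line whose SIM is to be changed
    customer_type: str                   # "individual", "company" or "prepaid" (assumed labels)
    customer_service_code: str           # Customer Service access code / password
    dni: str                             # national ID number, accepted by the policy as an alternative
    last_address_change: Optional[date]  # None if the address has never been changed
    prior_sim_shipments: int             # SIM card shipments previously requested on the account


@dataclass
class PhoneRequest:
    calling_number: str                  # number the caller dials in from, as seen by the agent
    stated_msisdn: Optional[str]         # MSISDN the caller states; needed only when not on the line
    credential: str                      # access code or DNI given by the caller
    scenario: str                        # scenario the caller's situation is assigned to


def telephone_sim_change(acct: Account, req: PhoneRequest, today: date) -> Tuple[str, str]:
    """Return (outcome, reason); outcome is "in_person", "denied" or "approved"."""
    # Gate 1: only the three listed scenarios may be handled by telephone;
    # everything else is referred to an After-Sales Service (SPV) store.
    if req.scenario not in TELEPHONE_SCENARIOS:
        return "in_person", "not a telephone scenario; refer to SPV store"
    if req.scenario == "company_platform" and acct.customer_type != "company":
        return "in_person", "company platform scenario on a non-company account"
    if req.scenario == "prepaid" and acct.customer_type != "prepaid":
        return "in_person", "prepaid scenario on a non-prepaid account"

    # Gate 2: risk indicators that force the in-person channel.
    # "Last month" is read here as 30 days (assumption).
    if acct.last_address_change is not None and \
            today - acct.last_address_change <= timedelta(days=30):
        return "in_person", "address changed within the last month"
    if acct.prior_sim_shipments > 0:
        return "in_person", "previous SIM card shipments on the account"

    # Gate 3: what the caller must know. From the affected line: access code or ID.
    # From any other number: the MSISDN as well as the access code or DNI.
    if req.calling_number != acct.msisdn and req.stated_msisdn != acct.msisdn:
        return "denied", "caller is not on the line and did not state the correct MSISDN"
    if req.credential in (acct.customer_service_code, acct.dni):
        return "approved", "security policy passed; SIM change processed by telephone"
    return "denied", "credential matches neither the access code nor the DNI"


def evaluate_samples() -> dict:
    """Run constructed sample requests through the policy (illustrative values only)."""
    today = date(2022, 2, 17)
    acct = Account("+34600000001", "prepaid", "4821", "12345678A", date(2021, 6, 1), 0)
    samples = {
        "on_line_with_code": PhoneRequest("+34600000001", None, "4821", "prepaid"),
        "off_line_with_dni": PhoneRequest("+34911111111", "+34600000001", "12345678A", "prepaid"),
        "off_line_wrong_msisdn": PhoneRequest("+34911111111", "+34600000002", "4821", "prepaid"),
        "wrong_credential": PhoneRequest("+34600000001", None, "0000", "prepaid"),
        "no_telephone_scenario": PhoneRequest("+34600000001", None, "4821", "lost_phone"),
    }
    results = {name: telephone_sim_change(acct, req, today)[0] for name, req in samples.items()}
    # An address change 16 days ago trips gate 2 regardless of the credentials offered.
    moved = Account("+34600000001", "prepaid", "4821", "12345678A", date(2022, 2, 1), 0)
    results["recent_address_change"] = telephone_sim_change(moved, samples["on_line_with_code"], today)[0]
    return results


if __name__ == "__main__":
    for name, outcome in evaluate_samples().items():
        print(f"{name}: {outcome}")
```

Read this way, the only knowledge factor the policy accepts at gate 3 is either the Customer Service access code or the DNI number, and the agent has no way to tell from the call itself who is speaking; the Agency's finding below is precisely that, in this incident, the identity of the person requesting the duplicate was not verified.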

THIRD: On May 30, 2022, in accordance with Article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.



LEGAL GROUNDS

I

In accordance with the powers that Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD provides that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedure."


II

The respondent is charged with an infringement of Article 6 of the GDPR, "Lawfulness of processing", paragraph 1 of which sets out the conditions under which processing is lawful:

"1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."

The infringement is classified in Article 83.5 of the GDPR, which provides:

"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9."


Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), in its Article 72, under the heading "Infringements considered very serious", provides:

"1. In accordance with Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein are considered very serious and shall become time-barred after three years, and in particular the following:

(...)

b) The processing of personal data without fulfilling any of the conditions of lawfulness of processing established in Article 6 of Regulation (EU) 2016/679."



III

In the present case, it is proven that Vodafone provided a duplicate of the claimant's SIM card to a third party, without her consent and without verifying the identity of said third party, who thereby accessed information contained in the mobile phone, such as bank details, passwords, email address and other personal data associated with the terminal. Thus, the respondent did not verify the identity of the person who requested the duplicate SIM card and did not take the precautions necessary to prevent these events from occurring.

On this basis, in the case analysed, the diligence used by the respondent to identify the person who requested a duplicate SIM card is called into question.

Indeed, it is established, as acknowledged by the respondent in its written response to this Agency dated May 13, 2022, <<that after analysing the claim and investigating what happened, Vodafone has been able to verify that, on February 17, 2022, a SIM change was processed on line ***TELEPHONE.1, associated with customer ID ***ID.1, belonging to the claimant.

Said SIM change was requested by telephone.

My client managed to resolve the incident that is the subject of the claim effectively and completely on February 17, 2022, that is, before receiving the present request for information from the Agency>>.

In accordance with the evidence available at this procedural stage, and without prejudice to what may result from the investigation of the procedure, it is considered that the conduct of the respondent could infringe Article 6.1 of the GDPR and could constitute the infringement classified in Article 83.5.a) of the aforementioned Regulation 2016/679.

In this regard, Recital 40 of the GDPR states:

"(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract."

IV

The determination of the sanction to be imposed in the present case requires observing the provisions of Articles 83.1 and 83.2 of the GDPR, which respectively provide the following:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."

"2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."

Within this framework, Article 76 of the LOPDGDD, entitled "Sanctions and corrective measures", provides:

"1. The sanctions provided for in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in paragraph 2 of that Article.

2. In accordance with Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the infringement.

b) The link between the activity of the offender and the processing of personal data.

c) The benefits obtained as a consequence of committing the infringement.

d) The possibility that the conduct of the affected party may have induced the commission of the infringement.

e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The effect on the rights of minors.

g) Having a data protection officer when it is not mandatory.

h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in cases where there are disputes between them and any data subject.

3. The remaining corrective measures referred to in Article 83.2 of Regulation (EU) 2016/679 may also be adopted, where appropriate, in a complementary or alternative manner."

In accordance with the precepts transcribed, and without prejudice to what may result from the investigation of the procedure, in order to set the amount of the fine to be imposed on the respondent as responsible for an infringement classified in Article 83.5.a) of the GDPR and Article 72.1.b) of the LOPDGDD, the following factors are considered, in an initial assessment, to be present in this case:

As aggravating factors:

- The evident link between the business activity of the respondent and the processing of personal data of customers or third parties (Article 83.2.k) of the GDPR in relation to Article 76.2.b) of the LOPDGDD).

The Judgment of the National High Court of October 17, 2007 (appeal 63/2006), with respect to entities whose activity entails the continuous processing of customer data, states that "...the Supreme Court has held that recklessness exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, special consideration must be given to whether or not the subject is a professional, and there is no doubt that, in the case now examined, when the appellant's activity involves the constant and abundant handling of personal data, rigour and exquisite care must be insisted upon in complying with the legal provisions in this regard."

As mitigating factors:

The respondent resolved the incident that is the subject of the complaint effectively and in full on 17 February 2022, as soon as it became aware of the facts (Article 83.2.c)).

It is therefore appropriate to grade the penalty to be imposed on the respondent and set it at €70,000 for the alleged infringement of Article 6.1 of the GDPR, classified in Article 83.5.a) thereof.

Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency

AGREES:

FIRST: TO INITIATE SANCTIONING PROCEEDINGS against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged infringement of Article 6.1 of the GDPR, classified in Article 83.5.a) thereof.


SECOND: TO APPOINT Mr. B.B.B. as investigating officer and Ms. C.C.C. as secretary, noting that either of them may be recused, where applicable, in accordance with Articles 23 and 24 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the complaint filed by the complainant together with its documentation, and the documents obtained and generated by the Subdirectorate General for Data Inspection.

FOURTH: THAT, for the purposes of Article 64.2.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the penalty that could correspond for the infringement of Article 6.1 of the GDPR, classified in Article 83.5.a) of the GDPR, would be a fine of 70,000 euros (seventy thousand euros), without prejudice to the outcome of the investigation.

FIFTH: TO NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting it a hearing period of ten working days to submit the allegations and evidence it deems appropriate. In its written allegations it must state its NIF and the procedure number that appears in the heading of this document.

If it does not submit allegations against this initiation agreement within the stipulated period, the agreement may be considered a proposed resolution, as established in Article 64.2.f) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with Article 85 of the LPACAP, in the event that the penalty to be imposed is a fine, the respondent may acknowledge its responsibility within the period granted for submitting allegations to this initiation agreement, which will entail a reduction of 20% of the penalty to be imposed in these proceedings, equivalent in this case to fourteen thousand euros (€14,000). With the application of this reduction, the amount of the penalty would be set at fifty-six thousand euros (€56,000), and the proceedings would be resolved with the imposition of that penalty.

Likewise, at any time prior to the resolution of these proceedings, it may make voluntary payment of the proposed penalty in accordance with Article 85.2 of the LPACAP, which will entail a reduction of 20% of its amount, equivalent in this case to fourteen thousand euros (€14,000), for the alleged infringement. With the application of this reduction, the amount of the penalty would be set at fifty-six thousand euros (€56,000), and its payment will entail the termination of the proceedings.

The reduction for voluntary payment of the penalty is cumulative with the reduction for acknowledgment of responsibility, provided that the acknowledgment of responsibility is made within the period granted for submitting allegations upon initiation of the proceedings. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In that case, if both reductions were applied, the amount of the penalty would be set at forty-two thousand euros (€42,000).

In any case, the effectiveness of either of the two aforementioned reductions will be conditional on the withdrawal or waiver of any administrative action or appeal against the penalty.

If it chooses to make voluntary payment of either of the amounts indicated above, 56,000 euros or 42,000 euros, it must do so by depositing it in account number ES00 0000 0000 0000 0000 0000, held in the name of the Spanish Data Protection Agency at CAIXABANK, S.A., indicating in the payment reference the procedure number that appears in the heading of this document and the reason for the reduction applied.

Likewise, it must send proof of payment to the Subdirectorate General for Inspection so that the proceedings can continue in accordance with the amount paid.

The proceedings will have a maximum duration of nine months from the date of the initiation agreement or, where applicable, of the draft initiation agreement. Once this period has elapsed, the proceedings will lapse and, consequently, the file will be closed, in accordance with Article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with Article 112.1 of the LPACAP, no administrative appeal lies against this act.

Mar España Martí
Director of the Spanish Data Protection Agency

>>

SECOND: On 21 October 2022, the respondent paid the penalty in the amount of 56,000 euros, availing itself of one of the two reductions provided for in the initiation agreement transcribed above. Acknowledgment of responsibility has therefore not been established.

THIRD: The payment made entails the waiver of any administrative action or appeal against the penalty in relation to the facts referred to in the initiation agreement.

                           LEGAL GROUNDS

                                            I

                                      Competence

In accordance with the powers that Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve these proceedings.

Likewise, Article 63.2 of the LOPDGDD provides that: "The proceedings handled by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedure."



                                           II
                            Termination of the proceedings

Article 85 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings", provides as follows:

"1. Once sanctioning proceedings have been initiated, if the offender acknowledges responsibility, the proceedings may be resolved with the imposition of the appropriate penalty.

2. When the penalty is solely pecuniary in nature, or when it is possible to impose a pecuniary penalty and another of a non-pecuniary nature but the inappropriateness of the latter has been justified, voluntary payment by the alleged offender at any time prior to the resolution will entail the termination of the proceedings, except as regards restoring the situation altered or determining the compensation for the damage caused by the commission of the offence.

3. In both cases, when the penalty is solely pecuniary in nature, the body competent to resolve the proceedings will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be specified in the notification of initiation of the proceedings, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the penalty.

The percentage reductions provided for in this paragraph may be increased by regulation."

In view of the foregoing,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of proceedings EXP202203914, in accordance with Article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

In accordance with Article 50 of the LOPDGDD, this resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative procedure pursuant to Article 114.1.c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46.1 of that Law.


                                                                                 937-181022
Mar España Martí
Director of the Spanish Data Protection Agency