AEPD (Spain) - EXP202308186: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 79: | Line 79: | ||
== Comment == | == Comment == | ||
'' | ''The AEPD dismissed an internal appeal to this decision by the controller (see [https://www.aepd.es/documento/reposicion-ps-00306-2023.pdf here]) on 11 July 2024.'' | ||
== Further Resources == | == Further Resources == |
Revision as of 09:27, 26 July 2024
AEPD - EXP202308186 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 58(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 20.09.2022 |
Decided: | 11.07.2024 |
Published: | |
Fine: | 200,000 EUR |
Parties: | Vodafone España, S.A.U. |
National Case Number/Name: | EXP202308186 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA fined a controller €200,000 after it failed to respond to the DPA's requests for further information, finding that it hindered the investigation in violation of Article 58(1) GDPR.
English Summary
Facts
On 20 September 2022, a data subject filed a complaint with the Spanish DPA (AEPD). The data subject had received numerous advertising calls from Vodafone España, S.A.U. (the controller) on various dates, from various phone numbers. This occurred despite the data subject being listed on no-call lists.
The controller noted that it has partners who carry out calls on its behalf. However, it claimed that there was no record in its database associating the phone numbers that called the data subject with the controller. It noted that its calling partners are subject to contractual requirements that ensure they will not use non-Vodafone phone numbers, and that the controller has stopped working with partners that failed to comply with contractual obligations including data protection standards.
The AEPD dismissed the complaint in part because some calls could not be tied to the controller (see EXP202210932). However, it requested further information from the controller with regard to certain calls from third parties made by Vodafone partners on behalf of the controller. However, the controller failed to respond or to provide the AEPD with the requested information. On 19 September 2023, the AEPD initiated sanctioning procedures against the controller for a presumed infraction of Article 58(1) GDPR. In October 2023, the controller affirmed that it had not provided the requested documents or facilitated the investigation. Nonetheless, it argued that it had collaborated with the AEPD at all times and had no intention of hindering the investigation. It claimed that it could not provide the requested information without proper judicial authorisation and without breaching data protection obligations. It also argued that the calls were not affiliated with Vodafone but instead with a new customer of the former partner, which Vodafone had ended its contract with. Finally, it claimed that even if it had provided the requested information, the investigation would have been unaffected because the owners of the numbers that made the calls did not respond to the AEPD’s requests.
The controller also pointed out that documents and investigations carried out in this case against third parties were not provided to the controller and requested full access. The AEPD refused to provide access on the basis that those proceedings were independent of the current one, and that the investigation of third parties is unrelated to the sanctioning proceeding.
Holding
The AEPD found that the controller had failed to provide the AEPD with the information it requested, thus hindering the AEPD’s duty of investigation and infringing Article 58(1) GDPR. The AEPD imposed a fine of €200,000.
Comment
The AEPD dismissed an internal appeal to this decision by the controller (see here) on 11 July 2024.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/19 File No.: EXP202308186 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: As a consequence of a claim presented to the Spanish Agency of Data Protection against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (in hereinafter, the claimed party), showing signs of a possible breach of the standards within the scope of the powers of the Spanish Agency for the Protection of Data, actions were initiated with file number EXP202210932. In accordance with the provisions of article 65 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (LOPDGDD hereinafter), the claim was transferred to the person in charge or to the Delegate of Data Protection that may have been designated, requesting that you send to this Agency the information and documentation that was indicated. SECOND: On November 28, 2022, a response is received from the entity claimed, registered at the outset with the numbers REGAGE22e00054090973 and REGAGE22e00054091729, in which it indicates the following: “The claim has taken place because it appears that Ms. A.A.A., in different dates, has received commercial calls in the name of Vodafone, coming from the calling numbers (…) ***PHONE.1 (…). According to the information available in the Registry of Numbers and Telecommunications Operators of the Commission National Markets and Competition Authority (CNMC), the numbers indicated They previously belong to the following operators; (…) ***PHONE.1 a Vodafone ONO; (…). After carrying out the appropriate checks, we have verified that the lines telephone numbers of the claimant, ***PHONE.2, ***PHONE.3 and ***PHONE.4, They appear in ADigital's official Robinson list and in ADigital's internal Robinson list. Vodafone. These numbers, according to the CNMC registry and as of December 28 November 2022, belong to VODAFONE ENABLER. (…) We have checked whether the calling numbers indicated in the request information appears in our database with the telephone numbers they use our collaborators to make recruitment calls. To this end, we have verified that it does not appear in our database of numbers associated with our collaborators who make recruitment calls on behalf of Vodafone. Thus, It does not seem possible to relate the reception of the calls that reveal the Mrs. A.A.A. in your claim with my client. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/19 (…) On the other hand, a single database has been created with the list of phone numbers. telephone number that each collaborator, distributor or supplier dedicated to collection used in the performance of these services, in order to be able to identify who is responsible for these calls. It is Vodafone's interest to ensure that These companies do not use numbers other than Vodafone and they are all are clearly identified and linked to the entity that uses it. (…) Likewise, currently Vodafone has stopped working with those entities that have repeatedly failed to comply with the contractual obligations established by Vodafone, as well as the legal provisions regarding data protection and is in the middle of a selection of those collaborators who guarantee the full compliance with current regulations. THIRD.- The Agency requests certain information for cases in which the call has been made by a third party. Since the calling numbers indicated by Mrs. A.A.A. do not appear. in his complaint in our database of telephone numbers used by our collaborators to make recruitment calls, the contribution of information. FOURTH.- The Agency requests information about the “DECISION ADOPTED TO PURPOSE OF THE CLAIM”. A copy of the letter prepared to Ms. A.A.A. is provided as Document number 5. in which informs you of the steps taken by my client to resolve your claim. In this sense, the letter informs the claimant that There is currently no data linked to your ID in Vodafone systems. No However, there is data linked to your ID in Vodafone systems. Enabler (Lowi), having active services with this brand. Likewise, attached as Document number 6 is an internal report in which confirms the deletion of the claimant's data in Vodafone systems.” The claim was admitted for processing on December 2, 2022. THIRD: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the investigative powers granted to the authorities of control in article 57.1 of Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter RGPD), and in accordance with the provisions of the Title VII, Chapter I, Second Section, of the aforementioned LOPDGDD. Within the framework of the investigation proceedings, they were sent to the requested party three information requirements, related to the claim outlined in section first, so that, within a period of ten business days, the information and documentation that was indicated therein. The requirements were registered departure on dates February 13, 2023, March 24, 2023 and March 12 May 2023. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/19 Specifically, information was required on up to three occasions regarding the following: - Confirmation of the sending to the number ***PHONE.2 of the call made by the line ***TELÉFONO.1 on June 16, 2022 between the hours of 12:00 and 14:00. - Confirmation of the sending to the number ***PHONE.3 of the call made by the line ***TELÉFONO.1 on June 16, 2022 between the hours of 12:00 and 14:00. - Confirmation of the sending to the number ***PHONE.4 of the call made by the line ***TELÉFONO.1 on June 16, 2022 between the hours of 12:00 and 14:00. FOURTH: The information requirements, which were notified in accordance with the rules established in Law 39/2015, of October 1, on the Procedure Administrative Plan of Public Administrations (hereinafter, LPACAP), were collected by the claimed party with dates February 22, 2023, March 29, 2023 and May 16, 2023, as stated in the acknowledgments of receipt in the proceedings. FIFTH: To the information requests sent to the claimed party requesting confirmation of receipt in the claimant's numbers of the calls made by the line ***PHONE.1, it was limited to answering, with registered writings of entry dated March 8, 2023 and registration number REGAGE23e00014439154 and dated May 22, 2023 and registration number REGAGE23e00032372663, that the calling number belongs to another operator since May 2021. The claimed party has not given this Spanish Data Protection Agency the required information. SIXTH: VODAFONE ESPAÑA, S.A.U. is part of the VODAFONE business group GROUP PLC, which has an annual business volume of 45,706 million euros, according to the financial results published by the entity itself in its annual report for fiscal year 2023. SEVENTH: On September 19, 2023, the Director of the Spanish Agency of Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged violation of Article 58.1 of the RGPD, typified in Article 83.5 of the GDPR Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter RGPD). EIGHTH: The aforementioned initiation agreement was collected by the claimed party on date September 27, 2023, as stated in the acknowledgment of receipt in the proceedings. NINTH: On September 27, 2023, writings are presented, registered in entry with numbers REGAGE23e00064771967 and REGAGE23e00065138852, in the that the claimed party requests the extension of the period initially granted for the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/19 formulation of allegations and access to the complete file of this procedure. This Agency facilitated access to the file and agreed to extend the deadline to formulate allegations up to a maximum of five days, computed from the day following the one in which the first period of allegations ended. TENTH: On October 5, 2023, a registered document of entry is presented with number REGAGE23e00067574223, in which the claimed party states that it is not facilitated the writings and other investigations carried out by this Agency regarding of the third parties involved in this investigation and requests again full access to the file. This Agency responded that file EXP202210932 is independent of the present sanctioning procedure and that the investigative actions of said file with respect to third parties are unrelated to the basis of this sanctioning procedure, so they have not been incorporated into it, they do not there being additional documentation to that included in the file previously sent. ELEVENTH: On October 19, 2023, allegations are presented to the agreement start in writing registered entry with number REGAGE23e00070808627 in the that the claimed party indicates that this Agency denied him access to a copy of the present complete file. Furthermore, first of all, the claimed party states that it has collaborated in all moment with this Agency and that at no point has it had the intention of hindering the investigation, he says, but to comply with all the legal requirements that, as an operator of telecommunications, are required. Thus, the claimed party says that the calling line ***PHONE.1 and the calls ***PHONE.2, ***PHONE.3 and ***PHONE.4 are their ownership, according to the information available in the Registry of Numbering and Operators of Telecommunications of the National Markets and Competition Commission. Regarding the calling number ***PHONE.1, the claimed party says that it informed this Agency that “it belonged to the reseller Akra Leuka Consulting, S.L., with CIF B54498688 (hereinafter, “Akra Leuka Consulting”). With this information We assume that the Agency sent a request for information to Akra Leuka Consulting, which must have indicated that the final owner of the line was the company JESCOM SARL AU. This information is inferred from the Archive Resolution of June 20, 2023 (hereinafter, the “Archive Resolution”), since the Agency has not provided these investigations as part of the file of this procedure, despite the requests sent by my client, limiting access to information and hence Vodafone's defense capacity.” Therefore, says the claimed party, said line did not belong to Vodafone since December 25. May 2021, when it was reported to the aforementioned reseller. As proof, the part claimed provides a screenshot of that reseller entity for fixed portability. It also provides a screenshot of the website of the Commission's Registry of Operators C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/19 National Markets and Competition where it is observed that Akra Leuka Consulting, S.L. is registered as a reseller. The complained party goes on to say that, to the extent that the numbering was of the reseller Akra Leuka Consulting, S.L., could not obtain information about the calls sent by the line ***PHONE.1 that this Agency required. In it in the event that the meaning of the requirement of this Agency was to request the confirmation of receipt on the claimant's line of the call made by the line ***PHONE.1, he adds, this information would refer to incoming traffic data, information that is especially protected, he points out, by the Conservation Law of data. In relation to the traffic information, the claimed party comments that “in order to be able to Accessing the system in which this information is archived requires judicial authorization under the provisions of Law 25/2007, of October 18, retention of data relating to electronic communications and networks public communications (hereinafter, “Conservation Law”), specifically its Article 1, the duty to transfer said traffic data, as well as location data on natural and legal persons, operates only if carried out by authorized agents, and whenever they are required through the corresponding judicial authorization. Likewise, article 6.2 of the Conservation Law lists Which are the authorized agents, specifically: a) “Members of the Security Forces and Corps, when they perform judicial police functions, in accordance with the provisions of article 547 of the Law Organic 6/1985, of July 1, of the Judicial Branch. b) The officials of the Deputy Directorate of Customs Surveillance, in the development of their powers as judicial police, in accordance with section 1 of article 283 of the Criminal Procedure Law. c) The personnel of the National Intelligence Center in the course of investigations of security over people or entities, in accordance with the provisions of Law 11/2002, of May 6, regulating the National Intelligence Center, and in the Organic Law 2/2002, of May 6, regulating prior judicial control of the National Center for Intelligence." In this sense, this legal reasoning has been defended by my client in other occasions with regard to traffic data, such as, for example, in the request with reference number EXP202211234, in which it was alleged before the Agency the following: Vodafone has a tool to manage, solely and exclusively, the requests for information received through judicial or police requests involving traffic information. Only through these mechanisms Vodafone is authorized to access this information. It must be taken into account Keep in mind that the use of this type of tools is extremely sensitive, and only It can be used in very exceptional cases, as long as it comes accompanied by a judicial or police information request prior to access to the information requested. […] For all this, and as stated in the previous allegations by my client, the exclusion of the duty of collaboration on the part of Vodafone would apply, included in article 52.3 of Organic Law 3/2018, of December 5, of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/19 Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), which reserves the transfer of data only for compliance with the obligations provided for in Law 25/2007, of October 18, on the conservation of data relating to electronic communications and public networks communications, and with prior judicial authorization requested by one of the agents to authorize. […] In this sense, my client requests that this Agency, to the extent possible possible, justify the reason why you consider that the alleged exception does not apply. This justification will be necessary to the extent that the tool used to obtaining traffic information has, due to the type of information that stores, a series of security, control and monitoring measures extremely elevated. Both the system and the measures implemented are audited with frequency and during such audits the reason for certain audits may be requested. consultations, the reasons for which are assessed. Therefore, in terms of strict defense, My client would need to provide legal justification of the entity applicant to have accessed the system, processed traffic data and communicated said information." Ultimately, the claimed party concludes that it could not provide the traffic data requested without having the proper judicial authorization. Likewise, he adds, the responsibility for the calls made by the reseller's customers is in all case of Akra Leuka Consulting, S.L. The claimed party reiterates that it has always sought collaboration with this Agency and that on the occasions in which information about calls made has been requested through its lines, whose information can be confirmed by reviewing the billing and without access traffic data, has sent said information to the Agency, such as, For example, it says, in the requirement with reference number EXP202102025, whose The allegations have the entry registration number REGAGE22e00016210068. Secondly, the defendant argues that in the event that there were provided the required information, contravening the obligations of the regulations of data retention, the outcome of the Agency's investigation would not have varied, then, he says, the holders of the numbers that executed the calls object of the investigation have not responded to the requirements of this Agency. Thirdly, the claimed party points out, subsidiarily, and in the event that This Agency understands that it has violated article 58.1 of the RGPD, which cannot appreciate the existence of guilt in the alleged infractions and, in Consequently, he says, no sanction can be imposed, according to article 28.1 of the Law 40/2015, of October 1, on the Legal Regime of the Public Sector. Furthermore, it continues, continuing with the interpretation made by the Supreme Court, For exculpation, the invocation of the absence of guilt will not be enough, but it will be It is necessary that the diligence that was required by the person who claims his non-existence (among others, the Supreme Court Ruling of January 23, 1998 [RJ 1998\601]). In this sense, the claimed party claims to have acted in all moment in collaboration with this Agency, complying with the due diligence that It is demandable, and no guilt can be attributed to him, he says. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/19 Fourthly, the claimed party indicates, subsidiarily, and in the event that This Agency understands that there has been a violation and a sanction must be imposed, which It must be modulated downwards taking into account extenuating circumstances. So, reiterates, acted in compliance with the Conservation Law. Furthermore, he adds, his degree of cooperation during the previous inspection actions was high, as evidenced by all responses made to information requests and the provided information that led, he adds, to this Agency being able to reach identify those responsible for the calls, having completed the investigation, he asserts, for reasons unrelated to his participation in the investigation. Finally, the claimed party says that it has not obtained any type of benefit or avoided losses to due to the alleged lack of collaboration. By virtue of all of the above, the claimed party requests the archiving of these actions because, he says, none of the alleged infractions had been committed and, subsidiarily, that if any sanction is imposed, it is imposed in an amount minimal. TWELFTH: On January 11, 2024, a proposed resolution was formulated, proposing that the Director of the Spanish Data Protection Agency sanction the claimed party, for a violation of Article 58.1 of the RGPD, typified in Article 83.5 of the GDPR, with a fine of €200,000.00. This proposal of resolution was reliably notified to the claimed party on January 17 of 2024, as stated in the acknowledgment of receipt in the file. THIRTEENTH: With dates January 18, 23 and 26, 2024, they are registered entry, with numbers REGAGE24e00004378839, REGAGE24e00005285077 and REGAGE24e00006323677, writings in which the claimed party requests the extension of the period initially granted in the maximum time allowed by the current legislation, under article 32 of the LPACAP. This Agency agreed to extend the period to formulate allegations up to a maximum of five days, computed from the day following the day on which the first allegations period. FOURTEENTH: With date February 7, 2024 and entry registration number REGAGE24e00009843778, the claimed party presents a written statement of allegations to the Proposal for a resolution, in which it states, “without prejudice to the fact that we refer to what set forth in the allegations presented before the Initiation Agreement”, the following. In the First Allegation, the claimed party once again states that it has not violated the article 58.1 of the RGPD, which has collaborated at all times with the Agency and that in No point, he says, has been intended to hinder the investigation, but rather to comply with all the legal requirements that, as a telecommunications operator, They are required. Regarding the duty of collaboration, the complained party does not agree with the affirmation of this Agency that in the present case it is not applicable the exclusion of the duty of collaboration imposed by article 52 of the LOPDGDD, since it cannot be accepted that the mere confirmation that a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/19 specific call between two numbers can be considered as traffic data treated “exclusively” to comply with the obligations provided for in the law 25/2007. On the contrary, the claimed party understands that “this information is protected to be offered solely and exclusively to authorized agents through requests for information received through judicial requests or police that involve traffic information. Consequently, Vodafone could not provide the data requested by the Agency without, as a result, access such traffic data. Likewise, and said in terms of strict defense, the responsibility for the calls made by the clients of the reseller is in all cases Akra Leuka Consulting, which may confirm said information, not from Vodafone. On the other hand, the Agency, in the Proposed Resolution, indicates that “[…] article 52 of the LOPDGDD expressly provides within the duty of collaboration that, in the assuming that the conduct had been carried out through the use of a fixed or mobile telephone service, information must be provided on “3rd The mere confirmation that a specific call has been made between two numbers on a certain date and time.” […] he was not being asked to provide specific data, but mere confirmation.” In this sense, my client does not deny the validity of this article, but rather analyzed in conjunction with Law 25/2007, of October 18, on data conservation (in (hereinafter, the “Data Preservation Law”). As a result, in certain cases, in those that do not involve access to traffic data, have been provided to the Agency confirmation of making calls, such as, for example, and as indicated in the allegations to the Startup Agreement, in the request with reference number EXP202102025, whose allegations have the entry registration number as REGAGE22e00016210068. In short, Vodafone has not violated article 58.1 of the RGPD and has offered the Agency the information available in its systems and that it is authorized to communicate in compliance with the multiple legal obligations that are required as communications operator.” In the Second Allegation, the defendant again argues that, in the case of who had provided the required information, contravening, he says, the obligations of the data retention regulations, the result of the investigation of no would have changed, since the holders of the numbers that executed the calls object of the investigation have not responded to the requirements of this Agency. In this sense, the claimed party points out that “they have not wanted to question the ability of the Agency to determine the need for the requested information, but highlight that the seriousness of the potential infraction, in the event that it occurs considered as such, it would have to be reduced, since the Agency, even contributing my represented the required information, would not have been able to confirm the reason for the themselves, not being able to conclude the original reason for this process, which is the realization of commercial communications to Ms. A.A.A.'s line, nor sanction or warn those responsible for them as they are outside the scope of competence territory of the AEPD”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/19 In the Third Allegation, the claimed party affirms that it has implemented security systems monitoring and auditing to control unauthorized, illegal or fraudulent activity when it comes to commercial calls. According to the claimed party, “this procedure is caused by a series of calls commercials that Ms. A.A.A. claims, calls that were not authorized by part of Vodafone and that are executed illegitimately or fraudulently. In this sense, my client has implemented numerous controls for the monitoring and auditing of these practices. Among other measures, Vodafone has implemented the routing system, sales audits, etc., measures that have been brought to the attention of this Agency in the course of other procedures. However, in this case we want to highlight what is related to the “Deontological Code in Commercial Contact Operations” (hereinafter, the “Code of Conduct”), signed by the main operators in the Spanish market on July 19, 2021. This Code of Conduct establishes that the signatories agree to mutual collaboration for investigation and adoption of measures corresponding in cases in which an irregular practice is identified, such as the case analyzed in this procedure. This measure demonstrates the diligence implemented by my client to control, monitor and implement the measures that are necessary to minimize these practices.” In the Fourth Allegation, the claimed party states again that, “Subsidiarily, and in the event that the Agency understands that Vodafone has violated article 58.1 of the RGPD, the existence of guilt cannot be appreciated in the infractions imputed to Vodafone and, consequently, it cannot be imposed on the same sanction.” Against the dismissal by this Agency of the lack of guilt to the consider that the claimed party did not respond adequately to the requirements made, thus calling into question the diligence employee, the claimed party alleges that “it did respond adequately to the information requirements, complying with the regulations that are considered applicable, in specifically, the Data Preservation Law. Likewise, it has acted with diligence due, not only complying with the applicable regulations, but has also implemented measures to control unauthorized calls made by third parties other than my client, such as, for example, through the collaboration processes of the Code of Conduct. Consequently, Vodafone has acted at all times in compliance with due diligence. due that is required of him, and no guilt can be attributed to him.” In the Fifth Allegation, the claimed party points out that, “Subsidiarily, and for the in the event that the Agency understands that there has been a violation and a penalty must be imposed. sanction to Vodafone, the following circumstances must be taken into account aggravating and mitigating. Regarding the applied aggravating circumstance of negligence in the infringement, the claimed party reiterates that it acted in compliance with the Conservation Law. Thus, he says that “no C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/19 could provide the requested traffic data, without having proper authorization judicial or police. It should not be understood that Vodafone's motivation in Denial of said information responds to a malicious and intentional intention with the in order to make the Agency's investigation difficult since Vodafone has collaborated in everything moment in this investigation answering all possible information and, in addition, It must be taken into account that the information requested from my client does not would change the results of the investigation, since, as the AEPD indicates in its file resolution, it would not clarify whether the reason for the calls was commercial for be able to conclude violation of the LGTel or RGPD.” The claimed party also insists that this Agency did not apply when evaluating the sanction “The degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement.” In In this sense, it reiterates that its degree of cooperation during the previous actions of inspection was high, as proven by all the responses made to the information requirements and the information provided that led, he says, to This Agency has been able to identify those responsible for the calls, having completed the investigation, he states, for reasons unrelated to his participation in on the research. Furthermore, the claimed party says that, “in order to remedy To this type of infractions my client has applied monitoring measures and audit to monitor unauthorized, illegal or fraudulent activity in what “regards commercial calls.” By virtue of all of the above, the claimed party requests that the dismissal of the file with the consequent archiving of the proceedings, for not none of the alleged infractions having been committed and that, subsidiarily, in If any sanction is imposed, it is imposed in a minimum amount, in light of the indicated mitigating circumstances and the appropriate delimitation of the responsibility in the processing of personal data of the affected parties. In view of everything that has been done, by the Spanish Data Protection Agency In this procedure, the following are considered proven facts: PROVEN FACTS FIRST: The information requirements indicated in the third and third background information Fourth, they were notified to the claimed party in accordance with the provisions of the LPACAP and collected as evidenced in the acknowledgments of receipt that appear in the proceedings. SECOND: To the requirements requesting confirmation of receipt in the numbers of the claimant of the calls made by the line ***TELÉFONO.1, the claimed party simply replied that the calling number belonged to another operator since May 2021, despite having the requested information when being VODAFONE ESPAÑA, S.A.U. the entity that operates the claimant's numbers through one of its brands (LOWI). THIRD: The notification of the agreement to initiate this procedure sanctioning was collected by the claimed party on September 27, 2023. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/19 FOURTH: The claimed party has presented allegations to the agreement to start this sanctioning procedure described in the eleventh antecedent. FIFTH: The notification of the proposed resolution of this procedure sanctioning was collected by the claimed party on January 17, 2024. SIXTH: The claimed party has presented allegations to the proposed resolution of this sanctioning procedure included in the fourteenth antecedent. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Allegations to the initiation agreement In response to the allegations presented by the claimed party, the following must be noted: following. Regarding the claim that this Agency denied the complained party access to this complete file and this limited his ability to defend himself, as already stated. indicated, the file of this procedure was sent complete and in good form. The writings and other investigations carried out regarding the third parties involved in the investigation that the claimed party requested are unrelated to the basis of the present sanctioning procedure and are part of another file, the number EXP202210932, independent of this one. As can be seen from the allegations presented, the claimed party was aware of the information that was required and whose lack of contribution is the origin of this sanctioning procedure, and has had the opportunity to present as many allegations and evidence as it has considered convenient for their defense, therefore the aforementioned defenselessness does not occur. Regarding the claim of the claimed party that, if it had contributed the required information, the result of the Agency's investigation would not have varied, it should be noted that the offending type is completed with the lack of response to the required information and is not conditioned to the eventual consequences of its lack of observation, and that it is up to this Agency to assess the need for the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/19 investigation of the information required at the time it is carried out. It Otherwise, it would mean accepting that it is not possible to demand compliance with the obligation. legal right to meet the information requirements of this Agency as long as it is not the actions are completed and their result is determined. Regarding the argument of the claimed party that, in application of the Law 25/2007, of October 18, on conservation of data related to communications electronic communications and public communications networks, could not facilitate this Agency the requested data without having the proper judicial authorization, it is noted that in the present case the aforementioned exclusion to the duty of collaboration imposed by article 52 of the LOPDGDD, since it cannot accept that mere confirmation that a specific call has been made between two numbers can be considered as processed traffic data “exclusively” to comply with the obligations provided for in Law 25/2007. In this sense, article 52 of the LOPDGDD expressly provides within the duty of collaboration that, in the event that the conduct had been carried out through the use of a fixed or mobile telephone service, it must be provided information about “3rd The mere confirmation that a call has been made between two numbers on a certain date and time.” In the now controversial case, the transfer of data was not being requested. concrete, but the mere confirmation of information that the AEPD already had and that transmitted to VDF for the purposes of confirmation, since the AEPD was aware of the calling number, as well as the specific time and date in which said call was made. produced the claimant's number. And all this in addition to the fact that this confirmation of information is expressly provided and determined by the legislator within the duty of collaboration of the mentioned article 52 of the LOPDGDD. Regarding the fact that the existence of guilt cannot be appreciated, it is recalled that, certainly, the principle of responsibility provided for in article 28.1 of the Law 40/2015, of October 1, of the Legal Regime of the Public Sector, provides that: “Only may be sanctioned for acts constituting an administrative infraction. natural and legal persons, as well as, when a Law recognizes their capacity to act, the groups of affected people, the unions and entities without legal personality and the independent or autonomous assets, which are responsible for them title of fraud or guilt.” However, as ruled in STS 7887/2011 of November 24, 2011, Rec. 258/2009, “(…) since its ruling 76/1990, of April 26, the Court Constitutional Court has been declaring that it does not fit into the administrative sanctioning sphere objective or no-fault liability, a doctrine that is reaffirmed in the ruling 164/2005, of June 20, 2005, by virtue of which the possibility of imposing sanctions for the mere result, without proving a minimum of guilt even by way of of mere negligence. Now, the way of attributing responsibility, to the legal persons does not correspond to the forms of willful or intentional guilt “reckless actions that are attributable to human conduct.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid Seeagpd.gob.es 13/19 So it happens that, in the case of infringements committed by legal entities, although the element of guilt must be present (see the ruling of this Chamber of the Supreme Court of November 20, 2011 (cassation appeal in the interest of law 48/2007), this is necessarily applied in a different way than it is done with respect to natural persons. According to STC 246/1991 “(...) this construction different from the imputability of the authorship of the infringement to the legal entity arises from the legal entity itself. nature of legal fiction to which these subjects respond. They lack the volitional element in the strict sense, but not the ability to violate the rules to which who are subjected. Capacity for infringement and, therefore, direct blameworthiness derives from the legal good protected by the norm that is violated and the need for said protection is really effective and for the risk that, consequently, must assume the legal entity that is subject to compliance with said rule.” To the above it must be added, following the ruling of January 23, 1998, partially transcribed in STS 6262/2009, of October 9, 2009, Rec 5285/2005, and STS 6336/2009, of October 23, 2009, Rec 1067/2006, that "although the guilt of the conduct must also be proven, it must be considered in order to the assumption of the corresponding load, which ordinarily the elements volitional and cognitive functions necessary to appreciate that are part of the behavior proven typical, and that its exclusion requires proving the absence of such elements, or in its normative aspect, that the diligence that was demandable by those who claim its non-existence; is not enough, in short, for exculpation against the invocation of the absence of fault to typical unlawful behavior". Consequently, the lack of guilt is rejected since the claimed party did not responded appropriately to the requirements made by this Agency, thus calling into question the diligence used. Finally, the absence of benefits cannot be considered a mitigating factor in the agreement. with the Judgment of the AN, of 05/05/2021, rec. 1437/2020, which indicates: “Consider, for On the other hand, the non-commission of an infraction must be considered as mitigating former. Well, article 83.2 of the RGPD establishes that it must be taken into account for the imposition of the administrative fine, among others, circumstance "e) all previous infringement committed by the person responsible or the person in charge of the treatment". This is an aggravating circumstance, the fact that the budget does not exist for Its application means that it cannot be taken into consideration, but it does not imply or allows, as the plaintiff claims, its application as a mitigating circumstance”; applied to the case prosecuted, the lack of the budget for its application with respect to art. 76.2.c) of the LOPDGDD, that is, obtaining benefits as a result of the infringement, does not allow its application as a mitigating factor.” This graduation criterion is established in the LOPDGDD in accordance with the provisions in article 83.2.k) of the RGPD, according to which administrative fines will be imposed taking into account any “aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement”, understanding that avoiding A loss has the same nature for these purposes as obtaining profits. If we add to this that the sanctions must be effective “in each individual case”, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/19 Admitting the absence of benefits as a mitigating circumstance is not only contrary to the assumptions of facts contemplated in article 76.2.c), but also contrary to what is established in article 83.2.k) of the RGPD and the principles indicated. Thus, valuing the absence of benefits as a mitigating factor would nullify the effect deterrent of the fine, to the extent that it reduces the effect of the circumstances that effectively affect its quantification, reporting to the person responsible a benefit to the that he has not deserved. It would be an artificial reduction of the sanction that can lead to the understanding that violating the rule without obtaining benefits, financial or otherwise Whatever it may be, it will not produce a negative effect proportional to the seriousness of the fact. offender. In any case, the administrative fines established in the RGPD, in accordance with the established in its article 83.2, are imposed depending on the circumstances of each individual case and it is not estimated that the absence of benefits is a factor of appropriate and decisive grading to assess the severity of the behavior offender. Only in the event that this absence of benefits is relevant to determine the degree of illegality and guilt present in the specific infringing action may be considered as a mitigating circumstance, in application of the article 83.2.k) of the GDPR, which refers to “any other aggravating or mitigating factor applicable to the circumstances of the case.” For all these reasons, it is not possible to grant the request of the claimed party regarding the file. of this sanctioning file, as well as the reduction of the sanction initially proposed under the mitigating circumstances indicated. III Allegations to the Proposed Resolution In response to the allegations to the Proposed resolution of this file presented by the claimed party the following must be noted. The allegations presented against the Proposed resolution of this file largely reproduce the same arguments used against the Agreement beginning and which, therefore, have already been answered by this Agency in the previous basis of law, so, where appropriate, the corresponding referrals to it. Regarding the First Allegation, regarding the disagreement shown by the party claimed regarding this Agency's assertion that in the present case there is no the exclusion of the duty of collaboration imposed by article 52 applies of the LOPDGDD, refers to what is stated in the previous legal basis, to which It is pertinent to add the following. When the request was made within the framework of the investigation, the party claimed motivated its lack of response to the requested information in which said line It belonged to another operator since May 2021. Thus, at that time, the claimed party did not argue to the contrary, nor did it say in its response that could not provide the information in accordance with Law 25/2007, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/19 argumentation made in this sanctioning procedure. That is, when the connection to his own acts is unfavorable to him, when a procedure is opened sanctioner. If really the reason why, according to the claimed party, it could not give The information is due to what refers to Law 25/2007, it is not consistent that it gave another different answer, which did not respond to what was asked in the request. All This shows a lack of willingness to collaborate to provide the mere confirmation of the existence of the call. In relation to the Second Allegation, in response to the argument of the party claimed that, if he had provided the required information, the result of the investigation had not changed, so the severity of the potential infringement, he says, in the event that it is considered as such, it would have to be seen reduced, with respect to what has already been explained in the previous legal basis, it is possible emphasize that the reason for this sanctioning procedure is not the carrying out of commercial communications to Mrs. A.A.A.'s line. Specifically, this procedure is initiated for the alleged violation of article 58.1 of the RGPD, classified in article 83.5 of the RGPD, for not providing the information required for the exercise of the functions of this Agency. Therefore, as already indicated, the type offender is completed with the lack of response to the requested information and is not conditions the eventual consequences of its lack of observation. As regards the Third Allegation, the fact that the claimed party would have implemented monitoring and auditing systems to control the unauthorized, illegal or fraudulent activity regarding calls commercial, as well as the one who has subscribed to the Code of Ethics in Transactions of Commercial Contact, has no relation to the infringement that in this procedure is being substantiated, which is not the making of commercial calls, but rather the facilitate access to the information required in breach of article 58.1 of the RGPD, so it cannot be taken into account as a mitigating factor. Regarding the Fourth Allegation, regarding the opinion of the claimed party that there is no the existence of guilt can be appreciated since he did answer, he says, of in an appropriate manner to the information requirements, complying with the regulations that considers applicable, specifically, the Data Conservation Law, it is possible to refer to what has already been stated in the previous legal basis. Regarding the Fifth Allegation, on the aggravating and mitigating circumstances referred to by the claimed party, the following is indicated. Regarding the applied aggravating factor of negligence in the infringement, reference is made to what indicated in the previous legal basis. In relation to the fact that this Agency did not apply when evaluating the sanction “The degree cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement”, as alleged in the Agreement of At the beginning, the claimed party adds that, “in order to remedy this type of violations, my client has applied monitoring and auditing measures to monitor unauthorized, illegal or fraudulent activity when it comes to calls commercial." In this regard, it is reiterated that the violation for which this procedure, as clearly stated in the foundations dedicated to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/19 unfulfilled obligation, classification and sanction, is not providing access to the required information and not making commercial calls. Therefore, the These measures are not related to the possible mitigation of the effects of the infringement. To this it must be added that a cooperation consisting of applying the necessary measures to control a illicit activity, since this is a duty imposed on the data controller, if possible, even more accentuated within the framework of the principle of proactive responsibility that has developed the GDPR. For all the above, it is not possible to grant the request of the claimed party regarding the archive of this sanctioning file, as well as the reduction of the sanction initially proposed by virtue of the mitigating circumstances indicated. IV Unfulfilled obligation Based on the facts presented, it is considered that the claimed party has not provided to the Spanish Data Protection Agency the information that required. The claimed entity did not respond to the requirements made by this Agency in order to confirm receipt in the claimant's numbers of the calls made, limiting themselves to answering that the calling number belonged to another operator, instead of responding to how questionable it was about whether the calls or not, information that must be known as it is VODAFONE ESPAÑA, S.A.U. the entity that operates the claimant's numbers through one of its brands (LOWI). With the indicated conduct of the claimed party, the investigative power that the Article 58.1 of the RGPD confers on the control authorities, in this case, the AEPD, has been hindered. Therefore, the facts described in the “Proven Facts” section are considered constituting an infraction, attributable to the claimed party, for violation of the article 58.1 of the RGPD, which provides that each supervisory authority will have, among his investigative powers: “a) order the person responsible and the person in charge of the treatment and, where appropriate, the representative of the person responsible or the person in charge, who provide any information that is required for the performance of its functions; b) carry out research in form of data protection audits; c) carry out a review of the certifications issued under Article 42, paragraph 7; d) notify the responsible or to the person in charge of the treatment of the alleged violations of this Regulation; e) obtain from the person responsible and the person in charge of the treatment access to all personal data and all information necessary for the exercise of its functions; f) obtain access to all the premises of the person responsible and the person in charge of the processing, including any equipment and means of data processing, of in accordance with the procedural law of the Union or of the Member States.” V C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/19 Classification and classification of the offense The facts presented are considered to constitute an infraction, attributable to the party claimed. This infraction is classified in article 83.5.e) of the RGPD, which considers as such: “no provide access in breach of Article 58(1).” The same article establishes that this violation can be punished with a fine. of twenty million euros (€20,000,000) maximum or, in the case of a company, of an amount equivalent to four percent (4%) maximum of the total global annual business volume of the previous financial year, opting for the of greater amount. For the purposes of the limitation period for infringements, the alleged infringement prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as The following behavior is very serious: “ñ) Do not facilitate access by data protection authority personnel competent to personal data, information, premises, equipment and means of processing that is required by the data protection authority for the exercise of its investigative powers.” SAW Imputed sanction The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In Consequently, the sanction to be imposed must be graduated according to the criteria established in article 83.2 of the RGPD, and with the provisions of article 76 of the LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD. Based on the facts presented, the sanction that should be imposed is a fine. administrative for an amount of 200,000.00 euros, for the alleged violation of the article 58.1 of the RGPD, typified in article 83.5 of said regulation. It can be seen that no mitigating circumstance is applicable and they have been considered as aggravating the following facts: - Art. 83.2 b) RGPD: intentionality or negligence in the infringement. The claimed entity did not provide the information required in the requirements of this Agency, alleging a cause that does not justify the refusal to provide it. The Confirmation of receipt of calls is a fact that must be known by the one claimed as VODAFONE ENABLER (LOWI) is the operator of the numbers of the claimant. The order to provide the information was reiterated without responded to the question raised on neither of the two occasions. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/19 Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for a violation of Article 58.1 of the GDPR, typified in Article 83.5 of the GDPR, a fine of 200,000.00 euros (TWO HUNDRED THOUSAND euros). SECOND: ORDER VODAFONE ESPAÑA, S.A.U., with NIF A80907397, which, of In accordance with the investigative power provided in article 58.1.a) of the RGPD, facilitate, within a period of ten business days from when this resolution becomes final and executive, the information required in the requirements made within the framework of the actions with file number EXP202210932 and to which reference in the background of this resolution. Please note that not meeting the requirements of this organization may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its article 83.6, and such conduct may be motivated by opening of a subsequent administrative sanctioning procedure. THIRD: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.. FOURTH: This resolution will be enforceable once the deadline to file the optional resource for replacement (one month counting from the day following the notification of this resolution) without the interested party having made use of this power. The sanctioned person is warned that he must make effective the sanction imposed once This resolution is executive, in accordance with the provisions of art. 98.1.b) of the LPACAP, within the voluntary payment period established in art. 68 of the Regulations General Collection, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, in the restricted account IBAN number: ES00-0000- 0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collected during the executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/19 contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative means if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative procedure within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-16012024 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es