AEPD (Spain) - PS/00333/2019: Difference between revisions
Silvialoar (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...") |
m (Ar moved page AEPD - PS/00333/2019 to AEPD (Spain) - PS/00333/2019) |
Latest revision as of 14:29, 13 December 2023
AEPD - PS/00333/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5 GDPR Article 58(2) GDPR Article 83(5)(a) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | |
Fine: | None |
Parties: | AAA TECSIBLE, S.L. |
National Case Number/Name: | PS/00333/2019 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | Agencia Española de Protección de Datos (in ES) |
Initial Contributor: | n/a |
Spanish DPA holds that the entity is not responsible for the facts reported, since the telephone number from which the infringement occurred was transferred in January 2018 to another company
English Summary
Facts
Personal messages were sent by a telephone agent of a TELECOM company to a customer whose telephone number he had access to because he had previously called her to offer her the company's services
Dispute
Does sending messages by a telephone agent to a customer's telephone number to which he has access because he had made a commercial call infringe Article 5 of the GDPR?
Holding
The DPA held that the entity who was the object of the complaint was not responsible because it had transferred the agent's number to another entity before the events took place
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
DECISION ON DISCIPLINARY PROCEEDINGS From the procedure instructed by the Spanish Data Protection Agency and on the basis of the following BACKGROUND FIRST: Mrs. A.A.A. (hereinafter, the complainant) on 29/05/2019 filed claim before the Spanish Data Protection Agency. The claim is directed against TECSIBLE, S.L. with NIF B97907992 (from now on, the claimed). The The grounds for the complaint are, in summary: That on Thursday 10/01/2019, even with one of VODAFONE's employees on the Robinson list, from name B.B.B., contacts the complainant on her personal phone to offer you a change of company and after informing you that you are not interested end the conversation. On Monday 01/14/2019 you receive a message via WhatsApp of that person with the following text: "Helloaa beautiful. I'm B.B.B. from Vodafone. I was really proud to contact you, I love your voice, your sympathy, and your kindness.. I'd really like to be your friend. At no time did the complainant give this person cause to contact with her, so I request that VODAFONE investigate and expedite this worker for violating his privacy. And attach the following documentation: - Copy of the DNI. On 21/01/2019 the same complaint was filed with this agency, but it provide more data: - With regard to the telephone call, the calling number is ***PHONE.1 - Regarding the Whatsapp message, the source number of the message is ***PHONE.2 And attach the following documentation: - Screenshots of the conversation via Whatsapp. - Copy of police report. SECOND: In view of the facts reported and the documents provided by the claimant of which this Agency has become aware, the Sub-Directorate The General Data Inspectorate proceeded to carry out actions for the clarification of the facts in question. On 13/02/2019, the complaint was transferred to VODAFONE in the reference actions, no response being received. On 29/05/2019, VODAFONE sent the reply to the transfer to this Agency of the complaint: C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/6 1. A copy of the letter sent to the complainant apologizing and informing you of the steps taken by VODAFONE. In this letter, the following demonstrations are held, among others: a. That these practices are totally forbidden at VODAFONE and also apply to your service providers. b. That, upon receipt of the complaint, an internal investigation was opened and they contacted their supplier. The supplier indicated that there is no record on your dialers no outgoing calls from the number indicated in the claim and from which you received the message through WhatsApp. In this sense, they understand that this contact was made at personal title by the agent. c. That, since this practice is not admissible, they have put him in knowledge of your provider so that, as an employer of said agent, take appropriate action. d. That they have asked their provider to remind all their employees that it is strictly forbidden to contact The campaigns are addressed to individuals. e. Who have included the mobile number of the complainant in their list Robinson in order to ensure that it is not included in future campaigns commercials managed by VODAFONE. 2. States that they have verified that the reported contact has been made by an agent of a company contracted by VODAFONE to provide recruitment services (ATTENTION), on a personal basis and using their number personal. 3. States that the number through which the agent contacted in a personal capacity the complainant does not belong to VODAFONE, i.e. it is not listed in the numbers assigned to the ATENTO platform for the provision of services of recruitment. 4. He states that, after contacting ATENTO, they have verified that the number ***TELÉFONO.3 was included in a database that was provided to ATENTO to make pickup calls but which, according to ATENTO, do not there are neither outgoing nor incoming calls associated with that number. In other words, that this number was never called as a result of the of the service by ATENTO. On 29/05/2019, VODAFONE sent the following information to this Agency in response to the request for information dated 10/05/2019: 1. States that its systems do not have any clients associated with the number ***PHONE.3 Provides screenshots of searches made by that number. 1. States that they do not have documentation proving consent of the complainant to be contacted for commercial reasons because the number ***TELÉFONO.3 has been randomly generated so that VODAFONE does not have it associated with any particular person. 2. States that the numbers ***TELÉFONO.1 and ***TELÉFONO.2 do not belong to VODAFONE. On 04/06/2019, ADIGITAL sent this Agency the following information: 1. States that the telephone number ***TELÉFONO.3 is registered under the Robinson List in the name of the complainant through the call channel since 09/10/2018. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/6 Provide a certificate. On 07/06/2019 ORANGE sends this Agency the following information: 1. It confirms the existence of a call from the originating number ***PHONE.1 to destination number ***PHONE.3 on 10/01/2019 to 18:37h. On 07/06/2019, LEAST COST ROUTING TELECOM, S.L. refers to this Agency the following information: 1. States that the end-user corresponding to the number ***TELEPHONE.1 is TECSIBLE whose data have been included in the section of entities investigated. Provide a copy of the invoice dated 30/04/2019. On 03/07/2019, a request for information is sent to TECSIBLE, not having received a reply. On 10/09/2019, it is verified in ***URL.1 that the telephone prefix ***PREFIJO.1 corresponds to ***PAIS.1 THIRD: On 20/12/2019, the Director of the Agency agreed to initiate sanctioning proceedings against TECSIBLE, for the alleged infringement of article 5.1(b), as defined in Article 83(5)(a) and considered for the purposes of the statute of limitations in Article 72(1)(a), a fine of EUR 5,000 FOURTH: Notified of the agreement to initiate the proceedings, the respondent submitted a written statement on 24/12/2019 of allegations, stating, in summary: that he had been notified of the agreement to start and pointed out that the telephone number ***PHONE.1, was given since January 2018 to the company COSMOS CALL CENTER, S.L., and that the second phone number on the sanctioning file as well as the owner we understand that he belongs to that society. FIFTH: From the actions carried out in the present procedure, the following have been The following are accredited, PROVEN FACTS 1. The 15/01/2019 has written entry of the complainant stating that the 10/01/2019, even though Robinson, one of the workers of the VODAFONE company, is on the list name Ricardo, has contacted the complainant on his personal phone to offer her a change of company, moving her that she wasn't interested in the change. On Monday 01/14/2019 you received a message through WhatsApp from that person with the following text: "Helloaa beautiful. I am C.C.C. from Vodafone. I was really proud to contact you, I love your voice, your sympathy, and your kindness.. I'd really like to be your friend. 2. The complainant provides a copy of her ID card number ***NIF.1 C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/6 3. A copy of the complaint made by the complainant to the Police Commissioner of ***DIRECCIÓN (Madrid) by the above facts. 4. On 21 January 2019, the complainant wrote to VODAFONE informing it of the events previously disclosed and to take action against the employee by violating his privacy. 5. VODAFONE has stated that "After analysing the complaint and carrying out timely investigations we have verified that the contact reporting the The complaint was made by an agent of a company hired by Vodafone for the provision of recruitment services (Atento) on a personal basis and using their personal number. As answered in file 4173/2018, the number through the which the agent contacting the claimant in a personal capacity does not belong to Vodafone is that is to say, it does not appear within the numbers assigned to the Atento platform for provision of recruitment services". 6. These are messages received by the complainant through whasapp of the phone ***PHONE.2, messages identifying the employee as Vodafone operator, name B.B.B. 7. The company Adigital in a letter dated 04/06/2019 has certified 'that the number of phone ***TELÉFONO.3 is registered in the Robinson List in the name of claimant, with ID number ***NIF.1,..." 8. The company LEAST COST ROUTIN TELECOM, S.L in writing of 07/06/2019 indicated that: "...proceeds to provide them with the information we have in our files from number ***TELÉFONO.1 End User: TECSIBLE, S.L. NIF B97907992 Address: ***ADDRESS ***LOCALITY 9. ORANGE ESPAGNE S.A.U., in a letter dated 06/06/2019 has indicated that "With regard to making a call dated January 10, 2019 between 5 and 8 p.m. from the calling number ***PHONE.1, we confirm that on that date and time an outgoing call was made to the ***PHONE.3 line;..." 10. TECSIBLE in writing of 24/12/2019 has pointed out that: "..., the telephone number ***TELÉFONO.1, is assigned since January 2018 to the company COSMOS CALL CENTER SL, with CIF 887708236, whose representative is C.C.C. with DNI ***NIF.2 and telephone number for contact ***TELÉFONO.4, para lo which we provide assignment and configuration emails for that terminal. Second, the second telephone number that appears in the sanctioning file as well as the owner we understand that belongs to that society (COSMOS CALL CENTER, S.L.) LEGAL FOUNDATIONS C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/6 I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the control, and in accordance with the provisions of Articles 47 and 48 of the LOPDGDD, the of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure. II The reported facts are materialized in the sending through the application WhatsApp gives a message to the claimant using their data in an inconsistent manner and without authorization, in violation of the principle of confidentiality. Article 5, Principles relating to processing, of the RGPD states that: "1. Personal data shall be: (…) (b) collected for specified, explicit and legitimate purposes and not processed subsequently in a manner incompatible with those purposes; in accordance with Article 89, paragraph 1, the further processing of personal data for archiving purposes in public interest, scientific and historical research or statistical purposes are not shall be deemed to be incompatible with the initial purposes ("purpose limitation"); (…)” III Law 40/2015 of 1 October on the Legal Regime of the Public Sector Article 28, Liability, provides as follows: . "1. The following may be punished only for acts constituting an infringement The administrative authorities of natural and legal persons and, where a law The Committee on Economic, Social and Cultural Rights (CESCR) has been working on a number of issues legal personality and independent or autonomous assets, which are responsible for them by way of malice or guilt. 2. The administrative responsibilities arising from the commission of a shall be compatible with the requirement that the offender be reinstated in the situation altered by it to its original state, as well as with the compensation for the damage caused, which shall be determined and required by the body at that the exercise of the sanctioning power corresponds. If the compensation within a period to be determined on the basis of its amount, shall be shall proceed in the manner provided for in Article 101 of the Law on Procedure Common Administration of Public Administrations. 3. When the fulfilment of an obligation established by a rule with The following are the main reasons why the status of the law corresponds to several persons together The Commission shall be jointly and severally liable for any infringements committed and any penalties imposed. impose. However, where the penalty is financial and it is possible to individualized in the resolution according to the degree of participation of each responsible. 4. The laws governing the various penalty regimes may to make it an offence to breach the obligation to prevent administrative offences by those who are subject to a dependency or attachment. They may also provide for cases in which certain persons shall be liable for payment of the financial penalties imposed to those who depend on them or are linked to them". In the present case, the agreement to initiate the procedure charged the claimed the alleged violation of Article 5(1)(b), as set out in Article 83(5)(a) and considered for the purposes of prescription in Article 72.1.a) of the LOPDGDD. However, once the investigative actions have been carried out It is clear from the above that the Commission is not in a position to make a decision on this matter. entity is not responsible for the facts reported, since the number of The telephone number from which the messages were sent was given in January 2018 to the company COSMOS CALL CENTER, S.L. Therefore, in accordance with the applicable legislation and having assessed the criteria of graduation of penalties whose existence has been established, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: ARCHIVE to TECSIBLE, S.L., with NIF B97907992, for an alleged violation of Article 5 of the GPRS, as defined in Article 83.5(a) of the GPRS. SECOND: TO NOTIFY this resolution to TECSIBLE, S.L., with NIF B97907992. In accordance with Article 50 of the LOPDGDD, the This Resolution shall be made public after it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure according to art. 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, the interested parties may, on an optional basis, file an appeal for replacement to the Director of the Spanish Data Protection Agency within a month from the day following notification of this resolution or directly contentious-administrative appeal before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within two months from day following notification of this act, as provided for in Article 46(1) of referred to Law. Mar España Martí Director of the Spanish Data Protection Agency