AEPD (Spain) - E/08501/2019: Difference between revisions

From GDPRhub
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |AEPD - E/08501/2019
|-
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoES.jpg|center|250px]]
A.A.A.
|-
|National Case Number:||E/08501/2019
|-
|European Case Law Identifier
Spanish
|-
|Original Source:||[https://www.aepd.es/es/documento/e-08501-2019.pdf AEPD (in ES)]
|}


<pre>
Procedure No.: E/08501/2019
940-0419

RESOLUTION OF ACTIONS

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: On 30 May 2019 the entity CAIXABANK, S.A. (hereinafter CAIXABANK) notified this Agency of a security breach relating to paper documentation of customers deposited in a public waste container, among which there was no evidence, although it could not be ruled out, that there were personal data.

SECOND: On 12 September 2019 the Director of the Spanish Data Protection Agency agreed to initiate investigative actions, urging the Subdirectorate General of Data Inspection to carry out investigations to clarify the facts that were the object of the notification, having knowledge of the following points:

INVESTIGATED ENTITIES

CAIXABANK S.A., with NIF A08663619 and domiciled at C/ PINTOR SOROLLA 2-4, 46002 VALENCIA (VALENCIA)

RESULTS OF THE INVESTIGATION ACTIONS

With regard to the facts

Caixabank communicated the following facts to this Agency in the security breach notification: "During the transfer of an office of the entity, some boxes with confidential documents for internal use, among which it is not stated, but it has not been ruled out, that there were personal data, were deposited in the wrong waste container (not dedicated to paper destruction), which took 3 days to be removed from the public road."

They state that they found out about the breach through comments on a social network. As the approximate number of people affected by the breach, Caixabank records zero. Caixabank was asked to provide a printout of the comment published on the social network, which reads: "Is it normal that a huge amount of internal papers from branch 4364-AUDITORIUM are thrown in a construction waste container in Valencia? This is internal documentation with details of customer accounts, reports, etc. from 1999 to 2004! ..."

In the report prepared by the entity, which includes the investigations carried out as a result of the incident detected, a possible account of the events is included:

"In the final work of emptying the furniture, documentation, equipment and materials and cleaning of the integrated office, which was carried out on Friday 24 May, two cardboard boxes were removed from the office which had been erroneously classified by the office as obsolete advertising material and were therefore considered to be waste. [...] All the material resulting from the final work that was classified as waste was transferred to the management facility located in the Campanar district of the municipality of Valencia in the late afternoon of Friday 24 May. This facility was closed at that time, so the material was deposited in the containers located for that purpose at the entrance to the facility, with the idea that it would be treated for management and destruction by the facility on the next working day, Monday 27/5. During the period of time that elapsed between Friday afternoon/night (when the material was deposited there) and the first hour of Monday (when it was managed and destroyed), the deposited materials (including the documentation incorrectly classified at source) remained in the aforementioned containers. It was in these containers (or around them) that the complainant located the documents in question and proceeded to make the complaint through social networks. It can be assumed that someone, at some point prior to the arrival of the complainant, must have rummaged through these containers, breaking and/or emptying the boxes of documents mentioned, which arrived there closed, thus exposing their contents."

In response to the Agency's request for information, the representatives of CaixaBank stated: "This incident was communicated to the Agency as a matter of prudence, since neither at the time nor at the date of issue of this letter has it been confirmed that the documents deposited in the destruction containers referred to in this procedure actually contained personal data. In particular, it is not possible to determine from the photograph that accompanied the citizen's comment published on social networks, through which this incident was brought to our attention, whether the documents thrown into the container included personal data (books, a financial report of a legal entity, accounting balances of CaixaBank branches, etc.)."

With respect to the measures implemented before the breach, Caixabank provided the following information and documentation at the request of the Data Inspection:

- With respect to general security policies and measures: Caixabank provided a copy of the Register of Processing Activities, in which the following are recorded as activities: (i) Transfer of paper documentation and (ii) Destruction of paper documentation. The representatives of Caixabank indicate that the processing activities that were compromised were carried out before the General Data Protection Regulation came into force and have not been modified in any way, so it was not necessary to carry out a risk analysis or an impact assessment, and that, notwithstanding the above, in response to the security breaches that have occurred, the process of carrying out the corresponding impact assessment has been initiated. The entity has implemented a procedure for the management of security breaches, a copy of which has been provided.

- With regard to specific policies for the transfer/destruction of documentation: in order to guarantee the security of documentation and material in paper format during the branch integration process, CaixaBank has had a Branch Integration Protocol in place since October 2018, which specifies how to act during the transport of documentation and which security measures must be adopted. A copy of the Branch Integration Protocol is provided. Section three of the Branch Integration Protocol refers to operational aspects and defines the tasks to be carried out during the branch integration process in all matters relating to the transfer and destruction of documents and paper material. According to the Protocol, documentation is treated differently depending on whether it contains confidential client information or is simply paper-based material, mainly advertising material, posters, etc. Under the Branch Integration Protocol, days before the transfer of documentation and paper-based material, the office to be transferred is obliged to separate all its archives, distinguishing (i) documentation to be destroyed, (ii) documentation to be filed and (iii) documentation to be sent to the receiving office. Once classified, the documentation must be stored in boxes, clearly indicating what type of documentation each contains, and then transported.

They also provide a copy of the CaixaBank Facilities Management Integration Task Protocol, which defines the functions and responsibilities in relation to the transport and destruction of documentation in the case of office integrations. Under this protocol, branches must first destroy all documentation in accordance with the internal standards of CaixaBank. Once this has been done, the branch must determine which documentation must be sent and stored at the integrating branch and which must be filed at a third branch or removed by third-party file management companies. Once all the documentation is classified and packed in boxes, it is moved. The transfer is supervised by the technical service. All the documentation that has not been destroyed on the day the office closes is transferred to the integrating office. A copy of the integration protocol of LEVIRA Spain, the supplier contracted to transport the boxes, is also provided. According to that protocol, the documentation is only handled by the office and is always packed in the transfer boxes, so that LEVIRA employees never have access to the documentation. As an additional security measure, it establishes the obligation to count the number of boxes that are collected and the number of boxes that are delivered, confirming whether the numbers coincide. The number of boxes must be noted in the register, which both the sending and receiving offices must sign.

- Regarding the reason why the measures implemented could not prevent the alleged access to the documentation by a third party, the representatives of the entity state: before analysing the possible reasons why the described security measures were not sufficient to prevent access to the documentation by a third party, Caixabank wishes to point out that numerous office integrations have been carried out without any incident. Specifically, the only two incidents that occurred were notified to the Spanish Data Protection Agency on 20 March and 30 May 2019. They understand that the security measures provided for in the protocols in force prior to the security breach were, and have in general been, effective, and as to why the existing measures did not prevent the incident, they conclude that, as described in the protocols, in office integration processes the responsibility for classifying the documentation and deciding what should be destroyed confidentially, what should be filed and what should be transferred directly to the integrating office lies with the offices. In this way, it was the offices themselves that decided whether paper material should be destroyed as ordinary waste, i.e. without the guarantees applied to the destruction of confidential documentation. This process implies that the classification of the documentation as confidential or as mere paper-based material depended on the criteria of the office staff, and therefore there was a margin of error.

With respect to the actions taken and the measures implemented as a consequence of the breach: Caixabank has provided a copy of a report that includes the investigations carried out as a result of the incident detected during the documentation transfer phase in the integration of offices 4364 and 5052. The report details the analysis of the actions carried out by each of the parties involved in the integration process of offices 4364 and 5052. It includes a chronological list of the actions carried out during the integration, a detailed description of the incident that occurred and a proposal for corrective measures. An action plan has been drawn up to modify the Integration Protocols of the offices and add additional security measures. A copy of the modified version of the Integration Protocol, dated May 2019, is included in the action plan drawn up to reinforce the guarantees of the office integration protocols and to strengthen the traceability and centralisation of the archive. Specifically, these measures are:

(i) Ensuring the early delivery of material (boxes) to the office to facilitate the appropriate classification of the documentation to be transferred to the integrating premises, documentation to be transferred to the Centralised Archive and documentation to be managed by means of confidential destruction.
(ii) Classification of all documentation into one of the three groups indicated. All documentation that is not transferred to the destination location or that is not filed centrally must be managed by confidential destruction.
(iii) The documentation to be transferred will be organised in boxes that will be numbered and classified, leaving a photographic record both at the location of origin and at the destination.
(iv) The supplier in charge of confidential destruction will always be summoned at the time of closing of the integrated premises in order to manage any documentation that may arise at the last moment.
(v) The offices will sign a delivery note showing the documentation leaving the office of origin and the documentation arriving at the office of destination.
(vi) An employee of the office must always be present at both locations when the transfer work is carried out.
(vii) At the beginning of the integration campaign, the delivery of the current integration protocol to the intervening technical services must be expressly recorded.
(viii) An incident register is created for the transfer and integration processes so that they can be traced.

The action plan expressly indicates that all the modifications and security measures described must be incorporated into the protocols in force and communicated to the intervening agents. The incorporation of the above security measures into the protocols is intended to ensure greater traceability of the actions carried out in the integration processes of the offices and greater security of the documentation, as all materials on paper are treated as confidential documents.

In accordance with the powers of investigation and correction that Article 58 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and in accordance with the provisions of Article 47 of Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.

The GDPR defines, in a broad way, "personal data breaches" (hereinafter security breaches) as "all those breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

In the present case, it is presumed that a breach of security of personal data occurred in the circumstances indicated above, categorised as a possible breach of confidentiality as a result of the deposit, in publicly accessible containers, of documentation on clients of the entity during an office integration transfer. However, in the present case there is no evidence that such documentation contained personal data of clients.

The investigation revealed that Caixabank had taken a number of technical and organisational measures to prevent this type of incident, and that these measures were passed on to the collaborating agencies and employees. Likewise, Caixabank had action protocols to deal with an incident like the one analysed here, which allowed for the identification, analysis and classification of the personal data security breach as well as a diligent reaction to it in order to notify and communicate it, minimise its impact and implement new reasonable and timely measures to avoid the repetition of the incident in the future, through the implementation and effective execution of an action plan by the various parties involved, such as the data controller and the collaborating agencies as processors, as well as the Data Protection Officer. It is also recorded that, on the occasion of the incident, an impact assessment was carried out on the affected processing operations and technical and organisational improvements were implemented. As a result, it is recorded that Caixabank had reasonable technical and organisational measures in place to avoid this type of incident and that, as they proved insufficient, they were diligently updated. However, in order to close the security breach, it is suggested that a Final Report be drawn up on the traceability of the event and its assessment, particularly with regard to the final impact. This report is a valuable source of information to feed into risk analysis and management, and will serve to prevent the repetition of a breach of similar characteristics to the one analysed, which could be caused by a specific error.

III

Therefore, it has been accredited that the action of Caixabank as the entity responsible for the processing has been in accordance with the regulations on personal data protection analysed in the previous paragraphs.

SECOND: TO NOTIFY the present resolution to CAIXABANK S.A., with NIF A08663619, with address at C/ PINTOR SOROLLA 2-4, 46002 VALENCIA (VALENCIA).

In accordance with the provisions of Article 50 of the LOPDGDD, the present resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure according to the provisions of Article 114.1.c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of Articles 112 and 123 of the aforementioned Law 39/2015, of 1 October, the interested parties may lodge, optionally, an appeal for reconsideration with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.

Mar España Martí
Director of the Spanish Data Protection Agency

Procedure No.: PS/00405/2019
936-031219

DECISION R/00011/2020 ON TERMINATION OF PROCEEDINGS FOR VOLUNTARY PAYMENT

In sanction procedure PS/00405/2019, conducted by the Spanish Data Protection Agency against VODAFONE ESPAÑA, S.A.U., in view of the complaint presented by A.A.A., and based on the following,

BACKGROUND

FIRST: On 28 November 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against VODAFONE ESPAÑA, S.A.U. (hereinafter, the respondent), by means of the Agreement which is transcribed below:

<<
Procedure No.: PS/00405/2019
935-240719

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

From the actions carried out by the Spanish Data Protection Agency and based on the following:

FACTS

FIRST: Mrs. A.A.A. (hereinafter, the Claimant) filed a complaint with the Spanish Data Protection Agency on 16 May 2019. The complaint is directed against VODAFONE ESPAÑA, S.A.U., with NIF A80907397 (hereinafter, the respondent). The grounds on which the complaint is based are that in February 2019 she received an e-mail from the respondent informing her of the billing of a line that she claims not to have contracted. In spite of the steps taken, she has not received an adequate response regarding the alleged contracting.

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
The complainant provides the messages sent to and received from the respondent. She also provides receipts for bank charges.

SECOND: In view of the facts reported in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection carried out preliminary investigation actions to clarify the facts in question, under the powers of investigation granted to the supervisory authorities in Article 57(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).

As a result of the investigation carried out, it was found that the respondent is the controller of the processing. The following points are also noted:

This body transferred the complaint to the respondent on 15 July and 4 October 2019; it is on record that the respondent received it on 18 July and 7 October of the same year, and it did not respond to the requests of this Agency.

In the messages exchanged between the respondent and the complainant, the following is recorded:

The respondent sent an e-mail to the complainant stating that she would receive an invoice for her line.

Charges were made to her bank account in connection with that line.

The respondent replied to the claimant stating that, at the time, a line was active at the same address where the claimant had previously lived, but under the ownership of another person.

THIRD: According to the documentation in the file, it is accredited that the respondent processed the personal data of the claimant without her consent. The claimant's personal data were recorded in the respondent's files and were processed for the issuance of invoices for services associated with the respondent.
LEGAL FOUNDATIONS

I

By virtue of the powers conferred on each supervisory authority by Article 58(2) of the GDPR, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure.

II

Article 58 of the GDPR, "Powers", says:

"2. Each supervisory authority shall have all of the following corrective powers:
(...)
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(...)
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(...)
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, measures referred to in this paragraph, depending on the circumstances of each individual case;
(...)"

III

Article 5 of the GDPR sets out the principles that must govern the processing of personal data and mentions among them that of "lawfulness, fairness and transparency". The provision states:

"1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');"

Article 6 of the GDPR, "Lawfulness of processing", details in paragraph 1 the cases in which the processing of third-party data is considered lawful:

"1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(...)"
The infringement for which the respondent is held responsible is defined in Article 83 of the GDPR which, under the heading "General conditions for imposing administrative fines", says:

"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;"

Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), in its Article 72, under the heading "Infringements considered very serious", says:

"1. In accordance with the provisions of Article 83(5) of Regulation (EU) 2016/679, infringements that constitute a substantial infringement of the articles mentioned therein are considered very serious and will have a limitation period of three years, in particular the following:
(...)
b) The processing of personal data without meeting any of the conditions for the lawfulness of processing laid down in Article 6 of Regulation (EU) 2016/679."
IV

The documentation in the file provides evidence that the respondent infringed Article 6.1 of the GDPR, since it processed the personal data of the claimant without her consent. The claimant's personal data were incorporated into the company's information systems without the respondent having provided evidence that it had her consent for the collection and processing of her personal data.

The Contentious-Administrative Chamber of the National High Court, in cases like the present one, has held that when the data subject denies having given consent, the burden of proof lies with the party claiming its existence, and that the controller of third-party data must collect and keep the documentation necessary to prove the consent of the data subject. We cite, for all, SAN of 31/05/2006 (Rec. 539/2004), Fourth Legal Ground.

The complainant's personal data were recorded in the respondent's files and were processed for the issuance of invoices for services associated with the respondent. Consequently, it carried out processing of personal data without proof of consent to the processing, let alone any other legal basis.

However, and this is the essential point, the respondent does not prove the legitimacy of the processing of the claimant's data.

In short, the respondent has not provided any document or evidence showing that the entity, in such a situation, deployed the minimum diligence required to verify that its interlocutor was indeed who he claimed to be.

Respect for the principle of lawfulness, which is at the heart of the fundamental right to personal data protection, requires proof that the controller took the necessary steps to verify that point. If this is not done, and if it is not demanded by this Agency, which is responsible for ensuring compliance with the personal data protection regulations, the result would be to empty the principle of lawfulness of its content.
V

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be considered, which state:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."

"2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."
With respect to Article 83.2(k) of the GDPR, Article 76 of the LOPDGDD, "Sanctions and corrective measures", says:

"In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account:
(a) The continuing nature of the infringement.
(b) The link between the activity of the offender and the processing of personal data.
(c) The profits obtained as a result of the commission of the infringement.
(d) The possibility that the conduct of the data subject might have led to the commission of the infringement.
(e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity.
(f) The effect on the rights of minors.
(g) Having a data protection officer when it is not compulsory.
(h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any data subject."

In accordance with the precepts transcribed, and without prejudice to what may result from the investigation, for the purpose of setting the amount of the fine to be imposed in the present case, the respondent is considered to be responsible for an infringement as defined in Article 83.5.a) of the GDPR, and, in an initial evaluation, the following factors are considered to concur.

As aggravating factors, the following:
- In the present case we are dealing with an unintentional negligent action, but one identified as significant (Article 83(2)(b)).
- Basic personal identifiers are affected (name, an identification number, the line identifier) (Article 83(2)(g)).

Therefore, it is considered appropriate to graduate the penalty to be imposed on the respondent and set it at the amount of 100,000 euros for the infringement of Article 6.1 of the GDPR.
Therefore, in view of the above, the Director of the Spanish Data Protection Agency

AGREES:

1. TO INITIATE sanctioning proceedings against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged infringement of Article 6.1 of the GDPR, as defined in Article 83.5.a) of the aforementioned GDPR.

2. TO APPOINT Mr. B.B.B. as instructor and Ms. C.C.C. as secretary, indicating that either of them may be challenged, if appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of 1 October, on the Public Sector Legal Regime (LRJSP).

3. TO INCORPORATE into the sanctioning file, for evidentiary purposes, the complaint submitted by the claimant and its accompanying documentation, the information requests that the Subdirectorate General for Data Inspection sent to the respondent entity in the preliminary investigation phase and their respective acknowledgements of receipt.

4. THAT, for the purposes of Article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the penalty that may apply would be a fine of 100,000 euros (one hundred thousand euros), without prejudice to the outcome of the investigation.

5. TO NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting it a hearing period of ten working days to make the allegations and submit the evidence it deems appropriate. In its pleading, it must provide its tax identification number and the procedure number set out in the heading of this document.

If no representations are made on this initiating agreement within the stipulated time limit, it may be considered as a proposal for resolution, as set out in Article 64.2(f) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP).
In accordance with Article 85 of the LPACAP, if there is no
penalty to be imposed other than a fine, you may acknowledge your responsibility within the
period granted for the formulation of arguments to the present agreement of initiation,
which will be accompanied by a 20% reduction in the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be
80,000 euros, with the procedure being resolved by the imposition of this
sanction.
Similarly, at any time prior to the resolution of this
procedure, you may carry out the voluntary payment of the proposed penalty, which
will result in a 20% reduction in its amount. With the application of this reduction,
the penalty would be 80,000 euros and its payment will result in the termination of the
procedure.
The reduction for the voluntary payment of the penalty is cumulative with that
applicable for the acknowledgement of liability, provided that this acknowledgement
of liability is made within the time allowed for formulating
allegations to the opening of the procedure. The voluntary payment of the amount referred to
in the preceding paragraph may be made at any time prior to the resolution. In
this case, if both reductions were to be applied, the amount of the penalty would be
set at 60,000 euros.
In any case, the effectiveness of either of the two above-mentioned reductions will be
conditional upon the withdrawal or waiver of any action or remedy in
administrative proceedings against the sanction.
If you choose to proceed with the voluntary payment of either of the amounts
indicated above, 80,000 or 60,000 euros, you must pay it
by depositing it in account nº ES00 0000 0000 0000 0000, opened in the
name of the Spanish Data Protection Agency at CAIXABANK Bank,
S.A., indicating in the payment concept the reference number of the procedure in
the heading of this document and the ground for the reduction of the amount
that you avail yourself of.
Likewise, you must send the proof of payment to the Subdirectorate General of
Inspection in order to continue the procedure in accordance with the amount
paid.
The procedure will last a maximum of nine months from the
date of the agreement to initiate or, where appropriate, the draft agreement to initiate.
Once this period has elapsed, the procedure will lapse and, consequently, the
proceedings will be archived, in accordance with the provisions of Article 64 of the LOPDGDD.
Finally, it is noted that in accordance with Article 112.1 of the LPACAP,
no administrative appeal is possible against this act.
Mar España Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On December 24, 2019, the claimant proceeded to the payment of
the penalty in the amount of 60 000 euros, making use of the two reductions
provided for in the above transcribed Agreement, which implies the
acknowledgement of responsibility.
THIRD: The payment made, within the period granted for making allegations to
the opening of the procedure, entails the waiver of any action or appeal in
administrative sanctioning and acknowledgement of responsibility in relation to
the facts referred to in the Agreement to Initiate.
LEGAL FOUNDATIONS
I
By virtue of the powers that Article 58(2) of the RGPD confers on each supervisory
authority, and in accordance with Article 47 of Organic Law 3/2018, of 5
December, on the Protection of Personal Data and Guarantee of Digital Rights
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency
is competent to penalise infringements committed against the said
Regulation; infringements of Article 48 of Law 9/2014 of 9 May, the General
Telecommunications Law (hereinafter referred to as LGT), in accordance with
Article 84.3 of the LGT; and the infractions defined in Articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of 11 July, on Information Society Services
and Electronic Commerce (hereinafter referred to as the ISESA), as provided for in
Article 43.1 of the said Act.
II
Article 85 of Law 39/2015 of 1 October on the Common Administrative Procedure
of the Public Administrations (hereinafter LPACAP), under the heading
"Termination in sanctioning proceedings", provides the following:
"1. Once sanctioning proceedings have been initiated, if the offender acknowledges his
responsibility, the procedure may be resolved with the imposition of the penalty
that is appropriate.
2. Where the penalty is solely pecuniary in nature, or where it is possible to
impose both a financial penalty and a non-pecuniary penalty but the
inappropriateness of the latter has been justified, voluntary payment by the alleged offender, at
any time before the resolution, will imply the termination of the procedure,
except as regards the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the penalty is solely of a pecuniary nature,
the body competent to decide on the procedure shall apply reductions of at
least 20% of the amount of the proposed penalty, which may be cumulated
with each other. These reductions shall be determined in the notification of
initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased
by regulation."
In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00405/2019, of
in accordance with Article 85 of the LPACAP.
SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.
In accordance with the provisions of Article 50 of the LOPDGDD, this
decision will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
Article 114(1)(c) of Law 39/2015 of 1 October on the Common Administrative Procedure
of the Public Administrations, the interested parties may lodge a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months of the
day following notification of this act, as provided for in Article 46(1) of
the said Law.
Mar España Martí
Director of the Spanish Data Protection Agency
</pre>
</pre>

Revision as of 11:36, 12 February 2020

AEPD - E/08501/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Upheld
Decided: 28.11.2019
Published: n/a
Fine: 100.000 EUR
Parties: Vodafone España, S.A.U
A.A.A.
National Case Number: E/08501/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Spanish
Original Source: AEPD (in ES)

The AEPD decided to initiate disciplinary proceedings against Vodafone España, S.A.U. and impose a fine of € 100.000 for the alleged infringement of Article 6(1) GDPR.

English Summary

Facts

The complainant filed a complaint against Vodafone España, S.A.U. (respondent) with the Spanish Data Protection Agency (AEPD) on 16 May 2019. On 20 February 2019 the complainant received an email with an invoice for an alleged contracted telephone line from Vodafone España, S.A.U. Despite the efforts to clarify the situation, the claimant had not received a response from the respondent.

Dispute

In view of the facts denounced in the complaint and the documents provided by the complainant, the AEPD initiated an investigation pursuant to Article 57(1) GDPR to clarify the facts.

The AEPD transferred the complaint to the respondent, but the latter did not respond to the requests.

Holding

As a result of the investigation, the AEPD found that the party complained of is the controller responsible for the processing.

According to the documentation in the file, the AEPD decided that Vodafone España, S.A.U. processed the personal data of the claimant without their consent. The claimant's personal data were recorded in its files and were used to issue invoices for services associated with the person claimed.

When making a decision in this case, the AEPD considered the following aggravating factors:

- the present case is dealing with an unintentional negligent action, but was identified as significant (Article 83(2)(b) GDPR).

- basic personal identifiers were affected (name, identification number, the line identifier) (Article 83(2)(g) GDPR).

The fine was therefore set to the amount of 100.000 euros for the infringement of Article 6(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure No.: E/08501/2019
940-0419

RESOLUTION OF ACTIONS

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: On 30 May 2019 the entity CAIXABANK, S.A. (hereinafter CAIXABANK) notified this Agency of a security breach relating to the paper documentation of customers deposited in a public waste container, among which there is no evidence, but it could not be ruled out, that there were personal data.

SECOND: On September 12, 2019, the director of the Spanish Data Protection Agency agreed to initiate investigative actions, urging the Subdirectorate General of Data Inspection to proceed with the realization of investigations to clarify the facts that were the object of the notification, having knowledge of the following points:

ENTITIES INVESTIGATED

CAIXABANK S.A. with NIF A08663619 and domiciled in C/ PINTOR SOROLLA 2-4 - 46002 VALENCIA (VALENCIA)

RESULTS OF THE INVESTIGATION ACTIONS

With regard to the facts

Caixabank has communicated to this Agency the following facts in the notification of the security breach: "During the transfer of an office of the entity, some boxes with confidential documents for internal use, among which it is not stated, but it has not been ruled out, that there were personal data, were deposited in the wrong waste container (not dedicated to paper destruction) that took 3 days to be removed from the public road."

They declare that they found out about the breach through comments on a social network. As the approximate number of people affected by the breach, Caixabank records zero. Caixabank was asked to print the comment published on the social network, which reads: "Is it normal that a huge amount of internal papers from the branch 4364-AUDITORIUM are thrown in a works container in Valencia? This is internal documentation with details of customer accounts, reports, etc... from 1999 to 2004! ..."

In the report made by the entity, which includes the investigations carried out as a result of the incident detected, a possible account of the events is included:

"In the final work of emptying the furniture, documentation, equipment, materials and equipment and cleaning of the integrated office, which was carried out on Friday 24 May, two cardboard boxes were removed from the office which had been erroneously classified by the Office as obsolete advertising material and were therefore considered to be waste. [...] All the material resulting from the final work that was classified as waste was transferred to the management facility located in the Campanar district of the municipality of Valencia in the late afternoon of Friday 24 May. This facility was closed at that time, so the material was deposited in the containers located for that purpose at the access to the facility with the idea that it would be treated for management and destruction by the facility on the next working day, Monday 27/5. During the period of time that elapsed between Friday afternoon/night (when the material was deposited there) and the first hour of Monday (when it was managed and destroyed), the deposited materials (including documentation incorrectly classified at source) were placed in the aforementioned containers. It was in these containers (or around them) that the complainant located the reference documents and proceeded to make the complaint through social networks. It can be assumed that someone, at some point prior to the arrival of the denouncer, must have rummaged through these containers, breaking and/or emptying the boxes of documents mentioned, which had arrived there closed, thus exposing their contents."

In response to the Agency's request for information, the representatives of CaixaBank stated: "This incident was communicated to the Agency as a matter of prudence, since neither at the time nor at the date of issue of this letter has it been confirmed that the documents deposited in the destruction containers referred to in this procedure actually contained personal data. In particular, it is not possible to determine from the photograph accompanying the citizen's comment published on social networks, through which this incident was brought to our attention, whether the documents thrown into the container included personal data (books, a financial report of a legal entity, accounting balances of CaixaBank branches, etc.)."

With respect to the measures implemented before the breach, Caixabank has provided the following information and documentation at the request of the Data Inspection Authority:

- With respect to general security policies and measures: Caixabank has provided a copy of the Registry of Processing Activities, in which the following are recorded as activities: (i) Transfer of paper documentation and (ii) Destruction of paper documentation. The representatives of Caixabank indicate that the data processing activities that were compromised were carried out before the General Data Protection Regulation came into force and have not been modified in any way, so it was not necessary to carry out a Risk Analysis or an Impact Assessment, and that, notwithstanding the above, in response to the security breaches that have occurred, the process has been initiated to carry out the corresponding impact assessment. The entity has implemented a procedure for the management of security breaches, a copy of which has been provided.

- With regard to specific policies for the transfer/destruction of documentation: in order to guarantee the security of documentation and material in paper format during the branch integration process, CaixaBank has had a Branch Integration Protocol in place since October 2018, which specifies how to act during the transport of documentation and which security measures must be adopted. A copy of the Branch Integration Protocol is provided; section three of it refers to the operational aspects and defines the tasks to be carried out during the branch integration process in all matters relating to the transfer and destruction of documents and paper material. According to the Protocol, documentation is treated differently depending on whether it contains confidential client information or is simply paper-based material, mainly advertising material, posters, etc. According to the provisions of the Office Integration Protocol, days before the transfer of documentation and paper-based material, the office to be transferred is obliged to separate all the archives, distinguishing (i) documentation to be destroyed, (ii) documentation to be filed and (iii) documentation to be sent to the receiving office. Once classified, the documentation must be stored in boxes, clearly indicating what type of documentation they contain, and then transported. They also provide a copy of the CaixaBank Facilities Management Integration Task Protocol, which defines the functions and responsibilities in relation to the transport and destruction of documentation in the case of office integrations. Under this protocol, branches must first destroy all documentation in accordance with the internal standards of CaixaBank. Once this has been done, the branch must determine which documentation must be sent and stored at the integrating branch and which must be filed at a third branch or removed by third-party file management companies. Once all the documentation is classified and packed in boxes, it is then moved. The transfer is supervised by the technical service. All the documentation that has not been destroyed on the day the office closes is transferred to the integrating office. A copy of the integration protocol of LEVIRA Spain, the supplier contracted to transport the boxes, is also provided. According to the protocol, the documentation is only handled by the office and is always packed in the transfer boxes, so that LEVIRA employees never have access to the documentation. As an additional security measure, it establishes the obligation to count the number of boxes that are withdrawn and the number of boxes that are delivered, confirming whether the number coincides. The number of boxes must be noted in the register and both the issuing and receiving offices must sign it.

- Regarding the reason why the measures implemented could not serve to avoid the alleged access to the documentation by a third party, the representatives of the entity state: before analyzing the possible reasons why the described security measures were not sufficient to avoid the access to the documentation by a third party, Caixabank wishes to point out that numerous office integrations have been carried out without any incident. Specifically, the only two incidents that occurred were notified to the Spanish Data Protection Agency on 20 March and 30 May 2019. They understand that the security measures provided for in the protocols in force prior to the security breach that occurred were effective and have been effective in general, and as to why the existing measures did not prevent the incident, they conclude that, as described in the protocols, in office integration processes the responsibility for classifying the documentation and deciding what should be destroyed in a confidential manner, what should be filed and what should be transferred directly to the integrating office lies with the offices. In this way, it was the offices themselves that decided whether paper material should be destroyed on a routine basis, i.e., without the guarantees of destruction of confidential documentation. This process implies that the classification of the documentation as confidential or as mere paper-based material depended on the criteria of the office staff, and therefore there was a margin of error.

With respect to the actions taken and the measures implemented as a consequence of the occurrence of the breach: Caixabank has provided a copy of a report that includes the investigations carried out as a result of the incident detected during the documentation transfer phase in the integration of offices 4364 and 5052. The report details the analysis of the actions carried out by each of the parties involved in the integration process of offices 4364 and 5052. It includes a chronological list of the actions carried out during the integration, a detailed description of the incident that occurred and a proposal for corrective measures. An action plan has been drawn up to modify the Integration Protocols of the offices and add additional security measures. A copy of the modified version of the Integration Protocol, dated May 2019, is included in the action plan drawn up to reinforce the guarantees of the office integration protocols and to strengthen the traceability and centralisation of the archive. Specifically, these measures are:

(i) Assurance of the early delivery of material (boxes) to the office to facilitate the appropriate classification of the documentation to be transferred to the integrating premises, documentation to be transferred to the Centralised Archive and documentation to be managed by means of confidential destruction.
(ii) Classification of all documentation into one of the three groups indicated. All documentation that is not transferred to the destination location or that is not filed centrally must be managed by confidential destruction.
(iii) The documentation to be transferred will be organized in boxes that will be numbered and classified, leaving a photographic record both at the location of origin and at the destination.
(iv) The supplier in charge of the confidential destruction will always be summoned at the time of closing of the integrated premises in order to manage any documentation that may arise at the last moment.
(v) The offices will sign a delivery note showing the documentation from the office of origin and the documentation that arrives at the office of destination.
(vi) An employee of the office must always be present in both locations when the transfer work is carried out.
(vii) At the beginning of the integration campaign, the delivery of the current integration protocol to the intervening technical services must be expressly recorded.
(viii) An incident register is created for the transfer and integration processes so that they can be traced.

The action plan expressly indicates that all the modifications and safety measures described must be incorporated into the protocols in force and communicated to the intervening agents. The incorporation of the above security measures into the protocols is intended to ensure greater traceability of the actions carried out in the integration processes of the offices and greater security of the documentation, as all materials on paper are treated as confidential documents.

LEGAL FOUNDATIONS

I

According to the powers of investigation and correction that Article 58 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as RGPD) grants to each supervisory authority, and in accordance with the provisions of Article 47 of Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (hereinafter referred to as LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.

II

The RGPD defines, in a broad way, "personal data security violations" (from now on, security breach) as "all those security violations that cause the destruction, loss or accidental or illicit alteration of personal data transmitted, kept or otherwise treated, or the unauthorized communication of or access to such data".

In the present case, it is presumed that a breach of security of personal data occurred in the circumstances indicated above, categorised as a possible breach of confidentiality as a result of the deposit in public access containers of documentation on clients of the entity during an integration transfer. However, in the present case, there is no evidence that such documentation contained personal data of clients.

The investigation revealed that Caixabank had taken a number of technical and organisational measures to prevent this type of incident, and these measures were passed on to the collaborating agencies and employees. Likewise, Caixabank had action protocols to deal with an incident like the one analyzed here, which allowed for the identification, analysis and classification of the personal data security breach as well as the diligent reaction to it in order to notify and communicate, minimize the impact and implement new reasonable and timely measures to avoid the repetition of the incident in the future through the implementation and effective execution of an action plan by the various figures involved, such as the person responsible for the processing and the collaborating agencies as processors, as well as the Data Protection Delegate. It is also recorded that on the occasion of the incident, an impact assessment was carried out on the affected processing operations and technical and organisational improvements were implemented.

As a result, it is recorded that Caixabank had reasonable technical and organizational measures in place to avoid this type of incident and that, as they proved insufficient, they were diligently updated. However, in order to close the security breach, it is suggested that a Final Report be drawn up on the traceability of the event and its assessment, particularly with regard to the final impact. This report is a valuable source of information to feed into risk analysis and management and will serve to prevent the repetition of a breach of similar characteristics to the one analyzed, which could be caused by a specific error.

III

Therefore, it has been established that the action of Caixabank, as the entity responsible for the processing, has been in accordance with the regulations on personal data protection analysed in the previous paragraphs.

SECOND: TO NOTIFY the present resolution to CAIXABANK S.A., with NIF A08663619, with address at C/ PINTOR SOROLLA 2-4 - 46002 VALENCIA (VALENCIA).

In accordance with the provisions of Article 50 of the LOPDGDD, the present resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure according to the provisions of Article 114.1.c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of the Public Administrations, and in accordance with the provisions of Articles 112 and 123 of the aforementioned Law 39/2015, of 1 October, the interested parties may lodge, optionally, an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this decision, or directly contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the above-mentioned Law.

Mar España Martí
Director of the Spanish Data Protection Agency