AEPD (Spain) - PS/00014/2020
From GDPRhub
| AEPD - PS/00014/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 75.000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS/00014/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | dataguidance.com (in ES) |
| Initial Contributor: | Pablo Rossi |
AEPD has fined Telefónica Móviles España EUR 75,000 for a violation of article 6 GDPR. The claimed company carried out the portability of the claimant's telephone line without his consent.
English Summary
Facts
The portability of the claimant's phone line was carried out without his consent. The telephone service was being provided by YOIGO, who transferrred the claimant's personal data to Telefonica. After this transfer, Telefonica carried out the change of ownership of the line.
Telefonica claimed that there was a human mistake, but the portability was not effectively carried out until six days after this error, leaving plenty of time for the claimant to contact the them. However, the claimant did not file any claim for cancellation of the portability process until one year after this event. During this time, the line was operating correctly at all times, without any incidents.
Dispute
Should the unconsented portability of a telephone line be considered a violation of article 6 of the GDPR?
Holding
AEPD considered that despite the existence of a human mistake (the petitioner of the portability and the owner of the line had different names and surnames), this does not prevent the actions of Telefonica from being considered as data processing without appropriate legal basis, in contravention of Article 6(1) GDPR. The unintentional negligent action by Telefónica, and the fact that the personal data affected (name and telephone line identification number) are basic personal identifiers were determining aggravating factors, setting the amount of the fine at EUR 75,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS / 00014/2020 RESOLUTION OF PENALTY PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: AAA ( hereinafter, the claimant) on October 14, 2019 filed a claim with the Spanish Agency for Data Protection. The claim is directed against TELEFONICA MOVILES ESPAÑA, SAU The reasons on which the claim is based are the portability of the telephone line SAU without your consent. Until that day, the telephone service was provided by YOIGO, who, according to the claimant, transfers his personal data without his authorization to the company. TELEFÓNICA MÓVILES ESPAÑA, SAU and this executes the action changing the ownership of the line, causing the loss of said line. * * * TELEPHONE 1 of which he is the owner, to the company TELEFÓNICA MÓVILES ESPAÑA, SECOND: In view of the facts denounced in the claim and the documents provided by the claimant / the facts and documents of which this Agency has been informed, the General Sub-Directorate for Data Inspection proceeded to carry out previous actions on investigation to clarify the facts in question, by virtue of the investigative powers granted to the supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and of In accordance with the provisions of Title VII, Chapter I, Second Section, of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigation actions carried out, the following facts are found: In case E / 10113/2018, the claim is transferred to notification date of December 17, 2018 and December 27, 2018, respectively, requesting to submit a report on the causes that have motivated the incident that caused the claim, and on the measures adopted to prevent similar incidents from occurring. TELEFÓNICA MÓVILES ESPAÑA, SAU ( hereinafter the claimed) presents a brief of allegations stating that the number *** TELEPHONE 1 It was imported to the one claimed from YOIGO on 11/05/2018 at 02:00 a.m. TELEFÓNICA MÓVILES ESPAÑA, SAU and XFERA MÓVILES, SA (YOIGO) with C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 2/8 It indicates that in the cases of portability of lines, the agent must transfer the call to the entity that verifies mobile portability prior to the insertion of the portability request that triggers the Technical Specification approved by the National Market Commission and the Competition (hereinafter CNMC) for the change of operator, but due to a specific failure of the agent who processed the discharge in the service, portability was inserted prior to verification by a third party contrary to what was dictated in the norm. The defendant provides the recordings of the registration request for portability and the call for verification of verbal consent by a third party. The defendant adds that the registrant requested that the verification call be made after the request and that once the verification was made, three SMS were sent to the line owner in order to inform and offer the possibility of canceling said operation . The mobile portability operation implemented in said operator contemplates in the general portability procedure the sending of a series of informative SMS to the telephone number that is going to be carried, informing of the different steps through which the request made passes, but does not provide accreditation of shipments made to this line. The defendant also alleges that she had no record of any claim until September 18, 2019; date on which the Arbitration Board of * * * LOCATION. 1 submits to this Company a claim filed in connection with this process at the end of November 2018, practically one year after the facts claimed took place. The arbitration hearing was held on October 10, 2019 and the requested party is pending receipt of the notification of the arbitration award issued in order to comply with its content. The claimed operator concludes its allegations stating that currently the ownership of the line belongs to the portability applicant, not the complainant. And, among others, they attach the following documents. - Recording of the discharge telephone conversation dated October 31, 2018 - Call recording Verification of verbal consent of portability dated November 1, 2018. - Copy of the summons at the arbitration hearing - Transfer of the claim THIRD: On February 4, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for the person claimed, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 6 of the RGPD, typified in article 83.5 of the RGPD. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 3/8 FOURTH: Once the aforementioned initial agreement has been notified, the defendant submitted an allegation brief on February 24, 2020, in which, in synthesis, he stated that despite having made the portability request insertion on October 31, 2018, this it does not occur effectively until November 5, 2019, the claimant having had a period of six (6) days to contact the claimant. However, the claimant does not file any claim or request for cancellation of the portability process, and no incident reported by the claimant to said operator in relation to this request until September 18, 2019, that is, almost a year later that the events denounced, object of the present claim, took place and during that time the line was working correctly at all times and without any type of incident. Additionally, the claimed party has the recording of the claimant's consent to carry her line dated November 2, 2018. FIFTH: On March 3, 2020, the procedure instructor agreed to open a test practice period, taking into account the previous investigation actions, E / 02655/2019. SIXTH: On March 4, 2020, a motion for a resolution was formulated, A78923125, for a violation of article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine of € 75,000 (seventy-five thousand euros) SEVENTH: On June 8, 2020, the defendant sent a written statement expressing the following statements “We reiterate that we are faced with punctual human error that would not affect the general procedure established by TME for these cases. Likewise, we inform the AEPD that despite the fact that the portability process had started, the CLAIMANT was subsequently contacted to request their consent. Regarding the presumed absence of consent for contracting, regulated in article 6.1 of Regulation (EU) 2016/679 General Data Protection (hereinafter, "RGPD"), we must say that the aforementioned precept of the RGPD does not require that consent be presented in writing or with certain formalities, but it does require that the consent of those affected be "unequivocal", in this case it corresponds to my representative to prove that the CLAIMANT has the consent. To this end, we refer to the recording dated November 2, 2018 that is already in the possession of the AEPD as conclusive evidence of the granting of said consent. For all of the above and taking into account that our agent had committed the punctual human error of starting the portability process prior to verification, from TME we consider that the CLAIMANT would have lent his proposing that the TELEFONICA MOVILES ESPAÑA, SAU with NIF C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 4/8 consent to carry out the portability of your line unequivocally days before the effective portability of the line. Therefore, we insist that there has been no violation of the article 6.1 of the RGPD for the treatment of data regarding data protection. ” PROVEN FACTS FIRST: Portability of the phone line has been carried out * * * TELEPHONE 1 of which the claimant is the owner, without his consent. Until that day, the telephony service was provided by YOIGO, who, according to the claimant, transfers his personal data without his authorization to the claimed company and it executes the action changing the ownership of the line, causing the loss of said line. SECOND: The claimed entity alleges that although the portability request is made on October 31, 2018, it is not produced effectively until November 5, 2019, so the claimant has had six (6) days to contact the requested party. However, the claimant does not file any claim, nor request for cancellation of the portability process, until September 18, 2019, almost a year later, and during all this time the line was working at all times correctly and without any incidence type. FUNDAMENTALS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this process. II Article 4.11 of the RGPD defines the “consent of the interested party” as any expression of free will, specific, informed and unequivocal by which the interested party accepts, whether by means of a declaration or a clear affirmative action, the processing of personal data that concerns him . For its part, article 6.1 of the RGPD establishes that " The treatment will only be lawful if at least one of the following conditions is met: to) the interested party gave his consent for the processing of his personal data for one or more specific purposes; C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 5/8 b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at its request of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the controller; d) the treatment is necessary to protect the vital interests of the interested party or of another natural person; and) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller; F) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that the interests or fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail over said interests, particularly when the interested be a child. ” III In the present case, the portability of the telephone line is denounced * * * TELEPHONE 1 without their consent. of which the claimant is the owner, to the operator claimed because it is produced Said operator recognizes human error in the protocol followed to carry out the portability of the line object of this claim, since the agent must transfer the call to the mobile portability verification entity prior to the insertion of the portability request that triggers the Technical Specification approved by the National Commission of Markets and Competition (hereinafter CNMC) for the change of operator, but Due to a punctual failure of the agent who processed the discharge in the service, portability was inserted prior to verification by a third party contrary to the provisions of the regulation. From the locutions provided to this Agency by the defendant, it appears that in the recording of the portability maintained between the holder of the call and the agent of the claimed, it is verified that the identification data of the interlocutor with the agent of the operator do not match those of the claimant and line owner. Note at this point that although the claimed is aware that the applicant's high-portability data is different from that of the line owner and claimant, it is heard in the recording of the third-party verification that this verifier asks the agent of the operator claimed, if the applicant corresponds to the name and surname of the complainant that the verifier provides and to which said agent responds "YES". C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 6/8 From this fact, it can be deduced that the requested one allows the verification to continue despite knowing that the portability applicant's data does not coincide with the line owner's data provided by the verifier. Thus, in accordance with the available evidence, it is considered that the operator claimed has used the data of the claimant, to carry out portability, from the phone line *** TELEPHONE 1 of which he is the owner, without his consent to the contracting, or any other cause that legitimizes the treatment of his data. The one claimed in response to the transfer of this claim provides recordings from which it appears that the portability of a line was carried out with the knowledge that the participants, that is, the portability applicant and the owner of the line, had different names and surnames , which triggered an unsolicited portability by the owner of the line, that is, the claimant, and the loss of the corresponding telephone line, thereby contravening the provisions of Circular 1/2009 of the National Commission for Markets and Competition in its Annex I, section “ Processing of mobile portability requests ”Point 4, which indicates that the verifier will request the client to provide or confirm the personal data of the owner and the data related to the line and operators. Therefore, the known facts are considered to be constitutive of an infraction, attributable to the respondent, for an alleged violation of article 6 of the RGPD, indicated in reason II. IV Article 72.1.b) of the LOPDGDD states that “ Based on what is established in article 83.5 of Regulation (EU) 2016/679, they are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that one and, in particular, the following: c) The processing of personal data without any of the conditions of lawfulness of the treatment in article 6 of Regulation (EU) 2016/679. ” V Article 58.2 of the RGPD provides the following: “Each supervisory authority shall have all the following corrective powers indicated below: b) sanction any person responsible or responsible for the treatment with warning when the processing operations have violated the provisions of these Regulations; d) order the data controller or processor that the operations of treatment complies with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; i) impose an administrative fine pursuant to article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case; C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 7/8 SAW This infringement can be sanctioned with a fine of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the largest amount, of in accordance with article 83.5 of the RGPD. Likewise, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in article 83.2 of the RGPD: As aggravating the following: In the present case we are faced with unintentional negligent action, but identified significant (article 83.2 b) Basic personal identifiers (name, an identification number, the line identifier) are affected, according to article 83.2 g) • • Therefore, in light of the above, By the Director of the Spanish Agency for Data Protection, IT IS AGREED: FIRST: IMPOSE TELEFONICA MOVILES ESPAÑA, SAU with NIF A78923125, for a violation of article 6 of the RGPD, typified in Article 83.5 of the RGPD, a fine of € 75,000 (Seventy-five thousand euros). SECOND: NOTIFY this resolution to TELEFONICA MOVILES ESPAÑA, SAU THIRD: Warn the sanctioned that he must enforce the sanction imposed once this resolution is executive, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the period of voluntary payment established in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering, indicating the NIF of the sanctioned and the procedure number that appears in the heading of this document, in the restricted account no. ES00 0000 0000 0000 0000 0000, open in the name of the Spanish Agency for Data Protection in the bank CAIXABANK, SA. Otherwise, it will be collected in the executive period. Once the notification has been received and once it is enforced, if the enforcement date is between the 1st and 15th of each month, inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or immediately after business month, and if is between the 16th and last day of each month, both inclusive, the payment term will be until the 5th of the second following month or immediately after business. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 8/8 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which ends the administrative procedure pursuant to art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, those interested may optionally file an appeal for reversal with the Director of the Spanish Agency for Data Protection within a period of one month from day after notification of this resolution or directly administrative contentious appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29 / 1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of said Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be provisionally suspended in administrative proceedings if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Agency for Data Protection, presenting it to through of the Registry Electronic of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, it would terminate the precautionary suspension.
