AEPD (Spain) - PS/00168/2020

From GDPRhub
Revision as of 07:52, 7 August 2020 by Assinari (talk | contribs) (→‎Facts)
AEPD - PS/00168/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 75.000 EUR
Parties: n/a
National Case Number/Name: PS/00168/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: aepd.es (in ES)
Initial Contributor: Pablo Rossi

AEPD fined VODAFONE ESPAÑA EUR 75,000 for an infringement of article 6(1) GDPR. Advertising SMS were sent to the complainant, despite that his personal data had been erased in 2015. National administrative law attenuating factors were invoked, leading to a reduced fine of EUR 45,000

English Summary

Facts

The reason for the complaint is that, after the erasure of the claimant's personal data in 2015, he continued to receive advertising SMS messages on his mobile line. Vodafone, in its communication with AEPD, stated that they carried out the relevant checks and established that the reason why the claimant was able to receive such SMS is that his personal data could have been visible in their customer data management systems. In the same communication, Vodafone stated that a series of blockages had been made in the system that prevent, for advertising purposes, the use of the telephone number of the claimant.

Dispute

Does continuing to send advertising messages after an erasure of personal data constitute a violation of Article 6(1) GDPR?

Holding

AEPD considered that the documentation provided offers evidence that Vodafone violated Article 6(1) of the GDPR, by processing the claimant's personal data without any legitimate reason. The fact that it was a non-intentional negligent action, that basic personal identifiers were affected and the continued nature of the infringement were considered aggravating factors, determining the amount of the fine in EUR 75,000. However, two attenuating circumstances of the Spanish Law on Common Administrative Procedure of Public Administrations (Article 85) could be applied, which may respectively reduce the fine by 20%. The first mitigating factor is to acknowledge their responsibility within the time allowed for the submission of claims. The second mitigating factor is, at any time prior to the resolution of the proceedings, to make voluntary payment of the proposed fine. On June 16, 2020, Vodafone proceeded to pay the sanction in the amount of EUR 45,000 applying therefore the two previously mentioned reductions. This implied the recognition of their responsibility and the resignation to any action or appeal in administrative channels against the sanction. After these events, the AEPD decided to terminate the procedure.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/11
936-031219
• Procedure Nº: PS / 00168/2020
RESOLUTION R / 00335/2020 TERMINATION OF THE PROCEDURE FOR PAYMENT
VOLUNTARY
In the sanctioning procedure PS / 00168/2020, instructed by the Spanish Agency for Data Protection
to VODAFONE ESPAÑA, SAU, having regard to the complaint presented by AAA, and based on the
following,
BACKGROUND
FIRST: On June 24, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a
sanctioning procedure against VODAFONE ESPAÑA, SAU ( hereinafter, the claimed), through the
Agreement that is transcribed:
<<
Procedure Nº: PS / 00168/2020
935-200320
AGREEMENT TO START SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Agency for Data Protection and based on the following:
ACTS
FIRST D. AAA ( hereinafter, the claimant) on December 29, 2019 filed a claim with the Spanish Agency for
Data Protection. The claim is directed against Vodafone España, SAU with NIF A80907397 (hereinafter, the
claimed one).
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
2/11
The reasons on which your claim is based are that after deleting your personal data in 2015, you
continued to receive advertising SMS messages on your mobile line (*** TELEPHONE 1).
SECOND: In view of the facts denounced in the claim and the documents provided by the claimant, the
General Sub-Directorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify
the facts in question, by virtue of the Investigative powers granted to the control authorities in article 57.1 of
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with
the provisions of Title VII, Chapter I, Second Section , of the Organic Law 3/2018, of December 5, Protection
of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).
As a result of the investigation actions carried out, it is verified that the person responsible for the
treatment is the one claimed.
Likewise, the following points are found:
On April 15, 2020, the respondent states that after carrying out the appropriate investigations into
what happened, they have proceeded to send a letter to the claimant, informing him of the steps that have
been carried out by Vodafone in response to his claim (attached copy of the letter sent).
They add that the claimant's data is correctly deleted in their computer systems related to the
management of customer data, by virtue of the request to exercise the right to cancel them made by him in
May 2015. The reason for which could have received the SMS messages could have been because their
personal data had been visible in their customer data management systems, or there had been some type of
error of the claimed when managing the cancellation of such data.
On the other hand, they point out that the main reason is that this number has been used by both
collaborating agents and Vodafone employees as it is a simple number to remember and quick to write,
therefore, a "dummy" number, how use in certain activities and processes.
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
3/11
Finally, it points out that the complainant has implemented a series of actions in order to avoid the
misuse of the aforementioned number (which are detailed), among them that real and updated information
must be included in the client's files, which does not Data can be invented or others used that they consider
implausible that they may belong to a client, such as the aforementioned number. A series of blockages have
been made in the system that prevent, for these purposes, the use of said numbering.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as
established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is
competent to initiate and resolve this process.
II
The defendant is charged with committing an offense for violation of Article 6 of the RGPD, " Legality
of the treatment ”, Which indicates in section 1 the cases in which the processing of third-party data is
considered lawful:
"one. The treatment will only be lawful if at least one of the following conditions is met:
a) the interested party gave their consent to the processing of their personal data for one or more
specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party is a party or
for the application at his request of pre-contractual measures;
(…) "
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
4/11
The offense is typified in Article 83.5 of the RGPD, which considers as such:
"5. Infringements of the following provisions shall be penalized, in accordance with section 2, with
administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent
to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the
one with the highest amount:
a) The basic principles for the treatment, including the conditions for consent in accordance with
articles 5,6,7 and 9. "
The Organic Law 3/2018, of Protection of Personal Data and Guarantee of Digital Rights
(LOPDGDD) in its article 72, under the heading “ Violations considered very serious " has:
"one. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infractions that imply
a substantial violation of the articles mentioned therein and, in particular, the following will prescribe after
three years:
(…)
a) The processing of personal data without the concurrence of any of the conditions of lawfulness of
the treatment established in article 6 of Regulation (EU) 2016/679. "
III
The documentation in the file provides evidence that the complained party violated article 6.1 of the
RGPD, since it processed the claimant's personal data without having any legitimacy to do so.
The respondent has recognized this error and has indicated that one of the causes that motivated the
sending of the SMS to the claimant is that said number has been used by both collaborating agents and
Vodafone employees as it is a simple and fast number to remember to write, therefore, a “dummy” number,
how to use it in certain activities and processes.
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
5/11
However, and this is essential, the respondent does not prove the legitimacy for the treatment of the
claimant's data.
IV
The determination of the sanction to be imposed in this case requires observing the provisions of
articles 83.1 and 83.2 of the RGPD, precepts that, respectively, provide the following:
"Each supervisory authority shall guarantee that the imposition of the administrative fines in
accordance with this article for the infringements of this Regulation indicated in paragraphs 4, 9 and 6 are in
each individual case effective, proportionate and dissuasive."
" Administrative fines will be imposed, depending on the circumstances of each individual case, as
an additional or substitute for the measures referred to in article 58, paragraph 2, letters a) to h) and j). When
deciding to impose an administrative fine and its amount in each individual case, the following will be duly
taken into account:
a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or
purpose of the processing operation in question as well as the number of interested parties affected
and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) Any measure taken by the person in charge or in charge of the treatment to alleviate the
damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking
into account the technical or organizational measures that have been applied by virtue of articles 25 and
32;
e) any previous infringement committed by the controller or the processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and
mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
6/11
h) the way in which the supervisory authority became aware of the infringement, in particular
whether the controller or processor notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the
person responsible or the person in charge in question in relation to the same matter, compliance
with said measures;
j) adherence to codes of conduct under Article 40 or certification mechanisms approved under
Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the
financial benefits obtained or the losses avoided, directly or indirectly, through the infringement. " ( The
underlining is from the AEPD)
In order to specify the amount of the sanction to be imposed on the claimed person for violation of
article 83.5.a) of the RGPD, it is essential to examine and assess whether the circumstances described in
article 83.2 of the RGPD exist and if they intervene mitigating or aggravating the responsibility of the
responsible entity.
In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the
procedure, for the purpose of setting the amount of the fine to be imposed in this case, the claimed party is
considered responsible for an offense typified in Article 83.5.a) of the RGPD, in an initial assessment, the following
factors are considered concurrent.
As aggravating factors the following:
- In the present case we are dealing with an unintentional negligent action, but
identified significant (article 83.2 b).
- Basic personal identifiers (name, an identification number, the line identifier) are affected (article 83.2 g).
- Any previously committed offense (article 83.2 e).
- Section k), in relation to article 76.2 of Organic Law 3/2018, in which the continued nature of the offense
attributed to the claimed is framed as an aggravating factor.
That is why it is considered appropriate to graduate the sanction to impose on the claimed and set it at the amount
of € 75,000 for the violation of article 6 of the RGPD.
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
7/11
Therefore, based on the foregoing,
By the Director of the Spanish Agency for Data Protection,
HE REMEMBERS:
1. START SANCTIONING PROCEDURE against VODAFONE ESPAÑA, SAU, with NIF A80907397, for
the alleged violation of article 6 of the RGPD typified in article 83.5.a) of the aforementioned RGPD.
2. APPOINT Mr. BBB and as secretary to Dña. CCC,
indicating that any of them may be challenged, where appropriate, in accordance with the provisions
of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector
(LRJSP).
3. INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its
attached documentation, the information requirements that the General Sub-Directorate of Data
Inspection sent to the claimed entity in the preliminary investigation phase and their respective
acknowledgments of receipt .
4. THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations, the corresponding sanction would be 75,000
euros (seventy-five thousand euros), without prejudice to what results from the instruction .
5. NOTIFY this agreement to Vodafone España, SAU, with NIF A80907397, granting it a hearing period
of ten business days to formulate the allegations and present the evidence it deems appropriate. In
your statement of allegations, you must provide your NIF and the procedure number that appears at
the top of this document.
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
8/11
If within the stipulated period no allegations are made to this start-up agreement, it may be considered a
resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations
(hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed is
a fine, you may acknowledge your responsibility within the term granted for the formulation of allegations to
this initiation agreement; which will entail a reduction of 20% of the sanction to be imposed in this procedure.
With the application of this reduction, the penalty would be set at 60,000 euros, resolving the procedure with
the imposition of this penalty.
In the same way, it may, at any time prior to the resolution of this procedure, carry out the voluntary payment
of the proposed penalty, which will entail a reduction of 20% of its amount. With the application of this
reduction, the sanction would be established at 60,000 euros and its payment will imply the termination of the
procedure.
The reduction for the voluntary payment of the penalty is cumulative to the one that corresponds to apply for
the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made manifest
within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of
the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this
case, if both reductions should be applied, the amount of the penalty would be set at 45,000 euros.
In any case, the effectiveness of any of the two aforementioned reductions will be conditioned to the
withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
In case you choose to proceed to the voluntary payment of any of the amounts
indicated above, 60,000 euros or 45,000 euros, you must make it effective by entering account no. ES00
0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection at Banco
CAIXABANK,
SA, indicating in the concept the reference number of the procedure that appears in
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
9/11
the heading of this document and the cause for the reduction of the amount to which it applies.
Likewise, you must send proof of entry to the General Inspection Subdirectorate to continue with the
procedure in accordance with the amount entered.
The procedure will have a maximum duration of nine months from the date of the initiation agreement or,
where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently,
the file of actions; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no
administrative appeal against this act.
Sea spain marti
Director of the Spanish Agency for Data Protection
>>
SECOND: On July 16, 2020, the defendant has proceeded to pay the penalty in the amount of 45,000 euros making
use of the two reductions provided in the Initiation Agreement transcribed above, which implies the
recognition of responsibility.
THIRD: The payment made, within the period granted to formulate allegations at the beginning of the
procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and
the recognition of responsibility in relation to the facts to which the Agreement refers Of start.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established
in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital
rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
10/11
it is competent to sanction the infractions that are committed against said Regulation; the infractions of article
48 of the Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the
provisions of article 84.3 of the LGT, and the infractions typified in articles 38.3 c) , d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the information society and electronic commerce
(hereinafter LSSI), as provided in article
43.1 of said Law.
II
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations
(hereinafter, LPACAP), under the heading “ Termination of sanctioning procedures ”Provides the following:
"one. Once a sanctioning procedure has been initiated, if the offender acknowledges his
responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely of a pecuniary nature or it fits
impose a penalty pecuniary and another of a non-pecuniary nature but the inadmissibility of the second has
been justified, the voluntary payment by the presumed responsible, at any time prior to the resolution, will
imply the termination of the procedure, except in relation to the replacement of the altered situation or the
determination of compensation for damages caused by the commission of the offense.
3. In both cases, when the penalty is solely of a pecuniary nature,
the competent body to resolve the procedure will apply reductions of at least 20% on the amount of the
proposed sanction, these being cumulative with each other. The aforementioned reductions must be
determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the
withdrawal or resignation of any action or appeal in administrative proceedings against the sanction.
Reduction percentage provided in this section it may be increased by regulation.
In accordance with the above,
the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: DECLARE the termination of the procedure PS / 00168/2020, of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, SAU.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it
has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to the provisions of art.
114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations,
the interested parties may file an administrative contentious appeal before the Contentious-Administrative
Chamber of the National Court, in accordance with the provisions in article 25 and in section 5 of the fourth
additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a
period of two months from the day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
11/11
Mar España marti
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es