AEPD (Spain) - PS/00030/2021
From GDPRhub
AEPD (Spain) - PS/00030/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 28 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 17.05.2021 |
Published: | 25.05.2021 |
Fine: | 100000 EUR |
Parties: | “Vodafone España, S.A.U. |
National Case Number/Name: | PS/00030/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
in progress
English Summary
Facts
in progress
Dispute
Holding
in progress
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/24 Procedure No.: PS / 00030/2021 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and with based on the following BACKGROUND FIRST: A.A.A. (hereinafter the claimant) filed a claim with the Agency Spanish Data Protection Agency (hereinafter AEPD) upon receipt on *** DATE.1, at 11:34 am, from a commercial call on behalf of “Vodafone España, S.A.U.”, with CIF A80907397 (hereinafter the claimed or VDF), to your telephone line *** TELEPHONE. 1, which is registered in the advertising exclusion list Robinson, from the line *** PHONE. 2. Relevant documentation provided by the claimant: - 34 second audio file corresponding to the call recording commercial claimed. - Copy of the invoice (issued by XFERA MÓVILES, S.A.U. with CIF A82528548) of the telephone line *** TELEPHONE.1 in which the ownership of the claimant is accredited. - Copy of the certificate of registration in the Robinson List issued on 01/31/2020, in which your phone line *** PHONE. 1 is registered against phone calls commercials since 08/03/2018. SECOND: In view of the facts denounced in the claim and the documents provided by the claimant / of the facts and documents of which he has this Agency, the Subdirectorate General for Data Inspection, had knowledge proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and of in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigative actions carried out, it is verified that the responsible for the treatment is the one claimed. BACKGROUND Claim entry date: *** DATE. 2. Claimant: A.A.A. Claimed: VODAFONE ESPAÑA, S.A.U. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/24 Dated 04/15/2020 in check-in 014582/2020, associated with procedure E / 02271/2020, the AEPD verified allegations of the complained in that It established that it had no record in its database of the number *** TELEPHONE. 2 associated with your collaborators who make recruitment calls on your behalf. The claimed in that same registry stated that the claimant was recorded in the the corresponding Robinson List from 08/03/2018. In addition, the claimed informs have included the telephone line in the internal Robinson list of their entity *** PHONE. 1 of the claimant as a result of the transfer of the claim, going to be recorded as registered in it. The respondent stated that she had not contacted the claimant to notify him of the steps taken for not having his data of Contact INVESTIGATED ENTITIES As stated in the Diligence, incorporated in the associated Investigation File (E / 09385/2020) on 11/25/2020, the telephone line with number *** TELEPHONE. 2 was operated by SEWAN COMUNICACIONES, as recorded in the Records of Numbering and Telecommunications Operators of the National Commission of the Markets and Competition (hereinafter, CNMC). Consequently, during these proceedings the following has been investigated entity: SEWAN COMUNICACIONES, S.L.U. (hereinafter, the investigated # 1), with CIF B73619215 and address at *** ADDRESS.1 (MADRID). Likewise, in the course of the preliminary investigation actions, it was established the need to proceed to investigate also the following entity: VAMAVI PHONE, S.L. (hereinafter, the investigated # 2), with CIF B87914446 and address at *** ADDRESS.2, *** LOCALITY.1 (MADRID). RESULT OF RESEARCH ACTIONS The claimant's telecommunications operator, XFERA MÓVILES, S.A.U. manifests confirmation of receipt at the number *** PHONE. 1 (ownership of the claimant) of the call made by the line *** PHONE. 2, on *** DATE.1 at 11:34:50. This line of origin of the call appears to you as incoming in the interconnection platform operated by the investigated # 1. The investigated # 1 claims to be a telecommunications operator that provides telephone services to customers, end users and resellers. The investigated # 1 provides a copy of the CNMC public registry of operators in that is thus identified. Respondent # 1 identifies respondent # 2 as her client who owns the telephone line *** TELEPHONE.2 on *** DATE.1 at 11:34:50, and specifically in its ownership since October 2, 2019. The investigated C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/24 # 1 alleges that he did not make the call or have a contract or any connection with the one claimed to advertise its commercial services. The investigated # 1 confirms that the call from the telephone line *** PHONE. 2 to line *** PHONE. 1 (owned by the claimant) produced the *** DATE.1 at around 11:34 a.m. and lasted for 39 seconds. The investigated # 1 provides a copy of the invoice corresponding to the month of January 2020 issued to the investigated # 2, as its client holder of the telephone line *** TELEPHONE. 2, in which said call is reflected telephone. The investigated # 2 confirms the realization of a commercial call on *** DATE 1 at 11:34 a.m. to offer commercial services on behalf of and on behalf of the respondent, to the claimant's phone line *** TELEPHONE.1 from line *** TELEPHONE.2 (under your ownership). The investigated # 2 expresses that the acquisition of clients for the claimed through commercial telephone calls occurred in the segment of individuals, self-employed and micro-businesses. The investigated # 2 alleges that she does not have files related to the owners of the telephone lines to which he called commercially due to the fact that generated lists of random numbers from the list of numberings valid published by the CNMC, in accordance with the instructions of the claimed according to contract. The investigated # 2 provides a copy of the numbering list telephone numbers allegedly taken from the CNMC. The respondent # 2 states that she has access to the Robinson List in which performs the filtering to avoid numberings that have been opposed to the commercial calls and adds to recognize the claimant's phone line *** PHONE. 1 included in said list. The investigated # 2 alleges, after the identification of the number of the claimant involved in the business call produced, which [sic]: “(…) so it seems that it is a specific error in our filtering system. " THIRD: On January 27, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for the complained party (VDF), for the alleged violation of Article 28 of the RGPD, typified in Article 83.4 of the GDPR. FOURTH: The person in charge has not requested the practice of tests or the sending of the documentation in the file. FIFTH: In relation to the allegations made by the person in charge after the agreement Initially, they are answered in the Law Foundation II (FDII). SIXTH: On March 5, 2021, a resolution proposal was formulated, in the following terms: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/24 <That the Director of the Spanish Data Protection Agency sanctions VODAFONE ESPAÑA, S.A.U., with CIF A80907397, for a violation of Article 28 in relation to art. 24 both of the RGPD, typified in Article 83.4 of the RGPD and according to art. 83.2, with a fine of 100,000 euros (one hundred thousand euros)>. SEVENTH: It is established that investigated # 2 (Vamavi) has direct access to VDF by means of access code, to proceed to the registration of the services contracted in VDF direct distributor quality since September 2019. EIGHTH: On 03/23/2021, VDF presented allegations to the Proposal for Resolution, in summary, in the following terms: 1. VDF is not responsible for the treatments carried out by its "collaborators ... that use their own databases in the development of their own activity ”. 2. The AEPD has investigated the calling numbering and has concluded that it is owned by the Vamavi entity, an entity that has acknowledged having carried out the call to the claimant to promote VDF services. This entity has identified before the Agency as a subagent of Solivesa. Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited, PROVEN FACTS FIRST: The complained party (VDF) is responsible for data processing personnel carried out by their entities in charge, among which is the investigated # 2, being the one that defines the purpose and means and acting as those in charge in the name and on behalf of VDF. SECOND: The defendant (VDF) contracted with investigated # 2 -as manager treatment- who made a commercial call to the claimant on the date *** DATE. 1, 11:34 m, 39 seconds long, to your line number *** TELEPHONE.1 from line *** TELEPHONE.2, offering VDF services. THIRD: It is clear that VDF had knowledge of the events now analyzed and of the claimant's data on 03/11/2020 (16:03:36, according to the support of the electronic notifications and certified email address). In the transfer of the The claim contained the complete contact details of the claimant. However, VDF alleges that it did not communicate with the claimant due to not having his data. FOURTH: The claimant's line *** TELEPHONE 1 was registered in the list of advertising exclusion robinson of ADigital from the date 08/03/2018. FIFTH: In the contract for the data controller entered into between VDF and the investigated # 2, dated 09/19/2017, and in annexes II, III and IV provided that are head with express reference to the investigated # 2 as "in charge of the treatment ”, there are no instructions on how to carry out the mandatory crossing of data in order to eliminate the lines registered in ADigital's robinson list of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/24 advertising exclusion. In this regard, VDF alleges that there is “no instruction to VDF regarding the treatment of said data ”(sic). SIXTH: Nor does the VDF record the monitoring and follow-up of the execution of the contract manager from its inception to the end of the treatment of Personal data commissioned for advertising actions, including the subcontracting with third parties of VDF promotional services. The claimed Until the beginning of this proceeding, it was not aware that the number of Claimant's telephone number was included in the advertising exclusion list Adigital's Róbinson List, without any action against the investigated # 2 to avoid the commercial call on your behalf by the investigated # 2. SEVENTH: Exhibit VI of the aforementioned contract states that the scope of this service provision contract is the promotion of services on behalf of and by VDF account. The second clause states: "The purpose of this contract is the promotion commercial, in person, of the VODAFONE Services in the area geographic location that is communicated by VODAFONE to the COLLABORATOR (hereinafter, "Sales Area") so that they are hired by Clients and consumed by recurring and consolidated way. Exceptionally, the CONTRIBUTOR may carry out your activity by making phone calls when VODAFONE expressly authorizes this authorization may be limited temporary or objectively to specific promotions / campaigns ”. The fourth clause states: "In the Sales Areas in which the COLLABORATOR develop their activity for VODAFONE, the COLLABORATOR may not, directly or indirectly, promote the commercialization of services of other operators, companies or professionals that intervene in the market in which it operates VODAFONE, with or without its own network, that concur or compete directly or indirectly with the Services provided by VODAFONE, regardless of the technology used by the aforementioned operators, companies or professionals, having to develop their professional activity in this field exclusively on behalf of and on behalf of VODAFONE ”. The fifth clause states: “5.2 At the beginning of the validity of this contract, the EMPLOYEE has the third party collaborators listed in Annex II of this contract. (consists investigated # 2 as in charge of the treatment) 5.3. The COLLABORATOR must expressly communicate to VODAFONE the new incorporations of third-party collaborators that must be expressly authorized by VODAFONE in accordance with clause 6.1. Also, the COLLABORATOR must send VODAFONE quarterly the list of third-party collaborators with whom it has at that time ”. EIGHTH: Section 6 of Annex IV of the aforementioned contract states the following: <USE OF SUB-MANAGER OF TREATMENTS C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/24 6.1. The Treatment Manager will not subcontract or outsource any Treatment of Personal Data to any other person or entity, including the Entities of the Group of the Person in Charge of Treatment ("Sub-person in charge of Treatment") unless and until: 6.1.1. The Treatment Manager has notified Vodafone by notification formal in writing the full name and registered office or main headquarters of the Deputy in Charge of Treatment by completing Annex 1. 6.1.2. The Data Controller has notified Vodafone of any change that Annex 1 is required to be made in accordance with this Clause 6. 6.1.3. The Data Controller has provided Vodafone with the details (including categories) of the Treatment to be carried out by the Assistant Manager of Treatment in relation to the Services provided; 6.1.4. Treatment Manager has signed an agreement with said Sub-Manager Treatment that, in no case, may be less demanding than what is contained in this Agreement; 6.1.5. The Treatment Manager must send Vodafone a certificate or Responsible statement in which you state that you have signed with your Sub-processors the corresponding contracts regarding data protection and processing personal in which all the obligations required by VODAFONE are transferred in accordance with the provisions of VODAFONE in clause 13 of the contract and in the clause 6.1.4. of this Annex, reserving the right VODAFONE to request evidence of compliance at any time; 6.1.6. Vodafone has not substantiated its opposition to outsourcing or outsourcing within ten (10) business days after receipt of the written notification of the Treatment Manager established in Clause 6.1.1, including the information established in Clause 6.1.3; Y 6.2. In all cases, the Treatment Manager will be responsible to Vodafone of any act or omission made by the Sub-Manager of Treatment or any another third party designated by him as if the acts or omissions had been carried out by the Person in Charge of Treatment, regardless of whether the Treatment Manager complied with its obligations specified in Clause 6.1. 6.3. In case of breach of the obligations contained in this Agreement for the commission of actions carried out by a Deputy in Charge of Treatment, the Treatment Manager must, if requested by Vodafone, assign the Vodafone's right to act as it deems necessary for the protection and safeguards the Personal Data, by virtue of the contract of the Treatment Manager with the Sub-person in charge of Treatment>. NINTH: Section 9 of Annex IV of the aforementioned contract states the following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/24 <9. RIGHT TO AUDIT. The Treatment Manager will ensure that any Sub-Processor Treatment allows Vodafone, its clients (including subcontractors, auditors or other Vodafone agents and their respective customers) and / or the Authorities of Privacy (each of them an "Audit Party") access their systems IT and other information systems, records, documents and agreements that reasonably required by the Audit Party, to verify that the Person in Charge of Treatment and / or its Deputy Managers of Treatments are complying with their obligations under this Agreement (or any contract of subsequent sub-treatment) or any Applicable Privacy Legislation, always that said review does not imply the review of third party data and that said entity auditor complies with the confidentiality obligations of the person in charge of Treatment or with the relevant Sub-Manager of Treatment, respecting the confidentiality of the commercial interests of the Treatment Manager or Sub-manager of Treatment and the data and information of third parties of which the auditing entity can become aware in the course of carrying out the audit…> TENTH: It is established that the reference sanctioning procedure PS / 00026/2021 filed against investigated # 2 (Vamavi), was resolved by advance payment and recognition of the facts (those described in the Second Proven Fact), which knows the claimed every time it alleges. Also, in the procedure reference sanctioner PS / 00031/2021 is resolved in the sense of filing the facts imputed to Solivesa since the twelfth proven fact contains that Vamavi acted on behalf of and on behalf of VDF as manager of the treatment in making the now investigated call to the claimant. Consists that VDF is aware of the foregoing by being credited with the proven fact twelfth of the resolution of the citato PS / 00031/2021, the following: <TWELFTH: After the agreement to initiate this sanctioning procedure, SOLIVESA requested a meeting with the DPD of Vodafone to inform them how Vamavi had a direct access key from Vodafone to sign up for services contracted, at which point Vodafone informs SOLIVESA that effectively Vamavi has a direct key from Vodafone as an authorized distributor since September 2019.> (underlined is from the AEPD). FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/24 In relation to the allegations made by the person in charge after the initiation agreement, are answered in the following terms: 1R) It should be noted that the object of the claim is not due directly to the receiving an unwanted call, but a call to a line registered in the advertising exclusion list since 08/03/2018, violating the provisions of art 23 of the LOPDGDD. As developed in the Fundamentals of Law, the person in charge must have absolute control over the data processing that is the object of the order, not only previously check the organizational and technical means available to the entity in charge, but to carry out the necessary subsequent audits in order to guarantee the rights and freedoms of those affected in the treatments carried out in name and on behalf of the person in charge. 2R) As indicated in the Fundamentals of Law, the imputation to VDF in the This sanctioning procedure does not exonerate other entities from liability involved in the processing of data of responsibility VDF and object of order to other entities as those in charge, although each one must be responsible for its conduct contrary to the RGPD, where appropriate, in separate procedures. 3R) In the present case, VDF is responsible for the treatments carried out by the entities in charge of them. The publicity call received by the claimant being included in Adigital's Robinson advertising exclusion list should have been avoided by applying effective organizational and technical means in hiring of the person in charge (s), that there is no evidence that they were implanted. 4R) VDF alleges that managers must present themselves to potential clients in her name. Without prejudice to the internal rules of courtesy in the face of a potential client, it should be noted that the treatment object of analysis is carried out on behalf of and on behalf of VDF at all times, regardless of the databases that are used. 5R) Regarding the call routing system through the VDF trunk, It should be noted that its efficacy is not established since in the present case it has not been made or verified the correct filtering of calls with the exclusion list Adigital advertising. 5, 6 and 7R) In addition, as stated by VDF in other proceedings, said system routing was supposed to be activated in February 2020 and now VDF claims that it did not will be effective until February 2021, which denotes a serious lack of diligence on the commercial activity carried out by those in charge of the treatment in the name and by VDF account. 8.1R) As has already been reiterated, regarding the application of the aggravating factor of art 76.1.b) of the LOPDGDD in relation to art 83.2.k) of the RGPD, its application is evident since VDF is one of the largest telecommunications operators in the country and acts as responsible for the data being processed in its campaigns advertising to attract customers and, in the present case, acting without the diligence due in the hiring and monitoring of entities in charge. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/24 8.2R) It should be emphasized that VDF is responsible for the treatments object of analysis in this proceeding, as proven by the proven facts and It is developed in the Fundamentals of Law. 8.3R) It should be noted that article 83.2.e) of the RGPD indicates as an aggravating factor: “all infringement… ”, that is, the repetition of conduct contrary to the regulations of competition the AEPD. III In relation to the allegations made by the person in charge after the initiation agreement, are answered in the following terms: 1R) VDF is not responsible for the treatments carried out by its "collaborators … That use their own databases in the development of their own activity ”. From the definition of data controller in art. 4.7 of RGPD, it is established that VDF It is the one that determines the purposes and means of the treatment. In the present case, it consists that Vamavi materializes the call to the claimant in the name and on behalf of VDF as stated in the contract signed between both entities in September 2019. In the following Fundamentals of Law, the concept of responsible person is specified. of the treatment, in charge of the treatment and the obligations of one and the other according to provides art. 28 of the GDPR. Consequently, the claim must be rejected. 2R) The AEPD has investigated the calling numbering and has concluded that the It is owned by the Vamavi entity, an entity that has acknowledged having made the call to the claimant to promote VDF services. Is entity has identified before the Agency as a subagent of Solivesa. As stated in the proven facts of this resolution, the allegation must be rejected since it is proven that VDF and Vamavi signed a contract direct and independent (in September 2019) of the previously subscribed with Solivesa, for which reason in the present case Vamavi acted as the person in charge of the treatment on behalf of and on behalf of VDF in making the call to claimant on January 31, 2020. Consequently, making the call commercial by Vamavi in the name and on behalf of VDF (responsible) on the date 01/31/2020 when the claimant was included in the advertising exclusion list Róbinson de Adigital since 08/03/2018, it is the total responsibility of VDF by not have had due diligence in ordering and insuring previously and throughout the period of execution of the contract that your manager (Vamavi) deleted the records included in Adigital's Róbinson advertising exclusion list, as provided art 28 of the RGPD and art. 23 of the LOPDGDD. IV Article 24 of the RGPD establishes the following: <Responsibility of the person responsible for the treatment C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/24 1. Taking into account the nature, scope, context and purposes of the processing as well as risks of varying probability and severity to the rights and freedoms of natural persons, the data controller will apply measures appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with this Regulation. These measures will be reviewed and will update when necessary. 2. When they are provided in relation to the treatment activities, between the measures mentioned in section 1 shall include the application, by the responsible for the treatment, of the appropriate data protection policies. 3. Adherence to codes of conduct approved pursuant to article 40 or to a certification mechanism approved under article 42 may be used as elements to demonstrate compliance with the obligations by the responsible for the treatment.> Report 0064/2020 of the Legal Office of the AEPD has emphatically expressed that “The RGPD has meant a paradigm shift when addressing the regulation of the right to the protection of personal data, which is based on the principle of "accountability" or "proactive responsibility" as stated repeatedly the AEPD (Report 17/2019, among many others) and is included in the Statement of reasons for Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD) ”. The aforementioned report continues that “… the criteria on how to attribute the different roles remain the same (section 11), reiterates that these are concepts functional, which aim to assign responsibilities according to the roles of the parties (section 12), which implies that in most cases should be addressed to the circumstances of the specific case (case by case) according to their actual activities rather than the formal designation of an actor as "responsible" or "manager" (for example, in a contract), as well as concepts self-employed, whose interpretation must be carried out under the protection of European regulations on the protection of personal data (section 13), and taking into account (section 24) that the need for a factual assessment also means that the role of a responsible for the treatment does not derive from the nature of an entity that is processing data but of their specific activities in a specific context… ”. The concepts of controller and processor are not formal, but functional and must attend to the specific case. The designation by VDF of "Responsible for the treatment" to its collaborators, does not automatically grant them such condition. The person responsible for the treatment is so from the moment he decides the purposes and means of treatment, not losing this condition the fact of leaving a certain margin of action to the person in charge of the treatment or for not having access to the databases of the in charge. This is undoubtedly expressed in the Guidelines 07/2020 of the European Committee on Data Protection (CEPD) on the concepts of data controller and in charge of the RGPD -the translation is ours-, “A data controller is who determines the purposes and means of the treatment, that is, the why and the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/24 how of the treatment. The controller must decide on both purposes and means. However, some more practical aspects of the implementation ("nonessential media") can be left to the manager treatment. It is not necessary for the controller to actually have access to the data that is being processed to qualify as responsible ". In the present case, it is established that VDF is the data controller now analyzed (call to the claimant on date *** DATE.1 made by Vamavi in quality of data controller in the name and on behalf of VDF) since, As defined in article 4.7 of the RGPD, it is the entity that determines the purpose and means of the treatments carried out in direct marketing actions of the person in charge. Therefore, in its capacity as data controller, it is obliged to comply with the provisions of the transcribed article 24 of the RGPD and, especially, regarding the control effective and continued “appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with the present Regulation ”among which are those provided in article 28 of the RGPD in relationship with those in charge of the treatments who act in the name and on behalf of VDF. In this sense, and in relation to the allegation made by VDF in its brief of allegations that those responsible for the treatments that the entities those in charge carry out on behalf of VDF and, therefore, those that have of their own files, they do not act as managers but rather as managers. responsible for these treatments, it should be noted that in the Guidelines 07/2020 of the European Data Protection Committee (CEPD) on the concepts of data controller and person in charge of the RGPD - the translation is ours -, “42. It is not necessary for the controller to actually have access to the data being processed. Whoever outsources a treatment activity and, at the to do so, has a determining influence on the purpose and (essential) means of the treatment (for example, adjusting the parameters of a service in such a way that influences whose personal data will be processed), should be considered as responsible although he will never have real access to the data ”. Remember that VDF determines who the calls can be made to, as they cannot be made to who are already clients of the company, as well as filtering regarding lists of advertising exclusion (Robinson ADigital) or whatever corresponds with respect to the exercise opposition (internal Robinson). Likewise, following the legal report of the AEPD dated 11/20/2019, with internal reference 0007/2019 and STS 1562/2020 (for all), we must point out that analyzes the legal figure of the data controller from the perspective of the RGPD that regulates it exclusively. V Article 28 of the RGPD establishes the following: In charge of the treatment <1. When a treatment is to be carried out on behalf of a person responsible for the treatment, it will only choose a manager who offers sufficient guarantees to apply appropriate technical and organizational measures, so that the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/24 treatment is in accordance with the requirements of this Regulation and guarantees the protection of the rights of the interested party. 2. The person in charge of the treatment will not resort to another person in charge without prior authorization in writing, specific or general, of the person in charge. In the latter case, the person in charge will inform the person in charge of any change foreseen in the incorporation or substitution of other managers, thus giving the person in charge the opportunity to oppose to such changes. 3. The treatment by the person in charge will be governed by a contract or other legal act with according to the law of the Union or of the Member States, that binds the person in charge with respect to the person in charge and establish the object, duration, nature and purpose of the treatment, the type of personal data and categories of interested parties, and the obligations and rights of the person in charge. Said contract or legal act shall stipulate, in particular, that the person in charge: a) will process personal data only following documented instructions from the responsible, including with respect to transfers of personal data to a third country or an international organization, unless it is obliged to do so by virtue of of the law of the Union or of the Member States that applies to the processor; on In such case, the person in charge will inform the person in charge of this legal requirement prior to treatment, unless such Right prohibits it for important reasons of interest public; b) will guarantee that the persons authorized to process personal data have are committed to respecting confidentiality or are subject to an obligation of confidentiality of a statutory nature; c) take all necessary measures in accordance with Article 32; d) respect the conditions indicated in sections 2 and 4 to resort to another in charge of the treatment; e) will assist the person in charge, taking into account the nature of the treatment, through appropriate technical and organizational measures, whenever possible, so that this can fulfill its obligation to respond to requests that have as their object the exercise of the rights of the interested parties established in chapter III; f) will help the person in charge to guarantee compliance with the obligations established in articles 32 to 36, taking into account the nature of the treatment and the information available to the person in charge; g) at the discretion of the person in charge, delete or return all personal data a once the provision of treatment services ends, and will delete the copies existing unless the preservation of personal data is required by virtue of of the Law of the Union or of the Member States; h) will make available to the controller all the information necessary to demonstrate the fulfillment of the obligations established in this article, as well as C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/24 to enable and assist in the conduct of audits, including inspections, by part of the person in charge or another auditor authorized by said person in charge. In relation to the provisions of letter h) of the first paragraph, the person in charge will inform immediately to the person responsible if, in his opinion, an instruction violates this Regulation or other provisions on data protection of the Union or of Member States. 4. When a processor uses another processor to carry out certain processing activities on behalf of the controller, will be imposed on this other person in charge, by means of a contract or other legal act established in accordance with the Union or Member State law, the same obligations to data protection than those stipulated in the contract or other legal act between the responsible and the person in charge referred to in section 3, in particular the provision of sufficient guarantees of application of appropriate technical and organizational measures so that the treatment is in accordance with the provisions of this Regulation. If that other person in charge breaches their data protection obligations, The initial manager will remain fully accountable to the person responsible for the treatment with regard to the fulfillment of the obligations of the other in charge. 5. The adherence of the person in charge of the treatment to a code of conduct approved by pursuant to article 40 or to a certification mechanism approved pursuant to article 42 may be used as an element to demonstrate the existence of the guarantees sufficient referred to in sections 1 and 4 of this article. 6. Without prejudice to the person in charge and the person in charge of the treatment holding a individual contract, the contract or other legal act referred to in sections 3 and 4 of this article may be based, totally or partially, on the clauses contractual type referred to in sections 7 and 8 of this article, inclusive when they are part of a certification granted to the person in charge or in charge of in accordance with articles 42 and 43. 7. The Commission may establish standard contractual clauses for the matters to which it is refer to sections 3 and 4 of this article, in accordance with the procedure for examination referred to in article 93, paragraph 2. 8. A supervisory authority may adopt standard contractual clauses for the matters referred to in sections 3 and 4 of this article, in accordance with the coherence mechanism referred to in article 63. 9. The contract or other legal act referred to in sections 3 and 4 shall consist of written, including in electronic format. 10. Without prejudice to the provisions of articles 82, 83 and 84, if a person in charge of the treatment violates these Regulations by determining the purposes and means of the treatment, you will be considered responsible for the treatment with respect to said treatment> C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/24 The definition of 'processor' includes a wide range of actors, since be they natural or legal persons, public authorities, agencies or other bodies. The existence of a data processor depends on a decision taken by the data controller (VDF), who may decide to carry out certain treatment operations or contract all or part of the treatment with a in charge. The essence of the role of "processor" is that personal data are processed in the name and on behalf of the person responsible for the treatment. In practice, It is the person in charge who determines the purpose and the means, at least the essential ones, while the processor has a function of providing services to the Responsible for the Treatment. In other words, "acting in the name and on behalf of of the person responsible for the treatment »means that the person in charge of the treatment service of the interest of the controller in carrying out a task specific and that, therefore, follows the instructions established by the person responsible for the treatment, at least with regard to the purpose and essential means of the entrusted treatment. Article 28, section 1, of the RGPD establishes that “When a treatment on behalf of a data controller, he will choose only a manager that offers sufficient guarantees to apply technical measures and appropriate organizational, so that the treatment is in accordance with the requirements of this Regulation and guarantee the protection of the rights of the interested". The obligation provided for in article 28.1 of the RGPD -to select a person in charge of the treatment that offers sufficient guarantees to guarantee the application of the Regulation and the rights and freedoms of the interested party - it is not exhausted in the action prior to the selection and hiring of the treatment manager. This forces the responsible for the treatment to be evaluated at all times during the entire execution of the contract if the guarantees (technical or organizational) offered by the person in charge of the treatment are sufficient to guarantee the rights and freedoms of the interested. The 07/2020 Guidelines of the European Data Protection Committee (CEPD) on the concepts of data controller and processor in the RGPD -translation is ours- have, without a doubt, that “97. The obligation to use only the processors "who provide sufficient guarantees" contained in the Article 28 (1) of the GDPR is a continuous obligation. It does not end in the moment in which the controller and the person in charge of the treatment conclude a contract or another legal act. Instead, the controller should, at appropriate intervals, verify the assurances from the manager, including through audits and inspections when corresponds ”. And this, because the person responsible for the treatment is the one who has the obligation to guarantee the application of data protection regulations and the protection of the rights of interested parties, as well as being able to prove it (articles 5.2, 24, 28 and 32 of the GDPR). The control of compliance with the law extends throughout the treatment, from start to finish. The person responsible for the treatment must Act, in any case, diligently, consciously, committed and actively. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/24 This mandate of the legislator is independent of whether the treatment is carried out directly the person in charge of the treatment or that it carries out using a in charge of the treatment. Where the Law does not distinguish, we cannot distinguish ourselves. In addition, the treatment carried out materially by a person in charge of treatment by account of the data controller belongs to the sphere of action of this Lastly, in the same way as if he did it directly himself. The person in charge of Treatment, in the case examined, is an extension of the person responsible for the treatment. The data controller has the obligation to integrate and deploy the protection of data within everything that constitutes your organization, in all its areas. I know must bear in mind that, ultimately, the determining purpose is to guarantee the protection of the interested party. Interpret it in the opposite sense - the obligations that article 28 of the RGPD imposes to the data controller are limited to verifying the capabilities of the processor ab initio and to sign the contract of the data controller - not only would they contravene the current legislation constituting a clearly fraudulent action, but rather would violate the spirit and purpose of the GDPR. In light of the principle of proactive responsibility (art 5.2 RGPD), the person responsible for the treatment must be able to demonstrate that it has taken into account all the elements provided for in the RGPD. In the present case, VDF has disregarded the hiring by the entity in charge of the initially entrusted treatments. The data controller must take into account whether the data controller provides adequate documentation that demonstrates such compliance, privacy protection, file management policies, privacy policies information security, external audit reports, certifications, management of the exercise of rights ... etc. The controller must also take into account the knowledge specialized technicians of the person in charge of the treatment, the reliability and its resources. Only if the controller can demonstrate (principle of responsibility proactive of article 5.2 of the RGPD) that the person in charge of the treatment is adequate during the entire treatment phase (at all times) to carry out the order entrusted may enter into a binding agreement that meets the requirements of the Article 28 of the RGPD, without prejudice to the fact that the controller must follow complying with the principle of accountability and periodically checking the compliance of the manager and the measures in use. Before outsourcing a treatment and in order to avoid possible violations of rights and freedoms of those affected, the data controller must enter into a contract, another legal act or an agreement binding with the other entity that establishes clear and precise obligations regarding of data protection (in this case there is a contract of September 2019 with Vamavi). The person in charge of the treatment can only carry out treatments on the instructions documented data of the person in charge, unless he is obliged to do so by the Law C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/24 of the Union or a Member State, which is not the case. The person in charge of the treatment It also has the obligation to collaborate with the person in charge in guaranteeing the rights of the interested parties and comply with the obligations of the person responsible for the treatment of in accordance with the provisions of the aforementioned article 28 of the RGPD (and related). Therefore, it is insisted that the person responsible for the treatment must establish clear modalities for such assistance and give precise instructions to the person in charge of the treatment on how to comply with them properly and document it prior to through a contract or another (binding) agreement and check all moment of the development of the contract, its fulfillment in the manner established in the same. However, despite the obligations of the person in charge, article 28 of the RGPD seems to suggest that the responsibility of the processor remains limited compared to the responsibility of the controller. On In other words, although controllers may, in principle, be responsible for the damages derived from any infraction related to the processing of personal data (including those that have been committed by the processor) or breach of contract or other agreement (binding) Managers may be held liable when they have acted upon margin of the mandate granted by the controller, or have not complied your own contractual obligations or under the GDPR. In these cases, the data controller can be considered fully or partially responsible for the "part" of the processing operation in which you participate. You will only be in charge fully responsible when fully responsible for the damages caused in terms of the rights and freedoms of the affected parties; everything This, without avoiding the responsibility in which the person responsible for the treatment has incurred in order to avoid them. In the present case, and in accordance with the content of the signed contract, the investigated # 2 acts in a manager capacity whenever, according to the definition, they act fully in the name and on behalf of the person in charge (VDF) for all purposes in data protection matters. It is enough to bring up the content of the already mentioned STS 1562/2020 (by all), which states the following: << In this sense, and the Judgment of the Supreme Court of June 5, 2004, which confirms, on appeal for Uni fi cation of Doctrine, that of this AN of October 16, 2003, echoing what was argued by this Chamber, refers to the differentiation of two responsible depending on whether the decision-making power is directed to the file or to the data treatment. Thus, the person responsible for the file is the one who decides the creation of the file. file and its application, and also its purpose, content and use, that is, who has decision-making capacity on all the data registered in said file. The person responsible for the treatment, however, is the subject to whom the decisions about the specific activities of a certain data processing, that is, on a specific application. It would be all those assumptions in those that the power of decision must be differentiated from the material realization of the activity that integrates the treatment. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/24 With this, as the STS of April 26, 2005 also argues (appeal for uni fi cation of doctrine 217/2004), the Spanish legislator intends to adapt to the requirements of Directive 95/46 / EC, which aims to provide a legal response to the The phenomenon, which is becoming more and more frequent, of the so-called externalization of IT services, where multiple operators operate, many of them insolvent, created with the aim of seeking impunity or irresponsibility of the that follow him in the next links of the chain. Currently, the new Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons in the regarding the processing of personal data (repealing the Directive 95/46 / CE, and directly applicable as of May 25, 2018) also distinguishes between the figures of the person in charge and the person in charge of the treatment. The first is defined in paragraph 7) of article 4 as "natural or legal person (...) that determines the purposes and means of the treatment ". And the person in charge of treatment in section 8) of the same article 4 as the one that "processes personal data on behalf of the person in charge treatment ". This in relation to Articles 24 and 28 of the same European Regulation of Data Protection. Responsible for and in charge of the data processing that, without place doubtless, they are also responsible for infractions in terms of protection of data, in such a new regulatory framework, in accordance with the provisions of article 82.2 of the repeated Regulation (EU) 2016/679 in which: «Any person responsible who participates in the treatment operation will be liable for damages caused in the event that said operation does not comply with the provisions of the present Regulation. A manager will only be liable for damages. caused by the treatment when it has not complied with the obligations of the these Regulations specifically addressed to those in charge or has acted at the margin or against the legal instructions of the person in charge ". It follows from all the above that the concurrence, in the present case, of a ZZZZ processor in no way exempts the entity from liability XXXX now recurring, and this despite the forcefulness of the clauses that appear in the contract and annex thereto signed by both companies (proven facts 9 and 10) insofar as the personal data processed was for the purpose of carrying out an advertising campaign regarding car and motorcycle insurance that marketed the (XXXX), ultimately for the benefit of said XXXX, such plaintiff being the one that, in last term, determines the purposes and means of repeated data processing, therefore that it cannot be exonerated of responsibility. >> The STS continues, in relation to the possible exoneration of alleged responsibility Regarding what is subscribed in the contract of "person in charge of the treatment", the following: << The sanctioned conduct of obstruction or impediment by XXXX of the exercise by his client of the right of opposition to the treatment of his data, is manifested in that said company did not adopt any kind of measure or precaution to avoid the sending advertising to your client's email addresses by those companies to which it entrusted the realization of the advertising campaigns. The adoption of the necessary measures or precautions to ensure the effectiveness of the Right to object to the processing of your data by XXXX, such as C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/24 responsible for the file, subsist even if the advertising campaigns are not carried out starting with the data of your own files, but with databases of other companies hired by XXXX, and in this case it was proven that the appellant did not communicate to the companies with which it contracted the performance of publicity the opposition of the complainant to receive publicity from the Mutual, nor in short made any provision to ensure the exclusion of its customer from shipments advertising contracted with third parties >> and as in the present case, resulting in the called line included in the advertising exclusion lists from the 08/03/2018. Consequently, it must be concluded that the treatment analyzed in the antecedents in its various forms by the person in charge, the person responsible for the treatment is Vodafone Spain, S.A.U. (VDF) and acting as manager that other entity that acts in the name and on behalf of and for the benefit of VDF (Vamavi). Of the documentation in the file that is mentioned in the present resolution from the information collected by the Inspection of this AEPD and VDF's own acts and manifestations, the breach is accredited by VDF as responsible for the treatments entrusted to the effective control and continued in time of the measures provided in the above transcribed art 28 of the GDPR. In this regard, add that the obligation provided in article 28.3.h) RGPD, using in the at the beginning, the imperative term "will put" referring to the person in charge of the treatment, Obligation to "demand" from the person in charge "compliance with the obligations established in this article, as well as to allow and contribute to the realization of audits, including inspections, by the manager or another auditor authorized by said person in charge. " Thus, it is established that those in charge of the treatment (and in its case successive sub-processors) acting in the name and on behalf of VDF do not offer the guarantees sufficient to apply the appropriate technical and organizational measures to the treatment commissioned by VDF. Nor are the VDF duly documented entrusted tasks that carry out the treatments in the name and on behalf of the responsible (VDF). VDF, as the data controller, does not know under what conditions it hires a commissioned to act on his own behalf and under his specific specifications -that do not exist in terms of the crossing and exclusion of lines called included previously in robinson Adigital- and accept in these conditions and without qualms this conduct even having knowledge of this anomaly. Nothing appears in the relationship between VDF and managers regarding the requirements listed in the aforementioned art 28.3 which, in summary, are specified in defining previously by the person responsible for the treatment (VDF) the object, duration, nature, purpose, types of data, categories, obligations and rights of the interested parties, and mandatory powers of continuous control ... etc. Only on specific occasions cites having informally communicated one or other specific guidelines for action without that this implies any effective control of VDF with the entrusted treatments on your own and in your name. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 19/24 Therefore, non-compliance with data protection regulations must be also imputed, and in the first place, to the person responsible for the treatment (VDF) by not acting clearly, actively and effectively in stipulating and enforcing the specifications timely to carry out the treatment adequately in time entrusted in his name. The foregoing, without prejudice to the responsibilities incurred by the entities in charge and sub-entrusted of the treatments that must be settled in other procedures, which to date have already been resolved. Consequently, there is no evidence that VDF has carried out continuous monitoring during the entire cycle of execution of the treatments ordered despite the numerous known claims and ongoing investigations carried out by AEPD and which VDF has full knowledge of SAW Art 23 LOPDGDD. Article 23. Advertising exclusion systems. << 1. The processing of personal data that is intended to prevent the sending of commercial communications to those who have expressed their refusal or opposition to receiving them. For this purpose, information systems may be created, general or sectoral, in which only the data essential to identify the affected. These systems may also include preference services, by which those affected limit the reception of commercial communications those from certain companies. 2. The entities responsible for the advertising exclusion systems will notify the competent control authority its creation, its general or sectoral nature, as well as the way in which those affected can join them and, where appropriate, assert your preferences. The competent control authority will make public in its electronic headquarters a list of the systems of this nature that were communicated, incorporating the information mentioned in the previous paragraph. To such In effect, the competent control authority to which the creation has been communicated of the system will make it known to the other control authorities for their publication by all of them. 3. When an affected party expresses to a person in charge his wish that his data not are processed for the referral of commercial communications, it must inform you of the existing advertising exclusion systems, being able to refer to the information published by the competent control authority. 4. Those who intend to make direct marketing communications must previously consult the advertising exclusion systems that could affect your action, excluding from the treatment the data of those affected who had expressed their opposition or refusal to it. For these purposes, to consider Once the above obligation has been fulfilled, consulting the exclusion systems will suffice included in the list published by the competent control authority. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 20/24 It will not be necessary to carry out the query referred to in the previous paragraph when the affected would have provided, in accordance with the provisions of this organic law, its consent to receive the communication to whoever intends to make it. >> VII In the event of an infringement of the RGPD precepts, among the corrective powers available to the Spanish Data Protection Agency, As a supervisory authority, Article 58.2 of said Regulation contemplates the following: “2 Each supervisory authority shall have all the following corrective powers listed below: (…) b) punish any person responsible or in charge of the treatment with warning when the processing operations have infringed the provisions of this Regulation;" i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;". VIII Therefore, VDF as responsible for the treatments carried out on behalf of and on your behalf and in accordance with the evidence available in the present moment, it is considered that the facts presented do not comply with the in article 28, with the scope expressed in the Fundamentals of Law above, and involve the commission of an offense typified in article 83.4.a) of the RGPD, which under the heading "General conditions for the imposition of fines administrative ”provides the following: Article 83.4.a) of the RGPD, establishes the following: <4. Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a 39, 42 and 43; …>. Article 71 of the LOPDGDD. Infractions. The acts and conducts referred to in sections 4, 5 constitute offenses. and 6 of Article 83 of Regulation (EU) 2016/679, as well as those resulting contrary to the present organic law. Article 73 section p) of the LOPDGDD, establishes the following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 21/24 <Violations considered serious. Based on the provisions of article 83.4 of the Regulation (EU) 2016/679 are considered serious and will prescribe after two years the offenses that involve a substantial violation of the aforementioned articles in that and, in particular, the following: p) The processing of personal data without carrying out a prior assessment of the elements mentioned in article 28 of this organic law.> In accordance with the evidence available, the facts constitute infringement of art. 28 in relation to art 24 of the RGPD, offense typified in art. 83.4.a) of said rule and considered serious for the purposes of prescription in art. 73 section p) of the LOPDGDD. IX In the present case, the complained party, as the data controller personal now accused, has not proven to carry out its obligations or the due diligence to which it is obliged as indicated in art 28 and 24 of the RGPD in the continuous and permanent monitoring and control throughout the entire cycle of the treatment of the services commissioned with the entity in charge of the treatment (Vamavi), which has led to the violation of rights and freedoms of the claimant. X In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, provisions that state: "1. Each supervisory authority will guarantee that the imposition of fines administrative under this article for the infractions of this Regulations indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; h) the way in which the supervisory authority learned of the infringement, in in particular if the person in charge or the person in charge notified the infringement and, if so, in what measure; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 22/24 k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the infringement. For its part, in relation to article 83.2.k) RGPD, article 76 “Sanctions and measures corrective ”of the LOPDGDD provides: <1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 The following may also be taken into account: a) The continuing nature of the offense. b) The linking of the activity of the offender with the performance of treatment of personal information. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have induced the commission of the offense. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a data protection officer. h) The submission by the person in charge or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested party. 3. It will be possible, complementary or alternative, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679. 4. The information that identify the offender, the offense committed and the amount of the penalty imposed When the competent authority is the Spanish Data Protection Agency, the The penalty exceeds one million euros and the offender is a legal person. When the competent authority to impose the sanction is an authority autonomic data protection, it will be to its application regulations>. In accordance with the transcribed precepts, and derived from the instruction of the procedure for the purpose of setting the amount of the penalty for infringement of article 28 of RGPD to VDF as responsible for the aforementioned offense typified in article 83.4.a) of the RGPD, it is necessary to graduate the fine that corresponds to impose as follows: Infringement for breach of the provisions of article 28 in relation to the 24 of the RGPD, typified in article 83.4.a) and classified as serious for the purposes of prescription in article 73, sections p) of the LOPDGDD: The following graduation criteria are estimated as concurrent aggravating factors, according to Article 83.2 of the RGPD and 76 of the LOPDGDD: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 23/24 Art. 76.1.b) LOPDGDD. The high link between the offender's activity and the processing of personal data. It is known that VDF is a entity with more than fifteen million customers whose personal data is processed systematically in the exercise of its powers as one of the main telecommunications operators. Art. 83.1 and 83.2.k) and RGPD. The status of a large company of the responsible entity and your business volume (according to the corresponding audited annual accounts report to the period from March 2018 to March 2019, plus 1,600 million euros of business and with more than 4,000 employees). Art. 83.2.b) RGPD. The claimed entity does not have procedures in place adequate performance in the hiring and continuous, permanent and effective during the entire term of the contract with those in charge of the treatment of so that the infringement is not the consequence of a specific anomaly in the functioning of these procedures but a persistent and continuous defect of the personal data management system designed by the person in charge in terms of the treatments delegated to those in charge of them, which denotes a gross negligence. Art. 83.2.e) Any previous infraction: There are more than fifty in this AEPD disciplinary proceedings completed in the last two years. Considering the exposed factors, and taking into account the range of the sanction possible of up to 10 million euros, the assessment of the amount of the fine for the The infringement charged is € 100,000 (one hundred thousand euros), resulting in the present case adequate to be proportional, effective and dissuasive (art 83.1 RGPD). Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE VODAFONE ESPAÑA, S.A.U., with CIF A80907397, for a violation of Article 28 of the RGPD, typified in Article 83.4 of the RGPD, a fine 100,000 euros (one hundred thousand euros). SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U .. THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned and the number procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 24/24 Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es