AEPD (Spain) - PS-00507-2022
AEPD - PS-00507-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(1) GDPR Article 6(1) GDPR Article 57(1) GDPR Article 58 GDPR Article 83(2) GDPR Article 83(5) GDPR C-511/11 LOPDGDD 3/2018 LPACAP 39/2015 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.11.2022 |
Decided: | |
Published: | |
Fine: | 70,000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00507-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Marie |
The Spanish DPA fined a telecom company (the controller) €70,000 for issuing a duplicated SIM and provided it to a third party, without the data subjects's consent under Article 6 GDPR.
English Summary
Facts
On 27 August 2021 the Spanish telecommunication company DIGI SPAIN TELECOM, S.L. (controller) duplicated the SIM card of Mr. A.A.A. (data subject). It was provided to a third party through a sale. The duplicate was active on 28 August 2021 from 01:18 to 19:42. During this time the third party had access to the data subjects bank details and carried out various transactions. They also had access to social networks.
On 2 September 2021 the data subject filed a complaint with the responding Civil court.
On 15 November 2022 sanctioning proceedings were initiated, based on Article 63 and Article 64 LPACAP and an infringement of Article 6(1) GDPR typified in Article 83(5).
After the proceedings were initiated, the controller provided documents proving that they took measures upon seeing the irregular issuing of the duplicate. They also proved that they took security measures, as only the distributor and the data subject could duplicate the SIM card. The controller proved that the third party must have been in possession of personal data of the subject already (eg. Through a “phishing” attack). The controller also showed how they implemented measures to prevent any repetition of the incident. The distributor was sent on temporary one-week leave.
Holding
The AEDP found that there was no unlawful processing of data, as the processing was done by a third party. The issuance of a duplicated SIM is not enough to carry out banking operations.
However, the controller breached the principles of confidentiality and security and didn’t behave with the needed diligence. They didn’t carry out the identification check properly, giving access to a third party. The AEDP saw that the negligence and the obvious link between the controller’s business activity and the processing of data to a third party called for sanctioning.
Considering the culpability and responsibility of the controller, paired with their cooperation and adoption of measures the AEPD decided on a fine according to Article 58 GDPR Supporting this they, amongst others, used the Case Versalis Spa v Commission, C-511/11, as well as the Recital 40 of the GDPR as basis of their decision.
To conclude, the AEPD found an infringement of Article 6(1) GDPR typified in Article 83(5)(a) and classified it as a grave infringement (Article 72(1) LOPDGDD).
Due to these violations the AEPD issued a fine of €70,000 based on Article 83(2), GDPR and Article 76(2)(b) LOPDGDD.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/16 File No.: EXP202104009 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following: BACKGROUND FIRST: D. A.A.A. (hereinafter, the complaining party) dated September 2, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against DIGI SPAIN TELECOM, S.L. with NIF B84919760 (in hereinafter, the claimed party or DIGI). The grounds on which the claim is based are: following: The complaining party states that a duplicate of his SIM card was made, despite not having requested it. Likewise, he points out that the third party to whom he provided his card SIM, based on the information contained in your mobile phone, had access to your data banking, withdrawing sums of money from your account and carrying out various banking operations, with the consequent economic damage, in addition to trying access your social networks. Relevant documentation provided by the complaining party: - Complaints filed with the Civil Guard of La Zubia (Granada) exposing the facts. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on November 8, 2021 as It appears in the acknowledgment of receipt that is in the file. On December 3, 2021, this Agency received a response letter indicating that you have received the claim from the interested party regarding the non-connectivity of its numbering proceeded to provisionally suspend the service on the numbering of the claimant in order to minimize any possible risk. They point out that the duplicate was obtained through a point of sale while the day 08/28/21 from 1:18 a.m. to 7:42 p.m., when the party claimant recovers the numbering again. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/16 The data controller considered the facts as a case of irregular issuance of duplicate cards, also adopting measures against distributor. Likewise, they indicate that they have adopted a series of measures that detail in order to avoid situations like the one claimed in the future. THIRD: In accordance with article 65 of the LOPDGDD, when presented before the Spanish Data Protection Agency (hereinafter, AEPD) a claim, it must evaluate its admissibility for processing, and must notify the complaining party the decision on the admission or non-admission for processing, within the period of three months since the claim was submitted to this Agency. If, after this period, said notification does not occur, it will be understood that The processing of the claim continues in accordance with the provisions of Title VIII of the law. This provision also applies to the procedures that the AEPD had to be processed in the exercise of the powers attributed to it by other laws. In this case, taking into account the above and that the claim is presented to this Agency, on September 2, 2021, it is reported that your claim has been admitted for processing on December 2, 2021, having elapsed three months since it was entered into the AEPD. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: RESULT OF THE RESEARCH ACTIONS (…) The defendant reprimanded the distributor, punishing him with one week of temporary suspension of the activity, indicating that the objective of the sanction is to avoid future behaviors such as the one in the case. They provide a copy of the communication sent to distributor. Furthermore, they declare having visited the distributor, reiterating the obligation compliance with established procedures. (…) FIFTH: On November 15, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged violation of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/16 SIXTH: On November 28, 2022, DIGI requests a copy of the file and the extension of the legal period granted to respond to said request. SEVENTH: On December 15, 2022, it is received in this Agency, in time and form, writing from the representative of DIGI in which, in summary, it is alleged that reiterate in the allegations previously presented, firstly pointing out chronological manner in which the events occurred, indicating the security protocol and the measures adopted due to these events, stating that DIGI has not made provision to alleged criminals of personal information of the claimant other than of what those already had previously, after having obtained them through the email. Consequently, it is not possible to associate DIGI with the performance of non-medical treatment. legitimized personal data, given that its action is reduced to compliance with their processes and obligations. That is, during the process of requesting and delivering the duplicate, a processing of personal data provided to DIGI in order for it to verify the identity of the interlocutor, first by telephone and later in person. Besides. DIGI states that it is proven that identity theft and Access to the claimant's data illegitimately occurs prior to have contact with DIGI, the alleged impersonator had the data in his possession personal details of the claimant, including his bank account (which allowed him, as well yourself, access it). On the other hand, it points out that the AEPD unequivocally imposes on DIGI a objective liability, in which, regardless of the diligence and measures deployed, the entity's guilt is declared. The AEPD seems to confuse the concept of proactive responsibility with the obligation of results imposed by the objective liability. In the present case, the existence of a strict control, prior and after the request for the duplicate, the establishment of prior and a posteriori measures, as well as the existence of measures aimed at avoid these practices beforehand. That is why the claimed party considers that this Initiation Agreement is not adjusted to law, since it imposes on DIGI an obligation of result, based only in the harmful result that occurs due to the fraudulent activity of a third, without taking into account the diligence used and without considering the deployment of measures technically adequate and implemented. Furthermore, it points out that the following mitigating circumstances exist in the present: that have not been considered in the appropriate grading of the sanction: The absence of previous infringements committed by DIGI (art. 83.2 e) RGPD). At no time have special categories of data been processed (Art. 83.2 g) GDPR) The degree of cooperation of DIGI with the AEPD in order to remedy a alleged infringement and mitigate its possible adverse effects (art. 83.2 f) GDPR). The non-existent benefit obtained (Art. 83.2 k). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/16 Requests that a resolution be issued by means of which the file of the procedure. Subsidiarily warning and, ultimately, moderating or modulating the proposal included in the Startup Agreement. EIGHTH: On January 10, 2023, the instructor of the procedure agreed perform the following tests: 1. The claim filed by D. A.A.A. and its documentation, the documents obtained and generated during the phase of admission for processing of the claim, and the report of prior investigative actions that are part of the procedure. 2. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement to initiate the referenced sanctioning procedure, presented by DIGI SPAIN TELECOM, S.L., and the documentation that accompanies them. NINTH: On February 2, 2023, a proposed resolution was formulated, proposing that the Director of the Spanish Data Protection Agency sanction DIGI SPAIN TELECOM, S.L., with NIF B84919760, for a violation of the Article 6.1 of the RGPD, typified in Article 83.5 a) of the RGPD, the sanction that would be a fine of 70,000 euros (seventy thousand euros). TENTH: Once the proposed resolution was notified, the claimed party requested an extension of the period to formulate allegations that was granted to him, he presented a written allegations on February 27, 2023 in which, in summary, it is alleged that it is reiterated in the allegations previously presented, and that in the report issued by the Agency of Cybersecurity of the European Union ratifies that, to make a duplicate SIM fraud, the fraudster needs to have access to some of the data personal belongings of the victim, client of the operator. That is, cybercriminals, They have personal information about their victims prior to going before the court. Mobile Network Operator. He points out that this is what happened in the present case, the victim lost control on your personal data in favor of the impersonator prior to him Contact DIGI. That is, it is through the “phishing” attack where the victim you lose control over your personal data, and it is this fact that triggers and enables the commission of fraud. Likewise, it states that it must be taken into account that DIGI does not participate in the process identification of a user before his bank, but it is the bank that determines the way where you want to carry out this check, so it is not possible to transfer the responsibility before telephone operators. Likewise, they indicate that this is why the complained party considers that the Proposal It is not in accordance with the law, since it imposes on DIGI an obligation of result, consisting of the establishment of infallible measures, when imputing a violation of the Article 6.1 of the GDPR based solely on the harmful result that occurs due to the fraudulent intervention of a third party, without taking into account the diligence used and without consider the deployment of technically appropriate and implemented measures. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/16 DIGI cannot foresee or know what the applicable duty of care is. Regarding the lack of proportionality of the proposed sanction and that prior to the procedures appropriate resolution is issued by means of which the procedure is archived No. EXP202104009. Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST.- The claimant filed a claim with this Agency on the 2nd of September 2021, which states that the claimed party provided on the 27th August of the same year to a third party a duplicate of your SIM card, with the consequence that he had access to his personal data, extracting sums of money of your account and carrying out various banking operations. SECOND.- DIGI certifies that the duplicate occurred on August 27, 2021 at 01:18 a.m. at a Point of Sale, and that DIGI has dealt with the case internally as an irregular issuance of a duplicate SIM. Duplication could only be done by the owner of the line and only in person at a distributor. The customer must show the original identity document, photocopies not being valid, and the dealer check the line number and identity document details that They must match those that the client has in the systems of the claimed party. THIRD. - It is clear that DIGI reprimanded the distributor, sanctioning him with a week of temporary suspension of activity. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/16 II Unfulfilled Obligation The claimed party is charged with committing an infraction due to violation of the Article 6 of the GDPR, “Legality of processing”, which states in section 1 the Cases in which the processing of third-party data is considered lawful: "1. Treatment will only be legal if at least one of the following is met conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect vital interests of the interested party or another Physical person; e) the processing is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that regarding said interests do not prevail over the interests or fundamental rights and freedoms of the interested party requiring the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph will not be application to the processing carried out by public authorities in the exercise of their functions.” III Classification and classification of the offense The infringement is classified in article 83.5 of the RGPD, which considers as such: "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: a) The basic principles for treatment, including the conditions for treatment consent in accordance with articles 5,6,7 and 9.” The LOPDGD, for the purposes of the prescription of the infringement, qualifies in its article 72.1 of very serious infringement, in this case the limitation period being three years, “b) The processing of personal data without any of the conditions of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/16 legality of the treatment established in article 6 of Regulation (EU) 2016/679”. In response to the allegations presented by the claimed entity, it should be noted the next: Regarding the fact that DIGI has not made available to the alleged criminals personal information of the complaining party other than that already held by those with anteriority. Consequently, there has been no non-legitimate treatment of personal information. Indeed, the issuance of a duplicate is not sufficient to carry out operations bank accounts on behalf of the holders, certainly, to complete the scam, it is necessary for a third party to “impersonate” the identity of the data owner before the entity financial. Which entails, a priori, a treatment outside the principle of legality, since a third party is processing data, since it has access to them, without any legal basis, in addition of the violation of other principles such as confidentiality. For this reason, this is a process where the diligence provided by the operators is essential to avoid this type of scams and violations of the RGPD. Diligence that translates into the establishment of appropriate measures to guarantee that the data processing complies with the RGPD. The actions of the banking entities that provide payment services, in which area this type of scam begins, since The third party has access to the credentials of the affected user and impersonates this. While these entities are responsible for the processing of the data of their clients, they have the same obligations as those indicated until now for the operators referring to compliance with the RGPD and the LOPDGDD, and also the derived from Royal Decree-Law 19/2018, of November 23, on payment services and other urgent measures in financial matters. It can be assumed that DIGI has provided a duplicate SIM card to a third party other than the legitimate owner of the mobile line, after the third party exceeds the policy of existing security, which shows a breach of the duty to protect the customer information. Denying the concurrence of negligent action on the part of DIGI would be equivalent to recognize that their conduct - by action or omission - has been diligent. Obviously not We share this perspective of the facts, since the lack of due diligence. The SAN of October 17, 2007 is very illustrative. (rec. 63/2006), assuming that these are entities whose activity involves in continuous processing of customer data, indicates that “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of data of a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/16 personnel must insist on rigor and exquisite care in conforming to the legal precautions in this regard. It is proven in the file that security has not been guaranteed appropriate in the processing of personal data, taking into account the result that identity theft has occurred. That is, a third party has managed to access to the personal data of the line owner. Regarding the fact that the criminals have not managed to obtain personal data from DIGI, so we cannot speak of non-compliance with protective measures, point out that access to a duplicate SIM card that makes your owner, responds to the definition of personal data in article 4.1) of the RGPD. Regarding the responsibility of DIGI, it should be indicated that, in general, DIGI processes the data of its clients under the provisions of article 6.1 b) of the RGPD, because it is considered a necessary treatment for the execution of a contract in which the interested party is a party or for the application at his request of measures pre-contractual. In other cases, it bases the legality of the treatment on the bases provided for in article 6.1.a), c), e) and f) of the RGPD. On the other hand, to complete the scam, it is necessary for a third party to “impersonate the identity” of the data owner, to receive the duplicate SIM card. Which entails, a priori, a treatment outside the principle of legality since a third party is processing data, since it has access to them, without any legal basis, in addition to the violation of other principles such as confidentiality. Certainly, the principle of responsibility provided for in article 28 of the LRJSP, provides that: “They may only be sanctioned for acts that constitute an infraction administrative authority of natural and legal persons, as well as, when a Law recognize the capacity to act, the affected groups, the unions and entities without legal personality and independent or autonomous assets, which are responsible for them by way of fraud or guilt.” However, the method of attributing responsibility to legal entities is not corresponds to the intentional or reckless forms of guilt that are attributable to human behavior. So, in the case of violations committed by legal persons, although the element of guilt must be present, it is necessarily applies in a different way than it does with respect to people physical. According to STC 246/1991 "(...) this different construction of the imputability of the self- The infringement of the legal entity arises from the very nature of legal fiction. to which these subjects respond. The volitional element in the strict sense is missing in them. to, but not the ability to violate the rules to which they are subject. Capacity for infringement and, therefore, direct blameworthiness that derives from the good legal protected by the norm that is violated and the need for said protection is really effective and for the risk that, consequently, the person must assume legal entity that is subject to compliance with said norm" (in this sense STS of 24 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/16 of November 2011, Rec 258/2009). To the above it must be added, following the ruling of January 23, 1998, partially transcribed in the SSTS of October 9, 2009, Rec 5285/2005, and 23 of October 2010, Rec 1067/2006, that "although the guilt of the conduct must also be the subject of evidence, must be considered in order to assume the corresponding charge, which ordinarily the volitional and cognitive elements necessary to appreciate it are part of the proven typical behavior, and that its exclusion requires that the absence of such elements be proven, or in its regulations, that the diligence that was required by whoever claims his nonexistence; is not enough, in short, to exculpate behavior "the invocation of the absence of fault is typically unlawful". Therefore, the lack of guilt is rejected. The ultimate responsibility on the treatment continues to be attributed to the person responsible, who is the one who determines the existence of the treatment and its purpose. Let us remember that, in general, the operators process their clients' data under the provisions of article 6.1 b) of the RGPD, as it is considered a necessary treatment for the execution of a contract to which the interested party is a party (…). In this sense, DIGI has a network of sales representatives, points of sale and approved distributors through a distribution contract to offer DIGI services. Among these services offered from their points of sale, is the creation of duplicate SIM cards corresponding to a mobile telephone line. Regarding non-compliance with the principle of proportionality, the GDPR provides expressly the possibility of graduation, through the provision of fines susceptible to modulation, taking into account a series of circumstances of each case individual. Regarding the imposition of a warning, reprimand, or the adoption of corrective measures pursuant to article 58 of the GDPR, a deterrent fine is one that has a genuine deterrent effect. In this regard, the Judgment of the CJEU, June 13, 2013, Versalis Spa/Commission, C-511/11, ECLI:EU:C:2013:386, says: “94.With regard, first of all, to the reference to the Showa Denko v Commission judgment, mentioned above, it must be noted that Versalis interprets it incorrectly. Indeed, the Court of Justice, when pointing out in paragraph 23 of said judgment that the factor deterrent is assessed taking into consideration a multitude of elements and not only the particular situation of the company in question, referred to points 53 to 55 of the conclusions presented in that case by Advocate General Geelhoed, who had pointed out, in essence, that the multiplier coefficient of a deterrent nature may have as its objective not only "general deterrence", defined as an action to discourage all companies, in general, from committing the violation of in question, but also a "specific deterrence", consisting of deterring the specific defendant so that he does not violate the rules again in the future. For the Therefore, the Court of Justice only confirmed, in that ruling, that the Commission did not was required to limit its assessment to factors related only to the particular situation of the company in question.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/16 “102. According to reiterated jurisprudence, the objective of the deterrent multiplier factor and consideration, in this context, of the size and overall resources of the company in question lies in the desired impact on the aforementioned company, since the sanction should not be insignificant, especially in relation to the capacity financial situation of the company (in this sense, see, in particular, the ruling of 17 Case C-413/08 P Lafarge v Commission [2010] ECR p. I-5361, section 104, and the order of 7 February 2012, Total and Elf Aquitaine v Commission, C-421/11 P, paragraph 82).” We must attend to the unique circumstances of the claim presented, through from which it can be verified that, from the moment in which the person impersonator performs the SIM replacement, the victim's phone is left without service passing control of the line to the impersonators. Consequently, their powers of disposal and control over their personal data are affected, which constitute part of the content of the fundamental right to data protection as stated by the Constitutional Court in Sentence 292/2000, of 30 November 2000 (FJ 7). So, when you get a duplicate SIM card, Under certain circumstances, access to contacts or applications and services that have the key recovery procedure sending an SMS with a code to modify passwords. Definitely, may impersonate those affected, being able to access and control, for example: email accounts; bank accounts; applications like WhatsApp; social networks, such as Facebook or Twitter, and much more. In short accounts, once the access code is modified by the impersonators, they lose control of your accounts, applications and services, which poses a great threat. In short, it is the data controller who has the obligation to integrate the necessary guarantees in the treatment, with the purpose of, by virtue of the principle of proactive responsibility, comply and be able to demonstrate compliance, while while respecting the fundamental right to data protection. In the present case, it is proven that on August 27, 2021 DIGI processed the issuance of a duplicate SIM card for the ***TELÉFONO.1 line, belonging to the complaining party, and that according to DIGI the alleged impersonator exceeded the established protocols. Now, it should be noted that Sim Swapping is a fraud that allows impersonation identity by hijacking the phone number by obtaining a duplicate of the SIM card. Well, the result was that the defendant issued the SIM card to a third party who did not He was the owner of the line. In fact, in the establishment where the duplicate SIM card was issued, it must have the original of the identification document has been verified, thus, If this operation had been carried out correctly, the duplicate should have been denied. In the explanation provided by the claimed party, it is not pointed out which could have been the specific cause that led to the issuance of the duplicate, beyond some generic explanations that the alleged impersonator had in his possession the personal data of the claimant, including his bank account (which allowed him, as well yourself, access it). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/16 On the other hand, the party claimed in response to this Agency on December 3 of 2021, states that he reprimanded the distributor, sanctioning him with a week of temporary suspension of the activity, indicating that the objective of the sanction is to avoid future behaviors such as the one in the case. Based on the above, in the case analyzed, the diligence used by the defendant to identify the person who requested a duplicate SIM card. In accordance with the evidence available, it is estimated that the conduct of the claimed party violates article 6.1 of the RGPD, being constitutive of the infringement classified in article 83.5.a) of the aforementioned Regulation 2016/679. In this sense, Recital 40 of the GDPR states: “(40) For the processing to be lawful, personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance a Law, whether in this Regulation or under other Union law or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the person responsible for the treatment or the need to execute a contract to which the interested party is a party or for the purpose of take measures at the request of the interested party prior to the conclusion of a contract." IV Fine sanction. Determination of the amount. The determination of the sanction that should be imposed in the present case requires observe the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively, they provide the following: "1. Each supervisory authority will ensure that the imposition of fines administrative sanctions under this article for violations of this Regulations indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.” "2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to pa- bundle the damages and losses suffered by the interested parties; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/16 d) the degree of responsibility of the person responsible or in charge of the treatment, given gives an account of the technical or organizational measures that have been applied under the articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or certification mechanisms fication approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirect. mind, through infringement.” Within this section, the LOPDGDD contemplates in its article 76, entitled “Sancio- tions and corrective measures”: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of medical treatments. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/16 g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which disputes exist between them and any interested party. 3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679.” Digi requests that the following extenuating circumstances be appreciated: (I) “the absence of previous infringements” (art. 83.2 e) RGPD). (II) “At no time have special categories of data been processed” (art. 83.2 g). (III) “cooperation with the control authority in having responded to the transfer of the claim and having provided the requested information”, article 83.2 f) of the RGPD. (IV) “The lack of benefits obtained through the infringement”, article 83.2 k) of the RGPD and 76.2 c) of the LOPDGDD. None of the mitigating circumstances invoked are admitted. Regarding (I) and (II), it should be noted that such circumstances can only operate as aggravating factors and in no case as mitigating factors. The statement made by the National Court in its SAN of May 5, 2021 (Rec. 1437/2020) on section e) of article 83.2. of the GDPR, the commission Previous violations: "Considers, on the other hand, that the non-commission of of a previous violation. Well, article 83.2 of the GDPR establishes that must be taken into account for the imposition of the administrative fine, among others, the circumstance "e) any previous infraction committed by the person responsible or the person in charge of treatment". This is an aggravating circumstance, the fact The fact that the budget for its application does not exist means that it cannot be taken into consideration, but it does not imply or allow, as the plaintiff claims, its application as a mitigating factor”; (III) Article 83.2.f) of the GDPR refers to the “degree of cooperation with the authority of control in order to remedy the violation and mitigate the possible effects adverse of the infringement;”. The response of the defendant to the information request of the Inspection Subdirectorate did not fulfill these purposes, so it is not fit into that mitigating circumstance. (IV) On the application of article 76.2.c) of the LOPDGDD, in connection with the article 83.2.k), lack of benefits obtained, it should be noted that such circumstance can only operate as an aggravating circumstance and in no case as a mitigating circumstance. Article 83.2.k) of the GDPR refers to “any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.” and the article C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/16 76.2c) of the LOPDGDD says that “2. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 may also be taken into account: [..] c) The benefits obtained as a consequence of the commission of the infraction.” Both provisions mentioned as a factor that can be taken into account in the graduation of the sanction the “benefits” obtained, but not the “absence” of these, which is what DIGI alleges. Furthermore, in accordance with article 83.1 of the RGPD, the imposition of fine sanctions is governed by the following principles: they must be individualized for each particular case, be effective, proportionate and dissuasive. The admission that it operates as a mitigating factor, the absence of benefits is contrary to the spirit of article 83.1 of the GDPR and the principles governing the determination of the amount of the fine sanction. If, as a result of the commission of a violation of the RGPD, it is classified as mitigating factor that there have been no benefits, the deterrent purpose that It is fulfilled through sanction. Accept DIGI's thesis in a case like the one we are dealing with would mean introducing an artificial reduction in the sanction that truly it is necessary to impose itself; which results from considering the circumstances of article 83.2 RGPD that must be valued. The Administrative Litigation Chamber of the National Court has warned that, the fact that in a specific case not all the elements that integrate a circumstance modifying responsibility that, by its nature, has an aggravating nature, it cannot lead to the conclusion that such circumstance is applicable as a mitigating factor. The pronouncement made by the National Court in its SAN of May 5, 2021 (Rec. 1437/2020) - even though that resolution is seen on the circumstance of section e) of article 83.2. of the GDPR, the commission previous infractions - can be extrapolated to the question raised, the claim of the demand that the “absence” of benefits be accepted as a mitigating factor, being thus that both the RGPD and the LOPDGDD refer only to “the benefits obtained”: "Considers, on the other hand, that the non-commission of of a previous violation. Well, article 83.2 of the GDPR establishes that must be taken into account for the imposition of the administrative fine, among others, the circumstance "e) any previous infraction committed by the person responsible or the person in charge of treatment". This is an aggravating circumstance, the fact The fact that the budget for its application does not exist means that it cannot be taken into consideration, but it does not imply or allow, as the plaintiff claims, its application as a mitigating factor”; In accordance with the transcribed precepts, the amount of the fine to be imposed on the entity claimed as responsible for an infraction classified in article 83.5.a) of the RGPD and 72.1 b) of the LOPDGDD, the following factors: As aggravating factors: - The evident link between the business activity of the defendant and the processing of personal data of clients or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b, of the LOPDGDD). The Judgment of the National Court of 10/17/2007 (rec. 63/2006), in which, with respect to entities whose activity involves continuous processing of client data, indicates that “…the Supreme Court has been understanding that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/16 Imprudence exists whenever a legal duty of care is neglected, that is That is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity is constant and abundant handling of personal data must insist on rigor and exquisite “Be careful to comply with the legal provisions in this regard.” As mitigating factors: The claimed party proceeded to resolve the incident that was the subject of the claim in a manner effective (art. 83.2 c). The balance of the circumstances contemplated in article 83.2 of the RGPD, with regarding the infraction committed by violating the provisions of article 6.1 of the GDPR allows a fine of 70,000 euros (seventy thousand euros) to be set. Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE DIGI SPAIN TELECOM, S.L., with NIF B84919760, for a violation of Article 6.1 of the GDPR, typified by Article 83.5 of the GDPR, a fine of 70,000 euros (seventy thousand euros). SECOND: NOTIFY this resolution to DIGI SPAIN TELECOM, S.L. THIRD: Warn the sanctioned person that he must make the sanction imposed effective once this resolution is executive, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering it, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00 0000 0000 0000 0000 0000, open in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected during the executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/16 Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative procedure within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es