AEPD (Spain) - EXP202104006
| AEPD - EXP202104006 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 4(12) GDPR, Article 5(1)(f) GDPR, Article 32 GDPR, Article 33 GDPR, Article 34 GDPR, Article 83(4) GDPR, Article 83(5) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 21.08.2021 |
| Decided: | 13.09.2023 |
| Published: | 13.09.2023 |
| Fine: | 56,000 EUR |
| Parties: | VODAFONE ESPAÑA, S.A.U. |
| National Case Number/Name: | EXP202104006 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | mgrd |
VODAFONE was fined €56,000 for disclosing another customer's confidential data while handling a different customer's right of access request.
English Summary
Facts
On 21 August 2021 the data subject filed a complaint against Vodafone España, S.A.U., the controller, for violating their right of access.
The data subject asked VODAFONE for a copy of their commercial telephone contract, since the company was allegedly not applying the contracted tariff. After several unsuccessful attempts to obtain their own contract, the data subject received an email from the controller containing the contract of another customer, together with an audio recording containing that customer's personal data.
Holding
The DPA ('AEPD') highlighted the breach of confidentiality and security committed by VODAFONE in sharing another individual's commercial contract with the data subject, in violation of Article 5(1)(f) GDPR. According to the evidence presented, the data subject obtained access to the name, ID number and telephone number of an unknown person, who had not authorised the disclosure of their data to third parties.
The AEPD therefore also found a violation of Article 32 GDPR, as VODAFONE had not implemented appropriate technical and organisational measures to prevent such an incident.
The AEPD fined VODAFONE €50,000 for the violation of Article 5(1)(f) GDPR and €20,000 for the violation of Article 32 GDPR. However, the AEPD also gave VODAFONE the possibility of acknowledging liability, which would have led to a greater reduction of the final amount, to €42,000.
VODAFONE opted for voluntary payment and paid a fine of €56,000. This payment used the reduction for early payment offered in the initiation agreement and entailed the waiver of any administrative appeal against the sanction.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202104006

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On August 10, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against VODAFONE ESPAÑA, S.A.U. (hereinafter, the claimed party), through the Agreement transcribed below:

<< File No.: EXP202104006

AGREEMENT TO INITIATE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on August 21, 2021. The claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, VODAFONE). The reasons on which the claim is based are the following:

The complaining party states that they requested a copy of their telephone contract from VODAFONE because it is not applying the contracted rate; that they requested it on several occasions without it being provided (infringement of their right of access to their personal data); and that they finally received an email with another client's telephone contract, violating the secrecy of that client's personal data.

Along with the notification, an audio file in mp3 format is provided, in which a recording can be heard in which two people take part, one on behalf of VODAFONE and another who identifies themself as B.B.B. with DNI ***NIF.1, holder of the telephone line ***PHONE.1. The recording is dated 07/28/2020. There is no record of the date on which the complaining party had access to said recording, since they have not sent the email in which they state they received it.

Likewise, the complaining party does not provide a document proving that they requested their own contract from VODAFONE.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to VODAFONE, so that it would proceed to analyse it and inform this Agency, within a period of one month, of the actions carried out to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 11/08/2021 as stated in the acknowledgment of receipt that appears in the file. No response has been received to this transfer letter.

THIRD: On November 21, 2021, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.

LEGAL GROUNDS

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Preliminary issues

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is processing of personal data, since VODAFONE carries out, among other processing operations, the collection, registration, consultation, etc.
of the following personal data of natural persons, such as: name, identification number, telephone number, etc.

VODAFONE carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR.

Article 4 section 12 of the GDPR broadly defines "personal data security breach" (hereinafter security breach) as "all those security violations that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or the unauthorized communication of or access to said data."

In the present case, there is a personal data security breach in the circumstances indicated above, categorized as a breach of confidentiality, since a recording containing the personal data of another person has been sent to the complaining party, thus allowing its knowledge by someone who is not legitimized for it.

It should be noted that the identification of a security breach does not directly imply the imposition of a sanction by this Agency, since it is necessary to analyse the diligence of the controllers and processors and the security measures applied.

Within the processing principles provided for in article 5 of the RGPD, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. For its part, the security of personal data is regulated in articles 32, 33 and 34 of the RGPD, which govern the security of processing, the notification of a personal data breach to the supervisory authority, and the communication to the data subject, respectively.

III Article 5.1.f) of the GDPR

Article 5.1.f) "Principles relating to processing" of the GDPR establishes: "1.
The personal data will be: (…) f) processed in such a way as to ensure adequate security of the personal data, including protection against unauthorized or unlawful processing and against its accidental loss, destruction or damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality")."

In the present case, it is clear that the personal data of a VODAFONE customer, recorded in its database, were improperly exposed to the complaining party who, according to their own statement, received them by email, having therefore had access to the name, ID and telephone number of an unknown person, without, of course, the authorization of said person to expose their data to a third party, and with no legitimizing cause for it.

In accordance with the evidence available at this agreement of initiation of the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute an infringement, attributable to VODAFONE, for violation of article 5.1.f) of the RGPD.
IV Classification of the violation of article 5.1.f) of the RGPD

If confirmed, the aforementioned violation of article 5.1.f) of the RGPD could mean the commission of the infringements classified in article 83.5 of the RGPD, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the larger amount: a) the basic principles for processing, including the conditions for consent under articles 5, 6, 7 and 9; (…)"

In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that the following constitute infringements: "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law."

For the purposes of the limitation period, article 72 "Infringements considered very serious" of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679.
(…)"

V Penalty for violation of article 5.1.f) of the RGPD

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available at this agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, the infringement in question is considered to be serious for the purposes of the RGPD, and it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD:

As mitigating factors:

- The number of data subjects affected and the level of damages suffered (section a). This file deals with data from a single person, and there is no evidence that such action has caused harm.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD:

As aggravating factors:

- The linking of the offender's activity with the performance of personal data processing (section b). The activity of VODAFONE, provider of telephone and Internet services, and the high number of clients it has, entails the handling of a large number of personal data. This implies that it has sufficient experience and should have adequate knowledge for the processing of said data.

The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 5.1.f) of the RGPD, allows initially setting a sanction of €50,000 (fifty thousand euros).

VI Article 32 of the GDPR

Article 32 "Security of processing" of the GDPR establishes: "1.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, where applicable, includes, among others:

a) pseudonymization and encryption of personal data;
b) the ability to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore availability and access to personal data quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.

2. When evaluating the adequacy of the security level, particular account will be taken of the risks presented by data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to said data.

3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to Article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of this article.

4. The controller and the processor will take measures to ensure that any person acting under the authority of the controller or the processor who has access to personal data can only process said data following instructions from the controller, unless obliged to do so by virtue of Union or Member State law."
In the present case, at the time of the breach, VODAFONE did not have appropriate technical and organizational measures in place to avoid the incident, since, according to the complaining party, they were sent by email a recording that corresponds to another client and contains the personal data of said client.

In accordance with the evidence available at this agreement of initiation of the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute an infringement, attributable to VODAFONE, for violation of article 32 of the RGPD.

VII Classification of the violation of article 32 of the RGPD

If confirmed, the aforementioned violation of article 32 of the RGPD could mean the commission of the infringements classified in article 83.4 of the RGPD, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total global annual turnover of the previous financial year, opting for the larger amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)"

In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that the following constitute infringements: "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law."

For the purposes of the limitation period, article 73 "Infringements considered serious" of the LOPDGDD indicates: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years, and in particular the following: (…)

f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security adequate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679."

VIII Penalty for violation of article 32 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available at this agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, the infringement in question is considered to be serious for the purposes of the RGPD, and the sanction to be imposed should be graduated in accordance with the following criteria established by article 83.2 of the RGPD:

As mitigating factors:

- The number of data subjects affected and the level of damages suffered (section a). This file deals with data from a single person, and there is no evidence that such action has caused harm.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD:

As aggravating factors:

- The linking of the offender's activity with the performance of personal data processing (section b). The activity of VODAFONE, provider of telephone and Internet services, and the high number of clients it has, entails the handling of a large number of personal data. This implies that it has sufficient experience and should have adequate knowledge for the processing of such data.

The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 32 of the RGPD, allows initially setting a sanction of €20,000 (twenty thousand euros).
IX Imposition of measures

Among the corrective powers provided in article 58 "Powers" of the GDPR, section 2.d) establishes that each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…."

The Spanish Data Protection Agency, in the resolution that puts an end to this procedure, may order the adoption of measures, as established in article 58.2.d) of the RGPD and in accordance with what is derived from the investigation of the procedure, if necessary, in addition to sanctioning with a fine.

Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency AGREES:

FIRST: TO INITIATE SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD.

TO INITIATE SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of Article 32 of the RGPD, typified in Article 83.4 of the GDPR.

SECOND: TO APPOINT C.C.C. as instructor and D.D.D. as secretary, indicating that either of them may be challenged, if applicable, in accordance with articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art.
64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be:

- For the alleged violation of article 5.1.f) of the RGPD, typified in article 83.5 of said rule, an administrative fine of 50,000.00 euros
- For the alleged violation of article 32 of the RGPD, typified in article 83.4 of said rule, an administrative fine of 20,000.00 euros

FIFTH: TO NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting it a hearing period of ten business days to formulate the allegations and present the evidence it considers appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the heading of this document.

If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a proposal for a resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, it may recognize its responsibility within the period granted for the formulation of allegations to the present initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be established at 56,000.00 euros, resolving the procedure with the imposition of this sanction.

Likewise, it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in its amount. With the application of this reduction, the penalty would be established at 56,000.00 euros and its payment will imply the termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with that which corresponds to the recognition of responsibility, provided that this recognition of responsibility becomes evident within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the penalty would be established at 42,000.00 euros.

In any case, the effectiveness of either of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any pending administrative action or appeal against the sanction.

In the event that it chooses to proceed with the voluntary payment of any of the amounts indicated above (56,000.00 euros or 42,000.00 euros), it must make it effective by depositing it into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the payment reference the number of the procedure that appears in the heading of this document and the cause of the reduction of the amount it accepts. Likewise, it must send proof of payment to the General Subdirectorate of Inspection to continue the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months counting from the date of the initiation agreement or, where applicable, of the draft initiation agreement. After this period, it will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.
935-110422
Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On September 7, 2022, the claimed party proceeded to pay the penalty in the amount of 56,000 euros, using one of the two reductions provided for in the Initiation Agreement transcribed above. Therefore, recognition of responsibility has not been accredited.

THIRD: The payment made entails the waiver of any pending administrative action or appeal against the sanction, in relation to the facts referred to in the Initiation Agreement.

LEGAL GROUNDS

I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender recognizes their responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2.
When the sanction is solely pecuniary in nature, or when a pecuniary sanction and another of a non-pecuniary nature can be imposed but the inappropriateness of the second has been justified, the voluntary payment by the alleged responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202104006, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art.
114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

937-240122
Mar España Martí
Director of the Spanish Data Protection Agency