AEPD (Spain) - PS/00333/2019

From GDPRhub
Revision as of 11:41, 13 July 2020 by Silvialoar (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00333/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5 GDPR
Article 58(2) GDPR
Article 83(5)(a) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: None
Parties: AAA
TECSIBLE, S.L.
National Case Number/Name: PS/00333/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: n/a

Spanish DPA holds that the entity is not responsible for the facts reported, since the telephone number from which the infringement occurred was transferred in January 2018 to another company

English Summary

Facts

Personal messages were sent by a telephone agent of a TELECOM company to a customer whose telephone number he had access to because he had previously called her to offer her the company's services

Dispute

Does sending messages by a telephone agent to a customer's telephone number to which he has access because he had made a commercial call infringe Article 5 of the GDPR?

Holding

The DPA held that the entity who was the object of the complaint was not responsible because it had transferred the agent's number to another entity before the events took place

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure instructed by the Spanish Data Protection Agency and
on the basis of the following
BACKGROUND
FIRST: Mrs. A.A.A. (hereinafter, the complainant) on 29/05/2019 filed
claim before the Spanish Data Protection Agency. The claim is
directed against TECSIBLE, S.L. with NIF B97907992 (from now on, the claimed). The
The grounds for the complaint are, in summary: That on Thursday 10/01/2019, even
with one of VODAFONE's employees on the Robinson list, from
name B.B.B., contacts the complainant on her personal phone to
offer you a change of company and after informing you that you are not interested
end the conversation. On Monday 01/14/2019 you receive a message via WhatsApp
of that person with the following text:
"Helloaa beautiful.
I'm B.B.B. from Vodafone.
I was really proud to contact you, I love your voice, your sympathy, and your
kindness..
I'd really like to be your friend.
At no time did the complainant give this person cause to contact
with her, so I request that VODAFONE investigate and expedite this
worker for violating his privacy.
 And attach the following documentation:
- Copy of the DNI.
On 21/01/2019 the same complaint was filed with this agency, but it
provide more data:
- With regard to the telephone call, the calling number is ***PHONE.1
- Regarding the Whatsapp message, the source number of the message is
***PHONE.2
And attach the following documentation:
- Screenshots of the conversation via Whatsapp.
- Copy of police report.
SECOND: In view of the facts reported and the documents provided by
the claimant of which this Agency has become aware, the Sub-Directorate
The General Data Inspectorate proceeded to carry out actions for the
clarification of the facts in question.
On 13/02/2019, the complaint was transferred to VODAFONE in the
reference actions, no response being received.
On 29/05/2019, VODAFONE sent the reply to the transfer to this Agency
of the complaint:
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
2/6
1. A copy of the letter sent to the complainant apologizing and
informing you of the steps taken by VODAFONE. In this
letter, the following demonstrations are held, among others:
a. That these practices are totally forbidden at VODAFONE and
also apply to your service providers.
b. That, upon receipt of the complaint, an internal investigation was opened and
they contacted their supplier. The supplier indicated that there is no record
on your dialers no outgoing calls from the number indicated
in the claim and from which you received the message through
WhatsApp. In this sense, they understand that this contact was made at
personal title by the agent.
c. That, since this practice is not admissible, they have put him in
knowledge of your provider so that, as an employer of
said agent, take appropriate action.
d. That they have asked their provider to remind all their
employees that it is strictly forbidden to contact
The campaigns are addressed to individuals.
e. Who have included the mobile number of the complainant in their list
Robinson in order to ensure that it is not included in future campaigns
commercials managed by VODAFONE.
2. States that they have verified that the reported contact has been made by
an agent of a company contracted by VODAFONE to provide
recruitment services (ATTENTION), on a personal basis and using their number
personal.
3. States that the number through which the agent contacted in a personal capacity
the complainant does not belong to VODAFONE, i.e. it is not listed in the
numbers assigned to the ATENTO platform for the provision of services
of recruitment.
4. He states that, after contacting ATENTO, they have verified that the
number ***TELÉFONO.3 was included in a database that was provided
to ATENTO to make pickup calls but which, according to ATENTO, do not
there are neither outgoing nor incoming calls associated with that number. In other words,
that this number was never called as a result of the
of the service by ATENTO.
On 29/05/2019, VODAFONE sent the following information to this Agency
in response to the request for information dated 10/05/2019:
1. States that its systems do not have any clients associated with the
number ***PHONE.3
Provides screenshots of searches made by that number.
1. States that they do not have documentation proving consent
of the complainant to be contacted for commercial reasons because the
number ***TELÉFONO.3 has been randomly generated so that
VODAFONE does not have it associated with any particular person.
2. States that the numbers ***TELÉFONO.1 and ***TELÉFONO.2 do not belong
to VODAFONE.
On 04/06/2019, ADIGITAL sent this Agency the following information:
1. States that the telephone number ***TELÉFONO.3 is registered under
the Robinson List in the name of the complainant through the call channel
since 09/10/2018.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
3/6
Provide a certificate.
On 07/06/2019 ORANGE sends this Agency the following information:
1. It confirms the existence of a call from the originating number
***PHONE.1 to destination number ***PHONE.3 on 10/01/2019 to
18:37h.
On 07/06/2019, LEAST COST ROUTING TELECOM, S.L. refers to this
Agency the following information:
1. States that the end-user corresponding to the number ***TELEPHONE.1 is
TECSIBLE whose data have been included in the section of entities
investigated.
Provide a copy of the invoice dated 30/04/2019.
On 03/07/2019, a request for information is sent to TECSIBLE, not
having received a reply.
On 10/09/2019, it is verified in ***URL.1 that the telephone prefix
***PREFIJO.1 corresponds to ***PAIS.1
THIRD: On 20/12/2019, the Director of the Agency agreed
to initiate sanctioning proceedings against TECSIBLE, for the alleged infringement of article
5.1(b), as defined in Article 83(5)(a) and considered for the purposes of the statute of limitations in
Article 72(1)(a), a fine of EUR 5,000
FOURTH: Notified of the agreement to initiate the proceedings, the respondent submitted a written statement on 24/12/2019
of allegations, stating, in summary: that he had been notified of the agreement to
start and pointed out that the telephone number ***PHONE.1, was given
since January 2018 to the company COSMOS CALL CENTER, S.L., and that the second
phone number on the sanctioning file as well as the owner
we understand that he belongs to that society.
FIFTH: From the actions carried out in the present procedure, the following have been
The following are accredited,
PROVEN FACTS
1. The 15/01/2019 has written entry of the complainant stating that the 10/01/2019,
even though Robinson, one of the workers of the VODAFONE company, is on the list
name Ricardo, has contacted the complainant on his personal phone
to offer her a change of company, moving her that she wasn't interested
in the change. On Monday 01/14/2019 you received a message through WhatsApp from
that person with the following text:
"Helloaa beautiful.
I am C.C.C. from Vodafone.
I was really proud to contact you, I love your voice, your sympathy, and your
kindness..
I'd really like to be your friend.
2. The complainant provides a copy of her ID card number ***NIF.1
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
4/6
3. A copy of the complaint made by the
complainant to the Police Commissioner of ***DIRECCIÓN (Madrid) by the above
facts.
4. On 21 January 2019, the complainant wrote to VODAFONE informing it of the
events previously disclosed and to take action against the
employee by violating his privacy.
5. VODAFONE has stated that "After analysing the complaint and carrying out
timely investigations we have verified that the contact reporting the
The complaint was made by an agent of a company hired by Vodafone
for the provision of recruitment services (Atento) on a personal basis and using their
personal number.
As answered in file 4173/2018, the number through the
which the agent contacting the claimant in a personal capacity does not belong to Vodafone is
that is to say, it does not appear within the numbers assigned to the Atento platform for
provision of recruitment services".
6. These are messages received by the complainant through whasapp of the
phone ***PHONE.2, messages identifying the employee as
Vodafone operator, name B.B.B.
7. The company Adigital in a letter dated 04/06/2019 has certified 'that the number of
phone ***TELÉFONO.3 is registered in the Robinson List in the name of
claimant, with ID number ***NIF.1,..."
8. The company LEAST COST ROUTIN TELECOM, S.L in writing of 07/06/2019
indicated that: "...proceeds to provide them with the information we have in our
files from number ***TELÉFONO.1
End User:
TECSIBLE, S.L.
NIF B97907992
Address: ***ADDRESS
***LOCALITY
9. ORANGE ESPAGNE S.A.U., in a letter dated 06/06/2019 has indicated that "With regard to
making a call dated January 10, 2019 between 5 and 8 p.m.
from the calling number ***PHONE.1, we confirm that on that date and time
an outgoing call was made to the ***PHONE.3 line;..."
10. TECSIBLE in writing of 24/12/2019 has pointed out that:
"..., the telephone number ***TELÉFONO.1, is assigned since January 2018 to the
company COSMOS CALL CENTER SL, with CIF 887708236, whose representative is
C.C.C. with DNI ***NIF.2 and telephone number for contact ***TELÉFONO.4, para lo
which we provide assignment and configuration emails for that terminal.
Second, the second telephone number that appears in the sanctioning file
as well as the owner we understand that belongs to that society (COSMOS CALL
CENTER, S.L.)
LEGAL FOUNDATIONS
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
5/6
I
By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the
control, and in accordance with the provisions of Articles 47 and 48 of the LOPDGDD, the
of the Spanish Data Protection Agency is competent to initiate and
to resolve this procedure.
II
The reported facts are materialized in the sending through the application
WhatsApp gives a message to the claimant using their data in an inconsistent manner
and without authorization, in violation of the principle of confidentiality.
Article 5, Principles relating to processing, of the RGPD states that:
"1. Personal data shall be:
(…)
(b) collected for specified, explicit and legitimate purposes and not processed
subsequently in a manner incompatible with those purposes; in accordance with Article 89,
paragraph 1, the further processing of personal data for archiving purposes in
public interest, scientific and historical research or statistical purposes are not
shall be deemed to be incompatible with the initial purposes ("purpose limitation");
(…)”
III
Law 40/2015 of 1 October on the Legal Regime of the Public Sector
Article 28, Liability, provides as follows:
.
"1. The following may be punished only for acts constituting an infringement
The administrative authorities of natural and legal persons and, where a law
The Committee on Economic, Social and Cultural Rights (CESCR) has been working on a number of issues
legal personality and independent or autonomous assets, which are
responsible for them by way of malice or guilt.
2. The administrative responsibilities arising from the commission of a
shall be compatible with the requirement that the offender be reinstated in the
situation altered by it to its original state, as well as with the compensation
for the damage caused, which shall be determined and required by the body at
that the exercise of the sanctioning power corresponds. If the
compensation within a period to be determined on the basis of its amount, shall be
shall proceed in the manner provided for in Article 101 of the Law on Procedure
Common Administration of Public Administrations.
3. When the fulfilment of an obligation established by a rule with
The following are the main reasons why the status of the law corresponds to several persons together
The Commission shall be jointly and severally liable for any infringements committed and any penalties imposed.
impose. However, where the penalty is financial and it is possible to
individualized in the resolution according to the degree of participation of each
responsible.
4. The laws governing the various penalty regimes may
to make it an offence to breach the obligation to prevent
administrative offences by those who are subject to a
dependency or attachment. They may also provide for cases in which
certain persons shall be liable for payment of the financial penalties imposed
to those who depend on them or are linked to them".
In the present case, the agreement to initiate the procedure charged the
claimed the alleged violation of Article 5(1)(b), as set out in Article 83(5)(a) and
considered for the purposes of prescription in Article 72.1.a) of the LOPDGDD.
However, once the investigative actions have been carried out
It is clear from the above that the Commission is not in a position to make a decision on this matter.
entity is not responsible for the facts reported, since the number of
The telephone number from which the messages were sent was given in January 2018 to the
company COSMOS CALL CENTER, S.L.
Therefore, in accordance with the applicable legislation and having assessed the criteria of
graduation of penalties whose existence has been established,
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: ARCHIVE to TECSIBLE, S.L., with NIF B97907992, for an alleged
violation of Article 5 of the GPRS, as defined in Article 83.5(a) of the GPRS.
SECOND: TO NOTIFY this resolution to TECSIBLE, S.L., with NIF
B97907992.
In accordance with Article 50 of the LOPDGDD, the
This Resolution shall be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art.
48.6 of the LOPDGDD, and in accordance with Article 123 of the
LPACAP, the interested parties may, on an optional basis, file an appeal for replacement
to the Director of the Spanish Data Protection Agency within a
month from the day following notification of this resolution or directly
contentious-administrative appeal before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of
referred to Law.
Mar España Martí
Director of the Spanish Data Protection Agency