AEPD (Spain) - PS/00308/2021
AEPD (Spain) - PS/00308/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 10.08.2021 |
Fine: | 50000 EUR |
Parties: | ORANGE ESPAGNE, S.A.U. |
National Case Number/Name: | PS/00308/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined Orange €50,000 (reduced to €30,000) for not having implemented adequate measures to avoid the processing of personal data without a valid legal basis, with regards to proper means of identification of clients to prevent identity fraud.
English Summary
Facts
A data subject filed a complaint with the Spanish DPA (AEPD). The complainant had started a phone number portability from one telecommunication company (Yoigo) to another one (MasMovil). However, the complainant regretted it and asked the company to stop and cancel the portability (before the new SIM card arrived). Something went wrong during the process, as the complainant did not have phone signal during a few days, to what Yoigo answered that they would solve it and send them a new SIM card.
Two days later, the complainant found that someone had been using their phone number to make bank transfer via a phone application called Bizum, that offers the possibility of making bank transfers using your phone number.
The complainant suspected that this had happened for reasons related with the portability problem, and contacted Yoigo, that answered that the SIM card had been destroyed.
Afterwards, the complainant discovered that their phone number was on Orange (another telecommunications company), but not anymore in the complainant's name.
The complainant hence reported this to the police and filed the complaint with the DPA.
The AEPD launched an investigation and received an answer by Xfera Moviles (owned by MasMovil) saying that a scammer had been trying to make a fake portability several times, and had been stopped by the automated systems against fraud, but hat they had been successful the last time they tried to, arranging then a portability with Orange for the phone number of the complainant.
Holding
The AEPD concluded that Orange had not put into place all the necessary and adequate measures to avoid unlawfully processing personal data, since they had no proper identity verification system for portability requests, which led to this facts.
Therefore, the AEPD fined Orange €50,000 for a violation of Article 6 GDPR, for the processing of personal data without a valid legal basis.
The fine was reduced to €30,000 for the acknowledgement of responsibility and early payment.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12 File No.: PS / 00308/2021 RESOLUTION OF TERMINATION OF THE PROCEDURE BY PAYMENT VOLUNTARY Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On July 9, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against ORANGE ESPAGNE, S.A.U. (hereinafter, the claimed party), through the Agreement that is transcribed: << Procedure No.: PS / 00308/2021 AGREEMENT TO START THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and in based on the following ACTS FIRST: A.A.A. (hereinafter, the claimant) dated March 17, 2020 filed a claim with the Spanish Data Protection Agency. The claim is directed against ORANGE ESPAGNE, S.A.U., with CIF A82009812 (in forward, the claimed one). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/12 The reasons on which the claim is based are that on February 26, 2020, the claimant requested the portability of YOIGO to MASMOVIL, and although the next day telephonically canceled the portability carried out, one of the lines (*** PHONE. 1) was retained in MASMOVIL, despite assuring it that said portability was voided (so the SIM card was not delivered). On March 05, 2020, you do not have a mobile phone line, contact YOIGO and they will tell you that will solve it. On March 11, 2020, YOIGO sends you a new SIM card indicating that they would reactivate the service in 48 hours. Two days later (March 13, 2020), you discover that third parties are making unauthorized, high-value bank transfers from your account of BBVA (two of them by reimbursement by Bizum). Contact MASMOVIL, as you suspect that what happened has its cause in the disappearance of your SIM card and indicate that your card may have been destroyed by the carrier for security reasons. Who later discovers that his number *** TELEPHONE.1 belongs to Orange since March 13, 2020 and that it is not in your name. Along with the claim, provide a copy of the complaint to the police SECOND: In view of the facts denounced in the claim and the documents provided by the claimant, the Subdirectorate General for Inspection of Data proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and of in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/3 As a result of the investigative actions carried out, it is verified that the responsible for the treatment is the claimed one. Likewise, the following points are found: On July 14, 2020, XFERA MÓVILES, S.A., sent this Agency the following information and statements: 1. That from February 26, 2020 to March 5, 2020 are received repeated requests for portability of the claimant's line, which are all ex officio shutdowns in systems due to fraud. This is possible because the operator donor and recipient (from YOIGO to MASMOVIL) belonged to the same company. 2. That the scammer's fourth attempt was not possible to stop the portability in the systems (portability times are very short), but stopped in logistics of so the SIM card was not delivered. 3. That the scammer tried portability again on 03/13/2020 and manages to carry out the portability, this time to the ORANGE company, so he had to pass the security of this company. On February 6, 2021, ORANGE ESPAGNE, S.A.U. sends this Agency the following information and statements: 1. That the request to the donor operator regarding portability was completed through the shared system SGP with the data corresponding to the claimant and was accepted by the donor operator. Provides a screenshot of a portability request dated February 13 March 2020 relative to the line *** PHONE. 1 and being name and surname and number The client's DNI those of the claimant. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/12 2. That the portability was done through the Online channel. 3. That they proceeded to inform by sending an SMS to the line object of portability as of March 12, 2020 with the following content: "Hello. you already have your order *** ORDER.1 in the store *** STORE.1 you have 7 days to come and pick it up Remember to bring the necessary documentation to pick up your order. that you can check in *** URL.1. In case of not taking it, we will not be able to deliver. And if you have not yet taken out Orange mobile insurance for your smartphone or tablet, ask for it in your store to protect it from theft / breakage *** URL.2 " A copy of the sms is provided. 4. Provide a copy of the DNI that served to prove the identity of the client stating in it the name of D. B.B.B. with DNI number *** NIF. 1. 5. A copy of the portability contract is provided where it appears: to. In the "Orange customer data" section there is B.B.B. with DNI number *** NIF. 1. b. The e-mail contains *** EMAIL. 1. c. In the "data of the owner of the donor operator line" section the Name and surname of the claimant with DNI number *** NIF.1. d. There is an indication of "Accepted by the customer electronically or by phone date 03-11-2020 14:08:42 ”by both the Orange client and the operator client donor. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/12 6. That the line *** TELEPHONE.1 was blocked, putting it at disposition of the claimant again. 7. That checks are being carried out to clarify what happened, as well how to apply the corresponding internal measures since the controls applied by the company in relation to verification of the identity of the contractor they were applied correctly. 8. That in recent months they have focused their efforts on implementing systems and measures to ensure the identity verification of the holder. That have as technologies already implemented the “Digital Signature” tool, which is software that allows to check if the DNI is in force, if it is one of those admitted by the policy of Orange or if it generates doubts for having non-matching data. They also have the "MobileConnect" tool for sending challenge / sms with a message that the customer you must accept on your device to continue with the management. 9. That, in response to the security mechanisms used to ensure the authenticity of the data provided by the client, as well as to verify their ownership of the line state that the SGP request to the donor operator with the data indicated by the user was validated and accepted by the donor operator. That Likewise, the communications indicated above were sent. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II Organic Law 3/2018, of December 5, on the Protection of Personal Data and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/12 guarantee of digital rights, in its article 4.11 defines the consent of the interested as “any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns you ”. In this sense, article 6.1 of the RGPD establishes that “in accordance with provided in article 4.11 of Regulation (EU) 2016/679, it is understood by consent of the affected party any manifestation of free, specific will, informed and unequivocal by which it accepts, either through a statement or a clear affirmative action, the processing of personal data that concerns him ”. III In accordance with the available evidence, it is considered that, of the denounced facts, a data processing without legitimation is deduced, since the claimed entity carried out the portability object of this complaint, without ascertaining whether the The person requesting it was or was not the claimant, which is a violation of the Article 6 of the RGPD. In relation to the lack of security measures in the deliveries of Sim cards reported, indicate that a response is being given through the procedure sanctioner PS / 0022/2021 still in progress. IV Article 72.1 b) of the LOPDGDD states that “depending on what is established in the Article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe At three years, the infractions that suppose a substantial violation of the articles mentioned in that and in particular, the following: c) The processing of personal data without any of the conditions of legality of the treatment in article 6 of Regulation (EU) 2016/679. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/12 V Article 58.2 of the RGPD provides the following: “Each control authority will have of all of the following corrective powers listed below: b) direct a warning to any person in charge or in charge of the treatment when the processing operations have infringed the provisions of this Regulation; d) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame; i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular; SAW This offense can be sanctioned with a fine of € 20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of greater amount, in accordance with article 83.5 of the RGPD. Likewise, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established in article 83.2 of the RGPD: As aggravating factors the following: In the present case we are dealing with unintentional negligent action, but significant you identified (article 83.2 b) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/8 Basic personal identifiers -image- are affected (art 83.2 g) Therefore, based on the foregoing, By the Director of the Spanish Data Protection Agency, HE REMEMBERS: FIRST: INITIATE SANCTIONING PROCEDURE against ORANGE ESPAGNE, S.A.U., with CIF A82009812, in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged violation of article 6 of the RGPD, typified in article 83.5.b) of the GDPR SECOND: ORDER ORANGE ESPAGNE, S.A.U., with CIF A82009812, of in accordance with the provisions of article 58.2 d) of the RGPD, so that within ten days proceed to carry out the necessary actions so that the treatment of the data The personal data used comply with the provisions of the GDPR. THIRD: APPOINT C.C.C. as instructor. and, as secretary, to D.D.D., indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Public Sector Legal (LRJSP). FOURTH: INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimants and their documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, as well as the report of previous Inspection actions. FIFTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the The corresponding penalty would be 50,000 euros (fifty thousand euros) without detriment of what results from the instruction. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/12 SIX: NOTIFY this agreement ORANGE ESPAGNE, S.A.U., with CIF A82009812, granting a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In his writing of allegations, you must provide your NIF and the procedure number that appears in the heading of this document. If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; it which will entail a reduction of 20% of the penalty to be imposed in the present procedure. With the application of this reduction, the sanction would be established at € 2,400 (two thousand four hundred euros), resolving the procedure with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at € 40,000 (forty thousand four hundred euros), and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the preceding paragraph, it may be done at any time prior to the resolution. In In this case, if both reductions should be applied, the amount of the penalty would be set at € 30,000 (thirty thousand euros). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/12 In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts mentioned above € 40,000 or € 30,000, you must make it effective through your deposit in the account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection in Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which welcomes. Likewise, you must send the proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On August 4, 2021, the claimed party has made the payment of the penalty in the amount of 30,000 euros making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/12 THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts to which the Initiation Agreement refers. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or to the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% on the amount of the proposed sanction, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditional on the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/12 In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00308/2021, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to ORANGE ESPAGNE, S.A.U .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 936-160721 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es