AEPD (Spain) - PS/00111/2021
AEPD (Spain) - PS/00111/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 13.10.2021 |
Published: | 13.10.2021 |
Fine: | 40000 |
Parties: | Vodafone Spain |
National Case Number/Name: | PS/00111/2021 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | aepd.es (in ES) |
Initial Contributor: | FA |
The Spanish DPA fined Vodafone Spain €40,000 for violations of Articles 5(1)(f) and 32 GDPR. The complainant received multiple invoices intended for a customer of the company and was not properly helped when they attempted to resolve this.
English Summary
Facts
An individual repeatedly received emails containing Vodafone invoices belonging to a third party. They tried reaching out to the company by email and telephone to resolve this issue, but were never properly helped.
Thus, they filed a complaint to the Spanish DPA (AEPD), which informed Vodafone of the issue. The company assured the DPA it had both dealt with the problem and communicated the resolution to the complainant. They nonetheless kept receiving invoices. The DPA communicated this to the company, which then provided evidence the complainant's email address had been deleted from its systems. It claimed the problem was caused by the customer (that the invoices were actually intended for) entering the complainant's email address instead of their own.
Holding
The Spanish DPA held that Vodafone Spain unlawfully processed the complainant's personal data, as the company had no lawful basis to send them invoices belonging to one of its customers. It found this to constitute a severe and negligent (per Article 83(2)(a) and (b) GDPR) violation of Articles 5(1)(f) and 32 GDPR, as the complainant's data was neither processed with integrity and confidentiality nor appropriately safeguarded.
It originally imposed a fine of €30,000 for the violation of Article 5(1)(f) GDPR and €20,000 for the violation of Article 32 GDPR, but this was reduced to a total fine amounting to €40,000 because Vodafone Spain made use of a reduction proposed by the DPA.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18 File No.: PS / 00111/2021 RESOLUTION OF TERMINATION OF THE PROCEDURE BY PAYMENT VOLUNTARY Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On June 24, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against VODAFONE SPAIN, S.A.U. (hereinafter, the claimed party), through the Agreement that is transcribe: << Procedure No.: PS / 00111/2021 AGREEMENT TO START THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and in based on the following FACTS FIRST: Mrs. A.A.A. (hereinafter, the claimant) dated June 24, 2020 filed a claim with the Spanish Data Protection Agency. The claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (in ahead, the claimed one). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/18 The reasons on which the claim is based are the sending by the entity claimed from telephone bills owned by a third party to the email address claimant's email. After informing the respondent, he has not got answer. He states that he sent on 06/17/2019 and 07/16/2019 emails emails to the addresses soporte@vodafone.es and tufacturavodafone@vodafone.es (the latter from which you receive the invoices). Too He claims to have called by phone without specifying the date stating “I called a couple sometimes to Vodafone, but it was impossible for me to have an intelligent conversation with a person, since they were passing me from operator to operator, from department to department and nobody knew anything, nobody wanted to attend me, nobody I could solve the problem ”. Date on which the claimed events took place: from May 16, 2019 until 01/18/2021. Relevant documentation provided by the claimant: Copy of the invoices and copy of the emails sent to the claimed to bring out the problem. SECOND: In view of the facts denounced in the claim and the documents provided by the claimant, and in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, on Data Protection Personal and guarantee of digital rights (hereinafter, LOPDGDD), which consists of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, or to them when not They have been appointed, and for the purpose indicated in the aforementioned article, on date 4 August 2020, the claim was forwarded to the respondent (file of reference E / 6010/2020), so that it could proceed with its analysis and provide a response in the within one month. On 10/13/2020, this Agency has a response to the transfer of the claim, where the complained party assures that the incident has been solved and that communicated its resolution to the claimant. However, as reflected in the Resolution of file E / 6010/2020, on 12/01/2020, the affected party states that continues to receive invoices, as evidenced by copies of those received the month of October and November 2020 issued on October 8 and November 8 2020 respectively. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/18 THIRD: On 01/22/2021 a resolution was issued admitting the claim for processing, and the General Subdirectorate for Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the powers of investigation granted to the authorities of control in article 57.1 of Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter RGPD), and in accordance with the provisions of the Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). The result of the investigation actions carried out is as follows: First.- Detailed information is required on the reasons why the The claimant has continued to receive invoices, a copy of which is provided, despite having declared its entity to this Agency, within the framework of file E / 06010/2020, with dated 10/13/2020, that the incident had been duly resolved. The representatives of the respondent state that: "As indicated in the allegations submitted to the request for information with reference number E / 06010/2020, sending invoice availability notices to the claimant to his email account occurred because another customer had I activate the sending of these notices to the claimant's email *** EMAIL.1. In August 2020, a fault ticket was opened to Sistemas for a solution to the problem detected since the system did not allow to delete the email from the claimant to those responsible for the customer service channel. The moment the email account was no longer visible in the systems, claimant assigned to another client for those responsible for customer service. The incident was considered solved, thus communicating it to this Agency in the response to the request for information indicated. However, it was found Subsequently, the changes made to the client's file in which the The claimant's email was not saved, so the email from the The complainant was not eliminated, so he continued to receive the notices. After receiving this request for information, the case has been reopened before the responsible for systems to proceed to the definitive solution of the incident. Inc. After making the appropriate modifications, we can confirm that on the 11th of February 2021, it has been possible to save the applied changes correctly, not The claimant's email account is already established as the recipient of the notices of invoice availability from another client. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/18 They provide a screenshot of the systems that shows the solution to the incident. Second.- Detailed information on the error made at the source is required, as well as at the attempt to correct it in October 2020, which has motivated the claimant to continue receiving invoices from the third party in question. The representatives of the defendant state that: “As has been stated in the previous section, the original error is that another client had activated the notifications of sending invoices to the email account Claimant's electronic mail, for this reason, was receiving the notices of availability of invoices in your email. This case has been studied in detail with those responsible for Systems and it has been been able to find out that this error was not caused by a system failure, but because the third customer had provided the email account of the claimant to send the invoices. The third client has been listed as fraudulent by the Vodafone investigation team (this having been resolved incidence), therefore, when accessing the client area via the web, it provided an address of email for sending invoices that turned out to be that of the claimant. This incident tried to be corrected between August and September 2020, eliminating the e-mail account of the claimant of the third party's file. However, in the processing of the ticket of this breakdown, the process of erasing this information does not it was completed, the changes not being saved definitively. For this reason, The claimant's email account has continued to be recorded in the file of the third client that did have these invoice availability notices active. " Third.- Detailed information on the procedure has also been required followed by the entity to send the invoices to the clients, showing both the procedure for the consignment of email addresses as well as the procedure for sending invoices to the addresses provided for each customer. It is requested to include a detailed explanation of the reason why the procedure established has allowed the claimant to continue to receive invoices, despite of the information obtained in the screenshot of the data of the third party provided to this Agency dated 10/13/2020, in which the email address does not appear. The representatives of the defendant state that: “Vodafone customers have the option to activate notifications of availability of invoice and sending of electronic invoice in which they are informed about the charge date of the amount in advance of the charge to your bank account, only in cases where C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/18 that the billing method is direct debit. For these assumptions, customers can request to receive these notices via e-mail or SMS. To activate these options, customers can request it at the time of registration the line or at a later time through Customer Service from Vodafone or the MiVodafone AppWeb. Through the indicated channels, customers have the options of: Activate the electronic invoice. Activate and modify the monthly notification of the availability of invoices. View the last three invoices in different formats. Download the invoices. In the case of the third client that turned out to be fraudulent, it is recorded in our systems that you have made modifications through the web area in the management of your billing where the claimant's address could be included for sending the notices of availability of invoices. " Fourth.- The claimed entity has been required to explain the reasons why the replied to the claimant's emails, nor were her requests for rectification of your personal data to avoid continuing to receive invoices from another customer. Evidence of the claimant's shipments is attached to the request, sent on 06/17/2019 and 07/16/2019 to the mailboxes support@vodafone.es and tufacturavodafone@vodafone.es. Documentary accreditation of the Answers issued, if applicable. The representatives of the respondent state that: "The emails support@vodafone.es and tufacturavodafone@vodafone.es do not They are email accounts that receive or attend customer requests. The mails that are forwarded to these mailboxes are returned to senders as not received, and the case of the mailbox relative to support@vodafone.es, a reply is sent automatic in which customers are redirected to the appropriate channels to be able to process your request, indicating the following: "Dear Customer: Thank you very much for contacting Vodafone. In order to respond to your query we need to identify you through My Vodafone where we can attend your request safely and you can also see C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/18 all the information related to your services. In case you are not registered in My Vodafone, click here. We also have at your disposal our customer service telephone number 22123 and You can solve your doubts in the Vodafone help section for private customers. If you are not a client, call us: Individuals: 1444 - Commercial Information - Information and contracting related to products that Vodafone sells. Free call 1704 - Commercial information and exclusive online promotions - Information and contracting related to the products that Vodafone sells. Call free. Hours of operation: Monday to Sunday from 9:00 a.m. to 9:00 p.m. 607 123 000- Helpline Thank you very much for your attention and best regards. Vodafone customer service * In case the links in this email do not work for you, copy them in your browser and access directly. My Vodafone Registration: http://www.vodafone.es/c/mivodafone/es/registro-nueva- key / # / register » Therefore, the communications sent to these mailboxes were not received by Vodafone and so the claimant was informed. In addition, the appropriate checks have been carried out and it has been possible to confirm that for Mrs. A.A.A. there is no interaction or ticket in which It is indicated that a claim has been received for these events. It is also confirmed that, with the email address of the claimant, *** EMAIL.1, there is no evidence that any mail has been received. " Attach screenshots of customer interactions. The claimant does not indicate the calls of his calls, nor does he provide evidence of them that allows contrasting the information tion. It is only verified that there are some interactions dated 07/30/2019 (date closest to the beginning of receipt of the invoices by the claimant) of the type "information" and code "open question", or "customer inquiry". They also attach a screen print of the aforementioned generic response from the mailbox medium. They attach a screen print of the client's email address indicating that in he also does not record receipt of any claim, and that he has not been able to give a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/18 reply if a claim has not been received in this regard from the claim- keep. Fifth.- It is required to provide a description of the detailed procedure for the care of the mailboxes support@vodafone.es and tufacturavodafone@vodafone.es and why which may not be answered or processed requests directed by customers to these two mailboxes as in the present case. Description of the controls established on the procedure described, to ensure the answering and processing of the requests received through these channels, and the reason why they failed in this case in two different dates and two different mailboxes The representatives of the defendant state that: "As indicated in the fourth allegation of this brief, the mailboxes indicated are not the communication channels on the part of the clients that Vodafone, has enabled, but mailboxes from which communications are issued towards customers. When a customer sends an email to these addresses, the messages are return and receive timely information on the channels through the which you can contact Vodafone to file your claims or any type of request. Therefore, these mailboxes are not enabled as a customer service channel, not receiving, also incoming emails. " Sixth.- Google searches have been carried out for these addresses, verifying that there are multiple occurrences of support@vodafone.es of third-party websites, and one of ayudacliente.vodafone.es in which there is a contract "Request for change of owner and Mobile Communications Services Contract Postpaid Individuals ”in pdf format with the following clause: "7. Customer Service and Claims. Vodafone provides the Customer with a service of support and information through www.vodafone.es, points of sale or agents authorized, at Customer Service 123, at the indicated registered office in these conditions or by email to soporte@vodafone.es. If he Client wants to file a claim must do so within one (1) month as long as the fact that motivates it is known, in writing to the registered office of Vodafone located at Avenida de América, 115, 28042, Madrid, by phone at 123 Customer Service or by email to support@vodafone.es. […]. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/18 After searching for the email address tufacturavodafone@vodafone.es only a result of a third party website is found citing that it is the address Sender of the invoices of the claimant entity. The Data Inspection has sent an email of test to the address support@vodafone.es verifying that after one minute approximately the mentioned automatic reply is received. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR); recognizes each authority of control, and as established in art. 47 of Organic Law 3/2018, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/18 II The LOPGDD, in its article 5.1 indicates: "Duty of confidentiality": "1. Those responsible and in charge of data processing as well as all people who intervene in any phase of this will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679. " III Article 5.1.f) of the RGPD establishes that personal data will be: "F) treated in such a way as to guarantee adequate data security personal data, including protection against unauthorized or illegal processing and against its loss, destruction or accidental damage, through the application of technical measures or appropriate organizational ("integrity and confidentiality"). And section 2 of the same article 5 states: "2. The person responsible for the treatment will be responsible for compliance with the provisions in section 1 and able to demonstrate it (<< proactive responsibility >>). IV Regarding the security of personal data, article 32 of the RGPD “Security treatment ”, establishes that: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for people's rights and freedoms C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/18 physical, the person in charge and the person in charge of the treatment will apply technical measures and appropriate organizational arrangements to ensure a level of security appropriate to the risk, that in your case include, among others: a) pseudonymisation and encryption of personal data; b) the ability to ensure confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to personal data of quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular attention will be paid to take into account the risks presented by the data processing, in particular as consequence of accidental or illegal destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to such data. 3. Adherence to a code of conduct approved pursuant to Article 40 or a certification mechanism approved pursuant to Article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of this article. 4. The person in charge and the data controller will take measures to ensure that any person that acts under the authority of the person in charge or the person in charge and has access to data personal data can only process said data following instructions from the person in charge, unless required to do so under Union or State law members". V In accordance with the evidence available at the present time of agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the complainant carried out the data processing personal data of the claimant without having any legitimacy to do so, materialized in that they continue to receive telephone bills owned by a third party in the claimant's email address, even though they requested in the past the deletion of your data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/18 It should be noted that this Agency transferred the claim made by the claimant to the claimed, stating that the incident was already resolved. However, the claimant continued to receive telephone bills ownership of a third party in your email address. Consequently, it has carried out a treatment of personal data without having proven that it has with the legal authorization to do so. On the other hand, there are other significant evidences for the graduation of the infringement: Continued nature of the facts verified: from 05/16/2019 to 01/18/2021. Volume of the treatments carried out: an affected third party, owner of the invoices, person who was able to enter the claimant's email address as the address shipping, and the claimant who receives the invoices. The development of the business activity carried out by the entity requires a continuous processing of personal data. The entity carries out for the development of its activity a high volume of personal data processing. SAW The known facts could constitute an infringement, attributable to the claimed, for violation of article 5.1.f) of the RGPD, which governs the principles of integrity and confidentiality of the processing of personal data, as well as the proactive responsibility of the controller to demonstrate its compliance, as stated in section 2 of the same article 5 of the RGPD. On the other hand, there are clear indications that the respondent has violated article 32 of the RGPD, facilitating access to information related to personal data of a client by a third person outside the entity. The responsibility of the claimed is determined by unauthorized access. The entity is responsible for making decisions aimed at implementing in a effective the appropriate technical and organizational measures to ensure a level of security appropriate to the risk to ensure the confidentiality of the data and, between these, those aimed at restoring availability and preventing access to data in case physical or technical incident. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/18 Article 83.5 a) of the RGPD, considers that the infringement of "the basic principles for the treatment, including the conditions for consent under the Articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the aforementioned Article 83 of the aforementioned Regulation, with administrative fines of € 20,000,000 as maximum or, in the case of a company, of an amount equivalent to 4% as maximum total annual global business volume of the previous financial year, opting for the highest amount. The LOPGDD in its article 72.1.a) establishes as: “Infractions considered very serious. 1. In accordance with the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679 ”. The violation of article 32 RGPD is typified in article 83.4.a) of the cited RGPD in the following terms: “4. Violations of the provisions following will be sanctioned, in accordance with section 2, with administrative fines of up to EUR 10 000 000 or, in the case of a company, of an amount equivalent to a maximum of 2% of the total global annual turnover of the previous financial year, opting for the highest amount: a) the obligations of the responsible and the person in charge in accordance with articles 8, 11, 25 to 39, 42 and 43. " (…) It establishes article 73 of the LOPDGDD, under the heading “Infractions considered serious ”, the following:“ In accordance with the provisions of article 83.4 of the Regulation (EU) 2016/679 are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned in that and, in in particular, the following: (…) f) Failure to adopt those technical measures and organizational arrangements that are appropriate to ensure an adequate level of security to the risk of treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. " In the present case, the offending circumstances provided for in article 83.5 and 83.4 of the RGPD and 72.1 a) and 73 section f) of the LOPDGDD, transcribed above. Article 58.2 of the RGPD provides: “Each supervisory authority will have all the following corrective powers: b) issue reprimands to a person responsible for the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/18 treatment or a processor when the processing operations have infringed the provisions of this Regulation; d) order the person responsible of the treatment or the person in charge of the treatment that puts the operations of treatment in accordance with the provisions of this Regulation, when proceed, in a specified way and within a specified period; i) impose a fine administrative pursuant to Article 83, in addition to the measures referred to in the this section or instead, depending on the circumstances of each case concrete;" In this sense, the actions taken by the claimed to the know the claim that was reported by this AEPD and the measures adopted, having to report them within the procedure, being able to in the resolution to adopt the appropriate ones for its adjustment to the regulations. Likewise, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established in article 83.2 of the RGPD: As aggravating factors, in the present case, the following: The duration of the offense (article 83.2.a). A negligent action (article 83.2.b). Basic personal identifiers are affected, according to article 83.2.g). VII Therefore, in accordance with the foregoing, the Director of the Spanish Agency of Data Protection, AGREES: FIRST: INITIATE SANCTIONING PROCEDURE for VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of article 5.1.f) of the RGPD, punishable in accordance with the provisions of art. 83.5 of the aforementioned RGPD, and classified as very serious in article 72.1 a) of the LOPDGDD, and for the alleged infringement of the Article 32 of the RGPD, punishable in accordance with the provisions of Article 83.4 of the cited RGPD, and which is classified as serious in article 73 section f) of the LOPDGDD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/18 SECOND: ORDER VODAFONE ESPAÑA, S.A.U., with NIF A80907397, from in accordance with the provisions of article 58.2 d) of the RGPD, so that within ten days proceed to order the person in charge of the treatment, that the processing operations comply with the provisions of the RGPD. THIRD: APPOINT B.B.B. as instructor. and, as secretary, to C.C.C., indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Public Sector Legal (LRJSP). FOURTH: INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and her documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, as well as the report of previous Inspection actions. FIFTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the Penalty that may correspond would be: € 30,000 (thirty thousand euros) per offense of article 5.1 f) of the RGPD, regarding the violation of the principle of confidentiality and € 20,000 (twenty thousand euros) for violation of article 32 of the aforementioned RGPD, regarding the security of the processing of the personal data of its clients, without detriment of what results from the instruction. SIXTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting you a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In his writing of allegations, you must provide your NIF and the procedure number that appears in the heading of this document. If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; it which will entail a reduction of 20% of the penalty to be imposed in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/18 the present procedure. With the application of this reduction, the sanction would be established at € 40,000 (forty thousand euros), resolving the procedure with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at € 40,000 (forty thousand euros) and its payment will involve the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the preceding paragraph, it may be done at any time prior to the resolution. On In this case, if both reductions should be applied, the amount of the penalty would be set at € 30,000 (thirty thousand euros). In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts mentioned above € 40,000 (forty thousand euros) or € 30,000 (thirty thousand euros), You must make it effective by entering the account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it is accepted. Likewise, you must send the proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/18 After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. 935-200320 Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On September 27, 2021, the claimed party has proceeded to payment of the sanction in the amount of 40,000 euros making use of one of the two reductions provided for in the Inception Agreement transcribed above. Therefore, it has not The acknowledgment of responsibility has been accredited. THIRD: The payment made entails the waiver of any action or recourse in progress. against the sanction, in relation to the facts referred to in the Initiation Agreement. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/18 Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or to the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% on the amount of the proposed sanction, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditional on the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. " In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00111/2021, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 937-160721 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/18 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es