AEPD (Spain) - PS/00093/2019

From GDPRhub
Revision as of 16:13, 10 March 2022 by Kc
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 26.12.2019
Published: 07.01.2020
Fine: 44,000 EUR
Parties: Vodafone
National Case Number/Name: PS/00093/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

Vodafone has been fined € 44.000 for accidentally disclosing personal data to a third party.

English Summary

Facts

A third party received several documents related to a contract with Vodafone, containing the complainant's personal data. The complainant therefore filed a complaint with the AEPD. Vodafone claimed that a mistake had been made in good faith by one of its employees.

Dispute

Can a mistake made in good faith justify the sharing of personal data to a third-party?

Holding

Although Vodafone insisted that a mistake had been made by an employee, the AEPD held that personal data was processed in a manner which does not ensure appropriate security. As a consequence, Vodafone violated Article 5(1)(f) GDPR, as interpreted in the light of the last sentence of Recital 39 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure No.: PS/00093/2019
938-051119


DECISION ON DISCIPLINARY PROCEEDINGS

From the procedure instructed by the Spanish Data Protection Agency and in consideration of the following


BACKGROUND

FIRST: On 07/08/2018, a claim made by Ms. A.A.A. (hereinafter, the claimant) against VODAFONE ESPAÑA, S.A.U., with NIF A80907397 (hereinafter, the claimed or VODAFONE), sent by the Catalan Data Protection Authority, was entered into the Spanish Data Protection Agency (AEPD).

The claimant filed a complaint on 18/06/2018 with the OMIC of the City Council of ***CITY COUNCIL.1 - which in turn forwarded the complaint to the Catalan Data Protection Authority - in which she stated that at the beginning of June 2018 she received a telephone call from an unknown person informing her that VODAFONE had sent her, in her name and at her address, documentation relating to a contract with the claimant which included her personal data.

A copy of the following documents is attached to the complaint:

- The claimant's VAT number: ***FIC1
- Several documents with the VODAFONE logo: a letter welcoming the customer and thanking him for the trust he has placed in the company; a contractual document ("Installment Sales Contract for Private Customers"), which is marked "copy for the customer" and which contains the following information: "Nº Línea asociada" ***TELÉFONO.1; as "Customer Data", A.A.A., NIF ***NIF.1, VODAFONE telephone number ***TELÉFONO.1 and address "Street ***ADDRESS.1".
- An envelope with the VODAFONE logo and with the postal stamps addressed to B.B.B., ***ADDRESS.2

SECOND: In view of the above facts, the AEPD carried out the following actions:

A.- In the context of file reference E/6509/2018, the SPCA, in accordance with the provisions of Article 94 of Royal Decree-Law 5/2018, on urgent measures for the adaptation of Spanish law to European Union regulations on data protection - a regulation that came into force on 31/07/2018 and was in force until its repeal by Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) - provided VODAFONE with a copy of the complaint. In that letter, dated 27/09/2018, VODAFONE was requested to inform about the causes that had motivated the incidence that originated the complaint, on the measures adopted to prevent similar events from occurring in the future, and to prove that the complainant was informed of these issues.

The notification, through notific@, was accepted by the operator on 04/10/2018.

VODAFONE replied on 09/10/2018 and stated that the letter of complaint had been drawn up entirely in Catalan and was also illegible.

On 26/11/2018, it was agreed that the complaint would be processed.

B. Within the framework of the reference file E/10517/2018, Preliminary Investigation Actions are initiated under Article 11 of Royal Decree-Law 5/2018, currently Article 67 of the LOPDGDD.

The Data Inspectorate sent a request for information to VODAFONE on 28/01/2019, which responded on 01/02/2019.

The Acting Inspector issues the Report of Investigation Actions (signed on 15/02/2019) from which the following fragment is reproduced:

<<On October 4, 2018, the complaint was transferred to the denounced entity, within the framework of actions E/6509/2018.
On 9 October 2018, VODAFONE replied to the transfer, stating that the complaint was not legible and that it was written in Catalan.
On 28 December, the present investigation proceedings began.
On 28 January 2019, a request for information was sent to VODAFONE in relation to the reported events:
On February 1, 2019, VODAFONE sent the Agency the following information regarding these events
In the absence of a reply to the transfer, on 12 December 2018, the present investigation is initiated.
On December 21, 2018 and January 29, 2019, TELEFONICA DE ESPAÑA S.A. has sent the following information to this Agency regarding the reported facts:
1 They provide a copy of the three addresses in their files associated with the complainant, which are the ones included in the contracts signed with the company, where it is verified that none of them coincides with the address to which the documentation of their contracting was sent.
Regarding the sending of the documentation by post to a different address
a.	They provide a copy of the information they are aware of regarding the incident, which includes
Dated 6 June 2018, "There is a case of fraud, I do not know It seems that there was an error in the delivery and that several letters to a couple of clients were confused.
With the same date "Client indicates that an unknown person called him, that a letter arrived with his personal information".
Dated June 12, 2018, "I speak with the title. It says that he has received an envelope in which his name appeared, but inside the envelope appeared the data of another customer, the other customer has also received an envelope with the data of the customer xxxxxx, they have to go in the store with the envelopes to address them to the enabled dep. The situation cannot be managed from the fraud department".
2. With regard to the causes of the incident, they state that It was a specific error when sending the contract. Initially, the situation was investigated in case it was a case of fraud in contracting, but finally it was concluded that it was a specific error.>>

THIRD: On April 1, 2019, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against VODAFONE for the alleged infringement of Article 5.1(f) of the RGPD, as defined in Article 83.5 of Regulation (EU) 2016/679. The amount of the sanction of administrative fine fixed in the initiating agreement is 55,000 euros.

FOURTH: On April 16, 2019, the AEPD accepted the allegations of VODAFONE in relation to the agreement to initiate proceedings PS/00093/2019 for "alleged non-compliance with the provisions of Article 5.1(f) of the RGPD and Article 72.1(a) of the LOPDGDD".

The respondent states in its second plea

"Vodafone acknowledges its responsibility for the facts denounced, which have been motivated by human error in sending the contract to Ms. A.A.A., by inserting in the envelope the wrong address belonging to another person. As can be understood, in no case is there any intention, much less malice, in the actions of the person I represent, but rather the facts have been produced by human error, as demonstrated in the allegations made in information injunction E/10517/2018". (The underlining is from the AEPD)

"Therefore, while my client acknowledges the facts that occurred and the error that motivated them in accordance with Article 85 of Law 39/2015 of October 1,
...wishes to emphasize that, in accordance with the very doctrine of the AEPD, it is necessary to link the existence of human error with the absence of guilt that should govern all punitive action".

The respondent requests the "dismissal of the case and consequent closure of the proceedings" and "in the alternative" "to impose on my client the penalty in the amount of 44,000 euros, since my client has acknowledged the facts which have motivated the present sanctioning procedure, applying therefore the reduction of 20% in the amount of the penalty in accordance with Article 85 of the LPACAP". (The underlining is from the AEPD)

FIFTH: On 12/12/2019 a letter from the respondent was entered in the Register of the AEPD in which, after stating that she had made the relevant allegations in her defence against the agreement to initiate the sanctioning procedure PS/0093/2019 on 05/04/2019, she made this statement:

"Having acknowledged the facts that have motivated the present sanctioning procedure, and therefore requesting the application of the 20% reduction in the amount of the sanction in accordance with Article 85 of the LPACAP, in accordance with the aforementioned article, my represented party now proceeds to the withdrawal or renunciation of any action or appeal in administrative proceedings in relation to this case" (The underlining is from the AEPD)

SIXTH: Article 82.4 of Law 39/2015 on Common Administrative Procedure for Public Administrations (LPACAP) provides

"The hearing procedure may be dispensed with when no other facts, arguments or evidence than those put forward by the interested party appear in the proceedings or are taken into account in the decision".

Article 85.1 of the LPACAP reads as follows: "If the offender acknowledges his responsibility, the proceedings may be terminated by the imposition of the appropriate penalty." (The underlining is from the AEPD)


The following actions have been accredited

FACTS

1.- A.A.A., with DNI ***NIF.1 -whose copy is in the file-, presented on 18/06/2018 a claim against VODAFONE before the OMIC of the Town Hall of his residence. In her letter of complaint, she provided the following personal details: address ***DIRECTION.1 and telephone ***TELEPHONE.1. The complainant stated that at the beginning of June she received a telephone call from a person who told her that VODAFONE had sent her a letter with documents containing personal details of the complainant to her address, for her attention.

On 17/07/2019, the Town Council sent the claim against VODAFONE and the documents provided by the claimant to the Catalan Data Protection Authority. The latter sent the documentation to the AEPD on 07/08/2018.

2.- The documents provided by the claimant with her complaint are the following:

- The copy of the front of an envelope stamped by Correos with the VODAFONE logo in the lower left corner and the following details of the addressee: "B.B.B., Avenida de ***DIRECCIÓN.2".

- A document with the logo of VODAFONE called "Contrato de venta a plazos para clientes particulares". In the upper right-hand corner is the statement "Copy for the customer", on the left "EU-5/87/6". In the body of the document two boxes appear. In the first one, "Terminal data", the ***PHONE.1 is indicated as the "Associated line number". In the second one, "Customer data", the name and surname of the claimant (A.A.A.), his NIF (***NIF.1), the Vodafone telephone number (***PHONE.1) and the address (street ***ADDRESS.1) are indicated.

- Two documents with the anagram of the operator claimed relating, respectively, to the "Withdrawal" of the contract and the "General conditions of your tariff without applied promotions".

3.- In the course of the preliminary investigation proceedings E/10517/2018, VODAFONE responded in the following terms to the request for information made to it regarding the reasons why the documentation relating to a contract of the complainant had been sent by post to a third party (B.B.B.)

<< There is a case of fraud, it is not classified as fraud, it seems that there was a mailing error and that several letters to a couple of clients were confused. I hit you case and transcript.
I79853853 06/06/2018 21:01:00 12/06/2018 18:54:43 Not applicable FRAUD
12/06/2018 21:01:00 No subcases.

*** PHONE REGISTRATION 06/06/2018 21:04:16 rparien
Konecta Family ***
Client indicates that an unknown person called him. That he received a letter with his personal information from VF.
***PHONE.2 -Customer with document (customer nmro of the person who received your data)
L A letter has arrived with the details of another person

***NOTES 06/06/201821:0716 rparien. Type of action: Konecta Family Notes Register***
THE PHONE NUMBER OF THE CLIENT WHO HAS RECEIVED DOCUMENTATION FROM ANOTHER
PERSON - ***PHONE.3 [for internal use only]

***Notes 12/062018 18:53:53 cmtite. Type of action: FRAUD Note Log***
***NIF.1 I talk to the title, she says she has received an envelope with her name on it, but inside the envelope there is another customer's data, the other customer has also received an envelope with the customer's data ***NIF.1 you have to go to the store with the envelopes to send them to the fraud department>>
(The underlining is from the AEPD)


LEGAL FOUNDATIONS

I

By virtue of the powers that Article 58.2 of the RGPD recognises to each supervisory authority, and as established in Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

Article 5 of the RGPD deals with the principles that should govern the processing of personal data and mentions among them "integrity and confidentiality". The precept states:

"1. Personal data shall be:
(…)
(f) processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing or accidental loss, destruction or damage, through the implementation of appropriate technical or organisational measures (<<integrity and confidentiality>>)".

Recital 39 of the RGPD says about this:
"All processing of personal data must be lawful and fair. It must be absolutely clear to natural persons that personal data concerning them are being collected, used, accessed or otherwise processed, and the extent to which such data are or will be processed. The principle of transparency requires that all information and communication relating to the processing of such data be easily accessible and understandable, and that simple and clear language be used. This principle concerns in particular information to the data subjects on the identity of the controller and on the purposes of the processing and additional information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of the personal data concerning them that are processed. Natural persons should be aware of the risks, rules, safeguards and rights concerning the processing of personal data and how to assert their rights in relation to the processing. In particular, the specific purposes of the processing of personal data should be explicit and legitimate, and should be determined at the time of collection. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that their retention period is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not reasonably be achieved by other means. In order to ensure that personal data are not kept longer than necessary, the controller should set deadlines for their deletion or periodic review. All reasonable steps should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a way that ensures appropriate security and confidentiality of personal data, including to prevent unauthorised access to or use of such data and of the equipment used for processing."
(The underlining is from the AEPD)

The infringement of article 5.1.f) of the RGPD is typified in article 83 of the aforementioned legal text. Under the heading "General conditions for the imposition of administrative fines", it says

“5. Infringements of the following provisions shall, in accordance with paragraph 2, be punishable by administrative fines of a maximum of EUR 20,000,000 or in the case of a company, for an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, with the largest amount being chosen:

(a) The basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9

The Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), for the purposes of prescription, qualifies as very serious (Article 72.1.) "infringements that substantially violate the articles mentioned therein and, in particular, the following: a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679."

III

VODAFONE is attributed in the present sanctioning file an infringement of Article 5.1.f) of the RGPD.

The documentation in the administrative file provides evidence that VODAFONE violated the principles of integrity and confidentiality.

According to the documentation in the file, it is proven that VODAFONE sent a third party (B.B.B.) documentation that included personal data of the complainant: name and two surnames; tax ID number; mobile phone number and postal address.

We refer in this respect to the documents provided by the Claimant: the copy of the envelope with the VODAFONE logo, in which the name, surname and address of the third party was included as the recipient, and the copy of a contract in the name of the Claimant - "copy for the client"- which incorporated its personal data. On the other hand, as stated by the complainant in its complaint to the OMIC - that an unknown person had contacted her by telephone to inform her that she had received documents from the affected party in an envelope addressed to her. Explanation which fully coincides with the entries from the VODAFONE systems which the complainant provided to the AEPD in the course of the preliminary investigation.

The entries provided by VODAFONE are an internal document which, in the opinion of the entity, explains what happened. From the examination of these notes, it is evident that a third party called the operator on 06/06/2018. According to the annotation: "Customer indicates that an unknown person called him. That a letter containing his personal information arrived from VF. ***PHONE.2 -Customer with document (customer nmro of the person who received your data) L A letter arrived with the data d another person

"THE TELEPHONE NUMBER OF THE CLIENT WHO HAS ARRIVED DOCUMENTATION OF
OTHER PERSON - ***PHONE.3 [for internal use only]"

It is also evident from VODAFONE's notes that the claimant (holder of the NIF ***NIF.1) contacted the operator's service by telephone on 12/06/2018 and explained, not only that another customer had received an envelope containing her personal details, but also that she had received an envelope containing her name but also documents relating to the person who had received hers: "***NIF.1 I am talking to the title, she says that she has received an envelope in which her name appeared, but inside the envelope were the details of another customer. The other customer has also received an envelope with the customer's details ***NIF.1".

It seems obvious, therefore, that both parties, the complainant and the third party who received its documents, had to access the information contained in the envelope received from VODAFONE in their name, but which concerned the other person, as only then could they come to know that the documentation they had received from the respondent was not theirs.

In view of the fact that VODAFONE violated the principles of integrity and confidentiality in relation to the personal data of the complainant - given that it sent a third party documents with personal data of the affected person and that the third party had to access this data as the only means to contact or identify the complainant before the entity under complaint - it is necessary to assess whether the complainant was at fault or whether it omitted to take the appropriate steps, given the circumstances of the case, which are essential for the conduct analysed to be subsumed under the type of violation of Article 83.5. of the RGPD.

In our sanctioning law, the principle of guilt prevails, which prevents the imposition of sanctions based on the objective responsibility of the alleged offender. The presence of the element of guilt in a broad sense, as a condition for the emergence of liability to punish, has been recognized by the Constitutional Court, among others, in its STC 76/1999, in which it states that administrative sanctions participate of the same nature as criminal sanctions, as they are one of the manifestations of the ius puniendi of the State and that, as a requirement derived from the principles of legal certainty and criminal legality enshrined in Articles 9.3 and 25.1 of the E.C., its existence is essential to impose it.

Article 28 of Law 40/2015 on the Legal Regime of the Public Sector, under the heading "Liability", states

"Only natural and legal persons, as well as, when a law recognizes their capacity to act, groups of affected persons, unions and entities without legal personality and independent or autonomous patrimonies, which are responsible for them by way of fraud or guilt, may be sanctioned for acts constituting an administrative infraction". (The underlining is from the AEPD)

In her allegations to the agreement at the beginning, the defendant has stated that we are dealing with a mere human error in which there has been no intentional or fraudulent intervention on her part, which is why, in her opinion, the proceedings should be closed.

In this respect, it should be remembered that, in accordance with article 5.2 of the RGPD (principle of proactive responsibility), the claimed entity should have provided the relevant documentation to prove that it had implemented the technical and organisational measures that guaranteed the appropriate level of security against the loss of data or unauthorised processing. However, VODAFONE has made no such contribution, merely stating that this is "mere human error".

In compliance with the obligations that the RGPD imposes on the data controller, the latter must exercise the minimum diligence required by the circumstances of the case by adopting the relevant technical and organizational measures. The SAN of 29/04/2020 is illustrative - which, although it was issued in a case of fraudulent recruitment and under the previous regulations, can be perfectly extrapolated to the one before us - whose sixth legal basis reads: "The question is not whether the appellant treated the personal data of the complainant without her consent, as if she employed reasonable diligence in trying to identify the person with whom she signed the contract". (Emphasis added by the AEPD)

With regard to the element of culpability in the administrative sanctioning procedure, it seems appropriate to refer to the SAN of 30/05/2015 (ECR 163/2014) which links the 'reproachability' of a legal person for a certain conduct with the circumstance that it 'may or may not have provided effective protection for the legal good protected by the rule'. The second legal basis of the aforementioned judgment states:

<<However, the way in which liability is attributed to legal persons does not correspond to the forms of intentional or reckless culpability that are attributable to human conduct. Therefore, in the case of offences committed by legal persons, even if the element of guilt must be present, it is necessarily applied differently from that of natural persons. According to STC 246/1999 "(...) this construction, different from the imputability of the authorship of the infraction to the legal person, arises from the very nature of legal fiction to which these subjects respond. They lack the volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject. Capacity of infringement and, therefore, direct reproachability derived from the legal good protected by the rule being infringed and the need for such protection to be truly effective and for the risk that, consequently, must be assumed by the legal person that is subject to compliance with said rule">> (The underlining is from the AEPD)

In short, VODAFONE's conduct, which is a violation of the principles of integrity and confidentiality with respect to the complainant's personal data - name, two surnames, tax identification number, mobile phone number and address - since it sent the complainant's contract containing her personal data to a third party without having demonstrated that it had in place, at the time of the events, the necessary technical and organizational measures to guarantee the security and confidentiality of its clients' data in order to prevent events such as those in question, is in violation of Article 5.1.f) of the RGPD, an action that can be subsumed under the sanctioning type of article 83.5 of the RGPD.

IV

Article 58 of the RGPD, "Powers", states in point 2

"2. Each supervisory authority shall have all the following corrective powers indicated below: (…)
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case"

In order to determine the administrative fine that should be imposed, the provisions of Articles 83.1 and 83.2 of the RGPD must be observed, and these provisions are indicated:

"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive.

"Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. In deciding whether to impose an administrative fine and the amount of the fine in each individual case, due account shall be taken of the circumstances of the case:
(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage they have suffered;
(b) whether the infringement was intentional or negligent;
(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented pursuant to Articles 25 and 32;
(e) any previous breach committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority with a view to remedying the breach and mitigating the possible adverse effects of the breach;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor notified the infringement;
(i) where the measures referred to in Article 58(2) were previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains obtained or losses avoided, directly or indirectly, through the infringement.


With regard to article 83.2 (k) of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides:

"In accordance with the provisions of Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account
(a) The continuing nature of the infringement.
(b) The link between the activity of the offender and the processing of personal data
(c) The benefits obtained as a result of the commission of the infringement.
(d) the possibility that the conduct of the data subject may have led to the commission of the infringement
(e) the existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity
(f) The effect on the rights of minors.
g) The availability, when it is not compulsory, of a data protection representative.
h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases where there are disputes between them and any interested party.


In accordance with the provisions transcribed above, for the purposes of setting the amount of the fine to be imposed on VODAFONE ESPAÑA, S.A.U., as the party responsible for an infringement under Article 83(5)(a) of the RGPD, it is necessary to make two clarifications. The first is that Article 83.2 RGPD requires the supervisory authority to ensure that the penalty to be imposed is in each case "effective, proportionate and dissuasive" and, the second, that the amount of the penalty provided for in the RGPD for the infringements referred to in Article 83.5 has as its maximum limit the greater of these two amounts: 20,000,000 euros or 4% of the total annual turnover of the previous financial year. In 2017, VODAFONE's turnover amounted to 4,978 million euros, 4% of which was 199,120,000 euros.

As indicated in the agreement to commence the proceedings, the following factors have a bearing on the unlawfulness and culpability of VODAFONE's actions and, therefore, on the determination of the amount of the penalty
-The purely local scope of the data processing carried out by the defendant.
-The persons affected by VODAFONE's conduct which allegedly infringes the RGPD were two.
-The damage caused to those affected by the processing of their data is not very significant.
-VODAFONE's lack of diligence can be described as minor. The facts are not due to the inaccuracy of the data in the entity's files. In this sense, the defendant provided this Agency with the three addresses that appear in its files associated with the claimant -none of which coincides with the address of the third party to which the document of the claimant with her personal data was sent- and also explained what the from each of them.
- The obvious link between VODAFONE's business activity and the processing of personal data of clients or third parties (Article 83.2.k of the RGPD in relation to Article 76.2.b of the LOPDGDD)
- The turnover or activity figure of the entity (article 83.2.a, of the RGPD). We are in the presence of a large company in the telecommunications sector. The total annual volume for the 2017 financial year was 4,978,000,000 euros.

- The scope of the processing (article 83.2.a, RGPD) as the personal data of the complainant affected by the infringement of article 5.1.f) RGPD were several: the name and two surnames, NIF, home address and mobile phone number.

V

Article 85 of the LPACAP states:

"If the offender acknowledges his responsibility, the proceedings may be terminated by the imposition of the appropriate penalty.
(…)
(...) where the penalty is purely financial in nature, the body responsible for deciding the procedure shall apply reductions of at least 20% to the amount of the penalty proposed, which may be cumulated. These reductions shall be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any administrative action or appeal against the penalty".

In its submissions to the agreement to initiate the penalty proceedings, dated 16/04/2019, VODAFONE acknowledged its responsibility for the facts complained of and requested that the 20% reduction in the amount of the penalty be applied, in accordance with Article 85 LPACAP.

In a letter dated 12/12/2019, VODAFONE stated that, having requested the application of the reduction in the amount of the penalty in accordance with Article 85 LPACAP, it proceeded, in relation to the case in question, to waive any action or appeal in administrative proceedings against the penalty.


Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of the penalties whose existence has been established,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: To impose on VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for an infringement of Article 5.1.f) of the RGPD, as defined in Article 83.5 of the RGPD, following the application of Article 85(1) and (3) of LPACAP, a fine of EUR 44 000 (forty-four thousand euros).
 



SECOND: To NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

THIRD: To warn the sanctioned party that it must make the sanction imposed effective once this resolution becomes enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of its payment, indicating the tax identification number of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account no. ES00 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and once it has been executed, if the date of execution is between the 1st and 15th of each month, inclusive, the deadline for making the voluntary payment will be up to the 20th of the following month or the immediately following working day, and if it is between the 16th and last day of each month, inclusive, the deadline for payment will be up to the 5th of the second following month or the immediately following working day.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly lodge an administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that accredits the effective filing of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it will terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Data Protection Agency