AEPD (Spain) - EXP202206805
AEPD - EXP202206805 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR Article 83(2)(c) GDPR Article 83(2)(e) GDPR Article 83(5) GDPR Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of Digital Rights |
Type: | Complaint |
Outcome: | Upheld |
Started: | 23.05.2023 |
Decided: | |
Published: | |
Fine: | 100,000 EUR |
Parties: | XXX VODAFONE ESPAÑA, SAU |
National Case Number/Name: | EXP202206805 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Samuel Uzoigwe |
The Spanish Data Protection Authority (AEPD) fined a data controller the sum of €100,000 which was reduced to €80,000 for unlawfully processing the personal data of a data subject.
English Summary
Facts
The Spanish Data Protection Authority (AEPD) fined a data controller for unlawfully processing the personal data of its customer (data subject). The data controller assigned the duplicate of a mobile phone number of a data subject to a third party without the consent of the data subject. The third party using the duplicate, fraudulently gained access to the data subject’s bank details and carried out various non-consensual transactions, using the authentication SMS messages received through the phone number. The number was blocked the following day by the data controller, and a fraud victim check was activated by the data controller to prevent similar incidents from occurring in the future. The data controller was issued a new SIM card and was refunded the amount incurred in SIM card replacement management. The data subject complained to the Spanish Data Protection Authority (AEPD) on the grounds of unlawful processing of the data subject’s personal data.
Holding
The AEPD held that the data controller lacked any lawful basis under Article 6(1) of the GDPR to process the data subject’s personal data. In so holding, the DPA noted that the data controller did not act diligently in compliance with its obligation to guarantee that the personal data it processed respect the principle of legitimacy of processing. The call requesting for the issuance of a duplicate of the mobile phone number was received from abroad using a hidden number, and the individual processing the request on behalf of the data controller did not conduct appropriate diligence, to verify that the person making the request was the data subject who owned the number, prior to issuing the duplicate of the number.
The AEPD noted that although the data controller had a security policy for handling such requests, the procedure outlined in the policy was not followed, as if it had been followed, the request should have been denied. It further observed that the data controller did not clarify how it was proceeded with handling the request, nor does it have documentation or recordings in that regard.
The AEPD equally held that the processing also breached the provisions of Article 5(1)(a) of the GDPR as it was done unlawfully. As noted by the AEPD, in order for the data processing carried out by the data subject to be based on any of the circumstances legitimizing the processing, it would be necessary that, in its capacity as data controller, it could prove that the owner of the processed data was actually the one who provided it. In this circumstance the data controller failed in this obligation which led to identity fraud.
In awarding a fine of €100,000 the AEPD considered as mitigating factor under Article 83(2)(c) of the GDPR the fact that the data subject had proceeded to resolve the incident that was the subject of the complaint effectively by blocking the number the next day. The AEPD also considered the previous infractions of the data controller by virtue of Article 83(2)(e) in order to gauge the illegality of the data controller’s actions.
The AEPD relying on Article 85 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). reduced the fine to €80,000 on the grounds of voluntary payment, within the period permitted to do so.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202206805 RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTEER From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On June 22, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against VODAFONE SPAIN, S.A.U. (hereinafter, the claimed party), through the Agreement that is transcribes: << File No.: EXP202206805 AGREEMENT TO START SANCTIONING PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following: FACTS FIRST: A.A.A. (hereinafter, the complaining party) dated May 23, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (in hereinafter, the claimed party or Vodafone). The grounds on which the claim is based are the following: The complaining party states that on February 27, 2022, a third party without its consent, requested Vodafone through customer service for a duplicate of your SIM card. Later, when he realized that he had lost his line, he went to a check-in point. sale of Vodafone and there they confirmed that a third person had requested a new SIM card. Relevant documentation provided by the complaining party: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/13 • Copy of contract to expand telephone services signed in the name of the claimant in which the contact telephone number appears as ***TELEPHONE.1. In The contract includes the current account ***ACCOUNT.1. • Copy of the complaint filed with the Police and its respective extensions (on February 28, 2022 and March 1 and 24, 2022) together with the bank account movements. The complaint states that they have scammed XXXX € and provides the bank account of which he is the owner (***ACCOUNT.2). • Invoice relating to the duplicate (dated March 15, 2022). The claimant states that the concept “Proof of card replacement management fees” Billed SIM” has been charged twice (on February 27 and 28), • Copy of the claim documents, dated May 3, 2022, addressed to the customer service and data protection officer • Accreditation of the sending of the claim addressed to customer service and Copy of the response email received on May 14, 2022. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. On August 8, 2022, this Agency received a response letter indicating: <<that the claimed incident is currently resolved. In this sense, it has been verified that the duplicate SIM card on the mobile line ***TELEFONO.1 not recognized by the claimant was declared fraudulent on the 28th February 2022 by Vodafone's fraud department. Due As a result of the above, the fraudulent SIM card was blocked, subsequently issuing a new SIM card, and the claimant was reimbursed the amount of YY,Y€ for the SIM card replacement management costs included in the claimant's invoice. Likewise, the victim check was activated fraud to prevent similar incidents from occurring in the future>>. THIRD: In accordance with article 65 of the LOPDGDD, when presented before the Spanish Data Protection Agency (hereinafter, AEPD) a claim, it must evaluate its admissibility for processing, and must notify the complaining party the decision on the admission or non-admission for processing, within the period of three months since the claim was submitted to this Agency. If, after this period, said notification does not occur, it will be understood that The processing of the claim continues in accordance with the provisions of Title VIII of the law. This provision also applies to the procedures that the AEPD had to be processed in the exercise of the powers attributed to it by other laws. In this case, taking into account the above and that the claim was presented to this Agency, on May 23, 2022, it is communicated C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/13 that your claim has been admitted for processing on August 23 of the same year as three months have passed since it was entered into the AEPD. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: Result of the research actions: • The SIM card change was carried out through customer service, on 27 February 2022, and appears on Vodafone's screens "at the customer's request." • The SIM change was made by calling the call center from Norwegian numbering (+474). • On the associated screens there is a note regarding NOT LISTENING LLA WITH HIDDEN. Activate SIM ***PHONE.1 on 02/27/2022 • The duplicate SIM card on the mobile line ***TELEFONO.1 was declared as fraud on February 28, 2022 by Vodafone fraud department, proceeding to block the fraudulent SIM card, subsequently issuing a new SIM card. A fraud victim check was activated, including on the Customer Service screens Client “Do not provide information, when making modifications, product activation, orders, etc., if the client calls from lines other than those contracted in Vodafone, call hiding and international origin. Must be consulted and followed always the security policy.” • Vodafone does not have telephone recording since the call was not recorded. • The identity of the applicant is done following the guidelines described in the Policy of Security for Contracting of Individuals. Vodafone states that, since March 14, 2012, it has acted following the Security Policy for the Hiring of Individuals, which is gone progressively updating, and, in the case at hand, the modification was implemented on January 4, 2022. In the Policy provided by Vodafone, in the response to the transfer of the claim, no express reference is made to the steps and/or actions to be follow in case of telephone request to change and/or send SIM. However, it states that it will be verified prior to the management of the change of SIM that there has not been a change of address in the last month and that have requested previous SIM card shipments. Furthermore, he states that if the requester does not call from the same number on which the change is managed, the will request the telephone number associated with the SIM (“MSISDN”) along with the password. access from Customer Service or ID. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/13 FIFTH: According to the report collected from the AXESOR tool, the entity VODAFONE ESPAÑA, S.A.U. is a large company established in 1994, and with a business volume of 2,928,817,000 euros in 2022. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of the RGPD grants to each authority of control and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, The Director of the Agency is competent to initiate and resolve this procedure. Spanish Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II Unfulfilled Obligation Well, the defendant is accused of committing an infraction due to violation of the Article 6 of the GDPR, “Legality of processing”, which states in section 1 the Cases in which the processing of third-party data is considered lawful: "1. Treatment will only be legal if at least one of the following is met conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect vital interests of the interested party or another Physical person; e) the processing is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that regarding said interests do not prevail over the interests or fundamental rights and freedoms of the interested party requiring the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph will not be C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/13 application to the processing carried out by public authorities in the exercise of their functions.” In the present case, it is proven that a third party on February 27, 2022 requested through a phone call to the Vodafone customer service center a duplicate of the SIM card of the complaining party, a duplicate that was provided to him, Therefore, said third party had access to your bank details and carried out various non-consensual operations, using the authentication SMS received, thus confirming them. So that the data processing carried out by the claimant could be based on Some of the legitimizing circumstances of the treatment would require that, in its status as data controller, could prove that the owner of the data treaties was actually the one who facilitated them. However, the defendant did not provide her response to the prior information request. to the admission for processing of this claim, no document or evidentiary element that proves the legal basis of the treatment carried out. Thus, in the response to the information request from the AEPD dated August 8, 2022, the defendant alleged <<It has been verified that the duplicate SIM card on The mobile line ***TELEFONO.1 not recognized by the claimant was declared as fraudulent on February 28, 2022 by Vodafone's fraud department. As a result of the above, the fraudulent SIM card was blocked, issuing subsequently a new SIM card, and the claimant was reimbursed for the amount of YY,Y€ for SIM card replacement management costs included in the claimant's invoice. Likewise, the check of victim of fraud to prevent similar incidents from occurring in the future>>. In line with what was stated above, Vodafone, recognizes in its letter dated October 28, 2022 that the duplicate SIM was fraudulent. Although politics provides security, does not clarify how it was proceeded in this case, nor does it have documentation or recordings. In addition, the call to request the duplicate was made from Norway and using a hidden number, so it was not possible to verify who requested the SIM. In short, in the case analyzed, the diligence used by part of the claimed to identify the person who requested the duplicate of the SIM card. In any case, the procedure implemented by the claimed party was not followed, since, If it had been done, it should have been denied. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/13 In view of the above, Vodafone cannot prove that this was followed. procedure and consequently there was illicit processing of the personal data of the complaining party, thereby contravening article 6 of the GDPR. In this sense, Recital 40 of the GDPR states: “(40) For the processing to be lawful, personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance a Law, whether in this Regulation or under other Union law or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the person responsible for the treatment or the need to execute a contract to which the interested party is a party or for the purpose of take measures at the request of the interested party prior to the conclusion of a contract." III Classification and classification of the offense The infringement is classified in article 83.5 of the RGPD, which considers as such: "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: a) The basic principles for treatment, including the conditions for treatment consent in accordance with articles 5,6,7 and 9.” The LOPDGD, for the purposes of the prescription of the infringement, qualifies in its article 72.1 of very serious infringement, in this case the limitation period being three years, “b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679”. IV Sanction proposal The determination of the sanction that should be imposed in the present case requires observe the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively, they provide the following: "1. Each supervisory authority will ensure that the imposition of fines administrative sanctions under this article for violations of this Regulations indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.” "2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/13 Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, given account of the technical or organizational measures that have been applied under the articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or certification mechanisms approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through infringement.” Within this section, the LOPDGDD contemplates in its article 76, entitled “Sanctions and corrective measures”: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/13 b) The linking of the offender's activity with the performance of medical treatments. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which disputes exist between them and any interested party. 3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679.” In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, for the purposes of setting the amount of the fine sanction impose the claimed entity as responsible for an infraction classified in the article 83.5.a) of the RGPD and 72.1 b) of the LOPDGDD, in an initial assessment, The following factors are considered concurrent in the present case: As aggravating factors: - The circumstance of article 83.2.e) RGPD: “Any previous infraction committed by the responsible or the person in charge of the treatment”. Recital 148 of the GDPR states “In order to strengthen the application of the rules of this Regulation [...]” and indicates in this regard that “It must, however, Special attention should be paid to the nature, severity and duration of the infringement, its intentional character [...] or to any pertinent infringement [...]”. Thus, in accordance with section e) of article 83.2. GDPR, in determining the amount of the administrative fine sanction cannot fail to be valued all those previous infractions of the person responsible or of the person in charge of treatment in in order to gauge the illegality of the analyzed behavior or the guilt of the subject offender. Furthermore, a correct interpretation of the provision of article 83.2.e) RGPD does not can ignore the purpose pursued by the rule: to decide the amount of the sanction of administrative fine in the individual case raised, always taking into account that the sanction is proportional, effective and dissuasive. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/13 The allegedly infringing conduct consisted of the processing of personal data without legitimation - fraudulent duplicate SIM - did not act diligently in the compliance with its obligation to ensure that personal data that deals with respect the principle of legality. Therefore, the omission of the appropriate diligence, aimed at the identification of the person who provided personal data of which they were not the owner as their own, allowed identity fraud and determined that the processing of personal data of the claimant made by the defendant lacked legal basis under the article 5.1.a) in relation to article 6.1. GDPR. There are numerous sanctioning procedures processed by the AEPD in which the defendant did not act with the required diligence, since it did not apply the necessary measures and appropriate to verify the identity of the contracting party or the third party that provided as your data of which you were not the owner. The procedures and sanctions in them were imposed to graduate the sanction that must be imposed for the violation of the article 6.1. GDPR that is attributed to you in this opening agreement. Reason why the defendant's history of violations, in which there was a significant omission of the necessary diligence to verify the identity of the person provided the personal data of a third party as his own, affects the guilt and illegality of the conduct assessed here. As an example, the resolutions issued by the AEPD are cited in the following sanctioning procedures processed against the defendant: i.EXP 202204287 Resolution issued on October 24, 2022 in which it was imposed a fine of 70,000 euros. The facts concerned a duplicate of the card Fraudulent SIM without legitimation. Vodafone took advantage of one of the two planned reductions. ii.EXP202103028. Resolution issued on November 29, 2022 in which it was imposed a fine of 70,000 euros. The facts concerned a duplicate of the card Fraudulent SIM without legitimation. Vodafone took advantage of one of the two reductions planned. iii.EXP202203914 Resolution issued on October 24, 2022 in which it was imposed a fine of 70,000 euros. The facts concerned a duplicate of the card Fraudulent SIM without legitimation. Vodafone took advantage of one of the two reductions planned. - The evident link between the business activity of the defendant and the processing of personal data of clients or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b, of the LOPDGDD). The Judgment of the National Court of 10/17/2007 (rec. 63/2006), in which, regarding entities whose activity involves continuous data processing of clients, indicates that “…the Supreme Court has been understanding that there is recklessness whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or otherwise of the subject must be especially considered, and not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/13 There is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of personal data, it must be insisted on the rigor and exquisite care to comply with the legal preventions in this regard.” As mitigating factors: The claimed party proceeded to resolve the incident that was the subject of the claim in a manner effective (art. 83.2 c). It is necessary to graduate the sanction to be imposed on the person complained of and set it at the amount of 100,000 € for the alleged violation of article 6.1) typified in article 83.5.a) of the cited GDPR. Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection. HE REMEMBERS: FIRST: START SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U. with NIF A80907397, for the alleged violation of article 6.1) typified in the article 83.5.a) of the aforementioned RGPD. SECOND: APPOINT R.R.R. as instructor. and as secretary to S.S.S., indicating that any of them may be challenged, if applicable, in accordance with the provisions in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the General Subdirectorate of Data Inspection. FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be for the violation of article 6.1 of the RGPD, typified in article 83.5 a) of the RGPD, the corresponding sanction would be a fine in the amount of 100,000 euros (one hundred thousand euros) without prejudice to what may result of the instruction. FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with NIF A80907397 granting him a hearing period of ten business days to formulate the allegations and present the evidence that you consider appropriate. In his writing of allegations must provide your NIF and the procedure number that appears in the heading of this document. If within the stipulated period you do not make allegations to this initial agreement, the same may be considered a proposal for a resolution, as established in the article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed was a fine, may recognize his responsibility within the period granted for the formulation of allegations to this initiation agreement; it which will entail a reduction of 20% for the penalty that must be imposed C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/13 in the present procedure, equivalent in this case to twenty thousand euros (€20,000). With the application of this reduction, the amount of the penalty would be established at eighty thousand euros (€80,000), resolving the procedure with the imposition of this sanction. Likewise, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, in accordance with the provisions of article 85.2 LPACAP, which will mean a reduction of 20% of the amount, equivalent in this case to twenty thousand euros (€20,000), for the alleged infraction. With the application of this reduction, the The amount of the penalty would be established at eighty thousand euros (€80,000) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for the voluntary payment of the penalty is cumulative with that corresponding apply for recognition of responsibility, provided that this recognition of the responsibility becomes evident within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if both reductions were to be applied, the amount of the penalty would remain established at sixty thousand euros (€60,000). In any case, the effectiveness of any of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any action or appeal pending. administrative against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above, 80,000 euros or 60,000 euros, you must make it effective by depositing it into account number ES00 0000 0000 0000 0000 0000 open to name of the Spanish Data Protection Agency at CAIXABANK Bank, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which welcomes Likewise, you must send proof of income to the General Subdirectorate of Inspection to continue the procedure in accordance with the quantity entered. The procedure will have a maximum duration of twelve months from the date of the initiation agreement. After this period, its expiration will occur and, in consequently, the archive of actions; in accordance with the provisions of the article 64 of the LOPDGDD. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. Sea Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On July 20, 2023, the claimed party has proceeded to pay the penalty in the amount of 80,000 euros making use of one of the two reductions C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/13 provided for in the Initiation Agreement transcribed above. Therefore, it has not been left accredited recognition of responsibility. THIRD: The payment made entails the waiver of any action or resource pending. administrative against the sanction, in relation to the facts referred to in the Startup Agreement. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), under the heading “Termination in sanctioning procedures” provides the following: "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or a penalty can be imposed pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged responsible, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the initiation notification. of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/13 The reduction percentage provided for in this section may be increased “regularly.” According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202206805, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 937-181022 Sea Spain Martí Director of the Spanish Data Protection Agency