AEPD (Spain) - PS/00155/2021
AEPD (Spain) - R/00389/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 58(1) GDPR Article 83(5)(e) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 20.05.2021 |
Published: | 25.05.2021 |
Fine: | 5000 EUR |
Parties: | VODAFONE ESPAÑA, S.A.U. |
National Case Number/Name: | R/00389/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined Vodafone €5000 (reduced to €3000) for hindering its functions during an investigation, as Vodafone did not comply with an order to provide information to the DPA.
English Summary
Facts
The Spanish DPA (AEPD) launched an investigation on Vodafone, following a complaint lodged by a data subject. The AEPD then started a sanctioning proceeding against Vodafone, and in the framework of their powers, granted by Article 58(1) GDPR, asked Vodafone for information regarding the case.
The AEPD, however, did not receive any response from Vodafone.
Holding
The AEPD considered this behaviour as a hindering of their functions, and therefore decided to sanction Vodafone in accordance with Article 83(5)(e) GDPR, for the non-compliance with an order pursuant to Article 58(1) GDPR.
For this infringement, the AEPD fined Vodafone €5000, that were reduced to €3000 for early payment and acknowledgement of responsibility.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 Procedure No.: PS / 00155/2021 RESOLUTION R / 00389/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY In the sanctioning procedure PS / 00155/2021, instructed by the Spanish Agency for Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed by A.A.A., and based on the following, BACKGROUND FIRST: On April 16, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against VODAFONE SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure No.: PS / 00155/2021 AGREEMENT TO START THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection, and in based on the following FACTS FIRST: On September 24, 2020, you entered this Agency Española de Protección de Datos a brief presented by A.A.A. (hereinafter referred to as the claimant), through which he makes a claim against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, the claimed one). SECOND: In view of the above, there are indications of a possible non-compliance with the provisions of Regulation (EU) 2016/679 (General Regulation C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/10 of Data Protection, hereinafter RGPD), which has motivated the opening of the file E / 08771/2020. In accordance with the provisions of article 65 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (Hereinafter LOPDGDD), the claim was transferred to the person in charge or the Delegate of Data Protection that in your case you have designated, requiring you to send to this Agency the information and documentation that was requested. This requirement information was not answered in time. The claim was accepted for processing with Date January 5, 2021. THIRD: The Subdirectorate General for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in question, by virtue of the powers of investigation granted to the authorities of control in article 57.1 of the RGPD, and in accordance with the provisions of Title VII, Chapter I, Second Section, of the aforementioned LOPDGDD. In the framework of the investigative actions, E / 00035/2021 was referred to the defendant a request for information, related to the claim outlined in section First, so that within ten business days, the information and documentation indicated therein. The request was registered departure on February 4, 2021 with number O00007128s2100006950. FOURTH: The request for information, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), was collected by the responsible dated February 8, 2021, as stated in the Notific @ certificate that is in the file. FIFTH: Regarding the required information, the person in charge has not sent any response to this Spanish Data Protection Agency. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/10 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and solve this procedure. II In accordance with the evidence available at the present time of agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the defendant has not sought the Spanish Agency for Data Protection the information you required. With the aforementioned conduct of the defendant, the investigative power that the article 58.1 of the RGPD confers on the control authorities, in this case, the AEPD, has been seen hampered. Therefore, the events described in the "Facts" section are deemed to constitute an infringement, attributable to the defendant, for violation of article 58.1 of the RGPD, which provides that each supervisory authority shall have, among its powers of investigation: “A) order the controller and the person in charge of the treatment and, where appropriate, the representative of the person in charge or the person in charge, who provide any information required for the performance of their duties; b) carry out investigations in the form of data protection audits; c) carry out a review of the certifications issued under article 42, paragraph 7; d) notify the person in charge or the person in charge of the treatment of the alleged infractions of this Regulation; e) obtain from the person in charge and in charge of the treatment access to all personal data and to all information necessary for the exercise of their functions; f) get access to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/10 all the premises of the controller and the processor, including any equipment and means of data processing, in accordance with the Procedural law of the Union or of the Member States. " III In accordance with the evidence available at the present time of agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the facts presented could constitute a infringement, attributable to the defendant. This offense is typified in article 83.5.e) of the RGPD, which considers as such: “no facilitate access in breach of article 58, paragraph 1 ”. The same article establishes that this offense can be punished with a fine. of twenty million euros (€ 20,000,000) or, in the case of a company, of an amount equivalent to four percent (4%) at most of the total annual global business volume of the previous financial year, opting for the of greater amount. For the purposes of the statute of limitations for infractions, the alleged infraction prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as the following conduct is very serious: “Ñ) Do not facilitate the access of the personnel of the data protection authority competent to personal data, information, premises, equipment and means of treatment that are required by the data protection authority for the exercise of its investigative powers. o) The resistance or obstruction of the exercise of the inspection function by the competent data protection authority. " IV C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/10 Based on the facts presented, without prejudice to what results from the instruction of the procedure, it is considered that it is appropriate to impute the defendant for the violation of article 58.1 of the RGPD typified in article 83.5 e) of the RGPD. The sanction that it would be appropriate to impose an administrative fine. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. On Consequently, the sanction to be imposed should be graduated in accordance with the criteria established in article 83.2 of the RGPD, and with the provisions of article 76 of the LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD. V Finally, the sanction to be imposed should be graduated in accordance with the criteria that establishes article 83.2 of the RGPD, and with the provisions of article 76 of the LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD. In the initial assessment, it is appreciated that no mitigating agent is applicable and have considered, as aggravating, the following facts: - Art. 83.2 b) RGPD: intentionality or negligence in the infringement. It is about of a company that is not newly created and should have procedures established for the fulfillment of the obligations that contemplates the data protection regulations, among them, to respond to the requirements of the supervisory authority. - Art. 83.2 k) RGPD: any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement. The claim refers to the particular case of a person, but the data processing to which it refers, can potentially affect a very high number of clients of the responsible entity or users of the service provided by the responsible entity. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/10 Therefore, based on the foregoing, By the Director of the Spanish Data Protection Agency, HE REMEMBERS: FIRST: INITIATE SANCTIONING PROCEDURE for VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the violation of article 58.1 of the RGPD, typified in the art. 83. 5 e) of the aforementioned RGPD. SECOND: APPOINT R.R.R. as instructor. and, as secretary, S.S.S., indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Public Sector Legal (LRJSP). THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the information requirements issued by the Subdirectorate General for Inspection of Data in the framework of the files with reference code E / 08771/2020 and E / 00035/2021; and the accreditation of having practiced its notification. FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the The penalty that may correspond would be 5,000.00 euros, without prejudice to what result of the instruction. FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting you a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In his writing of allegations, you must provide your NIF and the procedure number that appears in the heading of this document. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/10 If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of the LPACAP. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; which will entail a reduction of 20% of the sanction that should be imposed in the present procedure. With the application of this reduction, the penalty would be set at 4,000.00 euros, resolving the procedure with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 4,000.00 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the preceding paragraph, it may be done at any time prior to the resolution. On In this case, if both reductions should be applied, the amount of the penalty would be established at 3,000.00 euros. In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts indicated above (4,000.00 euros or 3,000.00 euros), you must make it effective C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/10 by entering the account number ES00 0000 0000 0000 0000 0000 open to name of the Spanish Agency for Data Protection in the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure listed in the heading of this document and the cause of reduction of the amount to which it is accepted. Likewise, you must send the proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. 972-070421 Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On May 17, 2021, the defendant has proceeded to pay the sanction in the amount of 3000 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts to which the Initiation Agreement refers. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/10 Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or to the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% on the amount of the proposed sanction, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditional on the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00155/2021, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/10 day following notification of this act, as provided in article 46.1 of the referred Law. 936-031219 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es