AEPD (Spain) - PS/00114/2019
AEPD - PS/00114/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 55.000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00114/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | aepd.es (in ES) |
Initial Contributor: | Pablo Rossi |
AEPD fined telecoms company Telefonica EUR 55,000 for a breach of Article 6(1) GDPR. Personal data of the claimant were processed without her consent due to an identity theft. This resulted in the charge of four uncontracted phone line bills.
English Summary
Facts
The complainant stated that Telefonica registered several telephone lines in her name that she never contracted, charging from her bank account several bills related to these lines. The complainant also stated that she tried to contact the telecoms company several times, without being able to obtain the recording from which the telephone lines in question were contracted.
Telefonica, on its side, provided the AEPD with a recording in which a person identifies himself with the name, two surnames and ID number of the claimant, subsequently giving his consent to the hiring of the aforementioned telephone lines. However, no verification of the bank account number to which the telephone lines were to be charged can be heard on this recording.
Dispute
Despite the existence of identity theft by a third party, did Telefonica operate with the due diligence required to controllers by Article 6.1 of the GDPR?
Holding
AEPD considered that Telefonica, despite having provided a recording in which a person who identifies himself with the personal data of the claimant and gives consent to the hiring of the telephone lines in dispute, did not act with due diligence. The mobile line with which the third party fraudulently contracted the telephone lines was not owned by the claimant, so the telephone company should have made more verifications before charging the bills. In the recording, it was not verified which specific phone lines were being contracted, nor which bank account was going to be charged. The data processing was therefore carried out in breach of Article 6 (1) of the GDPR, as the consent obtained was not valid.
The scope of the unlawful processing (affecting several personal data), the evident link between Telefonica's professional activity and the processing of customers' personal data and the continued nature of the infringement were considered aggravating circumstances.
In view of the above, the amount of the fine for infringement of Article 6.1 of the GDPR was set at EUR 55,000.
Comment
This decision was appealed by Telefónica by means of an internal administrative appeal (RR/00344/2020) dated July 31st, 2020, in which the appellant declared that the AEPD did not take into account the pleadings document submitted by Telefónica three days before the AEPD decision was published (still in good time regarding the period for submitting pleadings). In that pleadings document, Telefónica offered to accept the voluntary payment of the first amount proposed by the AEPD (44,000€) and required the AEPD to close the sanctioning procedure, but the AEPD did not see such document until the decision was published. Accordingly, the AEPD has partially accepted the internal administrative appeal by Telefónica, with the consequent reduction to 44,000€ of the fine and the declaration of the sanctioning procedure as finished.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure Nº: PS / 00114/2019 938-300320 RESOLUTION OF PENALTY PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: On 06/22/2018 a letter from Ms AAA (hereinafter, the claimant) has entered the Spanish Agency for Data Protection (AEPD) stating that “MOVISTAR”, the trade name under which They operate TELEFÓNICA MÓVILES ESPAÑA, SAU, and TELEFÓNICA DE ESPAÑA, SAU, has processed her personal data -name, two surnames, NIF and bank details- without her consent, since she has registered three telephone lines in her name that she denies having contracted. and he has passed three invoices in his bank account. He states that he filed a claim with MOVISTAR for these events, made it known to her that she had not made any contract and managed to have the “telephone numbers on April 27, 2018” removed, although, despite this, they have followed him going to the collection of new invoices in your bank account. She adds that the hiring was by telephone and that MOVISTAR has refused to provide her with the recording of the hiring that she allegedly had carried out. Provides a copy of the complaint that you filed with the Police (Office of Complaints- *** LOCALITY. 1) on 04/25/2018 in which he makes these declarations: - That in a bank account of which he is the owner in the entity CAIXABANK, (number ended in the digits *** DIGITS. 1) he was charged with the following MOVISTAR invoices: (i) Invoice *** INVOICE. 1, of 01 / 03/2018, for an amount of 83.91 euros. (ii) Invoice *** INVOICE. 2 of 04/01/2018, for an amount of 71.72 euros. - That when he makes a telephone claim with the company, they inform him that in January a telephone contract was made for the product "MOVISTAR FUSIÓN" associated with the line numbers *** TELEPHONE.1, *** PHONE. 2 and *** PHONE. 3. - That the operator had confirmed that the hiring was carried out by another person "named BBB, who claimed to be her husband, as can be heard in the recording they keep on the hiring and that the telemarketer stated." - "That precisely the complainant has been divorced for more than ten years, casually calling herself her ex-husband BBB" On 06/11/2018, the claimant filed a new complaint with the Police (Complaints Office- *** LOCATION. 1), an extension of the previous one, in which she states that, despite having withdrawn on 04/27 / 2018 the fraudulent lines, has received a new invoice from MOVISTAR, dated 06/01/2018, detailing the consumption made by the referred lines in the period between 04/18/2018 and 05/17/2018, invoice *** INVOICE. 3. Attach a copy of the following invoices for the “Fusion” product, bearing the anagram of MOVISTAR and the indication TELEFÓNICA DE ESPAÑA, SAU (hereinafter TDE or the one claimed): 1.- *** INVOICE. 1, issued on 03/01/2018. It contains the name of the claimant, as the holder of the contract and as the recipient of the invoice, and its NIF *** NIF.1 (of which you provide a copy). The contracted services are a fixed line (*** TELEPHONE.1) and the mobile line *** TELEPHONE.2. 2.- *** INVOICE. 2 of 04/01/2018, with identical data 3.- *** INVOICE. 4, from 01/05/2018, with identical data 4.- *** INVOICE. 3, from 06/01/2018, with identical data. SECOND: In view of the facts exposed, the AEPD carried out the following actions: A.- In the scope of the reference file E / 4627/2018, the AEPD, by letter dated 08/16/2018, sent TELEFÓNICA MÓVILES ESPAÑA, SAU, (TME) a copy of the claim and requested explanations on their actions in relation to the facts claimed. The notification, through the notific @ application , was accepted by this operator on 08/20/2018. TME responded to the request for information -in the framework of E / 4627 / 2018- on 09/10/2018 stating as "prior matter" the following: "It is interesting to show that the claim of Mrs. ... is directed to movistar which is the trade name of TME and Telefónica de España, SAU, hereinafter TDE, the latter being the one that provides the telecommunications service to which it is the aforementioned claim refers. ”(The underline is from the AEPD) TME made the statements and provided the documents that are detailed: - That he has sent a letter to the claimant in response to the claim that she has made before the AEPD and that has been definitively resolved. Accompany, as Annex 1, a copy of the letter that you sent to the claimant, dated 09/06/2018, signed by the DPD Office, with the following text: << (...) we answer the claim presented by you before the Spanish Agency for Data Protection ... (...) we inform you that a response has been given to the AEPD specifying the causes that have motivated the incident that led to your claim as well As the details of the measures adopted ... (...) inform you that given the special circumstances that have arisen in the case, my representative has proceeded to cancel all the invoices issued in relation to the lines whose removal was processed, leaving the issue definitely solved >>. That it acknowledges that the claimant requested on 04/25/2018 the removal of lines *** TELEPHONE.1, *** TELEPHONE.2 and *** TELEPHONE.3, regarding to which the Movistar Fusión service had been contracted and that, in addition to its withdrawal request, the claimant submitted a claim to which the respondent replied by letter, the copy of which it provides, integrated in the documents in Annex 2. They are part of the Annex 2 that the defendant sends the following documents to the AEPD: (i) A letter that the claimant addressed to MOVISTAR, signed on 06/11/2018, detailing that she was a client of MOVISTAR durin many years and unsubscribed in November 2017. That in January 2018 "someone impersonated my identity and Movistar continued to pay me installments in my bank account". That, after speaking with several operators of that company, he managed to unsubscribe the numbers on April 27, 2018 “And I informed him that I had not made that contract. Contract that was made by telephone recording ”. That MOVISTAR refuses to deliver a copy of the recording of the contract. Request a refund of the amounts collected. (ii) The copy of the complaint that the claimant filed at the Police Station on 04/25/2018 and the expansionary complaints of the previous one, dated 04/05/2018 and 06/11/2018. (iii) Copy of a letter that MOVISTAR sends to the claimant, dated 07/13/2018, linked to the telephone number *** TELEPHONE.1, of which we reproduce these fragments: <<… we indicate that we have reviewed your case in detail , indicating that we have taken the appropriate steps, in order to cancel the existing debt corresponding to the lines *** TELEPHONE.1, *** TELEPHONE.2 and *** PHONE. 3. >> - It adds that all the invoices that were issued in relation to the three aforementioned lines were canceled; that none were paid, so there is no refund to the claimant of any amount, and that her personal data was not communicated to capital solvency files. B.- On 13/12/2018 - within the framework of the reference file E / 10190 / 2018- investigative actions are carried out directed at TELEFÓNICA DE ESPAÑA, SAU (TDE or the claimed) On dates 12/21/2018 and 01/21/2019 the defendant has submitted the following information regarding the services contracted on behalf of the complainant: 1. According to the information in their systems, the telephone lines *** TELEPHONE.1, *** TELEPHONE.2 and *** TELEPHONE.3, whose services are marketed through the "Fusion" service, were registered. on behalf of the claimant on dates 22/01/2018 the first and on 14/01/2018 the last two. They were removed with dates 01/05/2018 (the first) and 25/04/2018, the last two. 2. They provide a copy of the contacts that appear in their files associated with the complainant, where they include the following: 2.1. Under the indication "Subject information", "Sales-Contracting typification ... Hera plus web", "Type of order management", this annotation is included in the observations section: “Emergia canarias b.alta of fixed destination fusion + soccer with mobile phone holder *** PHONE. 2 and additional high *** PHONE. 3. Grab *** RECORDING. 1(…) ” (The underline is from the AEPD) . Under the indication "General Contact Information *** CONTACT. 1” The client number “*** CLIENT No. 1”, the start and end date of the contact, in both cases on 04/23/2018 at 14.47.26 and 14.58.19, respectively; the indication of the telephone channel and in the observations section this annotation: “You request to be removed for identity theft, but you do not provide the number to unsubscribe. You I refer to store. I provide portability code for the delivery of the equipment in store " (The underline is from the AEPD) 1. Provides a printed copy of a document with the heading “Claim file”. Under the heading "Identification of the claim" is the claim number "*** CLAIM.1"; as "Typology" "Billing"; as "date of receipt" on "07/12/2018"; as "Target date" on "07/19/2018"; as "Bonus amount" "171.29"; as "Status of the claim", "estimated" and in the section "Confirmation of the payment order", "yes". 2. A recording is provided regarding the contracting of merger services on behalf of the claimant. In it, the company's interlocutor informs of the date -January 14, 2018- and asks for the name and surname. A voice is heard, distant and with sound in echo, which provides as identifying data the name and surname of the claimant. The company's interlocutor requests the DNI number and the contractor provides the number of the document that the claimant owns. The interlocutor of the company informs him that he has contracted the "Fusion" service. She asks if the fee is transferred to the bank account that she has provided, to which the contractor responds affirmatively. THIRD: The facts set forth in the complaint are subject to the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, relating to the Protection of Natural Persons with regard to the Treatment of Personal Data and the Free Circulation of these Data (RGPD), which is effective from 05/25/2018. It is not an obstacle to the application of the RGPD that the allegedly infringing conduct had been initiated when Organic Law 15/1999, on the Protection of Personal Data (LOPD) was in force. In this sense, it must be indicated, on the one hand, that the claimant has stated - and the defendant has confirmed it in her response to the request of this Agency, in file E / 4627/2018, dated 09/10/2018 - that he requested the claimed on 04/25/2018 the withdrawal of the telephone lines that had been registered in his name integrated in the product "FUSIÓN". On the other hand, that among the invoices that the defendant issued in the name of the complainant is one of 06/01/2018 (when the RGPD was already effective), invoice *** INVOICE. 3, for the service provided by both the fixed line as by mobile line *** PHONE. 2. With the same argumentative purpose, it is worth mentioning that on 07/13/2018, the defendant addressed a letter to the claimant, informing her that she had made the "appropriate steps to cancel the existing debt corresponding to the lines *** TELEPHONE .1, *** TELEPHONE.2 and *** TELEPHONE.3 ”. The aforementioned documents show that when Regulation (EU) 2016/679 was effectively applied (on 05/25/2018), the defendant continued to process the claimant's personal data without legitimation, associated with a debt to which the claimant was external derived, among others, from the services provided by the mobile line *** TELEPHONE. 2. Although the defendant began the treatment of the claimant's personal data in January 2018 (date on which the three controversial lines were registered associated with her personal data), therefore, when the LOPD was still in force, the conduct in which specifies the violation of the personal data protection regulations has been maintained over time until, at least, the beginning of July 2018, since, as recognized in the letter of July 13, this is when it is appropriate to cancel the amounts that had been invoiced to the claimant for the lines that registered her name, which included, as indicated, the mobile line *** TELEPHONE. 2. The infringement for which the claimed party is responsible participates of the nature of the so-called permanent infringements, in which the consummation is projected in time beyond the initial fact and extends throughout the period of time in which the data or personal data are subject to treatment. So, although on the date in which the offending conduct was initiated, the applicable rule was the LOPD, the applicable rule is the one in force when the offense is consummated. The Supreme Court has ruled on the rule that should be applied in those cases in which the offenses are prolonged in time and there has been a regulatory change while the offense is committed. The STS of 04/17/2002 (Rec. 466/2000) applied a provision that was not in force at the initial moment of commission of the infringement, but was effective in the subsequent ones in which the infringing conduct continued. The Judgment examined an assumption that dealt with the sanction imposed on a Judge for breach of her duty to abstain from Preliminary Proceedings. The sanctioned alleged the non-validity of article 417.8 of the LOPJ when the events occurred. The STS considered that the infraction had been committed from the date of the initiation of the Preliminary Proceedings until the moment when the Judge was suspended in the exercise of her functions, so that this rule did apply. The SAN is pronounced in the same sense on 09/16/2008 (Rec. 488/2006) FOURTH:On July 29, 2019, the Director of the Spanish Agency for Data Protection agreed to initiate sanction proceedings against TELEFÓNICA DE ESPAÑA, SAU, (hereinafter TDE or the one claimed), in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 6.1. of the RGPD, typified in article 83.5 of the RGPD. FIFTH:Once the initiation agreement has been notified, on 08/26/2019 the requested party submits allegations and requests that the sanctioning procedure be filed due to the absence of liability. In support of its claim, it adduces the following arguments: - It begins by stating that there are a series of circumstances that justify that TDE had processed the claimant's data linked to the line *** PHONE. 2. The circumstances described by the claimed are transcribed: “On January 14, 2018, BBB (holder of the numbering *** PHONE. 2) requests the portability of the line to Movistar, in order to integrate the line in the Merger contract, a recording of the portability verification is provided, the line is installed in Movistar in a pre-merger contract waiting to complete the procedures. On the same date Ms AAA [the claimant] contacts the company to formalize the Merger Contract of the lines *** PHONE.1, *** PHONE.2 and *** PHONE.3 (including the reference line) On February 8, 2018, under DBBB's verbal mandate and on behalf and authorization of its wife [name of the claimant] with DNI [the claimant's DNI], request the change of bank details ” (The underline is from the AEPD). - The scanned email sent on 08/23/2019 to the AEPD Inspection Branch includes this message: "... in relation to the sanctioning file PS / 00114/2019 is provided as proof of consent of the steps taken on the lines ***TELEPHONE 1, *** TELEPHONE. 2 and *** TELEPHONE. 3 on behalf from [the complainant]. Line Verifier Recording *** PHONE.2 The following voice recordings are attached. Recording of the Merger contract *** TELEPHONE.1, *** TELEPHONE.2 and *** PHONE. 3. Recording of change of bank account of the Merger contract ”. - He claims that the charges in the claimant's bank account began to be generated from the moment in which DBBB (hereinafter DBBB or the impersonator) makes the change of domicile "supposedly under the verbal command of his wife". - It invokes the "appearance of legitimacy with which it acted" TDE since the data provided by the impersonator were truthful and there was an appearance that it was the claimant who gave consent. - With regard to the evidence of the complainant's consent, the burden that corresponds to the entity claimed, states that “As is obvious, and as follows from what is stated in the file, it is impossible for my representative to prove the complainant's consent without the existence of the recording, but it can be proven through the existence of the payment of invoices and actions on the line that only as owner can carry out ”. - Insists on the non-existence of a violation of article 6.1. RGPD and adds that "proof that TDE has acted in accordance with the standard" is "the deception used and the usurpation of data by the impersonator". - It invokes the principle of presumption of innocence, given that the impersonator identified himself before TDE as the husband of the claimant and correctly provided him with all the identifying information requested (name, surname and ID). She argues that any sanctioning resolution requires certainty. of the imputed facts and the certainty of the guilty judgment and that the latter does not concur. Therefore, it concludes that it is neither appropriate to impose any sanction, nor was it appropriate, under the circumstances, to open this sanctioning file. SIXTH: On 06/11/2020 a trial period is opened in which it is agreed to practice the following evidentiary procedures: To consider the claim submitted and the documentation attached to it as reproduced; the documents and statements obtained both in the process of requesting information prior to admitting the claim, which was requested from TELEFÓNICA MÓVILES, SAU, and TELEFÓNICA DE ESPAÑA, SAU (TDE), as well as those obtained by virtue of the disclosure requirement that the Data Inspection made TDE and the Report of previous Inspection actions. Documents all of which make up, respectively, E / 4627/2018 and E / 10190/2018. Likewise, the allegations to the initiation agreement PS / 00114/2019 presented by TDE and the accompanying documentation were considered reproduced. The respondent was asked to provide the following documents to the procedure: “3.1.- The sound recording - audible - of the conversation held between that entity and DBBB on 02/08/2018 in which - according to what TDE has declared - that person,“ in the name and authorization of his wife Ms. [ the claimant] with DNI ****, request the change of bank details ”. In the brief for the opening of evidence, TDE was informed that the recording that it claimed to provide with its allegations to the initiation agreement, while inaudible, was non-existent for purposes of evidence. 3.2.- Document - whatever the medium in which it is recorded - that proves that the claimant either consented to TDE processing its bank details or granted its representation to DBBB in order to provide TDE with its bank details for the direct debit of the invoices derived from contracts that the claimant did not enter into. 3.3.- The document that proves that the owner of the mobile line *** TELEPHONE.2 -BBB - who had requested the portability of this line, of which he was the owner, from Vodafone to “MOVISTAR” - as evidenced by the recording the verification company that the defendant has sent to this Agency - consented to the change of ownership of the line in the name of the claimant and the latter also gave its consent to said change of ownership. ” A. The defendant evacuated the evidence process on 06/11/2020 and responded in the following terms: 1.- Regarding the evidence requested in point 3.1, TDE replied that the “aforementioned recording was and is audible”. It provides the recording and explains how to access the sound document. In the annex provided, it includes in point 1 the so-called "Recording request for bank details change" that we will reproduce. From the second 00: 18,25 you hear: “-As of today, February 8, 2018 we proceed to record the charge account change that you request. Tell us the line number you want to apply for. - ***TELEPHONE 1 -Yes -Eh ... *** PHONE. 1 -Please tell me a name, surname and ID of the owner. -Sorry, sorry, I gave you the wrong number. -It is *** TELEPHONE. 1 but the rest of the numbers have been said well. - Ah, okay, okay. -Effectively. -Indicate the name, surname and ID of the line owner - Yes AAA - DNI? - *** NIF.1 - Tell me your name, surname and ID - BBB -Yes - *** NIF.2 - How are you related to the owner? -Husband -Perfect -Tell us the number of the charge bank account in which you want to make, request, change -XXXX XXXX XXXXXXXX XXXX - Do you authorize us to make recurring charges to this bank account? - Yes -We proceed to make the modification. We end the recording ... " 2.- Regarding the evidence requested in point 3.2 of the evidence notification brief, the respondent replied in the following terms: “In this sense, the recording in which Dª. AAA contacts the company to formalize the contract Merger of the lines *** TELEPHONE.1, *** PHONE. 2 and *** TELEPHONE.3, in the attached document Nº 1 and as epigraph 2.2. In the same recording, Ms. AAA expressly authorizes the carrying out of the charges in the bank account indicated by the same, as stated in the Agreement of start of the sanctioning procedure of reference. " (The underline is from the AEPD) The annex provided by TDE with the response to the tests, point 2.2., Includes a sound document with this heading: "Document, whatever the medium on which it is established that proves that the claimant consented to TDE processing their bank details" We transcribe the sound document. In the second 00: 18,65 you hear: << - Look, as of today, January 14, 2018, we contract with MOVISTAR. Can you give us your name and two last names? -Yes, AAA - And your ID? - *** NIF.1 - Okay, you asked to contract what is the merger plus, okay ?, for a fee of 70.74 included (?), Okay? You agreed to receive our invoice by email, which you can also receive on paper. You have been informed of all conditions at Movistar.es/contracts. Do you authorize us to make the charges indicated in your bank account, which you have indicated to us? Do you know the conditions of service? -Yes -Okay, the recording is here. >> 3.-Regarding the test requested from TDE in point 3.3. of the written notification of evidence that consisted of proving that DBBB had consented to make a change of ownership of the line *** TELEPHONE. 2 in the name of the claimant and that the claimant had consented to such change of ownership-, responded in the following terms, referring to the answer to the question in point 3.2 .: “In document Annex Nº1 and as epigraph 2.2, the recording is attached in which Ms. AAA contacts the company to formalize, the contract Merger of the lines *** TELEPHONE.1, *** TELEPHONE.2 and *** PHONE. 3. Likewise, in Annex Nº1 and in section 2.1. DBBB's change of charge account of the mentioned lines is attached In this sense, it is interesting to highlight that the hiring of the mobile line *** PHONE. 2 The purpose of the pre-merger tariff was to integrate the aforementioned line into a Merger contract whose main line was *** TELEPHONE. 1 and whose contracting was carried out by whoever identified himself as AAA in the recording provided as Annex Nº 1, section 2.2. . " B. The result of the practical tests was as follows: 1º Despite the fact that it was required in the trial phase, TDE has not provided any recording in which the claimant, or who had been supplanting her identity, consented to change in her name the ownership of the line number *** TELEPHONE.2 that belonged DBBB and that -as stated by the operator- was subject to portability from the operator VODAFONE on the same date of 01/14/2018 in which the claimant allegedly entered into the FUSION contract. 2º In the recording of the conversation held on 01/14/2018 between TDE and the person who identified himself with the name, two surnames and NIF of the claimant and consented to the contracting of the Merger product, the line numbers object of the Merger contract or the twenty digits of the bank account. 3º In the recording of the conversation held on 02/08/2018 between TDE and DBBB in which it requests to change the direct debit bank account of the Fusion product invoices, the account number that it communicates to the operator belongs to the claimant. It is the claimant's bank account as he stated in his police complaint. It is in this account that MOVISTAR sent her the invoices, two charges, for products that she had not contracted. 4º In the recording of the conversation held on 02/08/2018 between TDE and DBBB in which it requests to carry out a change of the bank details of the direct debit of the invoices, there is no record of the consent of the owner so that their data banks were treated for this purpose. There is also no statement, neither by the operator nor by DBBB, that it was acting on behalf of and representing the alleged owner, that is, the claimant or by virtue of a verbal mandate (as TDE maintains) SEVENTH : Royal Decree 463/2020, "declaring the state of alarm for the management of the health crisis caused by Covid 19", published in the BOE on 03/14/2020, in its third Additional Provision, " Suspension of administrative deadlines ”, provided: "one. Terms are suspended and deadlines for processing procedures of public sector entities are interrupted. The calculation of the terms will be resumed at the moment the present royal decree or, where appropriate, its extensions, loses its validity. 2. The suspension of terms and the interruption of deadlines will apply to the entire public sector defined in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations. ” This suspension was lifted on 06/01/2020. Royal Decree 537/2020, published in the Official State Gazette on 05/23/2020, establishes in article 9: “Administrative terms suspended by virtue of Royal Decree 463/2020, of March 14" "With effect from June 1, 2020, the computation of the administrative deadlines that have been suspended will be resumed, or restarted, if this had been foreseen in a norm with the rank of law approved during the validity of the state of alarm and its extensions ”(The underline is from the AEPD) SIXTH: Royal Decree 463/2020, "declaring the state of alarm for the management of the health crisis caused by Covid 19", published in the BOE on 03/14/2020, in its third Additional Provision, "Suspension administrative deadlines ", provided: "one. Terms are suspended and deadlines for processing procedures of public sector entities are interrupted. The calculation of the terms will be resumed at the moment the present royal decree or, where appropriate, its extensions, loses its validity. 2. The suspension of terms and the interruption of deadlines will apply to the entire public sector defined in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations. ” This suspension was lifted on 06/01/2020. Royal Decree 537/2020, published in the Official State Gazette on 05/23/2020, establishes in article 9: “Administrative terms suspended by virtue of Royal Decree 463/2020, of March 14" "With effect from June 1, 2020, the computation of the administrative deadlines that have been suspended will be resumed, or restarted, if this had been foreseen in a norm with the rank of law approved during the validity of the state of alarm and its extensions ”(The underline is from the AEPD) The end date of the sanctioning procedure, date on which you must The resolution was issued and notified on 07/16/2020. The calendar days remaining on the date on which the suspension took effect to end the maximum duration period of the procedure (planned for 04/29/2020) It should be underlined that the addition of days after the suspension of deadlines has been lifted is the calendar days that mediated between the date on which the suspension took effect and the date on which the procedure should have ended had the aforementioned not occurred suspension. Important qualification while the resolution proposal erroneously indicated that the procedure ended on 07/13/2020 as a consequence of having added only business days and not calendar days. EIGHTH: The motion for a resolution was signed on 06/22/2020 and notified electronically on the same date. The acceptance of the electronic notification by TDE, as evidenced in the file, took place on 06/26/2020, so the period of ten business days granted to make allegations ended on 07/10/2020. As of 07/15/2020, there is no news that the complainant has made allegations. Of the actions carried out in these proceedings and the documentation in the file, the following have been established: PROVEN FACTS FIRST : The claimant, holder of the DNI *** NIF.1, whose copy is on file, states that TDE has registered several telephone lines in her name that she has not contracted and has collected several invoices related to these lines in a bank account owned by CAIXABANK. SECOND: The claimant has provided a copy of the complaints that she filed at the Police Station for these events to. In the first, dated 04/25/2018 (Proof number 3956/2018), he reports that he observed that in his bank account numbered ZZZZ ZZZZ ZZ ZZZZZZZZZZ, he had charged him two receipts for the following amounts, invoices and dates: Invoice *** INVOICE. 1, dated 03/01/2018, for an amount of 83.91 euros. Invoice *** INVOICE. 2, dated 04/01/2018, for an amount of 71.72 euros. That he filed a telephone claim with MOVISTAR that informed him that in January 2018 a telephone contract was made in his name for the product "Movistar Fusión" associated with the numbers *** TELEPHONE.1, *** TELEPHONE.2 and *** TELEPHONE .3. He denies having contracted, authorized it or provided his bank account. She adds that the defendant has confirmed that the hiring was carried out by another person named BBB who claimed to be her husband. Coincidentally, her ex-husband, from whom she has been divorced for more than ten years, is called BBB. That the invoices are domiciled in a locality on the island of *** LOCALITY. 2 therefore it supposes that the contracted service is enjoyed in that place. b. Complaint of 04/05/2018 (Atestado 4239/2018), extension of Atestado 3956/2018, in which it states that on 04/27/2018 it dropped the fraudulent lines and that, despite this, it has received a new invoice for the consumption made between 03/18/2018 and 04/17/2018 for an amount of 75.82 euros. c. Complaint of 06/11/2018 (Atestado 5477/2018), extension of Atestado 3956/2018, in which it explains that it dropped the fraudulent lines on 04/27/2018 and that on 06/01/2018 it has received a new invoice for the consumption made by the fraudulent lines in the period between 04/18/2018 and 05/17/2018. THIRD: TDE has provided the recording, dated 01/14/2018, in which a person who identifies himself with the name, two surnames and NIF of the claimant, gives his consent to the contracting of the Fusion product. In the recording of the conversation, the numbers of the telephone lines for which the Fusion service is contracted are never identified. The conversation that is the subject of this recording is reproduced in its entirety in the sixth Antecedent. FOURTH: TDE stated in the course of the preliminary investigation actions that, according to the information that worked on its systems, the telephone lines *** PHONE.1, *** PHONE.2 and *** PHONE.3, whose services are marketed through the Fusion product, were registered in the name of the claimant on the following dates: on 01/22/2018 the line *** TELEPHONE.1 and on 01/14/2018 the last two. And he adds that the first, fixed line, on 05/01/2018 and mobile lines on 04/25/2018 were removed. FIFTH: Screenshots from the TDE systems related to the contracted product on behalf of the claimant appear in the file. In one of them, with the identification “sale-contracting”, reference is made to “registration of a fixed destination for fusion + soccer with mobile phone *** TELEPHONE.2 and additional registration *** TELEPHONE.3” SIXTH: TDE has declared that the mobile line *** TELEPHONE.2 was owned by D. B.B.B. who requested portability from MOVISTAR on 01/14/2018. It is on that day -see Third Proven Fact- that the claimant allegedly contracted the Fusion product. SEVENTH: Despite the fact that it was requested in the trial phase, TDE has not provided any document that proves that once the line was carried *** TELEPHONE. 2 from VODAFONE to MOVISTAR, the claimant agreed to change the ownership of the line in her name, every time which was on behalf of DBBB EIGHTH: TDE has provided the recording, dated 01/14/2018, in which a person who identifies himself with the name, two surnames and NIF of the claimant, gives his consent to the contracting of the Fusion product. During the conversation, the details of any bank account are not provided. The only reference to a bank account is this: "Do you authorize us to make the charges indicated in your bank account, which you have indicated to us?" The conversation that is the subject of this recording is reproduced in its entirety in the sixth Antecedent. NINETH: The bank account number in which TDE domiciled the Fusion product invoices on behalf of the claimant, provided it to TDE DBBB by means of a call requesting a change in the domiciliation of the bank details of the Merger product registered in the name of the claimant. The recording provided by TDE is played: “-As of today, February 8, 2018 we proceed to record the charge account change that you request. Tell us the line number you want to apply for. - ***TELEPHONE 1 -Yes -Eh ... *** PHONE. 1 -Please tell me a name, surname and ID of the owner. -Sorry, sorry, I gave you the wrong number. -It is *** TELEPHONE. 1 but the rest of the numbers have been said well. - Ah, okay, okay. -Effectively. -Indicate the name, surname and ID of the line owner - Yes AAA - DNI? - *** NIF.1 - Tell me your name, surname and ID - BBB -Yes - *** NIF.2 - How are you related to the owner? -Husband -Perfect -Tell us the number of the charge bank account in which you want to make, request, change -XXXX XXXX XXXXXXXX XXXX - Do you authorize us to make recurring charges to this bank account? - Yes -We proceed to make the modification. We end the recording ... " TENTH: TDE has stated: "Therefore, from that moment on, charges begin to be generated in Ms. AAA's account, after the change of bank details made by DBBB, supposedly under the verbal command of her wife." (Allegations to the initiation agreement, First allegation, folio 2) ELEVENTH: The copy of four invoices with the anagram of MOVISTAR and the indication "Merger" issued in the name of the claimant: Invoice *** INVOICE.1, dated 03/01/2018, for an amount of 83.91 euros; bill *** INVOICE. 2, from 04/01/2018, for an amount of 71.72 euros; invoice *** INVOICE. 4, from 01/05/2018, for 75.82 euros and *** INVOICE. 3, from 01/06/2018 of 23.81 euros. This information is included in all of them: In the left heading, below the date the invoice number: Fixed line: ***TELEPHONE 1Line mobile: *** PHONE. 2" Below, the name and two last names of the claimant and her ID number. Direct debit from the AC and Pensions of Barcelona- La Caixa. TWELFTH: TME acknowledged in the response letter to the information request prior to the admission of the claim to be processed, that on 04/25/2018 the claimant requested the withdrawal of the three lines that it denies having contracted. FUNDAMENTALS OF LAW I The Director of the Spanish Agency for Data Protection is competent to resolve this procedure, in accordance with the provisions of art. 58.2 of the RGPD and in art. 47 and 48.1 of LOPDGDD. II The RGPD dedicates article 5 to the principles that must govern the treatment of personal data, a provision that provides: "one. The personal data will be: a) treated in a lawful, loyal and transparent manner with the interested party (<< legality, loyalty and transparency >>) (…) 2. The data controller will be responsible for compliance with the provisions of section 1 and able to demonstrate it (<< proactive responsibility >>) ” Article 6 of the RGPD, “Lawfulness of the treatment”, specifies in section 1 the cases in which the treatment of third-party data is considered lawful: "one. The treatment will only be lawful if it meets at least one of the following conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at its request of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the controller; d) the treatment is necessary to protect the vital interests of the interested party or of another natural person. e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the responsable of the treatment or by a third party, provided that the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail over said interests, particularly when the interested party is a child (...) ” Article 4 of the RGPD, “Definitions”, offers in section 2 a legal concept of “treatment” as “any operation or set of operations carried out on personal data or set of personal data, whether by automated or non-automated procedures, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of enabling access, collation, interconnection, limitation, deletion or destruction ”. Likewise, article 4 of the RGPD, section 1, understands “personal data” “all information about an identified or identifiable natural person (<< the interested party >>); Any person whose identity can be determined directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical identity, shall be considered an identifiable natural person. , physiological, genetic, psychic, economic, cultural or social of said person; " The infringement for which the person claimed is responsible is provided for in article 83.5 of the RGPD: “Violations of the following provisions will be punished, in accordance with section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of a company, with an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the largest amount: a) The basic principles for treatment, including the conditions for consent pursuant to articles 5,6,7 and 9. " In turn, the LOPDGDD in its article 72.1. qualifies as a very serious infringement "b) The processing of personal data without any of the conditions of lawfulness of the treatment established in article 6 of Regulation (EU) 2016/679" and adds that this infringement prescribes after three years. III TDE is attributed an infringement of the principle of lawfulness, in particular article 6.1 RGPD, given that it processed the claimant's personal data -name, surname, NIF and bank details- linked to the mobile line *** TELEPHONE.2, whose Contracting on behalf of the claimant is not accredited. This, despite having provided a recording in which a person who identifies with the name, surname and NIF of the claimant gives consent to the contracting of the Fusion product. The mobile line was owned by DBBB, therefore, with respect to this line, it should have been proven that the claimant had authorized a change of ownership in her name prior to the time of the recording in which the claimant allegedly consents to the contracting of the Fusion product. As we will point out later, the entity claimed did not act in the present case with the minimum diligence required in order to comply with the obligations imposed on it by the RGPD. A. It has been proven in the file that TDE, in its capacity as provider of the Fusion service or product that it markets, processed the personal data of the claimant linked to three lines: *** TELEPHONE.1, *** TELEPHONE.2 and *** PHONE. 3. The entity, in order to prove that it was legitimized for the treatment of your personal data linked to the contracting of the Fusion product, has provided a recording in which someone identifies with the name two surnames and NIF of the claimant and gives consent to the contracting of that service. Without prejudice to stressing once again - it was already indicated in the initial agreement - that the sound of the recording is distant and strange, it must be emphasized that the recording does not identify in any case which telephone lines were the object of the contract of the Merger product to which, presumably, the claimant gave consent. The recording is dated - this is how it was heard at the beginning - on 01/14/2018. The Fusion product, as stated in the invoices issued by TDE, included the line *** PHONE. 2. This line belonged to DBBB and according to TDE it had been ported to MOVISTAR from VODAFONE the same day 01/14/2018. That is, the same day that the claimant allegedly gave consent to the contracting in her name of a product that included a fixed line and two mobiles. An extreme that must be stated in relation to the dates on which, according to TDE, the services linked to the lines were registered in the name of the claimant: the fixed line would have been registered on 01/22/2018 while the mobile line that belonged to DBBB was registered in the name of the claimant the same 14/01/2018. According to the information provided by the one claimed on 01/14/2018, the mobile line *** TELEPHONE.2 was carried by its VODAFONE holder to MOVISTAR. But in order for Merger allegedly contracted by the claimant to be integrated into the product, a change of ownership must necessarily have taken place from the former owner -DBBB- in the name of the claimant. TDE, despite the fact that it was requested by the instructor in the trial phase, did not provide any document in which the claimant gave her consent to the change in her name of ownership of the aforementioned mobile line. The entity limited itself to answering the requested evidence, reiterating arguments related to the only two recordings provided. To the request that she documentary proof that the claimant had consented to the mobile line of which she was the DBBB owner appear in her name, she answered the following: “In document Annex Nº1 and as epigraph 2.2, the recording is attached in which Ms. AAA contacts the company to formalize, the contract Merger of the lines *** TELEPHONE.1, *** TELEPHONE.2 and *** PHONE. 3. Likewise, in Annex Nº1 and in section 2.1. DBBB's change of charge account of the mentioned lines is attached In this sense, it is interesting to highlight that the hiring of the mobile line *** PHONE. 2 The purpose of the pre-merger tariff was to integrate the aforementioned line into a Merger contract whose main line was *** TELEPHONE. 1 and whose contracting was carried out by whoever identified himself as AAA in the recording provided as Annex No. 1 epigraph 2.2. ” The beneficiary operator who had to have managed the portability of the mobile line *** TELEPHONE 2 from VODAFONE was TELEFÓNICA MÓVILES ESPAÑA, SAU, whom this Agency addressed in the framework of E / 4627/2018, in writing received by the operator on 08/20/2018 with which the claim was transferred. This entity responded to the aforementioned request, which previously warned that the claim was directed against MOVISTAR, the trade name under which Both she and TDE operated and it was TDE "the one that provides the telecommunications service to which the aforementioned claim refers." TDE, in its capacity as responsible for the treatment of the data of the claimant as owner of the various lines for which it had allegedly contracted the “Fusion” product that this operator markets - among them the mobile line of which it had been the beneficiary operator TME - must have been in a position to prove that the mobile line *** TELEPHONE.2 was owned by the claimant on that date. The line was carried for the benefit of TME by DBBB on the same date on which the claimant allegedly contracts the Fusion product by telephone, so it was necessary for the claimant to consent to a change of ownership in her name prior to contracting a product or service that integrated, among others, the aforementioned line. End on which TDE has nothing credited. The RGPD refers in article 5.2 to the principle of proactive responsibility according to which the controller is not only responsible for compliance with the principles listed in article 5.1, so that the lawfulness is of interest here, but is also “capable to demonstrate it ”. Regarding the proof that the claimant had consented to a change of ownership in her name of the disputed mobile line, a burden that corresponds to the entity claimed, TDE stated in its allegations to the initiation agreement: “Obviously, and thus It follows from what is stated in the file, it is impossible for my represented to be able to prove the complainant's consent without the existence of the recording, but it can be proven by means of the payment of invoices and actions on the line that only as owner can carry out " (The underline is from the AEPD) The first police report is from 04/25/2018, when the defendant has passed the second charge to the claimant's bank account. By then, the affected party has not only filed a police complaint, but has previously taken the necessary steps with the operator, obtained a copy of the invoices and has tried unsuccessfully (as stated in the complaint filed with the Police) that TDE facilitate the recording of your intended contract. Nor can it be accepted that there is any action by the claimant in which she conducts herself as the alleged owner of the line, other than to manage her withdrawal after having filed claims for identity theft with the operator. Despite the fact that TDE bears the burden of proof that the claimant consented to succeed in the ownership of the mobile line *** TELEPHONE 2 (disputed line) to the previous owner, DBBB, and that the claimant has not provided any evidence In this regard, it argues in its defense the absence of liability based on the fact that it acted in accordance with the law and that it has been the victim of the deceit of the impersonator who used the personal data of the claimant. However, regardless of the deception to which the impersonator could have led him, the truth is that the defendant did not act with the diligence that the circumstances of the case required. As indicated, there is no document in the file that proves that the claimant -or the third party that had supplanted her identity- consented to the change of ownership to her name on the mobile line *** PHONE. 2 owned by DBBB, whose service was provided by VODAFONE and which was ported to MOVISTAR. The recording that works in the file in which who identifies with the personal data of the claimant contracts with TDE the Fusion product on 01/14/2018, does not serve as a legitimate basis for the treatment of the claimant's personal data associated with the line *** TELEPHONE. 2 in which the offending conduct is specified. As indicated, the offending conduct materializes in the treatment of the claimant's personal data linked, in particular, to the aforementioned mobile line. In this sense, we are referring to a line that already existed -in fact, the only one that exists at the time of concluding the Merger contract- and that on that same date is the cover of VODAFONE to MOVISTAR by its former owner. In order for such a line to be integrated into the Merger contract signed on behalf of the claimant with TDE, a change of ownership had to be previously managed. The claimant's consent for that change of ownership of the mobile line, to appear in her name, was a budget for the contracting of the Fusion product by who was identified before the operator with the personal data of the claimant (name,. The absence of any documentation provided by TDE that shows that it acted in accordance with the requirements imposed by the RGPD is an exponent of its lack of diligence and prevents, as it claims, the absence of liability for the absence of the subjective element of the infringement. . B. The documentation in the file also shows that TDE processed the claimant's bank details in violation of the lawful principle. The treatment of the data of the affected bank account in La Caixa is fully accredited. It was precisely the charges received in her account that led her to make a claim before TDE and later to file a complaint with the Police. TDE has argued in its defense that in the recording of 01/14/2018 the claimant provided her bank details. However, in the recording provided by TDE (see Proven Facts and Sixth Background) no bank account is provided. It only asks for your consent to direct the payments into the bank account that is already in the possession of the operator. The data of the bank account owned by the claimant in La Caixa was provided by a third party, DBBB, several days after the date of the recording of the contract and requesting for this purpose to make a “change” in the bank details that were already in operator power. On the other hand, TDE has acknowledged in its allegations to the initiation agreement that from the moment DBBB makes the change of domicile "supposedly under the verbal mandate of her wife" they began to send charges to the claimant. In the recording provided by TDE in which DBBB manages a change in the bank account to collect the invoices for the Merger product, this person provides as the direct debit account of the invoices the bank account of which the claimant is the owner. However, in the recording, DBBB is not heard at any time, nor does the TDE teleoperator ask her if she was intervening on behalf of the affected person, who she says is her wife, as TDE alleges in her defense. The defendant invokes that, as evidence of the recording, the third party, DBBB, identified herself as the claimant's husband and provided her personal data (name, surname and NIF) correctly. In the opinion of TDE, it is an exponent that it acted with the diligence that the circumstances of the case required, so that the treatment of the claimant's bank details, even though the conduct is unlawful, is not guilty and there is no need to demand sanctioning administrative responsibility. Faced with this argument, it is worth recalling the criterion repeatedly maintained by the Administrative Litigation Chamber of the National Court when personal data - as in this case happens with the claimant's bank details, as a result of a phone call made by DBBB to TDE days after the alleged hiring, the recording of which the claimant has provided, acting on his own behalf and identifying himself as the claimant's husband, changes the direct debit details and provides the claimant's bank account - they are provided by relatives or relatives of the owner. It results from the previous exposition that TDE violated article 6.1. RGPD by having processed the personal data of the claimant -name, two surnames and NIF-associated with the mobile line *** TELEPHONE.2 as well as their bank details, as they have not provided any proof of their legitimacy for the treatment carried out. The treatment of the data of the claimant by TDE without legitimation, linked to the aforementioned mobile line, was maintained until 07/13/2018, the date of the letter that addressed the claimant informing them of the cancellation of the invoices issued in their name. for the three lines associated with your data, including the mobile line cover, and, in any case, until the date of the last invoice issued, 06/01/2018. TDE's actions contrary to article 6.1. RGPD is subsumable in article 83.5.a) of the aforementioned Regulation 2016/679. IV In determining the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed. In turn, pursuant to article 83. 2.k GDPR, the circumstances described in article 76 LOPDGDD may also be taken into consideration. For the purposes of setting the amount of the fine that must be imposed on the person claimed as responsible for an offense established in article 83.5.a) of the RGPD, the concurrence as aggravating factors of the following circumstances modifying liability is appreciated: The scope of the treatment (article 83.2.a, RGPD) because the personal data of the claimant that has been processed without legitimation for it were various: the name and two last names, NIF and bank details. The evident link between TDE's business activity and the treatment of personal data of clients or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b, of the LOPDGDD) The continued nature of the infraction (article 83.2.k of the RGPD in relation to article 76.2.a of the LOPDGDD) Therefore, in accordance with the applicable legislation and assessed the criteria for graduation of the sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: PENALTY TELEFONICA DE ESPAÑA, SAU., With NIF A82018474, for a violation of Article 6.1. of the RGPD, typified in article 83.5.a) of the RGPD, with an administrative fine of € 55,000 (fifty-five thousand euros). SECOND: NOTIFY this resolution to TELEFONICA DE ESPAÑA, SAU THIRD: Warn the sanctioned person that they must enforce the sanction imposed once this resolution becomes executive, in accordance with the provisions of article 98.1.b) of law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering, indicating the NIF of the sanctioned and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened at name of the Spanish Agency for Data Protection in the bank CAIXABANK, SA. Otherwise, Once the notification has been received and once it is enforced, if the enforcement date is between the 1st and 15th of each month, inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or immediately after business month, and if is between the 16th and last day of each month, both inclusive, the payment term will be until the 5th of the second following month or immediately after business. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which ends the administrative procedure pursuant to art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, those interested may optionally file an appeal for reversal with the Director of the Spanish Agency for Data Protection within a period of one month from day after notification of this resolution or directly administrative contentious appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29 / 1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of said Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be provisionally suspended in administrative proceedings if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Agency for Data Protection, presenting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web /], or through any of the other records provided in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. Mar España Marti Director of the Spanish Agency for Data Protection