AEPD (Spain) - EXP202210101
AEPD - EXP202210101 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.08.2022 |
Decided: | 23.01.2024 |
Published: | |
Fine: | 200,000 EUR |
Parties: | Orange Espagne, S.A.U. |
National Case Number/Name: | EXP202210101 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA imposed a € 200,000 fine on a controller that granted a third party a duplicate SIM card without the data subject’s consent and without verifying the third party’s identity.
English Summary
Facts
On 15 August 2022, a complaint was filed with the Spanish DPA (AEPD) against Orange Espagne, S.A.U. (the controller) alleging that the controller provided a third party with a duplicate of the data subject’s SIM card without the data subject’s consent. The third party accessed the data subject’s banking data as a result, causing financial harm. When the data subject notified the controller of the incident and requested that the SIM card be annulled, the controller responded that they could not annul the card until the data subject received a new physical SIM card in a few days.
The DPA’s investigation found that the controller duplicated the data subject’s eSIM to a third party without their consent and without verifying the identity of the requesting party. The third party then accessed information contained in the phone including the data subject’s email address, bank details, passwords, and other personal data.
In its defense brief, the controller stated that upon detecting irregularities in the request for the duplicate SIM, it recorded the incident to prevent the accrual of charges for duplicate invoices. The controller also adjusted charges generated by the duplicate SIMs and blacklisted the International Mobile Equipment Identity of the device that created the duplicate SIM to prevent future malfeasance. In addition, the controller argued that the identity thief already had knowledge of personal data of the data subject which was not accessed through the controller.
Holding
The AEPD fined the controller € 200,000 for violating Article 6(1) GDPR.
The AEPD determined that the controller did not take the necessary precautions to avoid the occurrence of these events. It noted that even though the data subject informed the controller they had not requested the additional SIM card, the controller failed to immediately block the SIM. Its delay of three days thus allowed the third party to access the data subject’s banking data and impose financial harms.
The controller processed the data subject’s data under a contractual legal basis pursuant to Article 6(1)(b). The DPA thus concluded that in granting a third party access to a duplicate SIM card without the data subject’s consent and without verifying the identity of the third party, the controller lacked a legal basis for the processing and violated Article 6(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/28 File No.: EXP202210101 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following: BACKGROUND FIRST: D. A.A.A. (hereinafter, the complaining party) dated August 15, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against ORANGE ESPAGNE, S.A.U. with NIF A82009812 (in hereinafter, the claimed party or Orange). The grounds on which the claim is based are the following: The complaining party states that, without its consent, Orange provided a third party a duplicate of your mobile phone's SIM card and it accessed your data banking, and the consequence of which resulted in financial loss. Thus, he points out that on August 1, 2022, his mobile phone stopped working. function and received several emails regarding a consumption notice 100Mb of the contract and another email indicating the following: "It has been processed successfully activating your eSIM card. As a result of what happened, he contacted the claimed party requesting the annulment of the SIM card, indicating the claimed party "that they could not cancel said card for protocol", so he had to wait four days to physically receive a new and thus be able to cancel the previous one. And, provide the following relevant documentation: - Claim made to Orange. - Screen print of received messages (including the message regarding the activation of the eSIM card). - Screen print of calls made to the Customer Service Customer. - Screen print of the conversation held with the claimed party, through chat. In them it can be seen that the claimant indicates that his mobile phone has stopped working (his card is disabled) and that he has not requested no eSIM card, requests a new duplicate and Orange states that I would have to send it to him. - Complaint filed with the National Police on August 3, 2022. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/28 SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on October 3, 2022 as It appears in the acknowledgment of receipt that is in the file. On November 3, 2022, this Agency received a response letter indicating: << Orange informed the Risk Analysis Group of this company, which proceeded to carry out a study of the incidence, the details of which are reproduced next. Derived from the aforementioned analysis, it was detected that the duplicate e-SIM had been made by usurping the identity of the Claimant. In this sense, the usurper accessed the Client's private web area (hereinafter, APC) of the Claimant, subsequently initiating a conversation with the Digital Channel assisted and requesting through this means the duplicate eSIM. Having, therefore, verified the irregularity in the duplicate request, the Data Analysis team Riesgos confirmed that the Claimant, owner of the ***TELEFONO.1 line, has been, probably a victim of phishing, smishing or some other engineering instrument social (which has not been able to be identified by this company in the course of the investigations) through your APC from where the duplicate e-SIM was requested without a reset of the passwords had been requested, that is, the criminal already knew it previously. Upon detecting this irregularity in the request for the duplicate SIM, this impact on the internal systems of this company in order to prevent charges accrue for the generation of duplicate invoices. That is why not no additional charge was made in Orange to the Claimant for these events, nor the identity theft could contract more services or lines with the duplicate Claimant's SIM in Orange. Additionally, the IMEI of the device from which it was carried out was tracked. the duplicate of fraudulent e-SIM, including it in the internal BlackList, so that the itself could not be used again for these purposes. Finally, adjustments were made to the Claimant for the charges generated by the two duplicate SIMs, being informed of such extremes by the team who managed the incident. At the time of requesting a duplicate fraudulent e-SIM, the usurper accessed the Claimant's APC without having previously made a change or reset of password, requesting the electronic duplicate of the SIM card (E-sim), and, due to who adequately provided the Complainant's personal data, the QR of activation of the e-SIM via email, thus resulting in the activation of the duplicate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/28 That is, the identity theft had in his possession the personal data of the Claimant required to access your private area. Therefore, previously for him to have any contact with Orange, he already had knowledge of the personal data of the Claimant, which he did not access through this company. Thanks to having the Claimant's data at your disposal, it is possible for you to activate the duplicate SIM card. Thus, in the present case, it is evident that the incidence becomes, mainly, that the impersonator had access to the Claimant's credentials to access to the private area, prior to this entity intervening. From August 12, 2022, it is mandatory for clients to identify themselves strictly with your ID for any change or hiring you want to make from the Assisted Digital Channel through the APC, despite having accessed the platform with your username and password. Likewise, since the aforementioned date, it is not permitted to make duplicate SIM or E-mails. sim from the APC, referring the customer to a point of sale to manage said application. Likewise, and additionally, for the rest of the commercial acts, except As indicated, the duplicate sim/E-sim is being implemented gradually establish a mandatory validation system with Token, sent to the contract line>>. THIRD: On November 11, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: Request and activation of the eSIM In the transfer of the claim previously made, the claimed party stated that in the specific case of the claimant, the eSIM request route was the Private Area of the Client, accessing with the client's username and password. In these proceedings, the claimed party has been required to provide documentation that certifies access and request for the eSIM through that means, as well as documentation proving the conversation held by the applicant with the Assisted digital channel of the Client's Private Area. In the response, the claimed party indicates that the usurper gained access through said means, probably after being a victim of phishing, smishing or some other instrument C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/28 of social engineering, subsequently starting a conversation with the Digital Channel assisted and requesting through this means the duplicate eSIM. They provide, within the contacts registered with the client or his alleged impersonator, several dated 08/01/2022 that reflect that at 7:03 p.m. there was a change in the email address of the client, made from the Client Area, and at 20:07 sending an SMS informing you that you can scan the activation code of the eSIM. Among these contacts that provide, there are no other intermediate records, no However, the eSIM request must have occurred between both hours. On the other hand, when the requested party is required to provide the date of activation of the eSIM, provide an impression of a record from 20:06 on 08/01/2022 in which consists of “assisted digital channel” categorized as “change” “SIM card”, indicating the representatives of the entity that made the request at that time. At 20:26 it appears a contact with the text “the activation of your eSIM card has been successfully processed”. Incident resolution There are contacts subsequent to those already reported, consisting of communications from the complainant to the complained party indicating that they have not requested an eSIM to solve the problem: at 11:43 p.m. on the same day of the events (08/01/2022) it appears contact in which the customer asks why an eSIM has been contracted without request it. There are other contacts, including one the day after the events. (08/02/2022) with the annotation “client communicates because yesterday he wanted duplicate his sim but it arrived yesterday, the agent hired him an esim but [the client] states that he did not receive any email or SMS, he communicated to cancel the process and today he goes to duplicate the sim in the store but the system does not allow him allowed because the esim is waiting to be activated, it is indicated in solutions, one of them is to let the esim be canceled in 72 hours and then yes generate the duplicate.” There is a contact dated 08/03/2022 notifying of the delivery of the order corresponding to the new SIM. There is a contact dated 08/04/2022 indicating that has been delivered. The complained party has been requested to report on the reasons why it did not The eSIM card was deactivated when the facts were revealed by the claimant. The representatives of the claimed party state in this regard that due to the nature of this type of commercial acts that involve duplicate requests SIM card, call forwarding, changes in contact information, etc., the Established protocols for care by frontline personnel to These types of procedures are very strict and require formal measures, since be it the contribution of complaints or other identification policies for what is It is probable that the agent who attended to the claimant's request, by requiring the complaint and this not being provided, it is likely that the request could not be executed in First instance. They indicate that on August 3, 2022 the numbering was blocked due to theft/loss. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/28 FIFTH: According to the report collected from the AXESOR tool, the entity ORANGE ESPAGNE, S.A.U. is a large company established in 1998, and with a business volume of ***AMOUNT.1 euros in 2021. SIXTH: On July 25, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in Article 83.5 of the GDPR. SEVENTH: The aforementioned initiation agreement has been notified in accordance with the established rules In the LPACAP, the claimed party requested a copy of the file and extension of the deadline that was granted and presented a written statement of allegations in which, in summary, it was reiterates in the allegations made on November 3, 2022 and indicates: <<that Initially, identity thefts were concentrated in the request for duplicate SIM cards in person and physically; Currently, attempts to fraud have evolved especially in the digital field and are concentrated in request for duplicates and activation of SIM cards through non-face-to-face channels, if Well until now a duplicate physical SIM card was requested, we see that, as in In the current case, criminals focus their objective on electronic cards “e- SIM” and through channels protected with personal security credentials of the users, which shows an important sophistication in the techniques used by criminals who commit this type of identity theft crimes. They add that Orange has decided to deactivate this possibility of self-management through of the Private Area, establishing additional guarantee measures within the Assisted Digital Channel for the request to carry out procedures and contracts that such channel incorporates, requiring prior and mandatory, additional verification by direct control from the Fraud department, who will analyze the documentation of the client who requests a duplicate SIM card and will be the one to issue authorization to the management team that supports said assisted digital channel. Measure reviewed has been implemented in Orange systems on August 12, 2022. Likewise, they indicate that unauthorized access does not occur, but rather, as result of the prior and illicit obtaining of the claimant's access credentials, The third party is identified in the claimant's private area in an ordinary way. The Password protection is an access control technique, ensuring that only can be accessed by the person who knows the correct credentials, being the most widespread data security tool according to the state of the current technique. The identity theft at no time accessed the mobile phone - nor, consequently, to the information that it may contain -, while the telephone mobile phone is at all times in the possession of the Claimant, as he himself states in your claim. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/28 In this sense, it is necessary to rigorously establish the proven facts, as well as how to know the operation of each device: the SIM card does not contain the data of the telephone or mobile terminal, so access to a duplicate of it does not allow to a third party access to the applications that the Claimant may have installed on the same, such as the applications of banking entities. Additionally, in order to access banking applications, impersonators ID card must know the Claimant's banking credentials. The AEPD must clearly distinguish this fact, as it is based on it, despite be equivocal, its legal basis for the infringement. Derived from the above, no It is possible to attribute to this party the performance of data processing without legitimation, while the third party regularly identifies itself before Orange, within his private environment, the result of obtaining the Claimant's data in advance and supposedly illegal, without there being a password reset or indication on that date any of irregular access to said personal online area. Thus, Orange's data processing is legitimate, based on the relationship existing contractual agreement with the Claimant, as stated in Considering 40 extracted by the Agency in its justification. This is why there is no illegitimate processing of the Complainant's data nor can Orange be accused of fault diligence in identifying the same, as the Agency identifies in its Initiation Agreement, not being attributable to this party a violation of Article 6.1 of the GDPR. This Agency Initiation Agreement is based exclusively on an analysis of the result, considering that obtaining a duplicate e-SIM card for a third entails the automatic consideration that the personality of the contracting party and, therefore, in the opinion of the AEPD, the direct responsibility on the part of Orange. This is why it is not possible to assess Orange's guilt at this time. factual assumption, the assessment made by the Agency for commission of infringement by this company. In response to all this deployment of measures mentioned and designed by Orange, considers this part that is accredited, not only the firm will of this commercial law in the protection of the rights of individuals, but the use of a adequate level of diligence on the part of Orange with which, although it is not possible, due to limitations of technology and human resources, the existence of a zero risk, is updated and reviewed periodically according to the status of the technique, the costs of implementation, and the nature, scope, context and purposes of the treatment, as well as risks of varying probability and severity for the rights and freedoms of natural persons. As reflected in the allegations presented, Orange has demonstrated having acted with due diligence in identifying the Claimant, no data processing taking place without legitimacy. Without prejudice to the above, and in the hypothetical case that the Agency considers that there is some type of non-compliance, the sanction included in the Startup Agreement results, in any case, disproportionate, taking into account the circumstances and content of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/28 alleged infringement, which Orange strongly denies. In this sense, it is worth highlighting the following points that, according to the interpretation of the Agency, are classified as aggravating circumstances, without the circumstances concurring for their consideration in relation with the facts analyzed: Any previous infraction committed by the person responsible or data processor (article 83.2 e) of the GDPR. The assessment carried out by the Agency only takes into account the violations imposed for violation of article 6.1 of the RGPD, however, it covers different factual assumptions. This part has outlined throughout this writing the particularities of the present case, as well as the innovation of the techniques and means used by identity theft to carry out attempts to commission of fraud. The obvious link between the business activity of the defendant and the treatment of personal data of clients or third parties (article 83.2.k, of the RGPD in relation with article 76.2.b, of the LOPDGDD). While it is true that Orange's activity makes it necessary to process the personal data of its clients, the truth is that This factor is ambiguous in its assessment to include it as an aggravating factor, since said The link does not imply, by any means, a direct relationship with the alleged infringement. Article 83.2 k) requires that said aggravating circumstance be put in relation to the concrete factual assumption. In this sense, data processing does not arise from an intention of the entity, but rather that the commission of a crime takes place in which Orange is an injured party. For all Therefore, this aspect cannot be interpreted as an aggravating factor. Additionally, I would like point out in this part that the damage referred to by the Claimant, consisting of the theft of funds from their bank accounts, is not included in the activity of this business. ORANGE cannot be responsible for the security of third-party operations entities by the mere fact that they use telecommunications services. Additionally, and as established in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, in addition to the mitigating circumstance already expressly recognized by the AEPD in its Startup Agreement: The claimed party proceeded to block the line as soon as had knowledge of the facts (art. 83.2 c); The following are presently present: extenuating circumstances that have not been considered in the appropriate grading of the sanction: At no time have special categories of data been processed. The degree of cooperation between Orange and the AEPD in order to remedy a alleged infringement and mitigate its possible adverse effects: it has been proven that all information requests have been responded to in a timely manner requested by this Agency, in line with the usual practice of this total company collaboration with the data protection authority. The non-existent benefit obtained by Orange derived from the processing of data that occupies this procedure. In any case, Orange has been harmed, as has already been pointed out, being part harmed even in the judicial procedure in which the commission of the crime that concerns us. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/28 Orange requests that a resolution be issued by means of which the file of the Procedure. Alternatively, complete the procedure by means of a warning and, ultimately, if it considers that the imposition of a sanction, moderate or modulate its proposal included in the Initiation Agreement notified to Orange, taking into account the arguments expressed in the body of this document of allegations>>. EIGHTH: On September 12, 2023, the instructor of the procedure agreed practice the following tests: <<1. The claim filed by A.A.A. and its documentation, the documents obtained and generated during the phase of admission for processing of the claim, and the report of prior investigation actions that are part of the procedure AI/00403/2022. 2.Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement to initiate the referenced sanctioning procedure, presented by ORANGE ESPAGNE, S.A.U., and the documentation that they accompanies>>. NINTH: On October 17, 2023, a proposed resolution was formulated, proposing that the Director of the Spanish Data Protection Agency sanction ORANGE ESPAGNE, S.A.U. with NIF A82009812, for the alleged violation of article 6.1) typified in article 83.5.a) of the aforementioned RGPD. with a fine of 200,000 euros (two hundred thousand euros). TENTH: Once the proposed resolution was notified, the claimed party requested an extension of the period granted to him and presented a written statement of allegations in which, in In summary, the allegations previously presented are reiterated in the allegations, and in synthesis states that: <<Although this part recognizes that the process of issuing A duplicate SIM card involves data processing, it must be noted that During the same, Orange has not made available to the impersonators identity no data. The only intervener who has provided data in this factual situation is the own identity theft, when accessing the Orange Private Customer Area, in specifically, by providing the username and password used as security credentials by the Claimant, necessary for access. After that, the applicant makes a request for a duplicate SIM card, which is granted by stating, through your security credentials, identified as the line holder. After that, an email is sent to you with the code to activate the SIM. In the present case, it is proven that what the impersonator had access to was a duplicate of an empty e-SIM card, without any personal information. And it does not appear any reference among the evidence in the file, that there had been accessed any personal information of the Claimant as a result of the making the duplicate SIM available. The SIM card does not contain the data of the telephone or mobile terminal, so access a duplicate of it does not allow a third party access to the applications that the Claimant may have installed on it, such as security applications. banking entities. Additionally, to be able to access the applications C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/28 banking, identity theft must know your banking credentials of the Claimant. Thus, Orange's data processing is legitimate, based on the relationship existing contractual agreement with the Claimant. During this process, it was not provided by from Orange any personal data to the applicant or any other person, so it is not unauthorized processing of personal data has occurred. The fact that the person carrying out the procedures does not correspond, supposedly, with the owner of the contract does not mean per se that there is any lack of legitimation in its treatment. It is a fact that banking entities are the only ones responsible for security of its operations, as stated by the European Banking Authority (hereinafter, the “EBA”) in the following pronouncements: • Opinion on the implementation of the RTS on SCA and CSC: in its section relating to who decides on the means to used for said authentication (points 37 and 38), rules that the credentials of security used to perform secure authentication of users of the payment services are the responsibility of the account services managing entity (in the case at hand, financial entities). • Qualification of SMS OTP as an authentication factor | European Banking Authority: indicates that the use of SMS ordinary is not feasible for the confirmation of banking operations, as it is not sufficiently safe in accordance with the standards of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on security services payment in the internal market (PSD2). In this sense, it indicates that: “article 22 (1) of the Regulation requires that ‘the Payment service providers will guarantee the confidentiality and integrity of the personalized security credentials of the payment service user, including authentication codes, during all phases of authentication' and the article 22(4) of the Delegated Regulation states that ‘service providers Payment gateways will ensure that the processing and routing of payment credentials custom security and authentication codes generated from in accordance with Chapter II take place in safe environments consistent with firm and widely recognized industry standards.” Therefore, there is no doubt that the payment service provider is subject to compliance with specific protection obligations in the processes of authentication of payment operations whose purpose is to minimize the probability execution of unauthorized operations, but in no case prevent them from occur. Thus, it contradicts any legal logic to transfer all responsibility to the entity that provides telephone services, being the mere communication channel selected by the financial institution itself and without its knowledge, in a manner any, that the data transmitted through the messages sent contain banking operations keys. Note that Orange does not offer online trust services to banking operators, nor does it offer services typical of a certification or accreditation entity. The C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/28 banking entities may not have contracted any service from Orange, and, even so, Use SMS to carry out your actions with clients. Therefore, it is not can hold Orange responsible for configuring SMS sending as a second authentication factor used by those responsible for other services, such as banking operators. Consequently, it is reiterated by this party that the responsibility of the operators telephone charges due to cases of identity theft for requesting copies SIM cards cannot cover those derived from banking operations that criminals can carry out as a result of security measures implemented by banking entities are inadequate. Orange cannot be responsible for the security of the operations of third parties by the mere fact that they use telecommunications services. Consequently, the reasoning followed to hold Orange responsible as operator for the Fraud to the banking entity is not legally acceptable. With this presentation, focused exclusively on the result, the Agency deduces directly that Orange has carried out negligent conduct, without considering, in any way, the measures deployed by this party. Therefore, in the opinion of the Agency, the overcoming of the security measures of Orange by a third party, regardless of its content, automatically entails the consideration of their actions as negligent. This legal reasoning supposes a clear materialization of objective responsibility in the sanctioning field, which is not admissible in our legal system. In this regard, the Supreme Court ruling 543/2022, dated February 15, 2022, establishes, in its Third Legal Foundation, and establishes jurisprudence; that: “The obligation to take the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, which implies that produced a leakage of personal data to a third party, liability exists independently of the measures adopted and the activity carried out by the person responsible for the file or treatment.” Thus, the Supreme Court configures said obligation as one of means, in which (Third Legal Basis): “the commitment that is acquired is that of adopting technical and organizational means, as well as deploying an activity diligent in its implementation and use that tends to achieve the expected result with means that can reasonably be described as suitable and sufficient for its achievement, which is why they are called obligations of "diligence" or "of behavior". Therefore, in addition to what has been stated and as has been proven, the entity has with an adequate protocol for the correct processing of requests (whose effectiveness in preventing fraud is very high, exceeding 99%). It is also worth remembering that it is the Constitutional Court (hereinafter, TC), which, since its Sentence No. 76/1990, of April 26, has been warning of the problem of the inadmissibility of liability in our legal system objective and, consequently, the requirement in all cases that the Administration, When it comes to sanctioning, prove some degree of intentionality on the part of the sanctioned person. In this sense it is also worth mentioning what was stated by the National Court, among others, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/28 in its Judgment of the Administrative Litigation Chamber, Section 1, of 23 December 2013, Rec. 341/2012: “Indeed, in sanctioning matters, the principle of guilt (SSTC 15/1999, of July 4; 76/1990, of April 26; and 246/1991, of December 19), which means that some kind of fraud or guilt. As the Supreme Court ruling of January 23, 1998 says, “...we can speak of a decided jurisprudential line that rejects in the field sanctioning of the Administration the objective responsibility, demanding the concurrence of fraud or guilt, in line with the interpretation of STC 76/1990, of 26 of April, by pointing out that the principle of guilt can be inferred from the principles of legality and prohibition of excess (article 25 of the Constitution) or the demands inherent to the rule of law. The issue, therefore, must be resolved in accordance with the principles of law. punitive given that mere human error cannot give rise, by itself (and above all) everything when it occurs in isolation), to the attribution of consequences sanctioning; Well, if this were done, a system of responsibility would be incurred objective prohibited by our constitutional order. In the present case, the existence of strict control, prior and after contracting, the establishment of prior and a posteriori measures, as well as such as the existence of specific measures aimed at previously avoiding these practices (already indicated by this party in the allegations to the request of information from the AEPD). This is why it is not possible to assess Orange's guilt at this time. factual assumption, the assessment made by the Agency for commission of infringement by this company. That is, the existence of the ORANGE protocols and the introduction of improvements and new measures to increase its effectiveness, as well as the diligence of ORANGE in minimizing the impact and implementing the protocols, not However, in the justification, the AEPD classifies them as not adequate, in both “are susceptible to improvement.” Again, as has already been stated on numerous occasions, both in the response to the request as in the allegations in relation to the Agreement of Beginning of Sanctioning Procedure, this company has adapted the measures of security in a complementary way to the evolution of social engineering techniques used by cybercriminals. Therefore, the involvement and proactivity of this party in the protection of the rights of individuals, as well as the use of a level of adequate diligence on the part of Orange with which, although it is not possible, for limitation of technology and human resources, the existence of zero risk, is updated and reviewed periodically in accordance with the state of the art, costs of application, and the nature, scope, context and purposes of the processing, as well as as risks of varying probability and severity to the rights and freedoms of natural persons. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/28 For greater emphasis, the procedure established and applied by Orange, which the Agency has not evaluated, sends the client a notice simultaneously to the carrying out the procedure and managing the duplicate, so that it is necessarily used the email of the owner of the line, but also, for security, the owner of the line is informed direct telephone line. In fact, it is this measure implemented by Orange, As already noted, which enables the Claimant to identify that he has been a victim of a 'phishing' fraud. Thus, the Orange procedure incorporates additional security measures (which have proven in the present case to be effective), in compliance with the criteria stipulated by the National Court as accreditation of the display of diligence sufficient in requesting duplicate SIM cards. Orange has demonstrated, through both the allegations presented and in the previous documentation made available to this Agency, which has acted in all moment with due diligence in identifying the Claimant, not having place any data processing without legitimacy. Notwithstanding the above, in the hypothetical case that the Agency considers that there is any type of non-compliance, the sanction included in the Startup Agreement results, in in any case, disproportionate, taking into account the circumstances and content of the alleged infringement, which Orange strongly denies. In this sense, it is worth highlighting the following points that, according to the interpretation of the Agency are classified as aggravating circumstances, without the circumstances concurring to its consideration in relation to the facts analyzed: • Any previous infringement committed by the person responsible or in charge of the treatment (article 83.2e) of the GDPR. This party has indicated both in this document and in previous ones sent to this Agency, the particularities of the case at hand, as well as the innovation of the techniques and means used by identity theft to execute attempts to commit fraud. Said in terms of risk analysis, it is not possible to require the existence of measures • The evident link between the business activity of the defendant and the processing of personal data of clients or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b, of the LOPDGDD). The processing of personal data by Orange is strictly necessary to be able to carry out the activities that characterize it as an operator. By therefore, impose the aggravating factor described taking into account that there is no relationship directly with the alleged infringement, does not agree with what is stated in article 83.2.k) since this requires that the aggravating factor in question be applied taking into account the case concrete. Thus, in no case has it been part of Orange's will that the situation in which the Claimant has been involved and it is necessary to reiterate that this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/28 operator has also been harmed by it. Therefore, it is not possible consider the application of this aggravating circumstance. Additionally, as has been stated Earlier in these allegations, I would like to point out this part that the damage to which the Claimant alludes, consisting of the theft of funds of their bank accounts, is not included in the activity of this company. As has already been pointed out in this document, banking entities are the solely responsible for the security of its operations (EBA, Opinion on the implementation of the RTS on SCA and CSC and Qualification of SMS OTP as an authentication factor). As an addition to the above, and as established in article 83.2 of the RGPD and the article 76.2 of the LOPDGDD, in addition to the mitigating circumstance already expressly recognized by the AEPD in its Initiation Agreement. • The claimed party proceeded to block the line as soon as it became aware of the facts (art. 83.2 c). The following extenuating circumstances exist here and have not been considered in the appropriate grading of the sanction: • At no time have special categories of data been processed. • The degree of cooperation between Orange and the AEPD in order to remedy a alleged infringement and mitigate its possible adverse effects: it has been proven that all information requests have been responded to in a timely manner requested by this Agency, in line with the usual practice of this total company collaboration with the data protection authority. In the letters sent to the AEPD, the measures have been outlined in detail. implemented regarding the circumstance in which the Complainant, therefore remedying the alleged infringement, mitigating, likewise, its effects. • The non-existent benefit obtained by Orange derived from the treatment of data that this procedure occupies. In any case, Orange has been harmed, as has already been pointed out, being part harmed even in the judicial procedure in which the commission of the crime that concerns us. Although the AEPD in its Proposal indicates that this cannot be considered a extenuating circumstance, Orange has not benefited in any case, but has been, Likewise, a victim of the actions of cybercriminals, like the Claimant. REQUESTS the Spanish Data Protection Agency to present the present writing, it is worth admitting it, the previous allegations are considered formulated and, after the appropriate procedures, issue a resolution by means of which the file is indicated from EXP2022101101. Subsidiarily, in the event that the AEPD decides against C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/28 of the legal basis that ORANGE supports, the AEPD is requested to have taking into account the mitigating circumstances based on the previous allegations and, consequently, the procedure ends with a warning and, in Ultimately, if you consider that the imposition of a sanction is appropriate, moderate or modulate its proposal included in the Sanction Proposal notified to ORANGE, taking into account the arguments expressed in the body of this document of allegations>>. Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST: The claimant makes a claim on August 15, 2022, stating that his mobile phone stopped working on August 1, 2022 and that received several emails regarding a consumer notice and another email email indicating that your eSIM card had been successfully activated. SECOND: It appears in the file that the eSIM card application process was through the claimant's Private Area on the Internet, they accessed the username and password of the claimant on August 1, 2022, and requested the generation of an e-card SIM and Orange proceeded to issue the duplicate card in the e-SIM mode. THIRD: Work in the file that Orange proceeded to send an email to the claimant with the notice of the e-SIM card request within the contacts registered with the client or his alleged impersonator, several dated August 1, 2022 which reflect that at 19:03 there was a change in the email address claimant's email, made from the Client Area and at 8:07 p.m. the sending of an SMS informing you that you can scan the eSIM activation code. FOURTH: It appears in the file that the claimant, after receiving the SMS from Orange, Contact the claimed party to request the cancellation of the duplicate card eSIM, indicating that it has not been done. FIFTH: It is stated that on August 3, 2022, the numbering of the telephone line for theft/loss. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/28 Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II Allegations In response to the allegations presented by the claimed entity, it should be noted the next: Regarding the issuance of duplicate is not sufficient to carry out operations bank accounts on behalf of the holders, certainly, to complete the scam, it is necessary for a third party to “impersonate” the identity of the data owner before the entity financial. Which entails, a priori, treatment outside the principle of legality. since a third party is processing data, since it has access to them, without any legal basis, in addition to the violation of other principles such as confidentiality. For this reason, this is a process where the diligence provided by the operators is essential to avoid this type of scams and violations of the RGPD. Diligence that translates into the establishment of appropriate measures to guarantee that the data processing complies with the RGPD. The actions of the banking entities that provide payment services, in which area this type of scam begins, since The third party has access to the credentials of the affected user and impersonates this. While these entities are responsible for the processing of the data of their clients, they have the same obligations as those indicated until now for the operators referring to compliance with the RGPD and the LOPDGDD, and also the derived from Royal Decree-Law 19/2018, of November 23, on payment services and other urgent measures in financial matters. Within the eSIM issuance process, a physical card is not needed, but to its activation requires that the applicant scan a QR code that is sent electronically (SMS or email). In the present case, it is proven that Orange provided a duplicate of the card eSIM of the complaining party to a third party, without their consent, who accessed the information contained in the mobile phone, such as bank details, passwords, email address and other personal data associated with the terminal. So Therefore, the defendant did not take the necessary precautions so that these events did not occur. they would produce. Well, it is proven that a third party accessed the Client's private web area of the Claimant, and proceeded to change his email address and initiating C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/28 subsequently a conversation with the Digital Channel assisted and requesting through This means the duplicate eSIM. It must be taken into account, without prejudice to what was indicated above, that when activation of the eSIM object of the claim occurred, the claimant received a notice of the claimed party, and was left without line, so he contacted by telephone stating not having requested the eSIM. It is important to highlight that even though the complaining party advised that there was no carried out that procedure. Orange did not block the phone thus allowing it to occur the impersonation due to the delay on the part of Orange in carrying out the blocking of the numeration. Two days later the numbering was blocked, and three days later They provided a new physical SIM. In view of the above, Orange cannot prove that it acted diligently and therefore consequently there was an unlawful processing of the personal data of the party complainant, thereby contravening article 6 of the GDPR. From the Proven Facts, it is deduced that ORANGE has provided a duplicate card eSIM to a third party other than the legitimate owner of the mobile line, after the third party of the existing security policy, which shows a breach of duty to protect customer information. This unauthorized access to the personal data of the affected party is decisive for subsequent actions carried out by the impersonators, since They take advantage of the period of time that elapses from August 1, 2022, date on that the user detects the fault on the line and contacts the operator, until August 3, 2022, when Orange blocked the line to carry out fraudulent banking operations, which without the duplicate eSIM card would have its realization became impossible. Denying the concurrence of negligent action on the part of ORANGE would be equivalent to recognize that their conduct - by action or omission - has been diligent. Obviously not We share this perspective of the facts, since the lack of due diligence. The SAN of October 17, 2007 is very illustrative. (rec. 63/2006), assuming that these are entities whose activity involves in continuous processing of customer data, indicates that “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of data of a personnel must insist on rigor and exquisite care to conform to the legal precautions in this regard. Thus, in this sense, the ruling of the San National Court of September 19, 2023 (rec 403/2021), indicates that “… contracted the insurance policy with a third party without sufficient control or supervision insofar as it was not able to detect that, in reality, the The person who was expressing his willingness to hire was not who he said he was. Of the necessary precautions have been taken to ensure the identity of the person C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/28 contracting party (for which it would have been enough to attend to the incorrect answer to the client's identification and verification questions) in short, since there has not been acted with the necessary diligence, the complainant's data was processed without counting with your consent.” It is proven in the file that security has not been guaranteed appropriate in the processing of personal data, taking into account the result that identity theft has occurred. That is, a third party has managed to access to the personal data of the line owner without the security measures that ORANGE claims that they exist, they could have prevented it. Thus, we are faced with the concurrence of typical, illegal and culpable conduct. In short, the operator's rigor when monitoring who owns the eSIM card or person authorized by it who requests the duplicate, should meet strict requirements. It is not that the information to which refers is not contained in the eSIM card, but that, if in the process of Issuance of a duplicate eSIM card does not adequately verify identity of the applicant, the operator would be facilitating identity theft. Regarding the fact that the criminals have not managed to obtain personal data from ORANGE, so there can be no question of non-compliance with protective measures, point out that access to a duplicate eSIM card that makes your owner, responds to the definition of personal data in article 4.1) of the RGPD. In the present sanctioning procedure, the sanction is imposed because ORANGE provided a duplicate of the complaining party's eSIM card to a third party, without your consent and without verifying the identity of said third party, and for this reason imputes article 6.1 of the GDPR. In the case now examined, the AEPD, after carrying out the investigations timely, and in relation to a series of specific facts that it considers proven, includes them in the offending type that it considers appropriate, in accordance with the application and interpretation of the regulations, motivating in a neat and sufficient manner such performance. And the AEPD is bound by the principle of legality that involves the application and interpretation of the rules taking into account the factual situation specific that occurs in each case. Regarding the responsibility of ORANGE, it should be indicated that, in general terms ORANGE processes its clients' data under the provisions of article 6.1 b) of the RGPD, as it is considered a necessary processing for the execution of a contract in which the interested party is a party or for the application at his request of measures pre-contractual. In other cases, it bases the legality of the treatment on the bases provided for in article 6.1.a), c), e) and f) of the RGPD. On the other hand, to complete the scam, it is necessary for a third party to “impersonate the identity” of the data owner, to receive the duplicate eSIM card. Which entails, a priori, a treatment outside the principle of legality since a third party is processing data, since it has access to them, without any legal basis, in addition to the violation of other principles such as confidentiality. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/28 For this reason, this is a process where the diligence provided by the operators is essential to avoid this type of scams and violations of the RGPD. Diligence that translates into the establishment of appropriate measures to guarantee that appropriate security measures are implemented and maintained to protect effectively maintain the confidentiality, integrity and availability of all data personnel for whom they are responsible, or those who are in charge of another person responsible. The Constitutional Court indicated in its Sentence 94/1998, of May 4, that we We are faced with a fundamental right to data protection by which guarantees the person control over their data, any personal data, and on their use and destination, to avoid illicit trafficking or harm to the dignity and rights of those affected; In this way, the right to protection of data is configured as a citizen's power to oppose that certain personal data are used for purposes other than that justified its obtaining. For its part, in Sentence 292/2000, of November 30, it is considered as a autonomous and independent right that consists of a power of disposition and control over personal data that empowers the person to decide which of those data to provide to a third party, be it the State or an individual, or what this third party collect, and which also allows the individual to know who owns that data personal and for what, being able to oppose that possession or use. Regarding ORANGE's conduct, it is considered that it responds to the title of guilt. As a large-scale repository of personal data, therefore, accustomed or specifically dedicated to the management of personal data of the clients, must be especially diligent and careful in their treatment. That is to say, From the perspective of guilt, we are faced with a conquerable error, since with the application of appropriate technical and organizational measures, these impersonations of identity could have been avoided. It is recital 74 of the RGPD that says: The responsibility of the data controller for any data processing personal carried out by himself or on his own account. In particular, the person responsible must be obliged to apply timely and effective measures and must be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. These measures must take into account the nature, scope, context and purposes of the processing as well as the risk to the rights and freedoms of natural persons. Likewise, recital 79 says: The protection of the rights and freedoms of the interested parties, as well as the responsibility of the responsible and in charge of the treatment, also with regard to the supervision by the control authorities and the measures adopted by They require a clear attribution of responsibilities under this Regulation, including cases in which a controller determines the purposes and means of processing jointly with other controllers, or in which the treatment is carried out on behalf of a person responsible. The computer system and the technologies involved must be appropriate for avoid identity theft and be correctly configured. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/28 This Agency does not share ORANGE's statements regarding the circumstances that have been proven. It is true that there are protocols to prevent identity theft in these processes; that have been transferred to those involved in the processing; that have introduced improvements after learning of certain vulnerabilities; that there are penalties for non-compliance. However, we do not share the fact that these protocols or internal procedures can be considered adequate as long as they are susceptible to improvement. Identification mechanisms must be strengthened and authentication with technical and organizational measures that are especially appropriate to avoid impersonations. Regarding due diligence, it is recognized that ORANGE has acted diligently when it comes to minimizing the impact on those potentially affected by implementing new security measures to prevent the repetition of similar incidents in a future. Certainly, the principle of responsibility provided for in article 28 of the LRJSP, provides that: “They may only be sanctioned for acts that constitute an infraction administrative authority of natural and legal persons, as well as, when a Law recognize the capacity to act, the affected groups, the unions and entities without legal personality and independent or autonomous assets, which are responsible for them by way of fraud or guilt.” However, the method of attributing responsibility to legal entities is not corresponds to the intentional or reckless forms of guilt that are imputable to human behavior. So in the case of violations committed by legal entities, although the element of guilt must occur, it is necessarily applies in a different way than it does with respect to people physical. According to STC 246/1991 "(...) this different construction of the imputability of the authorship of the infringement of the legal entity arises from the very nature of fiction legal to which these subjects respond. The volitional element is missing in them in the sense strict, but not the ability to violate the rules to which they are subject. Capacity for infringement and, therefore, direct blameworthiness that derives from the good legal protected by the norm that is violated and the need for said protection is really effective and for the risk that, consequently, the person must assume legal entity that is subject to compliance with said norm" (in this sense STS of 24 of November 2011, Rec 258/2009). To the above it must be added, following the ruling of January 23, 1998, partially transcribed in the SSTS of October 9, 2009, Rec 5285/2005, and 23 of October 2010, Rec 1067/2006, that "although the culpability of the conduct must also be the subject of evidence, must be considered in order to assume the corresponding charge, which ordinarily the volitional and cognitive elements necessary to appreciate it are part of the proven typical behavior, and that its exclusion requires that the absence of such elements be proven, or in its regulations, that the diligence that was required by whoever claims his C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/28 nonexistence; is not enough, in short, to exculpate behavior "the invocation of the absence of fault is typically unlawful". Therefore, the lack of guilt is dismissed. The ultimate responsibility on the treatment continues to be attributed to the person responsible, who is the one who determines the existence of the treatment and its purpose. Let us remember that, in general, the operators process their clients' data under the provisions of article 6.1 b) of the RGPD, as it is considered a necessary treatment for the execution of a contract to which the interested party is a party (…). In the present case, it is proven that Orange provided a duplicate of the card eSIM of the complaining party to a third party, without its consent and without verifying the identity of said third party, which has accessed information contained in the phone mobile, such as bank details, passwords, email address and others personal data associated with the terminal. Thus, the defendant did not verify the personality of the person who requested the duplicate eSIM card, did not take the precautions necessary to prevent these events from occurring. Based on the above, in the case analyzed, the diligence used by the defendant to identify the person who requested a duplicate eSIM card. Well, it is proven as recognized by the claimed party in its written statement. response to this Agency, and in the allegations presented <<, the usurper accessed the private Client web area (hereinafter, APC) of the Claimant, initiating subsequently a conversation with the Digital Channel assisted and requesting through This means the duplicate eSIM. Having, therefore, verified the irregularity in the request for the duplicate, the Risk Analysis team confirmed that the Claimant, owner of the line ***TELEFONO.1, has probably been a victim of phishing, smishing or some other social engineering instrument (which could not be identified by this company in the course of the investigations) through its APC from where the duplicate e-SIM was requested without having requested a reset of the passwords, that is, the criminal already knew them previously>>. In accordance with the evidence available at this procedural moment, It is estimated that the conduct of the complained party violates article 6.1 of the RGPD which may constitute the infraction classified in article 83.5.a) of the aforementioned Regulation 2016/679. In this sense, Recital 40 of the GDPR states: “(40) For the processing to be lawful, personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance a Law, whether in this Regulation or under other Union law or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the person responsible for the treatment or the need to execute a contract to which the interested party is a party or for the purpose of take measures at the request of the interested party prior to the conclusion of a contract." III C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/28 Unfulfilled Obligation Article 4 of the GDPR, under the heading “Definitions”, provides the following: “1) “personal data”: any information about an identified natural person or identifiable ("the interested party"); Any person will be considered an identifiable natural person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements of identity physical, physiological, genetic, mental, economic, cultural or social of said person; 2) "treatment": any operation or set of operations performed on personal data or sets of personal data, whether by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction.” 7) "responsible for the treatment" or "responsible": the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of processing; whether Union or Member State law determines the purposes and means of the treatment, the person responsible for the treatment or the Specific criteria for their appointment may be established by Union Law. or of the Member States” ORANGE, is responsible for the processing of data referred to in the background exposed, since in accordance with the definition of article 4.7 of the RGPD is what determines the purpose and means of the treatments carried out with the purposes indicated in its Privacy Policy. Likewise, the issuance of a duplicate eSIM involves the processing of the data personal data of its owner since any identifiable natural person will be considered person whose identity can be determined, directly or indirectly, in particular via an identifier (Article 4.1 of the GDPR). The defendant is accused of committing an infraction due to violation of article 6 of the RGPD, “Legitimacy of processing”, which indicates in section 1 the assumptions in which that the processing of third party data is considered lawful: "1. Treatment will only be legal if at least one of the following is met conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/28 d) the processing is necessary to protect vital interests of the interested party or another Physical person; e) the processing is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that regarding said interests do not prevail over the interests or fundamental rights and freedoms of the interested party requiring the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph will not be application to the processing carried out by public authorities in the exercise of their functions.” IV Classification and Qualification of the infraction The infringement is classified in article 83.5 of the RGPD, which considers as such: "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: 1. The basic principles for treatment, including the conditions for treatment consent in accordance with articles 5,6,7 and 9.” The LOPDGDD, for the purposes of the prescription of the infringement, qualifies in its article 72.1 of very serious infringement, in this case the limitation period being three years, <<b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679>> V Sanction The determination of the sanction that should be imposed in the present case requires observe the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively, they provide the following: "1. Each supervisory authority will ensure that the imposition of fines administrative sanctions under this article for violations of this Regulations indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.” "2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/28 a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to pa- bundle the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, given gives an account of the technical or organizational measures that have been applied under the articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or certification mechanisms fication approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirect. mind, through infringement.” Within this section, the LOPDGDD contemplates in its article 76, entitled “Sancio- tions and corrective measures”: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of medical treatments. personal information. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/28 c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which disputes exist between them and any interested party. 3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679.” In accordance with the precepts transcribed for the purposes of setting the amount of the sanction of fine to be imposed on the entity claimed as responsible for a classified infraction in article 83.5.a) of the RGPD and 72.1 b) of the LOPDGDD, are considered concurrent in the present case the following factors: As aggravating circumstances: - The circumstance of article 83.2.e) RGPD: “Any previous infraction committed by the responsible or the person in charge of the treatment”. Recital 148 of the GDPR states “In order to strengthen the application of the rules of this Regulation [...]” and indicates in this regard that “It must, however, Special attention should be paid to the nature, severity and duration of the infringement, its intentional character [...] or to any pertinent infringement [...]”. Thus, in accordance with section e) of article 83.2. GDPR, in determining the amount of the administrative fine sanction cannot fail to be valued all those previous infractions of the person responsible or of the person in charge of treatment in in order to gauge the illegality of the analyzed behavior or the guilt of the subject offender. Furthermore, a correct interpretation of the provision of article 83.2.e) RGPD does not can ignore the purpose pursued by the rule: to decide the amount of the sanction of administrative fine in the individual case raised, always taking into account that the sanction is proportional, effective and dissuasive. There are numerous sanctioning procedures processed by the AEPD in which The defendant has been sanctioned for violating article 6.1 GDPR: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/28 i.EXP202204288 Resolution issued on January 31, 2023 in which a penalty of 70,000 euros. The facts concerned a duplicate SIM card fraudulent without legitimacy. ii.EXP202203638. Resolution issued on January 30, 2023 in which a penalty of 70,000 euros. The facts concerned a duplicate SIM card fraudulent without legitimacy. - The evident link between the business activity of the defendant and the processing of personal data of clients or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b, of the LOPDGDD). The Judgment of the National Court of 10/17/2007 (rec. 63/2006), in which, regarding entities whose activity involves continuous data processing of clients, indicates that “…the Supreme Court has been understanding that there is recklessness whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or otherwise of the subject must be especially considered, and not There is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of personal data, it must be insisted on the rigor and exquisite care to comply with the legal preventions in this regard.” As extenuating circumstances: Orange requests that the following mitigating circumstances be appreciated: At no time have special categories of data been processed. The degree of Orange's cooperation with the AEPD in order to remedy an alleged infringement and mitigate its possible adverse effects. The non-existent benefit obtained by part of Orange derived from the data processing involved in this procedure. None of the circumstances invoked are admitted. Regarding the fact that special categories of data have not been treated, art. 83.2.g GDPR, It would be an aggravating circumstance, so it cannot be classified in that circumstance. extenuating. Article 83.2.d) RGPD: “The degree of responsibility of the person responsible or the person in charge of processing, taking into account the technical or organizational measures that have applied under articles 25 and 32;”. The defendant has limited herself to stating that the third party that contracted with her exceeded the company security policy without providing any evidence to show that obtained from the person who participated in the contracting any document that accredited that he was effectively the owner of the data that he had provided as his own or that articulated some mechanism that would allow the veracity of the data to be verified. identity provided. On the other hand, the principle of proactivity means transferring the person responsible for the treatment the obligation not only to comply with the regulations, but also to be able demonstrate compliance. Among the mechanisms that the RGPD contemplates to to achieve this are those provided for in article 25, “data protection from the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/28 design", according to which the person in charge must apply "both at the time of determine the means of treatment as at the time of the treatment itself.” technical and organizational measures that guarantee effective application of the principles of the GDPR regarding the processing it carries out. Article 83.2.f) of the GDPR refers to the “degree of cooperation with the authority of control in order to remedy the violation and mitigate the possible effects adverse of the infringement;”. The response of the defendant to the information request of the Inspection Subdirectorate did not fulfill these purposes, so it is not fit into that extenuating circumstance. The consideration of cooperation with the Agency as a mitigating circumstance, as claimed, is not linked to any of the cases in which it may be there is a collaboration or cooperation or requirement for the sake of a legal mandate, when the actions are due and required by Law, as in the case that we occupies To this end, the Committee's Guidelines 04/2022 must be taken into consideration. European Data Protection Regulation on the calculation of administrative fines with in accordance with the RGPD, in its version 2.1 adopted on May 24, 2023, which point out that “the ordinary duty of cooperation must be considered mandatory and, therefore, it should be considered neutral (and not a mitigating factor).” This is confirmed in the same EDPB Guidelines on the application and fixing of administrative fines for the purposes of Regulation 2016/679, adopted on 3 October 2017, which states that “That said, it would not be appropriate to have additionally take into account the cooperation required by law; For example, in any case requires the entity to allow the control authority access to the facilities to carry out audits or inspections. On the application of article 76.2.c) of the LOPDGDD, in connection with the article 83.2.k), lack of benefits obtained, it should be noted that such circumstance only It can operate as an aggravating circumstance and in no case as a mitigating circumstance. Article 83.2.k) of the GDPR refers to “any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.” and the article 76.2c) of the LOPDGDD says that “2. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 may also be taken into account: [..] c) The benefits obtained as a consequence of the commission of the infraction.” Both provisions mentioned as a factor that can be taken into account in the graduation of the sanction the “benefits” obtained, but not the “absence” of these, which is what Orange alleges. Furthermore, in accordance with article 83.1 of the RGPD, the imposition of fine sanctions is governed by the following principles: they must be individualized for each particular case, be effective, proportionate and dissuasive. The admission that it operates as a mitigating factor, the absence of benefits is contrary to the spirit of article 83.1 of the GDPR and the principles governing the determination of the amount of the fine sanction. If, as a result of the commission of a violation of the RGPD, it is classified as mitigating factor that there have been no benefits, the deterrent purpose that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/28 It is fulfilled through sanction. Accept ORANGE's thesis in a case like the one in question would mean introducing an artificial reduction in the sanction that It is truly necessary to impose oneself; which results from considering the circumstances of article 83.2 RGPD that must be assessed. The Administrative Litigation Chamber of the National Court has warned that, the fact that in a specific case not all the elements that integrate a circumstance modifying responsibility that, by its nature, has an aggravating nature, it cannot lead to the conclusion that such circumstance is applicable as a mitigating factor. The pronouncement made by the National Court in its SAN of May 5, 2021 (Rec. 1437/2020) - even though that resolution is seen on the circumstance of section e) of article 83.2. of the GDPR, the commission previous infractions - can be extrapolated to the question raised, the claim of the demand that the “absence” of benefits be accepted as a mitigating factor, being thus that both the RGPD and the LOPDGDD refer only to “the benefits obtained”: - The claimed party proceeded to resolve the incident that was the subject of the claim in a manner effective (art. 83.2 c). It is appropriate to graduate the sanction to be imposed on the person complained of and set it at the amount of 200,000 € for the alleged violation of article 6.1) typified in article 83.5.a) of the cited GDPR. Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE ORANGE ESPAGNE, S.A.U., with NIF A82009812, for a violation of Article 6.1 of the GDPR, typified by Article 83.5 of the GDPR, a fine for an amount of 200,000 euros (two hundred thousand euros). SECOND: NOTIFY this resolution to ORANGE ESPAGNE, S.A.U. THIRD: This resolution will be enforceable once the deadline to file the optional resource for replacement (one month counting from the day following the notification of this resolution) without the interested party having made use of this power. The sanctioned person is warned that he must make effective the sanction imposed once This resolution is executive, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Real Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, through your entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collection in executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/28 voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative procedure within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es