AEPD (Spain) - PS/00429/2019
AEPD - PS/00429/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 04.03.2020 |
Published: | |
Fine: | 60.000 EUR |
Parties: | Vodafone España, S.AU |
National Case Number/Name: | PS/00429/2019 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish Data Protection Agency (AEPD) decided to impose a fine up to 60,000 € on Vodafone España, S.AU. (the data controller) for the infringement of the lawfulness of processing principle, as per Article 6(1) GDPR.
English Summary
Facts
The decision is the consequence of a complaint submitted by a Spanish citizen stating he has contracted the data controller telecommunications services as a new customer, but an employee of the data controller used his information and falsified his signature in order to register into another telecommunications company (Llamaya) as if the claimant had requested his portability right; such complaint included screenshots of the text messages received by the second telecom company, as well as delivery notes by Llamaya.
Dispute
The data controller did not answer to any AEPD investigation requests, so the AEPD started the corresponding sanction procedure. In such procedure, the data controller alleged that the infringement was due to a illegal use of data by the employee (as the data controller effectively applied the security protocols with the consent of the claimant during the contracting of the services and, as soon as the data controller got news of the problem, it marked the as a fraud and deregister its contracting), so there would be no guilt nor intentionality by the data controller.
Holding
Thus, the AEPD understood that not only there is a fraud in the contracting of the services and in using the name of the claimant without his consent, but also the data controller has infringed the lawfulness of processing principle (as it has not proved that it has even obtained the consent by the claimant for the contracting nor it carried out any due diligence in order to prove the identity of the claimant) and, after considering some aggravating circumstances [(i) the nature, severity and duration of the infringement, (ii) there is intentionality and or negligence by the data controller, (iii) personal identification data such as the name or the domicile have been affected, and (iv) the data controller has already committed other infringements], it decided to impose a fine of 60,000 € to the data controller.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
to be completed