AEPD (Spain) - EXP202213023

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 25 GDPR
Type: Complaint
Outcome: Upheld
Started: 23.02.2022
Decided: 05.02.2025
Published:
Fine: 1,200,000 EUR
Parties: Orange Espagne
National Case Number/Name: EXP202213023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: tjk

The DPA fined a mobile phone provider €1.2 million for failing to prevent the issuance of a duplicate SIM to a third party who used it to gain access to the data subject's bank account. The DPA held that the provider failed to implement appropriate safeguards.

English Summary

Facts

In 2022, a duplicate of the SIM card owned by the data subject was made, without the data subject having requested it, by an agent of “TOWER PHONE, S.L.” (the processor), acting as a franchisee of ORANGE (the controller).

The data subject lodged a complaint with the DPA claiming that, as a result of the duplicate, €9,000 had been stolen from his bank accounts through the SIM swapping scheme.

In such a scheme, a third party impersonating the data subject requests a duplicate of the data subject's mobile SIM card from the provider; the duplicate then receives the confirmation codes for the data subject's online banking, which the third party uses to divert money from the data subject's account. The data subject only found out about this when his original SIM was deactivated.

During a parallel criminal investigation it was found that not only had the complaining data subject's SIM card been wrongly duplicated by the franchisee, but the same agent had at least attempted the SIM swapping scheme in numerous other instances.

Holding

No consent for issuance of duplicate

The DPA held that the issuance of a duplicate SIM card without the consent of the owner of the line constitutes an infringement of Article 6(1) GDPR. The DPA stated that it is clear from the franchise contract that, regarding the issuance of the duplicate SIM, ORANGE is the controller and the franchisee only the processor: the franchise contract explicitly provides that the SIM duplication process is determined by ORANGE, which makes ORANGE the controller within the meaning of Article 4(7) GDPR.

In light of Article 83(2)(a) GDPR, the DPA found that the controller's conduct led to a loss of control over the personal data by the data subject, which resulted in identity theft and the commission of fraud. The DPA stated that obtaining a duplicate SIM card may generally be a gateway to other data and may lead to a significant financial loss for its owner, as happened in the case of the data subject. Additionally, the DPA took numerous previous GDPR infringements committed by the controller into account, in accordance with Article 83(2)(e) GDPR. Thus, the DPA set a fine of €200,000 for the infringement of Article 6(1) GDPR.

Failure to ensure data protection by design and default

The DPA found that the principle of data protection by design pursuant to Article 25 GDPR requires the controller, from the moment a possible processing of personal data is designed and planned, to determine all the elements that make up the processing and to effectively apply the data protection principles, integrating the necessary safeguards into the processing with the ultimate aim of protecting the rights of data subjects.

The DPA found that the controller did not observe this principle when setting up the procedure for manually issuing a duplicate SIM card in-store. The DPA held that, while the controller provides for procedures that generally require identity verification for the duplication process, it implemented no mechanism to prevent agents from misusing its manual SIM duplication protocols. Specifically, the DPA found that the controller had implemented no measures to verify that the information entered by the agent is not erroneous and that the request for a duplicate SIM card is actually submitted by the owner of the line.

Consequently, the DPA held that the controller had neither adequately identified and analysed the risks that a manual SIM card duplication process entails for the rights and freedoms of natural persons, nor translated them into the design of appropriate technical and organisational measures to effectively apply the data protection principles, as required by Article 25 GDPR.
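The control gap the DPA describes is that the agent's own entries were the only input to the manual duplication process. The following is an added illustrative model, not code from the decision and not Orange's system: a SIM-replacement workflow in which the agent's input alone can never activate a SIM (the registered owner data must match, the document-verification tool must have passed, and the holder of the currently active SIM must confirm with a one-time code), plus a per-agent count of attempts of the kind that the repeated requests by one agent described in the facts would surface. All class names, thresholds, line numbers and ICCIDs are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
import secrets


@dataclass
class Line:
    msisdn: str
    owner_id_number: str   # document number registered for the line holder (constructed)
    active_iccid: str      # SIM currently active on the line (constructed)


@dataclass
class DuplicateRequest:
    msisdn: str
    presented_id_number: str
    agent_id: str
    doc_check_passed: bool  # result of the document-verification tool, not the agent's assertion


@dataclass
class Decision:
    activated: bool
    reason: str


class SimDuplicateWorkflow:
    """Hypothetical in-store SIM-replacement flow (constructed for illustration).

    The agent's input never activates a SIM by itself: the presented ID must match
    the registered owner, the document tool must have passed, and the holder of the
    currently active SIM must confirm with a one-time code before the swap happens.
    Every attempt, allowed or denied, is written to an audit trail."""

    def __init__(self, lines):
        self.lines = {line.msisdn: line for line in lines}
        self.pending = {}   # msisdn -> (request, one-time code sent to the active SIM)
        self.audit = []     # (agent_id, msisdn, reason) for every attempt

    def _record(self, req, decision):
        self.audit.append((req.agent_id, req.msisdn, decision.reason))
        return decision

    def request_duplicate(self, req):
        line = self.lines.get(req.msisdn)
        if line is None:
            return self._record(req, Decision(False, "unknown line"))
        if not req.doc_check_passed:
            return self._record(req, Decision(False, "document verification failed"))
        if req.presented_id_number != line.owner_id_number:
            return self._record(req, Decision(False, "presented ID does not match line owner"))
        # Out-of-band step: the code goes to the SIM that is active now, so the
        # real holder of the line must take part before a replacement is issued.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[req.msisdn] = (req, code)
        return self._record(req, Decision(False, "awaiting confirmation from active SIM"))

    def code_delivered_to_active_sim(self, msisdn):
        """Stands in for the SMS the current holder of the line receives."""
        return self.pending[msisdn][1]

    def confirm(self, msisdn, code, new_iccid):
        entry = self.pending.get(msisdn)
        if entry is None:
            return Decision(False, "no pending request")
        req, expected = entry
        if not secrets.compare_digest(code, expected):
            return self._record(req, Decision(False, "wrong confirmation code"))
        del self.pending[msisdn]
        self.lines[msisdn].active_iccid = new_iccid
        return self._record(req, Decision(True, "duplicate activated"))


def agents_over_threshold(audit, max_attempts):
    """Returns agents whose number of duplicate attempts, successful or not, exceeds
    max_attempts; a single agent generating many requests is the pattern that the
    parallel criminal investigation in this case uncovered."""
    counts = Counter(agent for agent, _, _ in audit)
    return sorted(agent for agent, n in counts.items() if n > max_attempts)


if __name__ == "__main__":
    wf = SimDuplicateWorkflow([Line("600000001", "12345678A", "8934000000000000001")])
    print(wf.request_duplicate(DuplicateRequest("600000001", "99999999Z", "agent-7", True)))
    print(wf.request_duplicate(DuplicateRequest("600000001", "12345678A", "agent-7", True)))
    code = wf.code_delivered_to_active_sim("600000001")
    print(wf.confirm("600000001", code, "8934000000000000002"))
    print("flagged agents:", agents_over_threshold(wf.audit, 1))
```

The design point is that the document check and the owner confirmation are independent of the agent, so an agent who enters a matching document number or who controls the point-of-sale credentials still cannot complete the swap without the current holder of the line; the audit trail is what makes the repeated-attempt pattern detectable afterwards.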

The DPA stated that such an infringement is classified under Article 83(4) GDPR. The DPA found the controller's behaviour to be at least negligent, considering that the controller's activity involves constant and abundant handling of personal data. Thus, the DPA held that exquisite care in complying with the legal provisions must be insisted upon.

Additionally, it considered the previous infringements committed by the controller or the processor and the link between the offender's activity and the processing of personal data: the business activity carried out by the entity requires continuous processing of personal data.

Thus, the DPA set an administrative fine of €1,000,000 for the failure to implement appropriate safeguards by design and by default.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


 TABLE OF CONTENTS

BACKGROUND................................................................................................................1

FIRST: ..........................................................................................................................1

SECOND: .........................................................................................................................1

THIRD: ..........................................................................................................................2
FOURTH: ..........................................................................................................................2

FIFTH: ..............................................................................................................................5

SIXTH: ..............................................................................................................................5

SEVENTH: ..............................................................................................................................5

EIGHTH: ..............................................................................................................................5
NINTH: ..............................................................................................................................5

Preliminary: Reiteration of the allegations previously presented........................................5

First: Existence of criminal prejudice......................................................................6

Second: Regarding the factual assumption......................................................................6

Third: Regarding the role of the victim of ORANGE. On the Modus Operandi.................................8
Fourth: On the non-existence of a lack of legitimacy in the treatment of personal data of ORANGE.........................................................................................................9

Fifth: On the correct implementation of privacy by design and by default........................................................................................................................12

Sixth: Concurrence of infractions...................................................................................15

Seventh: On the inadmissibility of objective liability.......................................16
Eighth: On the measures adopted and implemented by ORANGE.................18

Ninth: Lack of proportionality of the sanction imposed.................................................20

TENTH:.................................................................................................................23

ELEVENTH:...................................................................................................23

TWELFTH:...................................................................................................23
First.- On the existence of criminal prejudice...................................................23

Second. On the factual assumption.................................................................................24

Third. On the criminal conduct of the agents..........................................................26

Fourth. On the absence of a lack of legitimacy in the processing of personal data of ORANGE........................................................................................................28

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/120

Fifth. On the correct implementation of privacy by design and by default.......................................................................................................................29

Sixth. On the existence of a competition of infractions.................................................................33

Seventh. On the inadmissibility of objective liability.................................................33

Eighth. On the measures adopted and implemented by ORANGE..............34

PROVEN FACTS..........................................................................................................37
FIRST: .........................................................................................................................38

SECOND: .........................................................................................................................39

THIRD: ..........................................................................................................................39

FOURTH.................................................................................................................................39

FIFTH: ................................................................................................................................40

SIXTH: ................................................................................................................................40

SEVENTH: ...............................................................................................................................40

EIGHTH: ................................................................................................................................41

NINTH: ................................................................................................................................41

TENTH: ................................................................................................................................42

ELEVENTH: ................................................................................................................................42

TWELFTH: ................................................................................................................................42
THIRTEENTH: .................................................................................................47

FOURTEENTH:.......................................................................................................51

LEGAL BASIS........................................................................................................56

I Jurisdiction.......................................................................................................56

II Preliminary issues...................................................................................................56

III Response to the allegations to the initiation agreement...................................................57
First: Existence of criminal prejudice......................................................................57

Second: Regarding the factual assumption......................................................................59

Third: Regarding the role of ORANGE as victim. On the Modus Operandi........................64

Fourth: On the non-existence of a lack of legitimacy in the processing of personal data of ORANGE.........................................................................................................68

Fifth: On the correct implementation of privacy by design and by default........................................................................................................................70

Sixth: Concurrent infringements...................................................................................76

Seventh: On the inadmissibility of objective liability.......................................84

Eighth: On the measures adopted and implemented by ORANGE.................88

Ninth: Lack of proportionality of the sanction imposed...................................................88

IV Response to the objections to the proposed resolution of the sanctioning procedure.................................................................................................................96
First. On the existence of criminal prejudice.................................................................96

Second. On the factual assumption..........................................................................98

Third. On the criminal conduct of the agents..........................................103

Fourth. On the nonexistence of a lack of legitimacy in the processing of personal data of ORANGE.........................................................................................................104

Fifth. On the correct implementation of privacy by design and by default.......................................................................................................................105

Sixth. On the existence of a concurrence of infractions................................................109
Seventh. On the inadmissibility of objective liability........................................110

Eighth. On the measures adopted and implemented by ORANGE...................112

9. On the lack of proportionality of the proposed sanction............................115

V Unfulfilled obligation..........................................................................................117

VI Classification and qualification of the infringement...........................................................119

VII Sanction for the infringement of article 6.1 of the GDPR..............................................119

VIII Data protection by design and by default...................................................120

IX Classification of the infringement of article 25...................................................................126
X Sanction for the infringement of article 25 of the GDPR...................................................126

XI Adoption of measures...................................................................................................128


File No.: EXP202213023

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on November 23, 2022. The claim is directed against ORANGE ESPAGNE, S.A.U. with NIF A82009812 (hereinafter, ORANGE). The reasons on which the claim is based are the following:

The complaining party states that a duplicate of his SIM card has been made without
properly verifying his identity, and without having his ID, impersonating his
identity. The duplicate was made in an establishment of the entity on November 15, 2022.

The complainant states that as a result of the duplicate, money amounting to 9,000 euros has been stolen from his bank accounts.

Relevant documentation provided by the complainant:

- Official complaint form from the Community of Madrid.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), this complaint was forwarded to ORANGE, so that it could proceed to analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 12/29/2022 as stated in the
acknowledgement of receipt that is in the file.

On 01/31/2023, this Agency received a response letter indicating the
following:

"Having confirmed the irregularity in the request for the duplicate, the Risk Analysis team confirmed that two agents from the Point of Sale of the store at ORANGE MADRID ***ADDRESS.1 had acted irregularly, using their credentials from the internal systems of this company to activate the duplicate SIM card.

Thus, it was possible to verify that, at the time of contracting, the
protocol established by this company was followed, passing (…) […]. This system
allows to identify that (…). However, despite the fact that the instructions
indicated to the distributors were followed, since it was the agents who acted
irregularly, (…)"

They also indicated that:

“[…] this company has taken the appropriate legal measures that are in its hands, informing the distributor of the need to file a complaint against the agents for whom they are responsible.

Additionally, in order to prevent the incident described from occurring
again as much as possible, the company has proceeded to track (…).

Also, on December 28, 2022, and prior to the notification of this request, a mandatory training pill was transferred from the School of Sales to the entire distribution channel to the Points of Sale in order to help and make the sales teams aware of the risk of recruiting salespeople to physically make duplicates from the Points of Sale.

Finally, this company proceeded to return the amounts charged for
the SIM change in the January 2023 invoice.”

THIRD: On February 3, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigations to clarify the facts in question, pursuant to the functions assigned to the control authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having knowledge of the following:

In the present inspection actions, ORANGE has been required to provide a detailed description of the Identity Verification System, the operation followed with this system and detailed information on the checks it carries out on identity documents. Confirmation was requested that this system (…).

ORANGE has replied in this regard as follows:

When requesting a commercial act at a point of sale, the agent collects the
identification document of the applicant (…).


As a general rule, the system does (…). However, (…).

It was this circumstance, in the case at hand, that allowed the agents (…) and to make the duplicate SIM fraudulently, usurping the identity of the complainant and therefore not proceeding to carry out the relevant (…), reason why they managed to carry out the operation.

ORANGE has also been required to provide a copy of the contract signed with the
distributor in question, as well as a copy of all the instructions it had in relation
to the (…) of the clients in the context of making SIM duplicates. A copy of the instructions regarding the use of (…) was also requested.

A copy of the instructions was provided, published according to the documentation provided in “Discover Orange”, “Residential” section, “Documentation required for registration and other commercial acts of a V26 client” “Special reference to fraud in non-consented SIM changes”, for the point of sale it is specified that “the replacement SIM will never be given to a person other than the owner, even if the authorization is signed”. It also indicates that “the client’s document will always be validated in (…)” “if at that time (…) an incident will be opened and the client will be asked to return the next day”. The same is indicated for obtaining the SIM as for a SIM change.

A screenshot is also provided showing the tool used at the point of sale
which for SIM cards includes a “Documentation” button, which according to
the specification invokes (…).

They state that, exceptionally, (…).

They provide a copy of the contract with the franchisee in question. The Object of the contract
includes, among other activities, “SIM card replacement”. It contains a point, the twenty-second, on the processing of personal data and the twenty-third, on
confidentiality.

Regarding the reasons why the agents acted irregularly, the representatives of the defendant state that it has been possible to verify that during the first months of 2023, attacks on points of sale have increased, recruiting salespeople to carry out criminal acts in exchange for large financial rewards (CAT, Telco Anti-Fraud Committee). In the present case, the distributor was informed of the need to take appropriate legal measures by filing a complaint against the agents for whom they are responsible. The distributor filed it, with preliminary proceedings opened no. XXX/20XX in the investigating court no. 53 of Madrid.

Regarding other measures taken to prevent these events from happening again
ORANGE indicates that the fraud prevention, security and office teams of the DPD have promoted the dissemination of a training pill throughout the distribution channel
with the aim of raising awareness among workers of the existing problem
and of the obligation to comply with all procedures and policies for
customer identification.


They provide the URL where the information pill is published, verifying that it contains a context/background section, which indicates, among other circumstances, the high risk of SIM swapping and the need to rigorously comply with all procedures and the customer identification policy using the identity verification tool.

In the Legal Actions section, the legal actions and consequences that may result from failure to comply with the guidelines prescribed by the company are mentioned, with disciplinary sanctions for the employee who has carried out irregular conduct, as well as the fact that the judicial authorities may consider that the employee who has breached the guidelines established by the company is a participant as a necessary collaborator in the commission of a criminal offense, which may lead to prison sentences and financial compensation for the client who has been harmed by the action of SIM swapping.

In the “Use cases” section of the information pill, among other cases, (…) are specified. 13 use cases are accessed.

Finally, ORANGE has been asked to provide the contacts maintained with the complainant, verifying that there is a contact dated November 16, 2022 in which the operator records the customer's complaint about the SIM duplicate, as well as that the SIM change was made on the previous day. They recommend that the customer change the password for the customer area.

FIFTH: According to the report collected from the AXESOR tool, the entity
ORANGE ESPAGNE, S.A.U. is a large company with a sales volume of (…)
and 3,068 employees.

SIXTH: On November 28, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party,
in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged
infringement of Article 6 of the GDPR and Article 25 of the GDPR, classified in Article 83.4
of the GDPR and Article 83.5 of the GDPR.

This initiation agreement, which was notified to ORANGE in accordance with the rules established
in the LPACAP, was collected on November 28, 2023, as stated in the
acknowledgement of receipt in the file.

SEVENTH: On November 30, 2023, ORANGE submitted a document
requesting an extension of the deadline for submitting allegations and that a copy of the file be provided.

EIGHTH: On December 4, 2023, the body in charge of the procedure
agrees to the requested extension of the deadline up to a maximum of 5 days, in accordance with the provisions of
article 32.1 of the LPACAP, and to send a copy of the
file to ORANGE.

The aforementioned agreement is notified to ORANGE on December 11, 2023, as shown in the acknowledgment of receipt in the file.


NINTH: On December 21, 2023, this Agency receives, in a timely manner, a letter from ORANGE in which it provides objections to the initiation agreement. In these allegations, in summary, it stated:

Preliminary: reiteration of the allegations previously presented.

ORANGE expresses its disagreement with the content of the initiation agreement and ratifies and considers reproduced the allegations and arguments presented in its previous writings, without prejudice to the power it has to influence, in these allegations presented, the points it deems most relevant and add elements to challenge the grounds included in the initiation agreement of the present sanctioning procedure.

First: existence of criminal prejudiciality.

ORANGE states that the facts subject to the initiation agreement are, in turn, the basis of a criminal investigation in which it appears as an injured party, being, therefore, subject to the principle of criminal prejudiciality provided for in article 10 of Organic Law 6/1985, of July 1, of the Judiciary.

Consequently, it states that the matter should be resolved in the criminal court, before a ruling is made in the administrative court, and for this purpose, it cites article 22.1.g) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, to request the suspension of this sanctioning procedure, according to which, the passage of the maximum legal period to resolve a procedure and notify the resolution may be suspended when obtaining a prior ruling from a judicial body is essential for the resolution of the procedure.

ORANGE bases the request for suspension on the provisions of article 77.4 of the aforementioned Law 39/2015, according to which, in sanctioning procedures, the facts declared proven by final criminal court rulings will bind the Public Administrations with respect to the sanctioning procedures that they substantiate.

It also shows that criminal prejudiciality requires a triple identity of subject, fact and basis, so that the principle of non bis in idem embedded in Article 25 of the Constitution can be considered valid and applicable to the specific case.

Thus, ORANGE states that:

- as regards the subject, the authorship of the facts in both procedures by the commercial agents is established.

- as regards the fact, there is a coincidence in dealing with the fraudulent issue of a
duplicate SIM card.


- as regards the basis, it would be sanctioning on two occasions for the illegitimate and fraudulent
conduct of the agents, contrary to the protocols and procedures
established by ORANGE.

Finally, it states that it provides, as document 1, the complaint filed by the distributor
against the agents involved, and as document 2, the letter of appearance of ORANGE in the criminal case as an injured party.

Second: on the factual assumption.

ORANGE gives an account of the facts, which can be summarized as follows:

-On November 15, 2022, the complainant realized that he had no
line on his mobile phone, going to an ORANGE establishment to resolve
the incident. At this time, it is noted that a duplicate of his SIM card has been produced
fraudulently, and it is deactivated, thus resolving the incident that is the subject of the claim.

-When the incident became known, it was transferred to the Risk Analysis Group, confirming the duplicate SIM card, which was activated by a commercial agent at the ORANGE store on December 15, 2022. The risk analysis team concluded that the two point-of-sale agents had acted criminally with fraudulent intent, using their knowledge and internal systems to activate the duplicate.

-In the present case, (…).

The ORANGE protocol establishes that, although a notice must be generated to the Risk Analysis Group, commercial agents are allowed to continue the process for certain cases (…). This is allowed in cases of (…). Therefore, ORANGE
considers that the agents took advantage of their knowledge of the system to
commit the criminal act.

-ORANGE wishes to point out that before receiving the first request for information sent by this AEPD in this case, it had already sent, through the Risk Analysis Group and through the School of Salespeople, a mandatory reinforcement pill for all points of sale, in which awareness was raised and information was sent to encourage collaboration by the sales teams.

-On January 16, 2023, the company TOWER PHONE, S.L., in which the
distribution company to which the point of sale belongs is located, filed a complaint
with the Court of Instruction of Madrid against the two salespeople who participated
in the duplication of the SIM card.

ORANGE wishes to state that the issuance of a duplicate SIM card implies the
issuance of a SIM card without personal information, and that by itself it does not allow
access to banking or financial information.


ORANGE makes this statement because it understands that this AEPD uses erroneous associations in the initiation agreement to aggravate the situation in question, granting the duplicate SIM card the power to allow the commission of banking operations, omitting a previous step, according to which the wrongdoers must obtain and be able to use the bank credentials of the claimant in order to identify themselves and, first of all, carry out the identity theft before their financial institution.

It adds that this AEPD does not mention the role played by financial institutions in these cases, nor is there evidence that, despite the economic damage to the claimant, sanctioning procedures have been initiated against them. It considers that this AEPD cannot sustain the imputation of guilt to this company on mere statements lacking evidence, on which, in any case, it would be necessary to evaluate the intervention and responsibility of the affected entities.

It adds that the AEPD intends to sanction the Sim Swapping frauds without attending to or
analyzing the specific factual situation, the associated damage, or the derived responsibilities,
without taking into account the diligence displayed by ORANGE in its actions
and in the adoption of security measures.

In this regard, it would like to mention the ruling of the National Court 6460/2022,
of December 23, 2022, which has annulled, for not being in accordance with the Law, the
resolution PS/00070/2019, and which states:

“The AEPD does not examine these claims that refer to certain facts, nor does it make
an assessment of the evidence produced in relation to them in the legal grounds, nor
are they connected to the privacy document, but rather it uses them to open a kind of
general case against the privacy policy”.

ORANGE wishes to state that, as in that case, in this procedure the AEPD does not refer
to the specific factual situation and fails to assess the documentation provided,
building a generic discourse to legitimize a finding of infringement of the data
protection regulations. It adds that the AEPD has imposed various sanctions on ORANGE
for complaints related to SIM swapping in which the same legal reasoning is reproduced
without taking into account the facts or circumstances concurring in each case, and
that this practice is contrary to the judgment of the National Court cited, which
emphasizes the need for the AEPD to rigorously examine compliance with the principles
of administrative sanctioning procedure in its resolutions.

Third: ORANGE's role as victim. Regarding the modus operandi.

ORANGE summarizes the background of frauds with characteristics similar to “SIM swap”,
indicating that at first impersonators requested duplicate SIM cards in person, whereas
at present they concentrate on requesting duplicates and activating SIM cards through
non-face-to-face channels.


In the present sanctioning procedure, the duplicate SIM card was issued by two sales
representatives from the point of sale, who consequently acted on behalf of ORANGE.

Therefore, ORANGE states that when it is the agents who decide to commit the crime,
taking advantage of ORANGE's means and systems and frustrating its procedures and
security measures, ORANGE's role is that of the injured party, since the crime is
committed by its agents, and with it the breach of their contractual obligations
towards ORANGE and its distributors. It therefore understands that the company cannot
be required to have full capacity to detect and thwart such criminal acts.

At this point, ORANGE cites Ruling 35/2023 of the Criminal Chamber, Section 3, of the
AN, of January 30, 2023, which dismisses an appeal filed by the Public Prosecutor's
Office and confirms the dismissal and archiving of the separate investigation piece
regarding the liability of two legal entities. In its Legal Ground 2, in relation to
crime prevention models and the associated liability of the legal entity, it states:

“SECOND. – We reject the grounds for appeal alleged by the Public Prosecutor's Office,
accepting and reproducing the reasoning of the contested decision and the jurisprudence
cited on the criminal liability of legal entities in the decision of 29.07.2021, to
which the decision of 02.06.2022 refers in some aspects. At the time when the contracts
with (...) referred to in this procedure took place, (...) had a Crime Prevention Model
that complied with the requirements provided for in article 31 bis CP. No model is
infallible, and if a crime is committed by one of the subjects contemplated in the
aforementioned precept, it does not necessarily imply that the crime prevention model
adopted by the legal entity is inadequate, does not comply with current regulations or
fails, since it would then be enough to adopt a model that complies with all the rules
to prevent the commission of crimes, which does not correspond to reality, and
precisely for this reason crime prevention models are subject to periodic reviews.”

On this basis, ORANGE wishes to state that the Courts have been recognizing that the commission of a crime, even when committed within a legal entity, does not automatically determine guilt or lack of diligence. 

It also states that ORANGE has documented the implementation of specific and adequate measures, as well as a procedure for requesting duplicate SIM cards, so that negligent action cannot be presumed. 

For this reason, ORANGE wishes to reiterate that ORANGE is the victim of a criminal attack carried out through its own systems and from one of its points of sale. Furthermore, this is the
first time such a situation has occurred, and it is completely new.


Fourth: the absence of any lack of legitimacy in ORANGE's processing of personal data.

ORANGE states that, during the process of duplicating the SIM card
that has led to the opening of this sanctioning procedure, ORANGE did not provide
any personal data of the complainant to any third party, and there was no
disclosure or unauthorized access to their personal data.

It adds that the sanctioning file does not contain any other data processing that
could be classified as unlawful, and that there is no relationship between the facts
the AEPD identifies as proven and the legal classification made of them.

It understands that the criminal acts were committed by the agents individually and in
opposition to the obligations imposed by ORANGE, its procedures and its protocols, and
therefore cannot automatically be attributed to an action by ORANGE. In this sense, it
provides as documents 3 and 4 the contract signed with the franchisee, as processor,
together with the addendum novating it, to illustrate the contractual obligations
assumed by the agents.

On the other hand, ORANGE points out that the initiation agreement states, on page 6:

“On the other hand, the issuance of a duplicate SIM card involves the processing of the
personal data of its holder, since an identifiable natural person is considered to be
any person whose identity can be determined, directly or indirectly, in particular by
means of an identifier (Article 4(1) of the GDPR).

Therefore, the SIM card identifies a telephone number and this number, in turn,
identifies its holder. In this regard, the judgment of the CJEU in case C-101/2001
(Lindqvist) of 6.11.2003, paragraph 24, ECR 2003 p. I-12971: The concept of “personal
data” used in Article 3, paragraph 1 of Directive 95/46 includes, according to the
definition in Article 2, letter a) of that Directive, “any information relating to an
identified or identifiable natural person”. This concept undoubtedly includes the name
of a person together with his telephone number or other information relating to his
working conditions or his hobbies.

In short, both the data processed to issue a duplicate SIM card and the SIM card
(Subscriber Identity Module) that unambiguously and uniquely identifies the subscriber
on the network are personal data, and their processing must be subject to data
protection regulations.”

In this regard, it refers to the Judgment of the General Court of the European Union
(Eighth Chamber, Extended Composition) of April 26, 2023, which holds that an
alphanumeric code cannot be presumed to be personal data; rather, it is for the
supervisory authority to justify the ability to relate the data to a specific person,
and it is not sufficient to presuppose it merely because the code could potentially
allow identification.


In this regard, this judgment states that it is up to the supervisory authority to
"determine whether the possibility of combining the information that had been
transmitted to (...) with the additional information held by the (...) constituted a
means that (...) could reasonably use to identify the authors of the comments." To
which it adds that: "Therefore, since the (...) did not investigate whether (...) had
legal and practically feasible means to be able to access the additional information
to re-identify the authors of the comments, the (...) could not conclude that the
information transmitted to (...) constituted information on an identifiable natural
person, within the meaning of Article 3, point 1, of Regulation 2018/1725."

ORANGE wishes to state that the AEPD has not carried out any evidentiary activity in
this regard, but directly assumes that the codes contained in the SIM card allow its
holder to be identified.

It adds that the fact that the codes allow one network user to be technically
distinguished from others for the correct management of communications does not imply
that those involved in the process are able to associate this information with a
specific person, and that, taking into account the judgment of the General Court,
there would be no case of unlawful processing of personal data.

At this point, ORANGE cites the Supreme Court judgment of June 18, 2020 (appeal number
1074/2019, judgment number 815/2020), which, in the case of a telephone number,
describes its consideration as personal data as doubtful, in the following sense:

“Well, in the case at hand, apart from the telephone number of the affected
complainants, which by itself could not be considered personal data according to the
judgment of this Court of September 17, 2008 (Rec. 353/2007), ADDRESS001 also proceeds
to record the voice of the complainants through the recording of the joke, which may
be disseminated”

Thus, according to this judgment, even in the case of the telephone number its
consideration as personal data must be justified, and this cannot be assumed for the
codes either, since their capacity to be related to the holder of the line depends on
the availability of, or access to, other data about that holder.

In this sense, ORANGE understands that the codes (MSISDN and IMSI) are not directly
accessible information but require specific operations to be performed with the mobile
device, so that unlawful data processing cannot be imputed on the basis of mere
possession of the card, and without those codes being considered, as stated above,
personal data. In addition, it adds that even if the technical information contained
in the SIM card were interpreted as personal data, there is no evidence that the
perpetrators of the criminal act knew it, so there is no basis to conclude that those
data were unlawfully processed.

ORANGE points out that the statement in the initiation agreement, “In the present
case, it is proven that a SIM card of the complainant has been duplicated for a third
party, without his consent and without his ID”, does not reflect the specific facts,
since, according to ORANGE, there is no record of the intervention of any third party;
rather, it was ORANGE's own agents who, by virtue of the permissions granted to them
for the performance of their work duties, accessed the tool normally as authorized
users and, knowing the tool (…), made fraudulent and criminal use of it.

ORANGE states that the human factor cannot be completely eliminated from the
management of ORANGE's processes, since sometimes documents must be validated in a way
that cannot be automated. It also considers that adopting control measures over
employees, keeping exhaustive control of their activity or sanctioning non-compliance
with established protocols is not compatible with labour regulations; that absolute
effectiveness cannot be demanded of measures designed to prevent fraud; and that, in
terms of risk analysis, it is not possible to demand effective measures guaranteeing
“zero risk”, since that would amount, de facto, to establishing objective liability.

Also, ORANGE states that it does not consider it proportionate to assume that the mere
issuance of a duplicate SIM card may lead to “the production of a significant
patrimonial loss”, as indicated on page 6 of the initiation agreement. ORANGE
considers that its agents did not access the complainant's mobile phone or the
information it contains, and insists that the SIM card does not contain the data of
the mobile terminal or of the installed applications, and that the bank credentials
must be known in order to access those applications. It therefore considers that the
initiation agreement cannot support its charge with statements that lack evidence and
that refer to facts which did not take place in this case. It states that this
assertion does not derive from any proven fact, and violates the principle of
typicality and the presumption of innocence of ORANGE by imputing guilt without
sufficient evidence.

Finally, ORANGE wishes to state that it cannot be accused of processing data without
a legal basis, since the processing carried out by ORANGE is based on the contractual
relationship existing with the complainant, as stated in Recital 40 of the GDPR. It
therefore understands that there is no unlawful processing of the complainant's data,
and consequently no infringement of article 6.1 of the GDPR.

Fifth: the correct implementation of privacy by design and by default.

ORANGE provides the following documents in relation to this issue:

-document no. 5, relating to the “Privacy Management Dashboard” that is shared
annually with the company.

-document no. 6, report containing the audit opinion corresponding to the
application of privacy principles by design and by default by ORANGE.

-document no. 7, data protection procedure by design and by default
of the company.


On the other hand, it considers that the grounds given in the initiation agreement for
this infringement are scant, beyond an extensive reproduction of the regulations, the
recitals relating to this principle and the AEPD Guides on the matter.

It insists that the Agency does not take into account, in the initiation agreement,
that the store agents are people hired by ORANGE or by its distributors and
franchisees, that their job is to carry out the contracting processes, and other
complementary ones, designed by the company, and that these processes take the privacy
and security of the information into account, including the intervention of the
agents themselves.

The company adds that the agents have the task of carrying out the processes while
verifying that they are performed correctly, according to the instructions provided by
ORANGE, and that failing to do so would constitute a breach of contractual obligations
and of the company's internal instructions and protocols.

ORANGE states that automating measures to support this task with digital means
facilitates and complements it, but cannot be interpreted as an indispensable
requirement, only as a reinforcement. In addition, it understands that ORANGE's
legitimate ability to delegate supervision tasks to designated users must be taken
into account, without this constituting a breach of the regulations, and that a
general prohibition on employees taking decisions would be contrary to what the GDPR
proposes.

ORANGE states that the fact that a person intervenes in the process does not necessarily imply that there is no security, that employees are being incited to commit crimes, or that the majority of workers are presumed more willing to commit fraud than to perform their duties. It adds that this is the first time this has happened.

In addition, it understands that the AEPD's position is contrary to the criteria set
out in the Guide on attendance control processing using biometric systems, dated
November 23, 2023, which states:

“It is not mandatory, nor recommended, that the implementation of processing be
limited exclusively to the selection of technological resources. Among the options for
implementing processing, it is necessary to consider, among others, the use of human
resources, legal guarantees and organizational procedures”

Therefore, it understands that, in the case that gave rise to this sanctioning
procedure, in which, after a technical error preventing an ordinary management
operation had been identified, means were enabled (…) to carry out the operation,
those means must be considered complementary, in such a way that the agent
intervening in the operation verifies (…).

ORANGE also points out that it is sometimes the customers themselves who demand
agility in the procedures they request, which is why alternative verification means
are enabled, subject beforehand to the corresponding risk analyses.

ORANGE points out that fraud prevention is entrusted to a
specific department of the company, which is the one that evaluates the risks according to
a specific protocol and methodology, providing the following documents to prove it:

- document 8, relating to the Group Risk Management Policy

- document 9, Risk Control and Management Policy

- document 10, which describes the operation of the Local Risk Committee

- document 11, which sets out Orange's Internal Control Policy

- document 12, “Fraudulent Use of Data - Third Parties”, containing a presentation
taken to the Local Risk Committee that expressly refers to the analysis of the
evolution of this risk.

With this, ORANGE wishes to state that it is incorrect to claim that this type of risk
had not been analysed; rather, the risk had been increasing recently as a result of
the case that gave rise to this sanctioning procedure. It wants to make clear that the
risk had been classified as low, so there was no need to implement measures
additional to those already in place, without this implying that it acted
correctively rather than preventively. As preventive measures adopted, it points out:

-legal measures: contract with the franchisee, including a commitment to
confidentiality (documents no. 3 and no. 4).

-organisational measures:

-communication of instructions, such as the information pill provided to Orange
Agents;

-access control and logging of the actions carried out by users, which requires the
use of non-transferable personal credentials assigned by ORANGE, and which allows the
agent to be identified and his activity to be monitored;

-error management protocol, (…).

ORANGE adds that, in this case, the persons involved were dismissed and are currently
under criminal prosecution, and that these consequences result from the deterrent
measures previously implemented to mitigate the risk of this type of action.

It insists that it cannot be accepted that allowing the agent to supervise the
correctness of a process implies that there is no control over the process or that
this measure does not comply with the GDPR, since that assertion would mean that any
process carried out by a person without digital control is inadequate, something
ORANGE considers untenable. It adds that digital control is itself liable to be
incorrect or to fail, making human control necessary.

ORANGE mentions at this point article 22 of the GDPR on automated individual
decision-making, which includes everyone's right not to be subject to a decision based
solely on automated processing, as well as the right to obtain human intervention by
the controller, and understands that the AEPD's interpretation, under which allowing
decisions to be taken by a person constitutes a breach of the GDPR, is contrary to the
spirit of the regulation, which aims to encourage human intervention in processes in
order to avoid the biases, inaccuracies or errors that derive from fully automated
processes.

In this way, it understands that providing for human intervention in the face of
certain machine errors is in accordance with the GDPR and is also good practice. All
this because it considers that it is never completely avoidable that a malicious user
may carry out an illegal action, being able to memorise customers' personal
information in order to make illegal use of it.

ORANGE recalls that, in this case, it was a fraudulent, intentional action aimed at
obtaining personal and financial benefit, and that, regardless of the fact that, once
the event became known, the risk assigned to this potential fraud was updated and the
appropriate measures were adopted to limit it, this action required the agents to
identify themselves voluntarily before committing the act, which was recorded.

ORANGE expresses its disagreement that a fine of one million euros is justified for a
general breach of the principle of privacy by design and by default on the ground that
the risks of non-automated handling of a request had not been analysed. It adds that
it is not true that the risk in question was not taken into account, and that in any
event this cannot serve as a basis for asserting that a general principle of the GDPR
has been breached. It considers that this is a generic and ambiguous provision being
used merely as a means of classifying a fact that, strictly speaking, would not
constitute a breach of any specific obligation, and that the fact that something had
not been considered a threat cannot invalidate the entire regulatory compliance system
implemented by ORANGE.

Sixth: concurrence of infractions.

ORANGE understands that in this sanctioning procedure the circumstances exist to find
a concurrence between the two imputed infringements, since both are based on a single
act committed by the ORANGE agents.

In this way, ORANGE understands that the initiation agreement refers to a single fact,
subject and basis, namely the adoption of measures in the SIM card duplication
procedure in cases of manual intervention, which would constitute a case of medial
concurrence in criminal law or a concurrence of infringements in administrative law,
applicable “whenever the application of one provision prevents or subsumes the
applicability of the other”, and which makes it contrary to the legal system to
sanction the offender twice for the same unlawful act.

ORANGE understands that, from the initiation agreement it is extracted that, in relation to the
analyzed facts, there is a direct connection between the violations of the two
articles.

In this way, the infringement of article 6.1 GDPR, or the existence of allegedly
unlawful data processing, was necessary and inevitable for a violation of the principle
of privacy by design and by default to take place, the latter resulting from the lack
of sufficient security measures. Thus, if ORANGE had had measures preventing the
duplication of the SIM card, the infringement of the principle of privacy by design and
by default of article 25 of the GDPR could not have been found.

Consequently, there would be a concurrence of infringements, since the commission of
one would necessarily imply the commission of the other.

ORANGE cites the Judgment of the National Court of April 24, 2013, Rec. 69/2011,
according to which:

“In order to judge this second infringement, it is essential, in the opinion of the
Court, to refer to the concurrence of infringements whose existence is also invoked in
the claim. To this end, the provisions of article 4.4 of Royal Decree 1398/1993 must be
recalled, according to which: in the absence of specific regulation in the
corresponding norm, when the commission of an infringement necessarily leads to the
commission of another or others, only the sanction corresponding to the most serious
infringement committed shall be imposed. This precept has been interpreted by the
Supreme Court in its judgment of 8 February 1999 (Rec. 9/1996) in the sense that the
application of medial concurrence requires a necessary derivation of some
infringements from the others and vice versa, so it is essential that one cannot be
committed without executing the others”

ORANGE understands that, if infringements of articles 6.1 and 25 of the GDPR were
found, they would be concurrent infringements, and that the applicable sanction would
in any case be the one corresponding to the breach of article 6.1 of the GDPR, taking
into account article 29.5 of Law 40/2015, of 1 October, on the Legal Regime of the
Public Sector, according to which:

“when the commission of an infringement necessarily results in the commission of
another or others, only the sanction corresponding to the most serious infringement
committed shall be imposed.”

Furthermore, it refers to Guidelines 4/2022 on the calculation of administrative fines
under the GDPR, which set out the criteria the supervisory authority must follow to
assess, before imposing a sanction, the possible concurrence of infringements.


Seventh: on the inadmissibility of objective liability.

ORANGE states that the agreement initiating the present sanctioning file is based on
an analysis of results, treating the issuance of the duplicate SIM card as
automatically entailing that adequate measures were not taken, thus automatically
giving rise to direct responsibility on the part of ORANGE and establishing an
obligation of result.

ORANGE considers that the AEPD reduces the obligation to its result by holding that
the circumvention of the security measures by ORANGE agents automatically entails that
the measures were insufficient, and that this amounts to adopting a principle of
objective liability, which the Constitutional Court has ruled out of our legal system
on numerous occasions.

ORANGE refers to the principle of culpability in article 28 of Law 40/2015, of October
1, which departs from objective liability and ties liability to the presence of intent
or fault.

In this way, ORANGE refers to the Constitutional Court's Judgment 76/1990, of April 26,
under which the Administration, when sanctioning, is required to prove the
intentionality of the sanctioned party. It adds that this judgment pointed out that
imposing a sanction requires culpability in the degree of intent or gross negligence,
mere negligence not being sufficient, expressing it as follows:

“mere human error cannot give rise, by itself (and especially when it occurs
in isolation), to the attribution of sanctioning consequences; since,
if this were done, a system of objective liability prohibited by
our constitutional order would be incurred”.

ORANGE states that this extensive interpretation of the sanctioning power has also
been described as unacceptable by the Court of Justice of the European Union in some
judgments, citing:

-C-683/2021, on the substantive requirements that must be met in order to impose an
administrative fine under the GDPR.

Thus, ORANGE understands that, since no culpable, intentional or negligent act on ORANGE's part has been proven, the conduct cannot be classified as a violation of the data protection regulations merely because the data subject has been the victim of a criminal act, and therefore no sanction is appropriate.

In relation to objective liability, it cites the Supreme Court Judgment 5298/1994, of
July 9; the Judgment of the Administrative Litigation Chamber of the National Court,
Section 1, of December 23, 2013, Rec. 341/2012; the Judgment of the Contentious Chamber
of the National Court of February 25, 2010, Appeal 226/2009; and Supreme Court Judgment
543/2022, of February 15.


Supreme Court Judgment 543/2022, of February 15, stated that

“the obligation to adopt the necessary measures to guarantee the security of personal
data cannot be considered an obligation of result, which would imply that if a leak of
personal data to a third party occurs there is liability regardless of the measures
adopted and the activity deployed by the controller”, and adds that “the commitment
acquired is to adopt the technical and organizational means, as well as to deploy
diligent activity in their implementation and use, tending to achieve the expected
result with means that can reasonably be described as suitable and sufficient for its
achievement, which is why they are called obligations of diligence or conduct.”

ORANGE considers that whereas under an obligation of result one is liable for a
harmful result caused by the failure of the security system, under an obligation of
means it is sufficient to establish technically adequate measures and to implement and
use them with reasonable diligence. It therefore considers that the initiation
agreement is not in accordance with the law, since it imposes on ORANGE an obligation
of result consisting of establishing infallible measures, by imputing an infringement
of articles 6.1 and 25 of the GDPR on the basis of a harmful event caused by the
fraudulent intervention of a third party, without taking into account the diligence
employed or the deployment of technically adequate and implemented measures.
It adds that it would not be feasible to implement unbreakable measures, since every
measure has vulnerabilities, nor is this required by the applicable regulations, and
that the Agency is pursuing a general case against SIM swapping, sanctioning the mere
fact that it occurs without analysing the specific facts, the associated damage or the
resulting responsibilities, and finding a violation of the data protection regulations
merely because ORANGE was the victim of a criminal activity, without taking into
account the diligence shown by ORANGE in its actions and in the adoption of security
measures.

Eighth: regarding the measures adopted and implemented by ORANGE.

ORANGE states that it has adopted the following measures, both
previously and subsequently, in relation to the procedure for issuing duplicate SIM cards.

1. Measures implemented to prevent the commission of fraud arising from
identity theft.

a) The analysis and risk group periodically issues an instruction manual called
“Required documentation and delivery formats for commercial acts with client v.26”,
which includes the instructions to follow when analysing any commercial act, including
the duplication of SIM cards.

In relation to the request for a duplicate or activation of a SIM card, the
instructions that ORANGE agents must follow are included, including the
requirement to provide an identity document.


Attached as document 14 are some screenshots of the
“discover ORANGE” tool with the information collected in the document for this purpose.

b) ORANGE informs that additional communications are being issued reiterating the
protocols for action in the SIM card duplicate processes.

c) Information and awareness campaigns aimed at customers, so that they take into
account the importance of keeping their credentials and identity documents secure.

d) other measures and modifications in its commercial and business processes:

-since August 12, 2022 (…).

-since August 12, 2022, the request for a SIM card duplicate (…).

-since April 2021, ORANGE has limited the channels for requesting a SIM card
duplicate, (…).

e) ORANGE is part of the Spanish Association for Digitalization and participates in
the “secure digital identity” project, which aims, among other things, to protect
against fraud and cyberattacks and to defend data privacy.

ORANGE markets the “SIM Swap service” application, which makes it possible to verify
(…).

2. Measures implemented by ORANGE to prevent the commission of fraud derived from the impersonation of ORANGE agents and/or employees.

a) implementation of a double identification factor, with a pilot project in the testing phase
with certain users.

b) project (…).

c) traffic control tool, used as a security measure in the prevention and detection of fraud, which allows the generation of alerts in the event of detection of irregular contracts, and which in the case of duplicate SIM cards would act as follows:

- (…).

- (…).

3. Measures adopted by ORANGE in relation to the present case, not included
in the previous sections.

a) internal investigation, which has identified the causes and mitigated the possibility of similar situations occurring.

b) complaint filed by the ORANGE distributor before the Security Forces and Corps against the agents responsible for the Point of Sale who committed the criminal act, and in which ORANGE has appeared as an injured party.

c) since December 14, 2022, ORANGE has proceeded to suspend
as a precautionary measure the option that allows point of sale agents, (…).

With these measures, ORANGE considers that both its will to protect the rights of individuals and its use of an adequate level of diligence are proven, and that the set of measures is updated and reviewed periodically in accordance with the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing.

Ninth: lack of proportionality of the sanction imposed.
ORANGE states at this time that it has demonstrated that it acted with due diligence in the implementation of measures in the processes of SIM card duplication, and that in this case the agents acted individually and
deliberately, breaking the company's standards and protocols.

In any case, it understands that the sanction included in the initiation agreement is
disproportionate given the circumstances and content of the alleged
infringement, which ORANGE denies.

ORANGE wishes to express its disagreement with the interpretation made by this
Agency in relation to the aggravating factors:

a) the nature, seriousness and duration of the infringement (article 83.2.a GDPR).

ORANGE states that this aggravating factor is based on the possible commission of
fraudulent banking operations.

It considers that it is not legally acceptable to use the use of bank accounts, the monetary damages of the victims of fraud or the way in which these operations are carried out by financial institutions as an argument to justify the sanction imposed on ORANGE, insofar as banking entities are the only ones responsible for the security of their operations, as stated by the European Banking Authority in its "Opinion on the implementation of the RTS on SCA and CSC", points 37 and 38, where it is determined that the security credentials used to carry out the secure authentication of users of payment services are the responsibility of the entity managing the account services.

In relation to the aggravating factor referred to the infringement of article 25 GDPR, ORANGE understands that the initiation agreement takes into account all ORANGE clients in their entirety, which is estimated at 21 million clients. ORANGE wishes to state that not all of these customers are natural persons, nor do they all request a duplicate SIM card, and therefore they cannot be considered as potentially affected.

To make this statement, it refers to the 04/2022 guidelines of the EDPB, in which, when the potentially affected “interested parties” are mentioned, it would be referring to natural persons, and in the sense of involved interested parties, or interested parties who, although they have not directly perceived the damage or have been affected by its effects, are within the factual situation.

Therefore, ORANGE understands that, in this factual situation, there is only one person involved
who would be the person who filed the claim.

In addition, it understands that the EDPB's references to the interested parties involved are not applicable to the case of SIM Swapping, caused by fraudulent and malicious action, and especially in a case such as this, in which the agents acted fraudulently against ORANGE's own systems.

b) any previous infringement committed by the controller or processor
(article 83.2.e GDPR)

ORANGE states that the assessment by this Agency of the previous infringements
imposed by the violation of article 6.1 GDPR has nothing to do with the
present factual situation.

Furthermore, in terms of classification, ORANGE has not had a resolution or
administrative procedure for the infringement of article 25 GDPR.

For this reason, it understands that this Agency cannot take into consideration, as
previous infringements, any type of infringement, without making distinctions in the types
and precepts of the law, treating all administrative procedures (which in
their majority are appealed and without a final resolution in court) as if they
were criminal records.

It also wishes to reiterate the particularities of the present sanctioning procedure, referring to the commission of a criminal act by ORANGE agents, with no provision of data to unauthorized third parties, nor any identity theft of the complainant to ORANGE taking place.

Furthermore, it insists that this is an isolated, specific and unprecedented case, and that this particularity must be taken into account, and that it cannot be assimilated to other cases where the fraud consisted of an external attack, with identity theft in person or through a call or recording.

c) the link between the business activity of the respondent and the processing of personal data of clients or third parties (article 83.2.k GDPR in relation to article 76.2.b LOPDGDD.)

ORANGE states that this factor is ambiguous in its assessment to include it as an
aggravating factor, since said link does not imply a direct relationship with the alleged
infringement.

ORANGE understands that article 83.2.k) requires that said aggravating factor be put in relation to the specific factual situation and, therefore, that the processing of data does not arise from an intention of the entity, but rather from the commission of a crime against ORANGE's own systems, and that therefore ORANGE is an injured party, for which reason this aspect cannot be interpreted as an aggravating factor.

d) intention or negligence in the infringement.

ORANGE states that this Agency does not relate this aggravating factor, nor does it indicate its
application to the present factual situation.

Thus, it understands that, as the CJEU has stated, the imposition of coercive sanctions by the administrative authority is only admissible in cases where culpable conduct by the controller or processor is appreciated, so the application of this aggravating factor must be reserved for cases in which the intention or negligence is evident or serious.

Therefore, in this case, in which the event is caused by a criminal act not
attributable to ORANGE, it understands that this aggravating factor should not be imputed without
any reasoning in this regard.

On the other hand, ORANGE understands that the following
mitigating factors should have been taken into account:

-the respondent party proceeded to block the line as soon as it became aware of the
facts. (art. 83.2.c)

-no special categories of data have been processed (art. 83.2.g)

-the degree of cooperation between ORANGE and the AEPD. In this way, ORANGE wishes to
state that it has been proven that all requests for information have been answered in a timely manner, in order to remedy an
alleged infringement and mitigate its possible adverse effects (art. 83.2.f)

- adherence to codes of conduct pursuant to article 40 or certification mechanisms approved pursuant to article 42 (art. 83.2.j)

ORANGE provides as document no. 15 a certificate issued by AENOR, which
certifies that ORANGE has approved since September 4, 2023 a regulatory compliance system that complies with the requirements of article 31 bis
of the Penal Code, as well as the rest of the compliance standards and crime prevention matters, such as Circular 1/2016, of January 22, of the Attorney General's Office, aimed at mitigating any risk of committing crimes in the
framework of ORANGE's actions.

-the non-existent benefit obtained by ORANGE in the processing of the data that
occupies this sanctioning procedure, adding that, in any case, it would be
harmed, as already indicated, being an injured party in the criminal
proceedings in which the commission of the crime in question is reported (83.2.k)

Finally, ORANGE wishes to record and demonstrate that the measures in force at the time of the alleged infringement complied with the most rigorous rules, guidelines, standards and recommendations to be able to deal with the risks, and that they were adequate and suitable taking into account the state of the art, the costs of application and the nature, scope, context, purposes of the processing, and the risks to the rights and freedoms of natural persons.

Finally, it requests that the present procedure be filed, and alternatively, that the
mitigating circumstances be taken into account and the procedure be concluded with a
warning, or that if it considers that a sanction should be imposed, that
the proposal included in the initiation agreement be moderated or modulated.

TENTH: On June 21, 2024, a resolution proposal was made,
proposing that the Director of the Spanish Data Protection Agency
sanction ORANGE ESPAGNE, S.A.U., with NIF A82009812,

- for an infringement of Article 6 of the GDPR, classified in article 83.5.a) of said regulation, an administrative fine of 200,000 euros (two hundred thousand euros).

- for an infringement of Article 25 of the GDPR, as defined in Article 83.4 of said regulation, an administrative fine of 1,000,000 euros (one million euros).

That the Director of the Spanish Data Protection Agency order ORANGE ESPAGNE, S.A.U., with NIF A82009812, pursuant to Article 58.2.d) of the GDPR, within a period of 6 months, to notify this Agency of the measures it has adopted to ensure that the request for a duplicate is submitted by the owner of the line, regardless of the procedure used for its issuance.

This proposed resolution, which was notified to ORANGE in accordance with the rules established in the LPACAP, was collected on June 25, 2023, as stated in the acknowledgment of receipt in the file.

ELEVENTH: On June 26, 2024, this Agency received a
letter from ORANGE requesting an extension of the deadline to submit
allegations to the resolution proposal, which was agreed to on June 28, 2024.

TWELFTH: On July 17, 2024, this Agency received, in a timely manner, a letter from ORANGE in which it submitted
allegations to the resolution proposal. In summary, in these allegations, it stated:

ORANGE reiterates the allegations presented to the initiation agreement. In addition,
it wishes to state:

First. - Regarding the existence of criminal prejudice.

ORANGE expresses its disagreement with what has been expressed by this AEPD regarding
this issue. In this way, it states that the subject who has committed the
infringement has been the Agents hired by the distributor of the ORANGE brand.

It adds that this is especially relevant, because depending on what is
determined with respect to the actions of the agents and the type of crime that is
applied to them, the potential imputability of liability to ORANGE will be conditioned.

With respect to the fact, it states that the coincidence is evident.

And with respect to the grounds, it states that there is an incompatibility between the
imposition of an administrative fine on ORANGE derived from a criminal act
of which it is a victim.

It adds that the AEPD intends that ORANGE should be held administratively liable for a criminal offence committed by agents of its distributors, for the mere fact that the crime is carried out by fraudulently manipulating the operation of its system. In this way, it points out that the distributor is a franchised company, belonging to the distribution channel, unrelated to ORANGE, which acts as the data processor, and that the offence committed is carried out by employees of said franchise, contrary to ORANGE's documented instructions.

ORANGE adds that this AEPD must assume that the conduct of the agents is
constitutive of a criminal offence.

Second. On the factual assumption.

2.1. On the consideration of the SIM as personal data.

ORANGE states that this Agency interprets that the SIM card not only contains, but is personal data in itself.

ORANGE also insists that there is no evidence that any information that could be contained in the SIM card has been processed.

It adds that a duplicate SIM card implies the issuance of an empty SIM card,
which would not allow per se access to banking or financial information.

Regarding the IMSI, it would be a code contained within the SIM card for a
technical purpose, and which is not directly accessible. In addition, there is no evidence
that this data was accessed by the Agents in the commission of the crime.

In this regard, ORANGE adds that, although it could be considered that this
information potentially makes the owner of the line identifiable, the possibility of
identification by third parties other than the operator would require additional
information to which they do not have access.

2.2. On the performance of banking operations.

ORANGE believes that this Agency uses these associations to aggravate the fact that gave rise to this sanctioning procedure, granting the duplicate SIM card the power to allow the commission of banking operations, bypassing a previous step where criminals must obtain and use banking credentials to identify themselves and carry out the identity theft before the financial entity.

It insists that this Agency does not analyze the responsibility of the banking entities affected by the identity theft.

In addition, ORANGE understands that, from this Agency, a transfer of responsibility for a banking operation is made to ORANGE, qualifying the obligations of the operators and those of the banking entities as
identical.

In its written statement of objections to the resolution proposal, ORANGE provides statements in which it wishes to express its disagreement with the fact that no action has been taken to ensure that banks provide information on the functioning of their systems.

It goes on to state that it is worth asking why banks implemented in 2019 a reinforced authentication system considered insecure, in violation of article 32 of the GDPR, and why information has not yet been requested in this regard.

It insists that this Agency transfers responsibility for a banking operation to ORANGE, classifying the obligations as identical in an unjustified manner. At this point it mentions statements by the European Banking Authority, which would refer to the fact that banks are the only ones responsible for the security of their operations.

It adds that ORANGE cannot be held responsible for the configuration of the sending of SMS as a second authentication factor used by those responsible for other services, such as banking operators. In this regard, it mentions Judgment 142/2024, of March 21, 2024, of the Provincial Court of Oviedo, in which the victim had clicked on a link sent via SMS, resulting in unauthorized access to his customer area and a transfer of 6,000 euros being made from the bank account, and in which the Provincial Court reiterated the guilt of the banking entity.

2.3. Regarding the relationship of the perpetrators of the crime with ORANGE

ORANGE states that the agents are employees of a distributor of the ORANGE brand, which holds the role of Data Processor according to the provisions of Article 28 of the GDPR. It adds that it is the data processor who must, when acting on behalf of ORANGE, have the appropriate means to detect and prevent fraudulent actions by its employees. At this point, it refers to labor legislation, stating that, pursuant to Article 20, paragraphs 2 and 3 of the Workers' Statute, the power of control falls on the employer on whom the employee depends, and therefore, in this case, it would fall on the distributor of the ORANGE brand.

ORANGE refers to the fact that this AEPD would have alluded to the possibility that ORANGE could establish control measures over the employees of its franchisee.

ORANGE adds that, pursuant to the provisions of the Workers' Statute, it is
the distributor that must establish the control measures and not ORANGE itself.

Finally, it states that it cannot be argued that there has been a breach of Article 6 by ORANGE, since the fraudulent conduct corresponds to the employees of the processor, who, contrary to the provisions of Article 28 of the GDPR, have not followed the instructions of the controller.

Therefore, it understands that the responsibility for committing the infringement of article 6 of the GDPR should fall on the processor.

Third. Regarding the criminal conduct of the agents.

ORANGE states that this AEPD makes a simplistic analysis of the problem
related to SIM SWAPPING, and that it cannot be claimed that the existence of
a type of infringement of this category implies that any of the ways in which organized crime may attempt to carry out
this type of action can be foreseen and avoided.

ORANGE insists that criminal activity evolves and this requires the adoption
of measures that were not foreseeable beforehand.

Thus, in the case that has motivated the opening of this sanctioning procedure, ORANGE states that this is a new criminal variant, in which whoever must fulfill the role of guarantor of security not only fails to fulfill that function adequately, but intentionally attacks said security, which was not the previously detected threat.

ORANGE states that this Agency sanctions the mere fact that a case of SIM SWAPPING fraud occurs, without considering or analyzing the typology of the fraud committed in the specific case, the damage caused, or the responsibilities derived from it, but that, independently of the above, and without taking into account the diligence displayed by ORANGE in its performance and continuous adoption of security measures, the existence of a violation of the data protection regulations is concluded, by the mere fact of having been the victim of a criminal activity.

ORANGE wishes to remind that, as a consequence of the diligent security measures and procedures it has implemented, criminals have been modifying their criminal techniques, which would constitute proof that there is a procedure for requesting duplicate ORANGE SIMs that has been designed taking into account privacy, and that involves the deployment of appropriate security measures.

It also adds that the appearance of these practices had already been highlighted in the “Teleco Anti-Fraud Committee” held in March 2023, a few months after the commission of this alleged event, confirming that in the previous months attacks were detected to recruit salespeople at points of sale.

The company adds that, as a result of the possibility that store agents may be corrupted and may engage in criminal activities such as those that have occurred, it has carried out a new assessment of the risk attributed to this threat, and provides this assessment as Document No. 1.

Furthermore, it insists that it cannot be interpreted that allowing a store agent to make decisions on certain operational issues can be equated with non-compliance with the GDPR. It states that, as has already been reported, manual intervention by agents has been paralysed, but it wishes to point out that this is a preventive measure while it determines the most suitable measures to mitigate the risk associated with this threat, since this measure has a considerable and negative impact on the user experience, is not economically sustainable and is not legally defensible.

It insists that the restrictive interpretation in relation to the intervention of an employee to make decisions clashes with the regulation of the GDPR which, contrary to what the AEPD intends, considers that the risk lies in the adoption of automated decisions without human intervention.

It adds that the purpose of the agent's intervention is to avoid that, in specific and duly assessed cases, a potential system error prevents the interested party from accessing a contracted service, allowing the agent's validation.

However, ORANGE considers that this AEPD categorizes the parameterization of a manual procedure for certain situations as a violation of article 25 of the GDPR from the perspective of privacy and in attention to the statements of this Agency to stop the possibility of identity theft occurring in SIM card duplicates.

ORANGE insists that it has designed internal procedures, taking into account
privacy, which serve to determine the means of processing and which are applied
effectively.

It understands that what has allowed the commission of the SIM SWAPPING fraud has not been the flexibility of the procedure, assessed and controlled by ORANGE, necessary for assessed cases and under adequate guarantees, but the deliberate commission of an illegal and fraudulent action by the agents hired by ORANGE's processor.

ORANGE mentions at this point Order 35/2023 of the Criminal Chamber, Section 3
of the National Court, dated January 30, 2023, which dismisses an appeal filed by the Public Prosecutor's Office, confirming the dismissal and archiving
of the investigation piece regarding the liability of two legal entities.

In its Legal Basis 2, in relation to the crime prevention models and
associated liability of the legal entity, it specifies:

“SECOND. – We reject the grounds for appeal alleged by the Public Prosecutor, accepting and reproducing the reasoning of the contested decision and the jurisprudence cited on the criminal liability of legal entities in the decision of 29.07.2021, to which the one of 02.06.2022 refers in some aspects.

At the time the contracts were made with (...) referred to in this procedure, (...) had a Crime Prevention Model that complied with the requirements provided for in article 31 bis CP. No model is infallible, and if a crime is committed by one of the subjects contemplated in the aforementioned precept, it does not necessarily imply that the crime prevention model adopted by the legal entity is inadequate, does not comply with current regulations or fails, since it would be sufficient to adopt a model that complies with all the rules to prevent the commission of crimes, which does not conform to reality and precisely for this reason crime prevention models are subject to periodic reviews.”

With this, ORANGE wants to state that the Courts have been recognizing that when a crime is committed within a legal entity, it does not automatically determine guilt or a lack of diligence on the part of the latter. And it adds that it has documented the implementation of specific and adequate measures, as well as a secure SIM card duplicate procedure, thus understanding that there would not have been negligent action on its part.

Fourth. On the absence of a lack of legitimacy in the processing of personal data by ORANGE.

ORANGE wishes to state that the events were carried out by employees of one of its data processors.

Therefore, when the resolution proposal states “In relation to this
issue, it is necessary to point out that the subject of this sanctioning procedure is not the conduct of ORANGE employees, but rather it is a matter of
verifying whether ORANGE's actions comply with the regulations for the protection of personal
data” ORANGE understands that this Agency expressly recognizes that
it intends to hold ORANGE responsible for the conduct of these agents, regardless of the fact that
this conduct constitutes a criminal offense.

ORANGE believes that this approach is inconsistent, since it would be ignoring the fact that a company acts through people, and what is being judged is precisely whether the actions of a person outside the organization, contrary to ORANGE's instructions and clearly aimed at causing harm to it.

ORANGE understands that the fraudulent issuance of a duplicate by the Agents would not constitute an action attributable to the company, insofar as the agents employed by the ORANGE distributor sought to commit a crime. It understands that this action is not attributable to ORANGE, since it would mean attributing to it a criminal action directed against itself.

ORANGE reaffirms that the events that occurred in this case are those that
must be analyzed to identify a possible violation of the regulations, and not
potential infractions. It adds that the facts on which this
possible violation of the regulations is based must be proven and certain facts, and
it understands that it is not true that the duplicate of the SIM card was made by an employee of
ORANGE, but that it was made by an employee of a third company, unrelated to ORANGE, which acted as the data processor.

Therefore, it is not possible to attribute to ORANGE a lack of legitimacy in the processing of personal data by ORANGE, because what happened is that, through its systems, ORANGE was limited to carrying out a process of processing a request for a duplicate SIM card, without having the capacity to recognize that the origin of said request derived from an illicit action by the store agents, who only should initiate the process at the request of the clients, and whose function is precisely to ensure compliance with the process in its entirety, in accordance with the instructions received and under the security measures and guarantee of identity verification ordered by ORANGE.

Additionally, in the present case, during the duplication process the personal data were inserted by the agents, and not by ORANGE, the origin of these being unknown. ORANGE insists that the SIM card cannot be considered as personal data, and that this has not been justified by this Agency. And that, if such consideration could be maintained, the data processing would not be attributable to ORANGE, but would have been carried out by a criminal who worked for an ORANGE data processor, acting against the instructions and interests of ORANGE. It wishes to remind that the agents did not access the mobile phone of the complainant, nor the information it may contain, as long as the mobile phone was in the claimant's possession.

ORANGE insists that the SIM card does not contain the mobile phone data, and that
a duplicate SIM card does not allow a third party to access the owner's applications.

Therefore, it cannot be stated that there has been an illegitimate processing of the complainant's data by ORANGE, due to the absence of intent or fault, and, therefore, there would be no violation of article 6.1 of the GDPR.

Fifth. On the correct implementation of privacy by design and by default.

ORANGE wishes to state that, based on the statements included in the proposed resolution, privacy by design has been taken into account, based on the documentation submitted, the design of protocols and the establishment of measures to ensure compliance with the principles of data protection.

In this sense, the process for issuing duplicate SIM cards involves controls and security measures intended to ensure that SIM cards are issued at the request of customers and once their identity has been verified, having taken into account the protection of the privacy of the interested parties.

However, ORANGE considers that this Agency is trying to disqualify the documentary evidence under the sole premise of the result that has been produced in a specific case, in which a crime has been committed, in order to cast doubt on the validity of the system, inferring that the set of measures implemented is not in accordance with the principle of privacy by design, as if its compliance depended exclusively on it being perfect and infallible, and making subjective observations.

At this point, it lists what has been mentioned in the resolution proposal with regard to documents 5, 6 and 7.

It adds that ORANGE does have policies aimed at guaranteeing the application
of the principles of data protection in its business processes, regardless of the fact that the specific reference to the guarantees in terms of privacy is not identified in each of them, since, although they address the risks associated with this
matter, it is not the only one taken into account, in the same way that the criminal risks analyzed, or the economic or reputational risks, are not specified
in each of them.

Likewise, it states that there is no conflict between the interests of the company and the protection of personal data, and that privacy by design is guaranteed in all cases, not only from a formal point of view, but as an inherent purpose of its daily activity.

In this sense, it would have provided the initial information that is provided for
any project in which personal data is processed in order to begin to regulate
the different activities always from a perspective that ensures privacy and
the protection of personal data. However, for each particular case, the measures that are considered appropriate are applied, such as the
training of personnel in charge of controlling the processes.

In addition, it wishes to remind that both the technical and organizational measures and the guarantees provided for by article 25 of the GDPR are not fixed, nor do they require the implementation of specific measures.

5.1. On the analysis of risks to rights and freedoms.

At this point, ORANGE states that this analysis was already provided as document no. 12, in the allegations to the initiation agreement, and that it was assessed by this Agency in the resolution proposal.

Therefore, ORANGE states that this Agency cannot deny that the risk was not identified, although it is presented by the Risk Committee adding what was contributed by various areas.

In addition, it insists that the consideration of said risk level was not carried out in
2023, but was also done in 2021 and 2022, providing to
prove it the Annex Document 1, relative to the risk committee, which took place in
2022, and where it can be seen:

- the aggregate risk level for the risk “Fraudulent use of Data-3rd parties” was
low.

- a second slide is provided with the comparison with the previous year,
where this risk was already assessed and it was concluded that it was low.

It adds that this same information for the year 2023 was provided as document no. 12, to highlight that it is the same analysis in different years, and in all of them it was rated as low.

They provide as annex document 2 the Minutes of the Local Risk Committee for the year 2022
to show that the risk was also rated as low.

From the point of view of risk from the perspective of the rights and freedoms of the interested parties, they provide as Annex Document 3 the Risk Analysis for the rights and freedoms of the interested parties of the risk corresponding to the year 2022, when the events occurred, where the risk was identified as low, and which, according to ORANGE, was raised to the Risk Committee.

ORANGE insists that, within the framework of the probability of materialization of the risk, it was unlikely, because there was no evidence of its materialization in ORANGE; with the opening of this sanctioning procedure the risk was classified as medium, and it is currently classified as high and is being treated with new measures to reduce the risk again.

For this reason, it wishes to state that it is incorrect to affirm that this type of risk has not been the subject of analysis by ORANGE. And the evolution of the consideration of this type of risk has been increasing in recent times, due to the detection of the first case of this type, which would correspond to this procedure.

ORANGE wishes to state that this does not mean that it acts in a corrective and not a preventive manner, but that the risk had been classified as low, and, therefore, it had not been considered necessary to implement measures additional to those already existing, given that their effectiveness was supported by the absence of contingencies related to the actions carried out by the agents in which an inappropriate use of their credentials and permissions was made for illicit purposes. It adds that this remains an isolated incident.

It adds that preventive measures can be identified that this Agency did not take into account in the resolution proposal, namely:

- legal measures: contract with the franchisee that includes a commitment to confidentiality.

- organizational measures.

- communication of instructions, such as the information pill provided to ORANGE agents.

- access control and registration of actions executed by users.

- error management protocol.

ORANGE insists that the risk was identified, had been assessed and proportional measures had been implemented to mitigate it, assuming that the risk
was low, in line with the EDPB guidelines.


Thus, in accordance with the identified risk, in relation to the duplicate SIM card, the procedure already analysed in the present sanctioning procedure was drawn up, and, in order to prevent possible circumstances in which the
(…).

In the case at hand, ORANGE continues, there was no failure in the security measures, but rather the personnel in charge of executing the process decided to attack it. Therefore, it insists that this Agency cannot equate the commission of a crime by agents of the company itself with an alleged lack of implementation of privacy by design by this company.

ORANGE insists that this Agency does not take this situation into account in the
proposed resolution.

In addition, ORANGE adds that, in the case of a duplicate SIM card, there are two
contradicting risks:

- false positives, a situation in which a malicious third party has requested a duplicate
SIM card

- false negative, a valid identity document that is rejected, and in which the
customer loses access to their mobile telephone service.

Therefore, ORANGE adds, the risk analysis in which this measure was considered was not based solely on business, as this Agency stated, but rather it considered the two risks mentioned above, deciding on this measure from privacy by design.

ORANGE refers at this point to the EDPB, which has considered, in its guidelines 5/2022 on the use of facial recognition technology in the field of law enforcement, agility in management as a factor with a positive impact on the interested parties themselves, which must be taken into consideration.

ORANGE expresses its disagreement with the statement made in the proposal referring to the risk not having been foreseen, because it has already been stated that it had been classified as a low risk, and, in addition, there was a visual and face-to-face check by the agent himself, and there is also a subsequent control by the Analysis and Risk Group of the company to evaluate whether this possibility was being inappropriately used.

ORANGE states that, no matter how many controls are established, it is
never completely avoidable that a malicious user may carry out an illegal
action with respect to the information to which he has access.

ORANGE expresses its disagreement with the fact that an isolated event may be of sufficient importance to simply declare the general breach of the principle of privacy by design and by default of the company, and justify the sanction. It states that this is a generic and ambiguous precept, which would not imply the breach of any specific obligation, and insists that not having considered a threat cannot invalidate the entire regulatory compliance system implemented.

Finally, it wishes to state that, in relation to the “suspension” of the procedure for the issuance of SIM card duplicates, this must be understood as a change in the configuration of the process that is generated (…), and that it has occurred as a precautionary measure until this procedure is concluded, so that it does not condition its development.

In this sense, an expert test is being carried out to evaluate the tool, the results of which were to be provided later, which has not occurred.

Sixth. On the existence of a competition of infringements.

ORANGE states that the two infringements are based on the criminal conduct of the agents, which constitutes a case of concurrence of infringements in administrative proceedings.

In this sense, ORANGE understands that the decisive factor in determining whether this breach has actually occurred is the adequacy or not of the measures implemented. It states that, according to the arguments of this Agency, it would be concluded that there is a direct connection between the violations of both articles. It considers that the infringement of article 6 of the GDPR, that is, the existence of an (alleged) unlawful data processing, was necessary and inevitable for a violation of the principle of privacy by design and by default to take place, derived from the absence (indicated in terms of defense, supposedly) of sufficient security measures.

Seventh. On the inadmissibility of objective liability.

ORANGE insists that the resolution proposal is based exclusively on the result, without taking into account that the event occurred due to the criminal and deliberate conduct of the agents of the ORANGE distributor, who acted as the data processor, corrupting the process and the measures stipulated by the latter.

ORANGE understands that the criminal conduct of the agents has automatically
determined that adequate measures were not adopted, automatically giving rise to the direct
responsibility of ORANGE.

Furthermore, it understands that this Agency has determined that a generic type of fraud has occurred
without assessing the specific circumstances of this case.

ORANGE understands that this Agency has erred in taking into account the following
considerations:

- firstly, the criminals were commercial agents of a point of sale of a distributor, and not cybercriminals (page 77 of the resolution proposal).

- secondly, this Agency does not take into account the evolution of SIM SWAPPING fraud, considering that, in the event of a supposed fraud, the entity is responsible, regardless of the actions of the agents at the point of sale.

It insists that they had identified the risk, but it was considered as low risk, since it had not occurred previously.

ORANGE considers that, with respect to the payment services regulations, the obligations for both operators and banking entities would be classified as identical in an unjustified manner, since ORANGE cannot be held responsible for the deficiencies and decisions taken by the banks.

ORANGE states that, according to this Agency, the risks must be based on what is reasonable and technically possible, and considers that, in this case, ORANGE had placed its trust in its distributors. It also considers that human intervention is inevitable.

It adds that this Agency expects ORANGE to foresee each and every one of the threats that may occur, expecting a result in which the measures are infallible, overlooking threats that can hardly be foreseen, as would be this case.

It is for this reason that it understands that this Agency would establish an obligation of result, by pointing out that the commission of a criminal act in the environment of ORANGE automatically entails its responsibility, regardless of the intent of the author and the level of diligence used by ORANGE.

ORANGE states that this Agency has not assessed the jurisprudence set forth in relation to the inadmissibility of objective liability in the field of administrative sanctioning procedure.

Therefore, it understands that, as the occurrence of a culpable, intentional or negligent act on the part of ORANGE has not been proven, it is not appropriate to determine that
it has committed an infringement of the data protection regulations.

Eighth. Regarding the measures adopted and implemented by ORANGE.

ORANGE considers that it has already listed the measures it had deployed, both previously and subsequently, and proceeds to list them again, so that this Agency can appreciate the constant evaluation and analysis of risks, as well as the measures applied, which were modified as different types of SIM SWAPPING fraud were identified:

1. Measures implemented by ORANGE to prevent the commission of fraud
derived from the identity theft of its client.

- documentation already provided that is made available to agents and other personnel with the capacity to carry out actions at ORANGE.

- additional communications that reiterate the action protocols for the issuance of SIM card duplicates.

- (…).

- ORANGE is part of the Spanish Association for Digitalization and participates in the “Secure Digital Identity” project, which aims, among others, to protect against fraud and cyberattacks and to defend data privacy.

- “SIM Swap service” (…).

2. Measures implemented by ORANGE to prevent the commission of fraud derived from the impersonation of ORANGE agents and/or employees.

- implementation of a double identification factor, which is in the testing phase with certain users.

- project (…).

- traffic control tools, used by the ORANGE Risk Analysis Group, which can generate alerts in the event of possible detection of irregular contracts, and which work as follows in the case of duplicate SIM cards:

- (…).

- (…).

3. Measures adopted in relation to this case, not included in the previous sections.

-the risk associated with this type of case has been modified, having a
greater impact on the company's protocols and actions.

-(…) has been provisionally suspended, which takes place in cases such as the
case that has motivated the opening of this sanctioning procedure, in order to
determine the appropriate measures to mitigate the identified risks.

In any case, ORANGE wishes to state that it carries out a constant control and review of the existing risks in terms of SIM card duplicates, that the protocols are updated and that measures are adopted in accordance with the identified risks, without this allowing them to be imposed with the guarantee or requirement of infallibility.

ORANGE states that this Agency has not reviewed this breakdown, which it considers
to be essential to understand the threat and to be able to prevent and mitigate its
commission.

It adds that this Agency has previously archived procedures related to SIM Swapping, listing some of these procedures.

Therefore, ORANGE considers that both its will to protect the rights of individuals and the use of an adequate level of diligence have been proven, with which the existence of a zero risk is updated and reviewed periodically in accordance with the state of the art, the costs of application, and the nature, scope, context and purposes of the processing, it not being possible to identify a violation of article 25 of the GDPR.

Ninth. On the lack of proportionality of the proposed sanction.

ORANGE declares that it has acted with due diligence in implementing measures in the SIM card duplicate processes, but, in the event that this Agency considers that there is such non-compliance, it understands that the sanction is disproportionate, taking into account the circumstances and content of the infringement, to the extent that it has been committed maliciously by agents of the distributor.

In this sense, it understands that the following aggravating factors used by this Agency have been
made without the circumstances concurring for their consideration:

- Nature, seriousness and duration of the infringement (art. 83.2.a) GDPR)

ORANGE understands that this aggravating factor is based on the possible commission of
fraudulent banking operations, and it is not acceptable that the use of bank accounts, the monetary
damages suffered by the victims of fraud, or the way in which these operations are carried
out by the banking entities are used as an argument to justify the sanction.

Furthermore, in relation to the imposition of the aggravating factor in the infringement of article 25, all of ORANGE's clients are taken into consideration.

ORANGE understands that factual assumptions that have not been
analyzed or documented cannot be taken into consideration, and this commission of a crime cannot be extrapolated to
all of this company's SIM card duplication processes.

It also considers that the "social alarm" generated by this type of practice cannot be classified as an aggravating factor, as it is a criminal activity of
organized groups that recruit employees of telecommunications companies.

- any infringement committed by the controller or processor (art. 83.2.e) GDPR)

ORANGE reiterates its disagreement with the fact that this aggravating factor is used, since
the facts that motivated these procedures have nothing to do with the present factual assumption.

- the link between the business activity of the respondent and the processing of personal data of clients or third parties (art. 83.2.k) of the GDPR in relation to article 76.2.b) of the LOPDGDD)

ORANGE understands that, due to its activity, the processing of personal data is necessary, but that, according to article 83.2.k), this aggravating factor would have to be applied taking into account the specific case. Thus, in no case has it been ORANGE's will that this case should occur, and it reiterates that the operator has also been harmed. Therefore, it understands that it is not possible to consider the application of this aggravating factor.

- intention or negligence in the infringement.

ORANGE expresses its disagreement with the provisions of the proposal in relation to
this aggravating circumstance, insofar as it is an unprecedented case caused by
the commission of a criminal act not attributable to ORANGE.

It also considers that this Agency has not taken into account the following
mitigating circumstances:

- ORANGE proceeded to block the line when it became aware of the facts (art.
83.2.c) GDPR).

It understands that ORANGE cannot be held responsible for the economic losses suffered by the
complainant.

- no special categories of data have been processed (art. 83.2.g)

- the degree of cooperation of ORANGE with this Agency. (art. 83.2.f)

- adherence to codes of conduct pursuant to article 40 or certification mechanisms approved pursuant to article 42 (art. 83.2.j)

- the non-existent benefit obtained by ORANGE (art. 83.2.k), stating that, in any case, it has been harmed.

Finally, ORANGE wishes to state and demonstrate that the measures in force at the time of the infringement complied with the rules, guidelines, standards and recommendations to be able to address the risks, that they were adequate and appropriate taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons.

In addition, it wishes to inform the Agency of its acceptance of any type of proposal or recommendation regarding compliance with the regulations.

For all these reasons, ORANGE requests that the present proceedings be filed and, alternatively, that a warning be issued, and ultimately that the proposed sanction be moderated or modulated.

From the actions carried out in the present procedure and from the documentation in the file, the following have been proven:

PROVEN FACTS


FIRST: It is established that, on December 15, 2022, a duplicate of the SIM card owned by the claimant was made, without the claimant having requested it, in the establishment owned by “TOWER PHONE, S.L.,” located on the street ***ADDRESS.1 in Madrid, which acts as a franchise of ORANGE, as stated in the franchise contract dated April 1, 2022.

Thus, in the franchise contract dated April 1, 2022, provided by ORANGE, with the entity TOWER PHONE S.L.U., the following can be observed:

“Background:

I. That the provision and marketing of various telecommunications, electronic communications and information society services forms part of ORANGE's activity and corporate purpose.

II. That ORANGE ESPAGNE S.L.U., in the development of its corporate purpose, markets its services and has implemented its commercial network in commercial traffic under the trademarks and other distinctive signs that are its own or whose trademark uses it is authorized to assign, being interested in appointing franchisees, (…)”

(…)

IV. (…).

V. (…).

(…).

Also, in the object of the contract it can be observed:

“(…).

(…).”

SECOND: ORANGE is responsible for the data processing referred to in this procedure, since, according to the definition in article 4.7 of the GDPR, it is the one who determines the purpose and means of the processing carried out.

In the Twenty-second clause, regarding the processing of personal data, it is
appreciated:

“By virtue of this contract, the FRANCHISEE, in its capacity as data processor, will
carry out the processing of personal data necessary for the
correct provision of the services subject to this contract.”

THIRD: It is noted that, to request a duplicate SIM card, ORANGE has
implemented an automatic system for validating the identity document, but
that, in some cases (…) of the person requesting the duplicate SIM card,
(…).


FOURTH: ORANGE has stated that, at the time of contracting the SIM card duplicate of the complainant, “the protocol established by this company was followed by passing an identity document through the verification system (…).”

“(…).

Regarding the question of whether the system (…) verifies the correspondence of the document number and name of the document holder with the data of the applicant of the procedure, (…).

Therefore, as a general rule, the system (…) does validate the name of the holder of the identity
document with the information of the applicant of the procedure, (…).”

FIFTH: (…).

SIXTH: ORANGE has acknowledged that the duplicate SIM card of the complainant had been produced due to an irregularity of agents working in the store where the duplicate SIM card was produced, (…).

SEVENTH: ORANGE has stated, in its letter dated March 30, 2023,
that it has given its employees the following instructions on how to proceed
with the use of the DNI validation system, and they are the following:

- it is mandatory not to make a change or duplicate SIM card for a person other than the owner (or administrator or authorized person of the company that appears in the systems). The person who is going to make a duplicate must provide a valid identity document (in accordance with protocol), which will always be validated. (…)

- if at the time of the request the system does not work, the agent must open an incident and ask the client to return the next day.

- the agent who manages a duplicate request must request the
identity documentation, (…).

- in cases where the identity document (…)”.

EIGHTH: ORANGE has stated in its written statement of allegations dated December 21, 2023, that it has implemented the following measures in cases of requests for duplicate SIM cards:

-Since August 12, 2022 (…).

-Since August 12, 2022 (…).

-Since April 2021, ORANGE has been limiting the channels through which a duplicate SIM card can be requested (…).


NINTH: ORANGE has stated in its written response to the transfer of the
claim, dated January 30, 2023, as well as in its written response to the
request, dated March 30, 2023, and in its allegations to the agreement to
start this sanctioning procedure, dated December 21, 2023, that it would have
adopted the following measures to prevent the commission of frauds derived from the
impersonation of agents and/or employees of ORANGE:

- on December 28, 2022, and prior to the notification of this request, a mandatory training pill would have been transferred from the School of Salespeople to the entire distribution channel, down to the points of sale, in order to help and raise awareness among "the sales teams of the risk of recruiting salespeople to physically make duplicates from the points of sale."

- The dissemination of a training pill to the entire distribution channel, with the aim of raising awareness among workers of the existing problem and of the obligation to comply with all customer identification procedures and policies, would have been promoted.

-The implementation of a double identification factor would have been launched, whose
pilot project is already implemented, being in the testing phase.

-a project would have been launched (…).

- a tool of the Risk Analysis Group would have been launched, which allows alerts to be generated in the event of possible detection of irregular contracts, and which in the case of SIM card duplicates would act as follows:

(…).

(…).

- Since December 14, 2022, according to ORANGE in its written allegations to the agreement to initiate this sanctioning procedure, it has
proceeded to the precautionary suspension of the option that allows point-of-sale agents, (…), thus not being able to address any type of exception.
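The Risk Analysis Group tool described in this ninth fact is elided in the resolution, so nothing is known about its actual rules. As an added illustration, which is not ORANGE's tool and is not taken from the decision, the following Python sketch shows the kind of alerting logic a defender would put over SIM-duplicate records: it cross-checks each duplicate against billing, against the IP addresses of the booking store's own terminals, and against the agents rostered at that point of sale at that time, and separately flags agents whose volume of duplicates is out of line with their peers. All records, store codes, IP addresses, agent identifiers, shift times and the `volume_factor` threshold are constructed sample values, not data from the file.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass(frozen=True)
class SimDuplicate:            # one duplicate booked via the point-of-sale back office
    event_id: str
    when: datetime
    pos_code: str              # point-of-sale code the duplicate was booked under
    source_ip: str             # IP of the terminal that submitted the request
    agent_id: str              # agent login used for the request
    invoiced: bool             # True if billing holds a matching sale

@dataclass(frozen=True)
class Shift:                   # roster entry: agent worked at pos_code from start to end
    agent_id: str
    pos_code: str
    start: datetime
    end: datetime

# Hypothetical mapping of point-of-sale code -> IPs of that store's own terminals.
STORE_IPS = {"POS-A": {"198.51.100.10", "198.51.100.11"}, "POS-B": {"198.51.100.20"}}

def agents_on_shift(shifts, pos_code, when):
    """Agents rostered at pos_code at the instant `when`."""
    return {s.agent_id for s in shifts
            if s.pos_code == pos_code and s.start <= when <= s.end}

def flag_duplicates(events, shifts, store_ips):
    """Event-level rules -> {event_id: [reasons]}.
    not_invoiced: no sale in billing; ip_not_store: request not from a terminal of
    the booking store; agent_off_shift: login used was not rostered there at that time."""
    flags = defaultdict(list)
    for e in events:
        if not e.invoiced:
            flags[e.event_id].append("not_invoiced")
        if e.source_ip not in store_ips.get(e.pos_code, set()):
            flags[e.event_id].append("ip_not_store")
        if e.agent_id not in agents_on_shift(shifts, e.pos_code, e.when):
            flags[e.event_id].append("agent_off_shift")
    return dict(flags)

def volume_outliers(events, volume_factor=3.0):
    """Agent-level rule: more than volume_factor x the median volume of the other
    agents (placeholder threshold, to be tuned on real volumes)."""
    counts = Counter(e.agent_id for e in events)
    outliers = set()
    for agent, n in counts.items():
        others = [c for a, c in counts.items() if a != agent]
        baseline = max(median(others), 1) if others else 1
        if n > volume_factor * baseline:
            outliers.add(agent)
    return outliers

def review_report(events, shifts, store_ips, volume_factor=3.0):
    """Combine both rule sets; each entry also records who was actually on shift."""
    flags = flag_duplicates(events, shifts, store_ips)
    outliers = volume_outliers(events, volume_factor)
    report = []
    for e in events:
        reasons = flags.get(e.event_id, []) + (["volume_outlier"] if e.agent_id in outliers else [])
        if reasons:
            report.append({"event_id": e.event_id, "agent_id": e.agent_id, "reasons": reasons,
                           "rostered": sorted(agents_on_shift(shifts, e.pos_code, e.when))})
    return report

def _dt(s):
    return datetime.fromisoformat(s)

# Constructed sample roster and duplicate records (not real data).
SHIFTS = [
    Shift("agent-1", "POS-A", _dt("2022-10-06 13:00"), _dt("2022-10-06 21:00")),
    Shift("agent-2", "POS-A", _dt("2022-10-06 09:00"), _dt("2022-10-06 14:00")),
    Shift("agent-3", "POS-B", _dt("2022-10-06 09:00"), _dt("2022-10-06 21:00")),
]
EVENTS = [
    # routine: rostered agent, store terminal, invoiced
    SimDuplicate("d1", _dt("2022-10-06 10:15"), "POS-A", "198.51.100.10", "agent-2", True),
    SimDuplicate("d2", _dt("2022-10-06 11:40"), "POS-B", "198.51.100.20", "agent-3", True),
    SimDuplicate("d3", _dt("2022-10-06 17:05"), "POS-B", "198.51.100.20", "agent-3", True),
    # from a store terminal, by the only rostered agent, but never billed
    SimDuplicate("d4", _dt("2022-10-06 20:42"), "POS-A", "198.51.100.10", "agent-1", False),
    # booked under POS-A's code from an IP that is not a POS-A terminal
    SimDuplicate("d5", _dt("2022-10-06 20:50"), "POS-A", "203.0.113.7", "agent-1", True),
    # agent-2's login used at POS-A hours after agent-2's shift ended
    SimDuplicate("d6", _dt("2022-10-06 19:30"), "POS-A", "198.51.100.11", "agent-2", True),
] + [  # five further routine duplicates that push agent-1's volume well above peers
    SimDuplicate(f"d{7 + i}", _dt(f"2022-10-06 {13 + i}:30"), "POS-A", "198.51.100.10", "agent-1", True)
    for i in range(5)
]

if __name__ == "__main__":
    for row in review_report(EVENTS, SHIFTS, STORE_IPS):
        print(row)
```

Each rule is independent, so one duplicate can carry several reasons; the `rostered` field records who was actually on shift at booking time, which is the cross-reference an internal investigation needs when a login turns out to have been used by someone other than its holder. The billing and IP checks exist because a duplicate that is never invoiced, or that is booked under a store's code from a terminal that is not the store's, is exactly the kind of irregular contract a first-line alert should surface for the risk team.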

TENTH: In relation to the case that has motivated this sanctioning procedure, ORANGE has stated, in its written allegations to this sanctioning procedure dated December 21, 2023, that it has carried out the following actions:

-A complaint has been filed against the responsible agents.

-The agents involved were discharged from the establishment.

ELEVENTH: It is stated that, in the complaint filed by the entity TOWER PHONE, S.L., on January 12, 2023, the concept of SIM SWAPPING is defined as follows:


“SIM Swapping is a cyber attack that consists of impersonating a person from their telephone service company and requesting a duplicate of the SIM card of their mobile phone in order to go to their online banking and operate with it, receiving SMS with the confirmation code for banking operations
on that new SIM, proceeding to divert the money from the current account of the impersonated person to another account owned by the criminals.

The victim, as in the present case, only finds out about the situation when he or she no longer has coverage on his or her mobile phone and, no matter how much he or she restarts the device or tries to find coverage, he or she is unable to do so because, when the new duplicate SIM that the cybercriminals request from the telephone service company comes into operation, the SIM that is inside the victim's phone stops working."

TWELFTH: It is stated that in the complaint filed by TOWER PHONE
S.L., it is stated that "a complaint is filed against B.B.B. with NIE: (…) for possible
crime of:

(…)

It is also stated that when speaking about the concept of SIM Swapping, it is stated:

"First of all, it is important to explain what the facts reported here consist of (SIM Swapping) carried out by the defendant C.C.C. on at least the 14th, 17th and 21st of December 2022 at his workplace, the Orange point of sale located at (…) Madrid (***ADDRESS.2)”

(…)

In the fourth section of the complaint, regarding the reported facts, it states:

“Recently, my client has become aware of the facts that
we detail below, which have been duly verified and
compared with the respective internal departments of the company, through
the issuance of a report and attributed to the defendant.

Attached is an internal investigation report with its attached documents prepared and
signed by the store manager located at ***ADDRESS.1 Madrid, owned
by Tower Phone, S.L., (…). These annexes of the internal investigation report are the
following:

Annex 1: supporting documentation for B.B.B.'s working hours on October 6, 2022 (first impersonation).

Annex 2: supporting documentation for B.B.B.'s working hours on October 7, 2022 (second impersonation).

Annex 3: supporting documentation for B.B.B.'s working hours on October 13, 2022 (third impersonation).

Annex 4: supporting documentation for B.B.B.'s working hours on November 3, 2022 (fourth impersonation)

Annex 5: supporting documentation for B.B.B.'s working hours on November 15, 2022 (fifth impersonation)

FIRST OF ALL, my client became aware of the facts reported here for the first time on October 20, 2022, when he went to the ORANGE store located at ***ADDRESS.1 in Madrid (…) alerting that a few days ago he came to the store and that the same day he was called supposedly from ORANGE. The consultation at the store was about an unpaid bill, and the call corresponded with the visit to the store and the unpaid bill, to charge it by bank card. After several failed attempts with his card, a boy contacted the client (…) and told her that since they were from his country it was a scam, that she should not pay attention, and that they received such information from customers through the stores. From the first moment, the client directly accused B.B.B. (…), whereupon an email is sent to the supervisor so that they are aware of these frauds. (…)

(…)

SECONDLY, on November 16, 2022, they call the person in charge of the ORANGE store (located at ***ADDRESS.1), from the ORANGE store in ***LOCATION.1, Madrid, indicating that on November 15, 2022 at 8:45 p.m. a duplicate card had been made to the client A.A.A. using the code of the point of sale corresponding to the ORANGE store located at ***ADDRESS.1 in Madrid.

In light of these events, the person in charge of the ORANGE store at ***ADDRESS.1 asked the store staff if they had changed the SIM card the day before, since it did not appear as invoiced in our billing system and it was verified that the SIM card that had been used was in the store's stock. The staff said that they had not done so and had no record of it. Since there are cameras in the store, the video from the day of the events (November 15, 2023) was reviewed, where it was observed that at the time when the duplicate card was made, they were working (…) and B.B.B. was at the computer at the cash register, apparently talking on the phone with a headset.

(…)

Given the seriousness of the events, all the information was sent that same day to the ORANGE
supervisor and an informative email was sent about what had happened.

(…)

Later, on November 18, the ORANGE telephone company responded to the same, informing this party that for this procedure, documentation and signature of another person had been used (…). Likewise, it is
confirmed to this party that said person went to make a duplicate card the day
before the fraud with the employee B.B.B. in the ORANGE store located
***ADDRESS.1, and it is correctly invoiced.


(…)

It should be noted that, when making the duplicate card, the one currently in the system is cancelled and replaced by a new one, invalidating the previous card at the same time. These are normally made when the current card, for example, does not work, the client has lost the mobile phone or it has been stolen. THE PROTOCOL TO BE FOLLOWED TO MAKE A DUPLICATE is with the customer in person at the store and with their original and valid document, since we must scan the document for validation and ensure that it is the owner of the line who is changing the SIM card.

(…)

THIRDLY, and as a consequence of the fraud detailed above, this
party requests all available information from ORANGE in order to proceed
to suspend or remove the suspect B.B.B. from the store, and to do so, this
party needed its Cybersecurity department to ensure how many
duplicates from the store at ***ADDRESS.1 have been made, being Frauds,
their hours and the IP that made that duplicate. This IP is especially
relevant since it assures us that it was made from the store, and not from another external computer
or authorized PC.

This part received confirmation from ORANGE where the following duplicates were reported, all of them made with the IP (...) corresponding to the computers of the Orange Store ***ADDRESS.1:

1. DUPLICATE SIM CARD FRAUD (SIM SWAPPING) ON 06-10-2022,
20:42 HOURS AT THE ORANGE STORE POINT OF SALE ***ADDRESS.1,
MADRID.

On October 6, 2022 at 8:42 p.m., a duplicate of the SIM card (...), IMSI number (...) and belonging to the mobile number (...) owned by an ORANGE customer (...) with DNI (...) was produced. According to the geolocation of the IMEIS of the terminals used for the SIM duplication, the impersonation took place in the ORANGE store ***ADDRESS.1 in Madrid owned by my representative. In order to prove this geolocation, this party will send a letter to the ORANGE marketing company to provide said report.

Once it has been confirmed that the duplication was carried out in the ORANGE store ***ADDRESS.1 in Madrid owned by my representative, the timetables that have been attached in the internal investigation report (Annex 1) show that in the time slot (06/10/2022 at 8:42 p.m.) when the duplication took place, the only worker who was working in said store was the one reported. In this way, it can be confirmed 100% that B.B.B. was at his/her corresponding workplace (point of sale) on the dates and times when said duplication occurred.
(…)


2. DUPLICATE SIM CARD FRAUD (SIM SWAPPING) ON DATE 07-10-2022,
20:36 HOURS AT THE ORANGE STORE POINT OF SALE ***ADDRESS.1,
MADRID.

On October 7, 2022 at 8:36 p.m., a duplicate card was produced with SIM number (…), IMSI number (…) and belonging to the mobile number (…) owned by the ORANGE customer (…) with ID (…). According to the geolocation of the IMEIS of the terminals used to duplicate the SIM card, the impersonation took place in the ORANGE store ***ADDRESS.1 in Madrid owned by my representative. To prove this geolocation, this party will send a letter to the ORANGE marketing company to provide said report.

Once it has been confirmed that the duplication was carried out in the ORANGE store ***ADDRESS.1 in Madrid owned by my representative, the timetables that have been attached in the internal investigation report (Annex 2) show that in the time slot (07/10/2022 at 8:36 p.m.) when the duplication took place, the only worker who was working in said store was the one reported. In this way, it can be 100% confirmed that B.B.B. was at his/her corresponding workplace (point of sale) on the dates and times when said duplicate occurred.
(…)

3. SIM CARD DUPLICATE FRAUD (SIM SWAPPING) ON DATE 10-13-2022, 18:43 HOURS AT THE ORANGE STORE POINT OF SALE ***ADDRESS.1, MADRID.

On October 13, 2022 at 6:43 p.m., a duplicate of the card with SIM number (…), IMSI number (…), and belonging to the mobile number (…), property of the client (…) with ID (…), was produced. According to the location of the IMEIs of the terminals used for the SIM duplicate, the impersonation occurred at the ORANGE store ***ADDRESS.1 in Madrid owned by my client. To prove this geolocation, this party will officially contact the ORANGE marketing company to provide said report.

Once it has been confirmed that the duplicate was carried out in the Orange store ***ADDRESS.1 in Madrid owned by my client, the timetables attached to the internal investigation report (Annex 3) show that in the time slot (10/13/2022 at 6:43 p.m.) when the duplicate occurred, the only worker who was working in said store was the one reported. In this way, it can be 100% confirmed that B.B.B. was in his corresponding workplace (point of sale) on the dates and times when said duplicate occurred.

(…)

4. SIM CARD DUPLICATION FRAUD (SIM SWAPPING) ON 03-11-22, 20:16 HOURS AT THE ORANGE STORE POINT OF SALE ***ADDRESS.1, MADRID.

On November 3, 2022 at 8:16 p.m., a duplicate of the card with SIM number (…), IMSI number (…) and belonging to the mobile number (…), property of the ORANGE client (…) with DNI (…), was produced. According to the geolocation of the IMEIs of the terminals used for the SIM duplication, the impersonation occurred in the Orange store ***ADDRESS.1 in Madrid owned by my client. In order to prove this geolocation, this party will send a letter to the Orange marketing company to provide said report. It should be noted that said fraud was reported by Orange to my client on November 21, 2022.
(…)

Once it has been confirmed that the duplication was carried out in the Orange store ***ADDRESS.1 in Madrid owned by my client, the timetables attached to the internal investigation report (Annex 4) show that in the time slot (03/11/2022 at 8:16 p.m.) when the duplication occurred, the only worker who was working in said store was the one reported. In this way, it can be 100% confirmed that B.B.B. was in his corresponding workplace (point of sale) on the dates and times when said duplication occurred.

(…)

5. SIM CARD DUPLICATION FRAUD (SIM SWAPPING) ON 11-15-2022, 8:16 PM AT THE ORANGE STORE POINT OF SALE ***ADDRESS.1, MADRID.

On November 15, 2022 at 8:46 PM, a duplicate of the card with SIM number (…), IMSI number (…) and belonging to the mobile number (…), owned by the Orange customer (…) with ID (…), was produced. According to the geolocation of the IMEIs of the terminals used for the SIM duplication, the impersonation occurred in the Orange store ***ADDRESS.1 in Madrid owned by my client. To prove said geolocation, this party will send an official letter to the Orange marketing company to provide said report.

Once it has been confirmed that the duplication was carried out in the Orange store ***ADDRESS.1 in Madrid owned by my client, the timetables attached to the internal investigation report (Annex 5) show that in the time slot (11/15/2022 at 8:46 p.m.) when the duplication occurred, the only worker who was working in said store was the one reported. In this way, it can be 100% confirmed that B.B.B. was in his corresponding workplace (point of sale) on the dates and times when said duplication occurred.

(…)

“SIXTH. - The facts narrated may constitute a:

- POSSIBLE CRIME OF FRAUD WITH ELECTRONIC MEANS (248.2 CP)

- AND/OR POSSIBLE CRIME OF THEFT (234 CP) AND/OR POSSIBLE MISAPPROPRIATION (235 CP AND FOLLOWING)

- AND/OR POSSIBLE IDENTITY THEFT WITH USURPATION OF CIVIL STATUS (401 CP)

- AND/OR POSSIBLE CRIME OF COMPUTER INTRUSION AND INTERCEPTION OF COMPUTER DATA TRANSMISSIONS (197 BIS CP)”


(…)

THIRTEENTH: In its written allegations to the agreement initiating this sanctioning procedure, dated December 21, 2023, ORANGE submitted a “GDPR REPORT. AUDIT OPINION. APPLICATION OF THE PRINCIPLES OF PRIVACY BY DESIGN AND BY DEFAULT”, dated December 18, 2023, whose conclusions read:

“(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).

(…).”


FOURTEENTH: In its written allegations to the agreement initiating this sanctioning procedure, ORANGE submitted a document entitled “Procedure. Data Protection by design and by default”, with an initial version dated 04/04/2018; in its version 2.0, dated November 18, 2019, section 4 reads:

“4. Data Protection by Design

In compliance with the provisions of the Privacy by Design Guide published by the AEPD, ORANGE is obliged to adopt privacy design strategies oriented to applying the appropriate technical and organizational measures from the first phase of development of an information system or a new project or service that involves data processing, and throughout its execution, as well as verifying and managing control over the collection, use and disclosure of personal data processed from the first phase of processing personal data.

(…):

-(…).

-(…).

- (…).

(…).

(…).

(…).

(…).

5. Data protection by default.

(…).

(…):

-(…).

-(…).

-(…).

-(…).

(…).


(…).

6. Implementation of appropriate measures

(…).

(…).

(…).

(…).

(…):

- (…).

- (…).

- (…).

- (…).

- (…).

(…).

7. Compliance verification

(…):

- (…).

- (…).

- (…).

- (…).

- (…).

LEGAL BASIS

I
Competence


In accordance with the powers that article 58.2 of the GDPR grants to each supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures."

II

Preliminary questions

In the present case, in accordance with Article 4(1) and 4(2) GDPR, processing of personal data takes place, since ORANGE collects and stores, among other data and processing operations, the following personal data of natural persons: name and surname, date of birth, email address and bank details.

ORANGE carries out this activity in its capacity as data controller, since it determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR.

First of all, it should be noted that Article 4.1 of the GDPR defines:

"personal data" as "any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

In this regard, it should be clarified that the SIM card is inserted into the mobile terminal. It is a smart card, in physical format and small in size, which contains a chip in which the subscriber's service key is stored, used to identify the subscriber to the network, that is, the client's mobile telephone line number MSISDN (Mobile Station International Subscriber Directory Number), as well as the subscriber's personal identification number IMSI (International Mobile Subscriber Identity); it can also hold other types of data such as the contact list or the list of calls and messages.

On the other hand, the issuance of a duplicate SIM card involves the processing of the personal data of its holder, since any person whose identity can be determined, directly or indirectly, in particular by means of an identifier such as the telephone number, is considered an identifiable natural person (Article 4(1) GDPR).


Therefore, the SIM card identifies a telephone number and this number in turn identifies its holder. In this sense, the judgment of the CJEU in case C-101/01 (Lindqvist) of 6 November 2003, paragraph 24, ECR 2003 p. I-12971: «The concept of "personal data" used in Article 3(1) of Directive 95/46, in accordance with the definition in Article 2(a) of the Directive, includes "all information relating to an identified or identifiable natural person". This concept undoubtedly includes the name of a person together with his telephone number or other information relating to his working conditions or his hobbies».

In short, both the data processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module) that uniquely and unambiguously identifies the subscriber on the network are personal data, and their processing must be subject to data protection regulations.

For its part, Article 6 GDPR regulates the lawfulness of processing.

Likewise, Article 25 GDPR regulates data protection by design and by default.

III
Response to the allegations to the initiation agreement

In response to the allegations presented by the respondent entity to the initiation agreement, the following should be noted:

First: Alleged criminal prejudiciality.

ORANGE raises this point on the basis that a criminal complaint has been filed against the agents who acted criminally in making the duplicate SIM card and that, since those facts are the subject of a criminal investigation in which ORANGE appears as an injured party, the principle of criminal prejudiciality provided for in Article 10 of Organic Law 6/1985 on the Judiciary would apply.

Consequently, it considers that the matter should be resolved in the criminal courts before a ruling is made in the administrative sphere, and that this sanctioning procedure should be suspended in accordance with Article 22.1.g) of Law 39/2015 on the Common Administrative Procedure of Public Administrations, since, under Article 77.4 of that Law, in sanctioning procedures the facts declared proven by final criminal court decisions bind the Public Administrations with respect to the sanctioning procedures they conduct. ORANGE thus understands that in this case there is a triple identity of subject, fact and basis:

As for the subject, the authorship of the facts in both procedures by the commercial agents would have been established.

As for the fact, there would be a coincidence, since both concern the fraudulent issuance of a duplicate SIM card.

As for the basis, the agents' illegitimate and fraudulent conduct, contrary to the protocols and procedures established by ORANGE, would be sanctioned twice.

In relation to this issue, this Agency considers it necessary to point out that in the present sanctioning file there is no triple identity of subject, fact and basis, required to apply Article 77.4 of Law 39/2015, between the administrative infringement being assessed and the possible criminal offences that could arise from the complaint filed before the court mentioned by ORANGE, since the offending subject is not the same.

Thus, ORANGE is the responsible party in the present sanctioning procedure, while the criminally responsible party would be the employee who duplicated the SIM card, as stated in the claim filed by ORANGE in its written statement of allegations.

In this regard, the Judgment of the National Court of 27/04/2012 (rec. 78/2010) is very enlightening; in its second Legal Basis the Court rules as follows on the appellant's claim that the AEPD infringed Article 7 of Royal Decree 1398/1993 (a rule in force until the entry into force of the LPACAP):

“In this sense, Art. 7 of Royal Decree 1398/1993, of August 4, on the procedure for the exercise of the sanctioning power, only provides for the suspension of the administrative procedure when the effective and real existence of a criminal procedure is verified, if it is estimated that there is identity of subject, fact and legal basis between the administrative infraction and the criminal infraction that could correspond.

However, for criminal prejudiciality to arise, it is required that it directly conditions the decision to be taken or that it is essential to resolve, conditions that do not occur in the case examined, in which there is a separation between the facts for which the sanction is imposed in the resolution now appealed and those that the appellant invokes as possible criminal offenses. Thus, even if, in the present case and for the facts now in dispute, criminal proceedings had also been initiated against the distribution company, the truth is that both the sanctioned conduct and the protected legal asset are different in both cases (contentious-administrative and criminal). In the criminal sphere, the protected legal asset relates to a possible falsification of documents and fraud, and in the administrative sphere, on the other hand, to the power of disposition of personal data by its owner, so that such objection by the defendant must be rejected.”

Therefore, the question raised by ORANGE cannot prosper and must be rejected.

Second: Regarding the factual assumption.


ORANGE points out that the issuance of a duplicate SIM card implies the issuance of a SIM card without personal information, and that by itself it does not allow access to banking or financial information.

In relation to this question, and as already stated in the agreement to initiate this sanctioning procedure, the SIM card is a card that is inserted into the mobile terminal. It is a small, physical smart card containing a chip that stores the subscriber's service key, used to identify the subscriber to the network, i.e. the customer's mobile telephone line number MSISDN (Mobile Station International Subscriber Directory Number), as well as the subscriber's personal identification number IMSI (International Mobile Subscriber Identity); it can also hold other types of data such as the contact list or the list of calls and messages.

In addition, the issue of a duplicate SIM card involves the processing of the personal data of its holder, since an identifiable natural person is considered to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier (Article 4.1 of the GDPR).

The SIM card therefore identifies a telephone number and this number in turn identifies its holder. In this regard, the judgment of the CJEU in Case C-101/01 (Lindqvist) of 6 November 2003, paragraph 24, ECR 2003 p. I-12971: «The concept of "personal data" used in Article 3(1) of Directive 95/46, in accordance with the definition given in Article 2(a) of that Directive, includes "any information relating to an identified or identifiable natural person". This concept undoubtedly includes the name of a person together with his telephone number or other information relating to his working conditions or his hobbies».

In short, both the data processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module) that unambiguously and uniquely identifies the subscriber on the network are personal data, and their processing must be subject to data protection regulations.

The National Court's ruling of 8 February 2024 states in this regard:

"We must start from the fact that the issuance of a duplicate SIM card involves the processing of the personal data of its owner, since, according to article 4.1 of the RGPD, an identifiable natural person is considered to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier. Well, the SIM card is inserted into the mobile terminal. It is a smart card in physical format and small in size, which contains a chip in which the subscriber's service key is stored, used to identify himself to the network, that is, the client's mobile line number MSISDN (Mobile Station Integrated Services Digital Network) as well as the subscriber's personal identification number IMSI (International Mobile Subscriber Identity), but it can also provide other types of data such as information on the telephone list or the list of calls and messages.

And as highlighted in the contested resolution, since 2007, in Spain, in accordance with the Sole Additional Provision of Law 25/2007, of October 18, on the conservation of data related to electronic communications and public communications networks, it is required that the holders of all SIM cards, whether prepaid or contract, are duly identified and registered. Therefore, when obtaining a duplicate SIM card, the person requesting it must also identify themselves and ensure that their identity matches that of the holder.”

Likewise, the National Court ruling dated February 9, 2023,
also states the following:

“Well, the SIM card is a smart card that is inserted into the mobile terminal, which contains a chip in which the key to the subscriber service used to identify themselves to the network is stored.

Thus, the Attorney General's Office points out in a report from July 2016, cited by the contested resolution: "according to the European standards for digital cellular telecommunications systems, established by the European Telecommunications Standards Institute (ETSI), a fully operational cellular mobile communications device, colloquially called a "Mobile Phone", is materially composed of two essential elements. First, the terminal (...). Second, the user identification module, better known as the "SIM card" (Subscriber Identity Module). This SIM card is interchangeable between the different mobile terminals on the market and its digital chip contains the information necessary to identify and authenticate the subscriber, including the International Mobile Subscriber Identity (IMSI), which unequivocally identifies the subscriber in the cellular network. Without a valid IMSI, telephone services will not be accessible, except in the case of an emergency call."

Therefore, the IMSI is the identification code in the cellular communications network and is essential to identify the subscriber, and as it is stored in the SIM card, whoever has said card (the impersonator) has the IMSI stored. In addition, as soon as the impersonator inserts the SIM in a terminal and turns it on, the IMSI will be accessed and exchanged with the network.

Thus, to the extent that the IMSI installed in the SIM card allows an individual to be singled out and therefore identified, it must be considered personal data according to article 4 of the GDPR, which defines as such “any information regarding an identified or identifiable natural person (the interested party); an identifiable natural person is considered to be any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

In other words, the inappropriate issuance of a person's mobile phone SIM card to a third party who impersonates that person allows that third party to access the confidential information stored on the card and the line of the legitimate SIM card holder, with a clear loss of confidentiality since the data is transmitted to a third party illegally.

Please note that in Spain, since 2007, pursuant to the Sole Additional Provision of Law 25/2007, of October 18, it is required that the holders of all SIM cards be duly identified and registered. This is important because the identification of the subscriber will be essential to register the SIM card, which means that when obtaining a duplicate of it, the person requesting it must identify themselves and their identity must match that of the holder.

In short, both the personal data (name, surname and ID) that are processed to issue a duplicate SIM card, as well as the SIM card itself that uniquely identifies the subscriber on the network, are personal data…”

In this sense, regarding the objection that the initiation agreement attributes to the duplicate SIM card the capacity to enable banking operations, it should be noted that ORANGE itself, when filing the complaint against the agent who made the duplicate SIM card that gave rise to the present sanctioning procedure, defined the concept of SIM SWAPPING as follows:

“SIM Swapping is a cyber attack that consists of impersonating a person with their telephone service company and requesting a duplicate of the SIM card of their mobile phone in order to access their online banking and operate with it, receiving the SMS with the confirmation code for banking operations on that new SIM, and proceeding to divert the money from the current account of the impersonated person to another owned by the criminals.

The victim, as in the present case, only finds out about the situation when he or she loses coverage on his or her mobile phone and, no matter how much he or she restarts the device or tries to find coverage, is unable to do so, since, when the new duplicate SIM that the cybercriminals request from the telephone service company comes into operation, the SIM that is in the victim's phone stops working."

In this sense, ORANGE itself confirms the concept of SIM Swapping and that its objective is to access online banking, receiving on the new SIM the SMS with the confirmation code for banking operations, and to divert the money from the current account of the impersonated person to another account owned by the criminals. Therefore, there is no doubt in this respect about the concept of SIM Swapping and the reasons why duplicate SIM cards are requested.

In addition, in the present case, in relation to the infringement of article 6 of the
RGPD, what is being analyzed is the making of a duplicate SIM card
owned by the complainant and without his consent, in a store owned by
ORANGE.

Regarding the infringement of Article 25 GDPR, ORANGE, in order to establish measures appropriate to the risk, must evaluate the possible risks to the rights and freedoms of individuals, among which is that customers suffer the well-known SIM Swapping attack through the fraudulent obtaining of a duplicate of their SIM card, which entails the consequent loss of control over their own personal data and possible financial losses. All this regardless of the liability that financial institutions may incur if they acted with a lack of diligence.

On the other hand, ORANGE also argues that the initiation agreement makes erroneous associations to aggravate the factual situation by attributing to the duplicate SIM card the capacity to enable banking operations, omitting the previous step in which the wrongdoers must obtain and be able to use the claimant's bank credentials in order to identify themselves and carry out the identity theft before the financial institution.

It adds that this AEPD does not mention the role played by financial institutions in these cases, and that there is no record of any sanctioning procedure having been initiated against them.

Regarding the liability of financial institutions, it should be noted that the PSD2 Directive applies to payment services provided within the Union (Article 2) and not to ORANGE; but it is also true that the issuance of a duplicate SIM card to a third party who is not the owner of the line gives the impersonators control of the telephone line, and therefore of the SMS sent to the phone linked to the original SIM card, allowing them to obtain the authentication code for the transaction.

According to Article 4(30) of the Directive, “strong customer authentication” is based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). These elements are independent of each other, so that the breach of one does not compromise the reliability of the others.

The reason is very simple: the more elements there are to verify the user's identity, the more secure the transaction is.

In these cases, the impersonator must first enter the user name and password in the application or on the website of the online banking or payment service provider. Secondly, to complete the electronic transaction he wishes to carry out, the impersonator will normally receive, via SMS, an alphanumeric verification code on the mobile phone linked to that profile. This code has a limited time validity and is single-use, that is, it is generated only for that specific transaction and for a limited time.

Once the verification code has been entered, the transaction is carried out and completed. It is assumed that only the user has the mobile device in his possession (this is the "something he has"), so when he receives the verification code on that mobile phone via SMS, his identity is doubly authenticated. Therefore, it is not enough for the impersonators to know the username and password with which the victim identifies himself; they also need to intercept the confirmation code. Consequently, in order to carry out a transfer, transaction or purchase without consent, that is, to commit the computer fraud, the cybercriminal must illegally access the verification codes associated with each of these operations sent by the bank via SMS, and the most common way to do this is by obtaining a duplicate of the SIM card.

Therefore, it is necessary to carry out two completely different but complementary actions.

Firstly, the access credentials to the online banking or payment provider belonging to the person to be defrauded must be obtained, if the aim is financial enrichment.

And, secondly, a duplicate of the SIM card belonging to the person to be defrauded must be obtained in order to receive the confirmation SMS that the customer would receive on his mobile terminal as the second authentication factor.

Well, the last of these actions, obtaining the duplicate, is where the facts of this procedure are focused, and not on those of the first phase, which obviously remain outside the responsibility attributed to ORANGE in the present procedure.
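The two-step mechanism described above, as an added example that is not part of the decision or of any Orange or bank system: a small Python model in which the operator's subscriber register maps a phone number (MSISDN) to whichever SIM (IMSI plus its network authentication key) is currently provisioned, the bank sends its single-use code by SMS to the number on file, and a duplicate SIM is issued to an attacker who already holds the phished password. The network, bank, names, numbers and amounts are all constructed. The point it makes concrete is that an SMS code binds the possession factor to the number rather than to the customer's handset, so the duplicate SIM inherits the factor and the bank sees what looks like a valid second-factor confirmation; the same attacker fails against a code derived from a key enrolled on the customer's device, because the only key material the duplicate card carries is the network authentication key, which the bank never relied on. It also reproduces the one signal the decision says the victim gets: the original SIM is rejected by the network.

```python
# Constructed model of a SIM swap against SMS-OTP; not the AEPD's, Orange's or any bank's code.
import hashlib, hmac, secrets, struct
from dataclasses import dataclass

NUMBER = "+34600000000"          # constructed victim MSISDN


@dataclass
class Sim:
    imsi: str                    # subscriber identity stored on the card
    ki: bytes                    # per-SIM network authentication key, also on the card
    active: bool = True


class MobileNetwork:
    """Subscriber register: MSISDN -> currently provisioned SIM. SMS is routed by number."""
    def __init__(self):
        self.sim_for, self.inbox = {}, {}        # MSISDN -> Sim, IMSI -> delivered SMS
    def provision(self, msisdn):
        sim = Sim("214" + secrets.token_hex(6), secrets.token_bytes(16))
        self.sim_for[msisdn], self.inbox[sim.imsi] = sim, []
        return sim
    def issue_duplicate(self, msisdn):
        # New SIM for the same number; the old one stops working (the victim's only signal).
        self.sim_for[msisdn].active = False
        return self.provision(msisdn)
    def send_sms(self, msisdn, text):
        self.inbox[self.sim_for[msisdn].imsi].append(text)
    def read_sms(self, sim):
        if not sim.active:
            raise ConnectionError("SIM rejected by the network (no coverage)")
        return self.inbox[sim.imsi]


def device_code(device_key, txn_id, amount):
    """Transaction-bound HMAC code (HOTP-style); the key lives only on the handset and at the bank."""
    mac = hmac.new(device_key, struct.pack(">QQ", txn_id, amount), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


class Bank:
    """Password (knowledge) plus one possession factor: SMS OTP to the number on file, or a device-key code."""
    def __init__(self, network):
        self.network, self.accounts, self.pending = network, {}, {}
    def enroll(self, user, password, msisdn, device_key):
        self.accounts[user] = {"pw": hashlib.sha256(password.encode()).hexdigest(),
                               "msisdn": msisdn, "key": device_key, "balance": 9000, "txn": 0}
    def _login(self, user, password):
        acct = self.accounts.get(user)
        ok = acct and hmac.compare_digest(acct["pw"], hashlib.sha256(password.encode()).hexdigest())
        return acct if ok else None
    def start_transfer_sms(self, user, password, amount):
        acct = self._login(user, password)
        if acct is None:
            return False
        otp = f"{secrets.randbelow(10**6):06d}"                  # single-use, per transaction
        self.pending[user] = (otp, amount)
        self.network.send_sms(acct["msisdn"], f"Code {otp} for {amount} EUR")
        return True
    def confirm_transfer_sms(self, user, otp):
        expected, amount = self.pending.pop(user, ("", 0))
        if not expected or not hmac.compare_digest(expected, otp):
            return False
        self.accounts[user]["balance"] -= amount
        return True
    def transfer_device_bound(self, user, password, amount, txn_id, code):
        acct = self._login(user, password)
        if acct is None or txn_id != acct["txn"] + 1:              # bad password or replay
            return False
        if not hmac.compare_digest(device_code(acct["key"], txn_id, amount), code):
            return False
        acct["txn"], acct["balance"] = txn_id, acct["balance"] - amount
        return True


def run_scenario():
    # Phase 1 (outside the operator): the attacker already holds the phished password.
    net = MobileNetwork()
    bank = Bank(net)
    victim_sim = net.provision(NUMBER)
    device_key = secrets.token_bytes(32)                         # generated on the victim's handset
    bank.enroll("victim", "phished-password", NUMBER, device_key)
    legit_ok = bank.transfer_device_bound("victim", "phished-password", 100, 1,
                                          device_code(device_key, 1, 100))
    # Phase 2: a duplicate SIM for the victim's number is issued to the attacker.
    attacker_sim = net.issue_duplicate(NUMBER)
    # Device-bound factor: the card's Ki is all the attacker holds, and it is not the enrolled key.
    device_fraud_ok = bank.transfer_device_bound("victim", "phished-password", 8900, 2,
                                                 device_code(attacker_sim.ki, 2, 8900))
    # SMS factor: the bank's code for the victim's number is delivered to the duplicate SIM.
    bank.start_transfer_sms("victim", "phished-password", 8900)
    otp = net.read_sms(attacker_sim)[-1].split()[1]
    sms_fraud_ok = bank.confirm_transfer_sms("victim", otp)
    return {"legit_device_ok": legit_ok, "device_fraud_ok": device_fraud_ok,
            "sms_fraud_ok": sms_fraud_ok, "victim_has_coverage": victim_sim.active,
            "balance": bank.accounts["victim"]["balance"]}
```

Note the asymmetry this exposes from the operator's side: once the duplicate is provisioned, nothing downstream distinguishes the attacker from the customer, and the bank's check of the SMS code passes exactly as it would for the legitimate holder. That is why the decision locates the control at the duplicate-issuance step, where the requester's identity must be verified against the holder's, rather than at the bank.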

On the other hand, ORANGE states that the AEPD intends to sanction SIM SWAPPING frauds without considering or analysing the specific factual situation, the associated damage or the resulting responsibilities, and without taking into account the diligence displayed by ORANGE in its actions and in the adoption of security measures.

It adds that the AEPD fails to assess the documentation provided, establishing a generic discourse to legitimise an infringement of data protection regulations.

However, in relation to this issue, it is necessary to refer to the procedural moment in which ORANGE presents these allegations. In this regard, in accordance with the provisions of article 64 of Law 39/2015, on the Common Administrative Procedure of Public Administrations, referring to the “Agreement to initiate sanctioning procedures”, in section 2 it establishes:

“2. The initiation agreement must contain at least:

a) Identification of the person or persons presumed responsible.

b) The facts that motivate the initiation of the procedure, their possible qualification and the sanctions that may apply, without prejudice to what results from the instruction.

c) Identification of the instructor and, where appropriate, secretary of the procedure and the rule that attributes such competence to them, with express indication of the regime of recusal of the same.

d) The competent body for the resolution of the procedure and the rule that grants it such competence, indicating the possibility that the presumed responsible party may voluntarily acknowledge his responsibility, with the effects provided for in article 85.

e) Provisional measures that have been agreed upon by the competent body to initiate the sanctioning procedure, without prejudice to those that may be adopted during the procedure in accordance with article 56.

f) Indication of the right to make allegations and to be heard in the procedure and the time limits for exercising them, as well as an indication that, in the event of not making allegations within the time limit provided for on the content of the initiation agreement, this may be considered a resolution proposal when it contains a precise statement on the imputed responsibility.”

Therefore, the agreement to initiate this sanctioning procedure contains all the statements required by the applicable regulations.

Without prejudice to the above, the allegation raised by ORANGE cannot be taken into account either, insofar as the factual situation is considered and assessed when grading the sanction associated with the infringements of Articles 6 and 25 GDPR, under Article 83(2)(a) GDPR.

With regard to the diligence of ORANGE, it must be taken into account that this aspect has been assessed as an aggravating factor in the infringement of Article 25 GDPR, so it has been analysed. The measures adopted subsequently are assessed positively, but they do not mean that the infringement of Article 25 GDPR did not occur.

Finally, ORANGE's statement that the Agency uses a generic discourse, or that the documents presented have not been assessed, cannot be accepted, as this document and the high number of proven facts show.

Third: Regarding ORANGE's role as victim. Regarding the Modus Operandi.

With this allegation, ORANGE argues that this duplicate SIM card was issued in a manner different from other cases, insofar as it was made by two sales representatives at the company's own point of sale, who were consequently acting on behalf of ORANGE.

Before continuing with the rest of the arguments presented by ORANGE,

this AEPD wishes to state that the complaint filed with the Court of Instruction is directed
against B.B.B., for the possible crime of:

- possible crime of fraud with electronic means (238.2 CP)

- and/or possible crime of theft (234 CP) and/or possible misappropriation (235 CP and following)

- and/or possible identity theft with usurpation of civil status (401 CP)


- and/or possible crime of computer intrusion and interception of computer data transmissions (197 bis CP)

- any other crime that may be appreciated from the investigation of this case.

The facts of the complaint filed show that the defendant
started working at the workplace located at ***ADDRESS.1 in Madrid, on
July 12, 2021. The defendant was working until December 11, 2022.

In addition, in Fact Four of the complaint, which discusses the reported facts,
up to 5 impersonations carried out by the ORANGE employee
of ***ADDRESS.1 in Madrid are recorded.

On the other hand, Fact Three of the complaint discusses the concept of SIM
SWAPPING as follows:

“First of all, it is important to explain what the facts reported here consist of (SIM Swapping), carried out by the defendant C.C.C. on at least the days 14, 17 and 21 November 2022 at his workplace, the ORANGE point of sale located at (…) (***ADDRESS.2).”

Therefore, although in its allegations ORANGE speaks of two workers from the same store, it is clearly observed that two workers from two different stores may have been involved in a case like the one reported by the complainant. Furthermore, if we take into account the content of the complaint, in the ORANGE store located at ***ADDRESS.1, 5 individuals were affected, while, in the store located at (…) ***ADDRESS.2, 3 people were affected.

Once this clarification has been made, in the sense that it was not two workers from the same store who acted wrongfully, but workers who provided their services in two different stores, and that it is clearly deduced from the content of the complaint filed by ORANGE before the Court of Instruction that at least 8 people were affected, ORANGE's statements that it cannot be required to have the full capacity to detect and frustrate such criminal acts must be rejected.

In this sense, what determined that an event such as the one reported could occur is the fact that the procedure that ORANGE had implemented to make a duplicate SIM card (…).

This is explained by ORANGE in its written allegations to the initiation agreement, dated December 21, 2023, submitted to this Agency, in such a way that, according to ORANGE, "in the case at hand, ORANGE agents used (...), which is why, when entering it into the system of (...). Thus, for this type of documentation reading errors, the ORANGE Protocol establishes that, although a notice must be generated to the Risk Analysis Group, commercial agents are allowed for rated cases (...). This is due to the necessary opening of said manual intervention within an absolutely automated system that must allow the commercial act (...)".

This is why, in the present sanctioning procedure, the infringement of Article 25 of the GDPR has been imputed, since, according to it, the data controller, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity that the processing entails for the rights and freedoms of natural persons, must apply, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organizational measures, in order to comply with the requirements of this Regulation and protect the rights of the interested parties.

This article imposes an obligation to design internal procedures at the time of determining the means of processing and to apply these procedures at the time of processing, in order to effectively ensure compliance with the data protection requirements.

ORANGE, in communicating the procedure it has implemented for the issuance of duplicate SIM cards, has reported that there are cases in which it may proceed to (…).

The principle of data protection by design requires that it be considered from the earliest stages of planning a processing operation: the controller, from the moment a possible processing of personal data is designed and planned, must determine all the elements that make up the processing, in order to effectively apply the data protection principles, integrating the necessary guarantees into the processing with the ultimate purpose of protecting the rights of the data subjects, in compliance with the provisions of the GDPR.

With the system that ORANGE had implemented, as stated in its written allegations to the agreement to initiate this sanctioning procedure, dated December 21, 2023, the agents were able to use (…) that may arise from the delivery of a valid SIM card to a third party without the consent of its owner. Thus, according to ORANGE, when the agents introduced (…). For this type of error, according to its statements, the ORANGE Protocol establishes that, although a notice must be generated to the Risk Analysis Group, commercial agents are allowed for cases (…). According to ORANGE, this is due to the necessary opening of said manual intervention within a completely automated system that must allow (…). Thus, ORANGE articulated a protocol whose main objective was the performance of the commercial act, but which did not contemplate the risk of issuing and delivering a SIM card to a person other than its owner. The notification to the Risk Analysis Group is clearly ineffective, since it did not succeed in detecting the identity theft, at least in the cases that this Agency is aware of through this procedure.

Therefore, already from the design of the processing, there were no measures under article 25 of the RGPD to verify that the information entered was not erroneous, or to verify that the request for a duplicate card was being made by the owner of the line, to whom the delivery was also being made.

This means that ORANGE had not adequately identified and analysed the
risks that a manual process of SIM card duplicates entails for the
rights and freedoms of natural persons, nor planned or implemented from the design
the appropriate technical and organisational measures, to effectively apply the
data protection principles, required by article 25 GDPR.

The fundamental right to data protection also requires that controllers integrate data protection into the design of the processing of personal data, from the beginning and throughout the processing cycle, establishing for this purpose the appropriate policies for compliance with this principle and the protection of the rights of individuals. That is precisely what ORANGE did not do and what is being questioned in this sanctioning procedure, since the mechanism that ORANGE had implemented had not even foreseen the obligation to issue duplicate SIM cards by introducing (…), as ORANGE acknowledges in its statement of allegations.

In any case, despite ORANGE's statements that the agents took advantage of their knowledge of the system to commit a criminal act, in its written statement of allegations it states that "since December 14, 2022, ORANGE has proceeded to the precautionary suspension of the option that allows point-of-sale agents, (...)". That is, despite everything stated and the defence made of the system it had implemented, ORANGE has decided to suspend the system that allows the issuance of a duplicate SIM card (...).

For all the reasons stated, this allegation by ORANGE cannot be taken into account.

Fourth: On the absence of a lack of lawfulness in the processing of personal data by ORANGE.

ORANGE states that, during the process of duplicating the SIM card that led to the opening of this sanctioning procedure, no personal data of the complainant was provided to any third party, understanding that the commission of the criminal acts by the agents was carried out individually and contrary to the obligations imposed by ORANGE, and cannot be attributed to an action by ORANGE.

In relation to this issue, it is necessary to point out that the subject of this sanctioning procedure is not the conduct of the ORANGE employees, but rather whether the actions of ORANGE comply with the regulations on the protection of personal data. Although the present procedure has its origin in a fraudulent act by some ORANGE employees, it is no less true that they acted on behalf of ORANGE and that it was ORANGE who provided a duplicate of a SIM card (which, as already explained previously in this procedure, is personal data in itself) to a person other than the owner of the line. This constitutes a processing of personal data in the terms of article 4 of the RGPD, without having a lawful basis to do so, which would infringe article 6 of the RGPD, as explained in Legal Basis IV of this document.

Furthermore, the technical and organisational measures that ORANGE had implemented were not adequate or effective to ensure the rights and freedoms of the interested parties, which is why art. 25 of the GDPR would also be infringed, as explained in Legal Basis VII of this document.

On the other hand, ORANGE once again expresses its disagreement with the SIM card being considered personal data, and to this end cites the Judgment of the General Court of the European Union (Eighth Chamber, enlarged) of April 26, 2023, which determined that the classification of an alphanumeric code as personal data cannot be presupposed; rather, it is up to the supervisory authority to justify the ability to relate the data to a specific person, it not being enough to presuppose this merely because the code may potentially allow identification.

ORANGE insists that this Agency has not carried out any evidentiary activity and that
it directly presupposes that the codes contained in the SIM card allow
the identification of the holder.

This issue has been resolved in the second section of the response to these allegations, where the following has been stated:

With regard to this issue, and as already included in the agreement to initiate this sanctioning procedure, the SIM card is a card that is inserted into the mobile terminal. It is a smart card, in physical format and of reduced dimensions, which contains a chip in which the subscriber's service key is stored, used to identify the subscriber to the network, that is, the client's mobile telephone line number, the MSISDN (Mobile Station Integrated Services Digital Network), as well as the subscriber's personal identification number, the IMSI (International Mobile Subscriber Identity). It can also provide other types of data, such as the contact list or the list of calls and messages.

Furthermore, the issuance of a duplicate SIM card involves the processing of the personal data of its holder, since any person whose identity can be determined, directly or indirectly, in particular by means of an identifier (Article 4.1 of the GDPR) will be considered an identifiable natural person.

Therefore, the SIM card identifies a telephone number and this number in turn identifies its holder, as recently recognized by the National Court, in a judgment of May 13, 2024, (R 0002336/2021) by declaring that “(…) we must start from the fact that the issuance of a duplicate SIM card involves the processing of the personal data of its holder since, according to Art. 4.1 of the GDPR, any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, is considered an identifiable natural person.

Such an identifier is constituted by the SIM card, inserted into the mobile terminal, as a smart card, in physical format and of reduced dimensions, which contains a chip in which the subscriber's service key is stored, used to identify the subscriber to the network, that is, the client's mobile telephone line number MSISDN (Mobile Station Integrated Services Digital Network), as well as the subscriber's personal identification number IMSI (International Mobile Subscriber Identity), and which can also provide other types of data such as information on the telephone list or the list of calls and messages.

Since 2007, in Spain, in accordance with the Sole Additional Provision of Law 25/2007, of 18 October, on the retention of data relating to electronic communications and public communications networks, it is required that the holders of all SIM cards, whether prepaid or contract, be duly identified and registered. Therefore, when obtaining a duplicate SIM card, the person requesting it must also identify himself and his identity must match that of the holder”.

In this regard, the judgment of the CJEU in case C-101/2001 (Lindqvist) of 6.11.2003, paragraph 24, Rec. 2003 p. I-12971: «The concept of "personal data" used in Article 3(1) of Directive 95/46 includes, according to the definition given in Article 2(a) of that directive, "any information relating to an identified or identifiable natural person". This concept undoubtedly includes the name of a person together with his telephone number or other information relating to his working conditions or his hobbies».

In short, both the data processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module) which uniquely and unambiguously identifies the subscriber on the network are personal data, and their processing must be subject to data protection regulations.

Furthermore, and as also indicated in the second section of the response to these allegations, the National Court has also stated this in several other judgments, such as in the judgment of February 8, 2024, and in that of February 9, 2023.

For all these reasons, it must be made clear that the fact that the
duplicate of the SIM card was carried out by an employee of ORANGE is irrelevant, since, with the
issuance of the duplicate card, the action is taken on behalf of ORANGE, which is the
controller of the personal data of its clients.

Thus, and as far as this Agency knows, ORANGE has not established appropriate technical or organizational measures so that duplicates of the SIM card were issued only to the persons who own them or to third parties with their authorization.

Fifth: On the correct implementation of privacy by design and by default.

ORANGE expresses its disagreement with the infringement of article 25 of the GDPR being charged in this sanctioning procedure, and adds that the contracting processes and other complementary processes designed by the company were designed taking into account the privacy and security of the information, including the intervention of the agents themselves.


According to ORANGE, the work of these agents is precisely to execute the
processes verifying that they are carried out correctly, and in accordance with the instructions
of ORANGE, and adds that the automation of measures to support this work with
digital means should be considered as an additional reinforcement for the performance
of the functions.

ORANGE goes further, pointing out the existence of a “legitimate possibility for the company to delegate supervision tasks to users designated for this purpose, without this fact being comparable to any regulatory non-compliance”.

Regarding these allegations, it must be noted, first of all, that article 25 of the GDPR falls within the general obligations that Chapter IV of the GDPR establishes for the controller, imposing a design obligation at the time of determining the means of processing, which must effectively guarantee compliance with the data protection principles.

The GDPR requires controllers to establish the necessary technical and organizational measures throughout the entire life cycle of the processing, both from the initial moment in which the processing is defined and the means are determined, and during its implementation and normal operation.

Data protection by design aims to apply the data protection principles in the design of the organization's systems and procedures on which the processing of data is based. Its purpose is eminently preventive: to avoid possible damage to individuals and, collaterally, the damage that the organization would suffer if the systems in which the processing is carried out had to be modified or redesigned, once developed and implemented, because design errors were identified that could cause damage or harm to the interested parties and their rights and freedoms.

In this order of ideas, recital 78 of the GDPR provides:

The protection of the rights and freedoms of natural persons with respect to the processing of personal data requires the adoption of appropriate technical and organizational measures in order to ensure compliance with the requirements of this Regulation. In order to be able to demonstrate compliance with this Regulation, the controller must adopt internal policies and implement measures that comply in particular with the principles of data protection by design and by default. Such measures could include, inter alia, minimising the processing of personal data, pseudonymising personal data as soon as possible, making the functions and processing of personal data transparent, allowing data subjects to monitor data processing and the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or that process personal data in order to perform their function, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing these products, services and applications, and to ensure, with due regard to the state of the art, that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into account in the context of public procurement.

Specifically, in light of recital 78 of the GDPR, the principle of data protection by design is the key to be followed by the data controller to demonstrate compliance with the GDPR, since the data controller must adopt internal policies and implement measures that comply in particular with the principles of data protection by design and by default.

The principle of privacy by design is an example of the shift from reactivity to proactivity and a direct manifestation of the risk approach imposed by the GDPR.

Accountability requires that this principle be considered from the earliest stages of planning a processing operation: the controller, from the moment that a possible processing of personal data is designed and planned, must determine all the elements that make up the processing, in order to effectively apply the data protection principles, integrating the necessary guarantees into the processing with the ultimate goal of protecting the rights of the interested parties, in compliance with the provisions of the GDPR.

Thus, with respect to the risks that may be present in the processing, the controller must carry out an exercise of analysis and detection of the risks throughout the data processing cycle, with the primary and ultimate goal of protecting the rights and freedoms of the interested parties, and not only when the processing actually occurs. This is stated in the EDPB Guidelines 4/2019 on Article 25 Data protection by design and by default, adopted on 20 October 2020.

The aforementioned Guidelines indicate in this regard that:

“35. The “time of determining the means of processing” refers to the period of time in which the controller is deciding how it will carry out the processing and how it will occur, as well as the mechanisms that will be used to carry out such processing. In the process of adopting such decisions, the controller must assess the appropriate measures and guarantees to effectively implement the principles and rights of data subjects in the processing, and take into account elements such as the risks, the state of the art and the cost of implementation, as well as the nature, scope, context and purposes. This includes the time of acquisition and implementation of software and hardware and data processing services.

36. Taking into account DPbDD from the beginning is crucial for the correct application of the principles and for the protection of the rights of the interested parties. Furthermore, from the perspective of cost-effectiveness, it is also in the interest of controllers to take DPbDD into account as soon as possible, since it could later be difficult and costly to introduce changes to plans already formulated and processing operations already designed”


Likewise, the aforementioned EDPB Guidelines 4/2019 provide that “61. In order to make DPbDD effective, controllers must apply the principles of transparency, lawfulness, fairness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. These principles are included in Article 5 and Recital 39 of the GDPR.”

The AEPD Privacy by Design Guide states that “Privacy by Design (hereinafter, PbD) involves using a risk management-oriented approach and proactive responsibility to establish strategies that incorporate privacy protection throughout the entire life cycle of the object (whether it is a system, a hardware or software product, a service or a process). The life cycle of the object is understood as all the stages that it goes through, from its conception to its retirement, including the development, production, operation, maintenance and retirement phases.”

The Guide states that “Privacy must be an integral and inseparable part of the systems, applications, products and services, as well as the business practices and processes of the organization. It is not an additional layer or module that is added to something pre-existing, but must be integrated into the set of non-functional requirements from the moment it is conceived and designed (…) Privacy is born in the design, before the system is in operation and must be guaranteed throughout the entire life cycle of the data”.

Therefore, the measures referred to in article 25 of the GDPR aim to ensure that the company has integrated personal data protection into its processing operations, even before the processing of personal data actually begins.

In this way, the aim is to ensure that personal data protection is taken into consideration from the very beginning, from the moment of decision-making or the moment of planning.

ORANGE, in its written allegations to the agreement to start this sanctioning procedure,
states that it complies with the provisions of
Article 25. To this end, it has stated that it is the office of the
Company's Data Protection Officer that intervenes to allow the launch of projects,
products and services that may impact the processing of personal data of ORANGE's
customers and users, and this would be reflected in the following
documents, which it provides together with its written allegations to the agreement to start this
sanctioning procedure:

- Document 5 relating to the “Privacy Management Dashboard”, which, according to
ORANGE, is shared annually with the company.

This document provided by ORANGE is a form in English, referring to the year 2023, in which fields relating to the processing of personal data carried out in the company must be completed.


- Document 6, which is a report containing the audit opinion on the application of the principles of privacy by design and by default. It is a report in which conclusions are drawn without specifying any type of action; rather, ORANGE takes into account “the application of the Principle of Privacy by Design in order to try to proactively anticipate events that may affect privacy, avoiding, as far as possible, their materialization and, therefore, the impact on the rights and freedoms of those affected in terms of data protection.”

- Document 7, which is entitled “Data Protection Procedure by design and by default.” This document shows that the application of this principle is intended, but it is not materialized in specific processes; it is only stated that it will be taken into account.

From this documentation it is concluded that these documents make a generic reference to the possibility of the existence of risks, but the risks are not identified in a concrete way, and no specific actions are foreseen with respect to the possibility of their occurrence. These are not documents from which, after an evaluation of the risks involved in the delivery of a duplicate SIM card to an unauthorized third party, the application of certain procedures is derived, from the beginning of the processing, contemplating specific effective measures for their mitigation.

It should not be forgotten that the GDPR aims to achieve the protection of the rights of the interested parties, and, therefore, the focus must be directed to the identification and evaluation of the risks to the rights and freedoms of the interested parties, with the subsequent adoption of technical and organizational measures of all kinds intended to prevent their materialization.

Thus, if the company's approach is not oriented to the risks to the rights and freedoms of the interested parties, as is the case here, not only will it not provide effective protection for the interested parties, but it also constitutes a breach of article 25 of the GDPR.

In its allegations to the agreement to initiate this sanctioning procedure, ORANGE states that the action that motivated the opening of this sanctioning procedure was the fraudulent action of an agent who caused an error in the system in order to allow the performance of a commercial act by misusing his permissions. ORANGE adds that this fraud was considered to be low risk.

It also highlights that, when explaining this process, "it should not be forgotten at any time that ORANGE is a telecommunications company that provides services to its clients, and that they demand agility in carrying out the procedures and processes they request. The delay in these processes is perceived negatively, which requires that the established protocols be compatible with an adequate user experience and, therefore, that there be different options to meet the needs of the clients."

With this statement, the speed of the customer service process is being prioritized over the guarantees of the rights of individuals.


ORANGE has also stated that the implementation and supervision of technical security measures is entrusted to the systems department. In the case of fraud detection, although the possibility of fraud may be identified by the DPO office or any other area, its management is coordinated from the specific department of the company specialized in fraud prevention, which is the one that evaluates the risks according to a specific protocol and methodology. To prove this, ORANGE provides the following documents:

1. Document 8, regarding the “group Risk Management Policy”.

This document is provided in English and refers, in a theoretical manner, to what is considered a risk.

2. Document 9, which contains the Risk Control and Management Policy.

This document is written in Spanish and its introduction states that it is the Risk Control and Management model of ORANGE Spain, which forms part of the methodology developed by the ORANGE group; however, the document is written in a theoretical manner, in such a way that no concrete mention is made of the possibility that an employee could (…).

3. Document 10, which describes the operation of the Local Risk Committee.

4. Document 11, which lists the ORANGE Internal Control Policy.

From these documents it is concluded that this is a documentation in which reference is made to the possibility of the existence of risks, but they are not identified in a concrete manner, and no specific actions are planned with respect to the possibility of situations such as those that have occurred in the present disciplinary procedure, to the extent that no specific mention is made of the possibility that an employee could (…).

It should not be forgotten that the GDPR aims to achieve the protection of the rights of the interested parties, and, therefore, the focus must be directed at the identification and evaluation of the risks in the rights and freedoms of the interested parties, with the subsequent adoption of technical and organizational measures of all kinds intended to prevent their materialization.

Thus, if the company's approach is not oriented towards the risks to the rights and freedoms of the interested parties, but is instead directed towards the risks to the company itself, not only will it not provide effective protection for the interested parties, but it also constitutes a breach of Article 25 of the GDPR.

ORANGE has also expressed its disagreement with the fact that human intervention cannot be carried out in the processes. However, at this point, what is being questioned is that ORANGE did not have any control planned for cases in which it could be (…).


Therefore, the response given by ORANGE cannot be accepted, since a fully automated process is not being required; rather, the risk was not foreseen in the implementation of the system, as no mechanism was implemented to prevent incorrect use of its manual protocols. All this bearing in mind that the usual procedure for issuing duplicate SIM cards by ORANGE is automated, and that ORANGE has stated in this same written statement that it has suspended the possibility of manual validation of the identity documents of SIM card applicants.

Furthermore, as already mentioned above, it should not be forgotten that ORANGE has stated, when explaining this process, that, “it should not be lost sight of at any time that ORANGE is a telecommunications company that provides services to its clients, and that these demand agility in carrying out the procedures and procedures they request. The delay in these procedures is perceived in a negative way, which requires that the established protocols be compatible with an adequate user experience and, therefore, different options be available to meet the needs of the clients.”

For all the above reasons, this allegation by ORANGE cannot be taken into account: the question is not whether the procedures can be automated, but rather that the agility of the procedures neither justifies nor can be an impediment to complying with the provisions of the data protection regulations, which are mandatory in cases such as the present one, in which personal data of the interested parties are being processed.

Sixth: Concurrent infringements.

ORANGE understands that the initiation agreement refers to a single fact, subject and basis, which would be the adoption of measures in the procedure for duplicating the SIM card in the cases of manual intervention assessed. In its view, this would constitute a case of instrumental concurrence (concurso medial) in criminal proceedings, or a concurrence of offences in administrative proceedings, which applies "whenever the application of a provision prevents or subsumes the applicability of the other", and which makes it contrary to the legal system to sanction the offender twice for the same offence.

ORANGE understands that, from the initiation agreement it is clear that, in relation to the
analysed facts, there is a direct connection between the violations of the two
articles.

In this way, the infringement of article 6.1 GDPR, or the existence of an alleged unlawful data processing, was necessary and inevitable for a violation of the principle of privacy by design and by default to take place, resulting from not having sufficient security measures. Thus, if ORANGE had had measures that would prevent the duplication of the SIM card, the infringement of the principle of privacy by design and by default of article 25 of the GDPR could not have been concluded.

Consequently, there would be a concurrence of infringements, since the commission of
one would necessarily imply the commission of the other.


However, in relation to this issue, it must be taken into account that articles 6.1 and 25 are classified differently in the GDPR, are classified differently for the purposes of limitation periods by the LOPDGDD, and each of them has its own distinct identity.

If ORANGE's statement were true, the violations of said articles would not be classified as different violations.

Thus, article 6.1 of the GDPR establishes the assumptions that allow
the processing of personal data to be considered lawful.

In the present case, ORANGE was charged with issuing a SIM card in the name of the complainant, without the latter having requested it, and its delivery to an unauthorized third party.

ORANGE has acknowledged this, both in its letter dated January 30, 2023,
and in its letter dated March 30, 2023, stating that said duplicate would have been produced, on November 15, 2022, without it having been requested
by the complainant.

Therefore, ORANGE issued a SIM card to a third party who was not the owner of the line, and without following the procedure implemented by itself, since the duplicate of the card has been issued without it having been requested by the owner of the line. In short, it carried out these personal data processing operations without any of the bases for legitimacy contemplated in art. 6 of the GDPR being met.

Consequently, the diligence used by ORANGE in
the identification of the person requesting the duplicate has been called into question.

In this regard, Recital 40 of the GDPR states:

“(40) In order for processing to be lawful, personal data must be processed with the consent of the data subject or on another legitimate basis established by law, either in this Regulation or by virtue of another Union or Member State law to which this Regulation refers, including the necessity to comply with the legal obligation applicable to the controller or the necessity to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.”

Furthermore, as a general rule, ORANGE processes the data of its clients under the provisions of Article 6.1.b) of the GDPR, when processing is considered necessary for the performance of a contract to which the data subject is a party or for the application, at the request of the data subject, of pre-contractual measures. For the remaining cases, the lawfulness of the processing is based on the bases provided for in article 6.1.a), c), e) and f) of the GDPR.

As already noted above, the processing carried out by ORANGE, in this case, cannot be based on the provisions of section b of article 6.1, since this duplicate SIM card was not based on the execution of any contract, as it was not necessary for its execution nor had it been requested by the complaining party, nor was the processing based on any other of those provided for in article 6.

On the other hand, article 25 of the GDPR provides:

“1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and seriousness that the processing entails for the rights and freedoms of natural persons, the data controller shall apply, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organisational measures, such as pseudonymisation, designed to effectively implement the principles of data protection, such as data minimisation, and integrate the necessary safeguards into the processing, in order to comply with the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures to ensure that, by default, only those personal data that are necessary for each of the specific purposes of the processing are processed. This obligation shall apply to the quantity of personal data collected, the extent of their processing, their retention period and their accessibility. Such measures shall ensure in particular that, by default, personal data are not made available to an indeterminate number of natural persons without the intervention of the data subject.

3. A certification mechanism approved pursuant to Article 42 may be used as evidence of compliance with the obligations set out in paragraphs 1 and 2 of this Article.”

As can be seen, this article is based on the need to take into account a series of elements:

- State of the art
- Cost of implementation
- Nature, scope, context and purposes of processing
- Risks that processing entails for the rights and freedoms of natural persons.

In addition, it imposes an obligation on the controller, who is the one who determines the purposes and means of processing, giving special relevance to the means.

And it must apply, both when determining the means of processing and at the time of processing itself, appropriate technical and organizational measures, designed to effectively apply the principles of data protection and to integrate the guarantees that are necessary in the processing.

This has a double purpose:

- comply with the requirements of the GDPR
- protect the rights of interested parties.


At this point, it is also necessary to take into account the provisions of recital 78 of the GDPR reproduced above.

Thus, the measures provided for in article 25 of the GDPR are not exclusively security measures, but rather the aim is for the company or organisation to have the protection of personal data integrated into it, into its organisation, into its ordinary operation, from the design stage. That is, it should be an integral and relevant part of it, even before the processing of personal data actually begins, from the moment of decision-making or from the moment of planning.

The obligation affects the entire organization and involves a continuous process of review and feedback in order to verify whether all existing technical and organizational measures of all kinds implemented by the organization are adequate to comply with the requirements of the GDPR and protect the rights of data subjects.

In this way, if they are not adequate, they could be modified, or, where appropriate,
reinforced, incorporating new measures that guarantee more adequate
protection of personal data.

Therefore, in accordance with all this, it can be seen that the perspective or
angle through which reality is viewed is different from that provided for in
Article 6 of the GDPR.

In this sense, the GDPR articulates a complete system intended to guarantee the protection of citizens' personal data, and to this end, it focuses its attention on different aspects that must be examined by those responsible for or in charge of processing.

Each article constitutes an angle from which to observe reality in order to articulate the measures that guarantee adequate protection of personal data, and which must be taken into account to articulate protection in accordance with the provisions of the GDPR.

In its written allegations to the initiation agreement, ORANGE states that "the infringement of article 6.1 GDPR, or the existence of an alleged illegal data processing, was necessary and inevitable for a violation of the principle of privacy by design and by default to take place, resulting from the lack of sufficient security measures. Thus, if ORANGE had had measures that would have prevented the duplication of the SIM card, it would not have been possible to conclude that the principle of privacy by design and by default of article 25 of the GDPR was infringed."

However, this statement cannot be accepted, since, as has been indicated, these are infringements that require the concurrence of different elements for their commission. Thus, on the one hand, the infringement of article 6 of the GDPR requires carrying out the processing of personal data without having diligently verified that there was a basis of legitimacy for it. On the other hand, the infringement of article 25 requires the lack of, or deficient, implementation from the design stage of appropriate measures to comply with the GDPR, which can occur regardless of whether data processing takes place without a basis of legitimacy. Obviously, in both infringements there must be a lack of diligence, but with respect to different conduct.

ORANGE cites the National Court's ruling of 24 April 2013, Rec. 69/2011, according to which:

“In order to judge this second infringement, it is essential, in the opinion of the Court, to refer to the concurrence of infringements whose existence is also invoked in the complaint. To this end, reference must be made to the provisions of article 4.4 of Royal Decree 1398/1993, according to which: in the absence of specific regulation established in the corresponding norm, when the commission of an infringement necessarily leads to the commission of another or others, only the sanction corresponding to the most serious infringement committed should be imposed.

A precept that has been interpreted by the Supreme Court judgment of 8 February 1999 (Rec. 9/1996) in the sense that the application of the medial competition requires a necessary derivation of some infringements with respect to the others and vice versa, so it is essential that one cannot be committed without executing the others”

ORANGE understands that, in the event of an infringement of articles 6.1 and 25 of the GDPR being appreciated, these would be concurrent infringements, and that the applicable sanction would in any case be that corresponding to the breach of article 6.1 GDPR, taking into account the provisions of article 29.5 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector, according to which:

“when the commission of an infringement necessarily results in the commission of another or others, only the sanction corresponding to the most serious infringement committed shall be imposed.”

However, it must be taken into account, in addition to what has been previously stated by this Agency, that, first of all, article 29 of the LRJSP is not applicable to the sanctioning regime imposed by the GDPR.

1. The GDPR is a complete system.

The GDPR is a community regulation directly applicable in the Member States, which contains a new, closed, complete and global system intended to guarantee the protection of personal data in a uniform manner throughout the European Union.

In relation, specifically and also, to the sanctioning regime provided for therein, its provisions apply immediately, directly and completely, providing a complete and gap-free system that must be understood, interpreted and integrated in an absolute, complete and integral manner, thus leaving intact its ultimate purpose, which is the effective and real guarantee of the fundamental right to the Protection of Personal Data. The opposite determines the reduction of the guarantees of the rights and freedoms of citizens.

In fact, a specific example of the absence of gaps in the GDPR system is article 83 of the GDPR, which determines the circumstances that may operate as aggravating or mitigating factors with respect to an infringement (art. 83.2 of the GDPR) or which specifies the existing rule regarding a possible medial competition (art. 83.3 of the GDPR).

To the above we must add that the GDPR does not allow the development or specification of its provisions by the legislators of the Member States, except for what the European legislator itself has specifically provided, delimiting it in a very specific way (for example, the provision of art. 83.7 of the GDPR). The LOPDGDD only develops or specifies some aspects of the GDPR to the extent, and in the terms, that the GDPR allows it.

This is because the purpose intended by the European legislator is to implement a
uniform system throughout the European Union that guarantees the rights and freedoms of
natural persons, that corrects behavior contrary to the GDPR, that encourages
compliance, that enables the free circulation of these data.

In this sense, recital 2 of the GDPR determines that,

“(2) The principles and rules relating to the protection of natural persons with regard to the processing of their personal data must, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular the right to the protection of personal data. This Regulation aims to contribute to the full realisation of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and convergence of economies within the internal market, as well as to the well-being of natural persons.” (emphasis added)

Recital 13 of the GDPR goes on to state that,

“(13) In order to ensure a consistent level of protection of natural persons throughout the Union and to avoid divergences which hinder the free flow of personal data within the internal market, a regulation is necessary which provides legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and provides natural persons in all Member States with the same level of enforceable rights and obligations and responsibilities for controllers and processors, in order to ensure consistent supervision of the processing of personal data and equivalent sanctions across Member States, as well as effective cooperation between supervisory authorities in different Member States. The proper functioning of the internal market requires that the free flow of personal data within the Union is not restricted or prohibited on grounds related to the protection of natural persons with regard to the processing of personal data.” (emphasis added)

In this system, the GDPR is not determined by fines. The corrective powers of the supervisory authorities provided for in art. 58.2 of the GDPR, combined with the provisions of art. 83 of the GDPR, show the prevalence of corrective measures over fines.


Thus, art. 83.2 of the GDPR states that “Administrative fines shall be imposed,
depending on the circumstances of each individual case, as an additional or substitute for
the measures contemplated in article 58, section 2, letters a) to h) and j).”.

In this way, corrective measures, which are all those provided for in art. 58.2 of the GDPR except the fine, take precedence in this system, with the financial fine being relegated to cases in which the circumstances of the specific case determine that a fine be imposed together with the corrective measures or as a substitute for them. All of this is aimed at enforcing compliance with the GDPR, avoiding non-compliance, encouraging compliance and ensuring that infringement is not more profitable than compliance.

For this reason, art. 83.1 of the GDPR provides that “Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive”.

Fines must be effective, proportionate and dissuasive in order to achieve
the purpose intended by the GDPR.

For this system to function with all its guarantees, it is necessary that its various elements be deployed in a complete and comprehensive manner. The application of rules other than the GDPR to the determination of fines in each of the Member States under their national law, whether through aggravating or mitigating circumstances not provided for in the GDPR - or in the LOPDGDD in the Spanish case - or through the application of a medial competition other than that provided for in the GDPR, would reduce the effectiveness of the system, which would lose its meaning and its teleological purpose, with the result that fines imposed for different infringements would cease to be effective, proportionate and dissuasive. In this way the interested parties would also be deprived of the effective guarantee of their rights and freedoms, weakening the uniform application of the GDPR. The mechanisms for protecting the rights and freedoms of citizens would be reduced, and this would be contrary to the spirit of the GDPR.

The GDPR is endowed with its own principle of proportionality that must be
applied in its strict terms.

2. There is no legal gap, there is no supplementary application of art. 29 of the GDPR.

In addition to the above, it should be noted that there is no legal gap regarding the application of medial competition. Neither does the GDPR allow, nor does the LOPDGDD provide for, the supplementary application of the provisions of art. 29 of the LRJSP.

In Title VIII of the LOPDGDD regarding "Procedures in the event of a possible violation of data protection regulations", article 63, which opens the Title, provides that "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." Although there is a clear reference to the LPACAP, there is no subsidiary application established in respect of the LRJSP, which does not contain in its articles any provision relating to any administrative procedure.

In the same way that the AEPD does not apply the aggravating and mitigating circumstances provided for in art. 29 of the LRJSP, since the GDPR establishes its own, so that there is no legal gap or subsidiary application of them, neither does it apply the section relating to medial competition, for identical reasons.

In the specific case examined, and without prejudice to the above, it should be noted
that there is no medial competition.

Article 29.5 of the LRJSP establishes that “When the commission of an infringement necessarily results in the commission of another or others, only the sanction corresponding to the most serious infringement committed shall be imposed.”

Thus, medial competition occurs when in a specific case the commission of
an infringement is a necessary means to commit another different one.

The established facts determine, as has been said, the commission of two different infringements, without the violation of article 6 of the GDPR (lack of legitimacy in the issuance of the duplicate SIM card of the complaining party) being, as ORANGE asserts, the necessary means by which the infringement of article 25 of the GDPR occurs.

Finally, ORANGE refers to Guidelines 4/2022 on the calculation of administrative fines under the GDPR, which stipulate the criteria that the administrative authority must follow to assess, prior to the imposition of the sanction, the possible occurrence of these fines.

In relation to the quote from the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, in version 2.1, adopted on 24 May 2023, paragraph 22 refers to three types of concurrence, namely infringement, unity of action and plurality of actions:

“When examining the analysis of the Member States’ traditions regarding concurrence rules, as indicated in the case law of the CJEU, and taking into account the different areas of application and legal consequences, these principles can be roughly grouped into the following three categories:
- Concurrence of infringements (chapter 3.1.1),
- Unity of action (chapter 3.1.2),
- Plurality of actions (chapter 3.2).”

In cases of concurrent infringements, the provision established in this regard is that contained in article 83.3 of the GDPR, which establishes a quantitative limit in these cases of concurrence:

“If a controller or processor intentionally or negligently fails to comply, for the same processing operations or linked operations, with various provisions of this Regulation, the total amount of the administrative fine will not exceed the amount provided for the most serious infringements.” (emphasis added).

If we were to accept the argument put forward by ORANGE, it could be concluded that the “full applicability of medial competition” referring to the preferential application of article 29 of the LRJSP, in its sole claim to pay a single fine instead of the two imposed, displaces or annuls the validity of article 83.3 of the GDPR, which is why it is contrary to the legal system.

Lastly, and no less important, the AEPD does not sanction for the same offense, as ORANGE claims, but rather the commission of two different offenses, classified in a different way, has been established through proven facts, and there is, in addition, no medial competition in the specific case.

For all the above, this allegation is rejected.

Seventh: On the inadmissibility of objective liability.

In relation to this issue, ORANGE points out that the agreement to initiate the present sanctioning procedure is based on an analysis of the results, insofar as it would consider that the issuance of the duplicate SIM card automatically entails the consideration that adequate measures were not taken, thus automatically giving rise to direct liability on the part of ORANGE, establishing an obligation of result.

ORANGE adds that this AEPD limits the obligation to the result, by pointing out that the circumvention of the measures by ORANGE's agents entails the automatic consideration that the measures were insufficient, and that this fact means adopting a principle of objective liability vetoed by our legal system on numerous occasions by the Constitutional Court.

On the contrary, this Agency considers that the deficiencies observed in the measures adopted by ORANGE from the design stage have been made clear, and that these show non-compliance with art. 25 of the GDPR.

In this procedure, the risk that has existed since the application of the so-called PSD2 (the second Payment Services Directive) is being analysed, since that is when the type of fraud detailed in this sanctioning file began to be carried out, through the use of a duplicate SIM card obtained improperly by a person other than its owner.

Thus, the infringement arose not only due to the lack of measures for the issuance of SIM duplicates, but also due to the need for their review and reinforcement. This is determined in article 25 of the GDPR when it establishes: “…the data controller shall apply, both at the time of determining the means of processing and at the time of processing itself, appropriate technical and organizational measures…”

It is not enough to implement technical and organizational measures; they must also be adapted and reviewed to mitigate the risks. The continuous advance of technology and the evolution of processing operations lead to the continuous appearance of new risks that must be managed, as is the case with the SIM swapping attack, used for some time by cybercriminals to carry out computer fraud. This is not an operation unknown to ORANGE, the use of which may have surprised it, so when evaluating the risks it should have taken this into account, which translates into greater use by criminals of mechanisms to seize duplicate SIM cards from customers, which cannot be ignored by ORANGE. In this context, the GDPR requires that data controllers review the measures from the design stage, establishing appropriate measures to demonstrate that the rights and freedoms of individuals are guaranteed, taking into account, among others, the "risks of varying probability and severity for the rights and freedoms of natural persons" (Article 24.1) by applying the appropriate measures.

In the present case, the technical and organisational measures implemented from the
design stage have not been effective, as has been confirmed in the present
sanctioning procedure.

The technical and organisational measures must guarantee a level of protection
appropriate to the risk, which has not been done in this case.

To select the appropriate measures, the controller must base their decision on the risks
to individuals, as well as on what is reasonable and technically possible.

Article 28.2.a) of the LOPDGDD establishes some cases in which it already warns that it is necessary to deal with greater risks than those that the controller could estimate if it only took into account its own interests (identity theft, economic damages, etc.).

As has already been pointed out previously in this sanctioning procedure, the
SIM card constitutes the physical medium through which the personal data of the affected
person is accessed. If their availability and control are not guaranteed, access to the personal data of the owner, as well as the possible use or uses by third parties, becomes a threat that can have devastating effects on the lives of these people.

The Constitutional Court pointed out in its Judgment 94/1998, of May 4, that we are faced with a fundamental right to data protection by which the person is guaranteed control over his or her data, any personal data, and over its use and destination, to avoid illicit trafficking of the same or harmful to the dignity and rights of those affected; in this way, the right to data protection is configured as a right of the citizen to oppose that certain personal data be used for purposes other than that which justified its obtaining.

The risk approach and the flexible risk model imposed by the GDPR - based on the double configuration of security as a principle related to processing and an obligation for the controller or processor - does not impose in any case the infallibility of the measures, but rather their constant adaptation to a risk which, as in the case examined, is certain, probable and not negligible, high and with a very significant impact on the rights and freedoms of citizens.

During the investigation of the procedure it was found that the technical and organizational measures had not been adapted from the design stage to the risks posed by technological evolution, which seriously jeopardizes the rights of the interested parties, since the measures were not effective in avoiding or mitigating the increased risk of fraud that could be generated in the request for duplicate SIM cards, with the aim of perpetrating a SIM swapping attack. In addition, ORANGE cannot deny the fact that it processes personal data on a large scale.

Thus, in fact, the principle of guilt applies in matters of sanctions (STC 15/1999, of July 4; 76/1990, of April 26; and 246/1991, of December 19), which means that some kind of intent or fault must be present. As the STS of January 23, 1998 says, "...we can speak of a decided line of jurisprudence that rejects objective liability in the sanctioning sphere of the Administration, requiring the concurrence of intent or fault, in line with the interpretation of STC 76/1990, of April 26, when it indicates that the principle of guilt can be inferred from the principles of legality and prohibition of excess (article 25 of the Constitution) or from the requirements inherent to the Rule of Law."

The lack of diligence in implementing the appropriate measures at the source to
verify that the person requesting or activating the duplicate SIM card is the
owner of the card is, precisely, what constitutes the element of culpability.

As regards the fact that ORANGE was the victim of fraud, it should also be noted that
ORANGE must be in a position to establish mechanisms that prevent fraudulent
duplication of SIM cards from occurring, measures that respect the
integrity and confidentiality of the data and that prevent a third party from accessing data
that is not owned by it, since it is precisely the operator's responsibility to process personal
data in accordance with the GDPR (recitals 76, 77, 78, 79, 81 and 83 GDPR;
Article 32 of the GDPR and Article 28 of the LOPDGDD).

Regular testing, measurement and evaluation of the effectiveness of the technical and organizational measures applied to the processing are the responsibility of each controller and processor under the GDPR.

ORANGE as controller is therefore obliged to verify both the selection and the level of effectiveness of the technical and organizational means used. The thoroughness of this verification must be assessed through the prism of risk adequacy and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and purposes of the processing.

Certainly, the principle of responsibility provided for in article 28 of the LRJSP provides that: “Only natural and legal persons may be sanctioned for acts constituting an administrative infraction, as well as, when a Law recognizes their capacity to act, groups of affected persons, unions and entities without legal personality and independent or autonomous assets, which are responsible for the same by way of fraud or negligence.”

However, the way of attributing responsibility to legal persons does not
correspond to the forms of malicious or reckless culpability that are attributable
to human conduct. Thus, in the case of infringements committed by legal persons, although the element of guilt must be present, this is necessarily applied in a different way to that applied to natural persons.


According to STC 246/1991 "(...) this different construction of the imputability of the authorship of the infringement to the legal person arises from the very nature of legal fiction to which these subjects respond. They lack the volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject.

Capacity for infringement and, therefore, direct blameworthiness that derives from the legal asset protected by the rule that is infringed and the need for said protection to be truly effective and from the risk that, consequently, the legal person who is subject to compliance with said rule must assume" (in this sense STS of 24 November 2011, Rec 258/2009).

In addition to the above, following the judgment of 23 January 1998, partially transcribed in the SSTS of 9 October 2009, Rec 5285/2005, and of 23 October 2010, Rec 1067/2006, "although the culpability of the conduct must also be the subject of proof, it must be considered in order to assume the corresponding burden, that ordinarily the volitional and cognitive elements necessary to assess it form part of the proven typical conduct, and that their exclusion requires that the absence of such elements be proven, or in its normative side, that the diligence that was required by the person who claims their nonexistence has been used; in short, the invocation of the absence of guilt is not enough for exculpation in the face of typically unlawful behaviour."

Ultimate responsibility for processing remains with the data controller, who determines the existence of processing and its purpose.

It should be remembered that operators process their clients' data by determining ends and means. Therefore, it is the responsibility of operators (ORANGE, in this case) to implement appropriate measures to ensure compliance with the GDPR, so that if this principle is compromised due to a lack of diligence in implementing sufficient measures to do so, the operator in question will be held responsible for such infringement.

In this regard, the National Court's ruling of February 9, 2023 states:

“The principle of guilt derived from Article 25 CE, as pointed out by STC 246/1991, of December 19, constitutes a basic structural principle of administrative sanctioning law, and is recognized in Article 28.1 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector, by providing that: “Only natural or legal persons (…) who are responsible for them by deceit or fault may be sanctioned for acts constituting an administrative infraction.”

Therefore, as stated in the STS of 18 March 2005, Rec. 7707/2000, it is evident that "an administrative offence could not be considered to have been committed if the subjective element of guilt were not present or, in other words, if the conduct typically constituting an administrative offence were not attributable to intent or fault."


With regard to the fact that the risks surrounding the duplication of SIM cards had not been identified prior to the application of the PSD2 Directive, it should be noted that the contested decision already states (page 872): "In the present procedure, the risk existing before the application of the so-called PSD2 is not being analyzed, but rather the risk that arises from its application, which is when fraud begins to be committed through the use of a duplicate SIM card obtained improperly by a person other than its owner (…) in the present case the security measures implemented are not sufficient to guarantee the confidentiality of the personal data in question."

Furthermore, it is clear that the risk of identity theft is permanently present in the business activity of (…). It is a real risk whose ultimate purpose is to impersonate another person and which seeks, in cases such as the one examined, the contracting of products or the obtaining of a duplicate of the SIM card by someone who is not its authentic owner, a risk that the appellant cannot claim was unknown to it.

Regarding the alleged objective liability, the contested decision does not consider (…) responsible for the result, but for a loss of confidentiality linked to the inadequacy of the security measures implemented and, ultimately, due to a lack of diligence on the part of said entity.

(…)

This lack of diligence on the part of (…), as the data controller, when implementing at source the appropriate security measures to verify that the person requesting or activating the duplicate SIM card is the owner of the card is what constitutes the element of culpability.

Consequently, the subjective element of culpability necessary to be able to sanction is present, which is incompatible with the existence of the alleged invincible error. The security measures implemented subsequently do not affect the commission of the infringement and, contrary to what the plaintiff claims, cannot support the application of an exonerating circumstance, without prejudice to the fact that they have been taken into consideration as an attenuating circumstance under Article 83(2)(c) of the GDPR when setting the sanction.”

Therefore, the allegation presented by ORANGE cannot be taken into account.

Eighth: Regarding the measures adopted and implemented by ORANGE.

ORANGE refers to all the measures implemented in relation to the procedure for issuing duplicate SIM cards, both previously and those implemented subsequently.

In this sense, it refers to:

1. Measures implemented to prevent the commission of fraud derived from identity theft.


2. Measures implemented by ORANGE to prevent the commission of fraud derived from the impersonation of agents and/or employees of ORANGE.

3. Measures adopted by ORANGE in relation to this case, not included in the previous sections.

This question has already been answered in the fifth section of the response to these allegations, to which we refer.

Ninth: Lack of proportionality of the sanction imposed.

ORANGE makes this statement claiming that it has demonstrated that it acted with due diligence in implementing measures in the SIM card duplication processes, and that in this case the agents acted individually and deceitfully, breaking the company's standards and protocols.

In any case, it considers that the sanction included in the initiation agreement is disproportionate considering the circumstances and content of the alleged infringement, which ORANGE denies.

In relation to the alleged non-compliance with the principle of proportionality, the GDPR expressly provides for graduation, through fines that can be modulated taking into account a series of circumstances of each individual case, so that they are effective, proportionate and dissuasive (Article 83(1) and (2) GDPR). These general conditions for the imposition of administrative fines have been the subject of analysis by this Agency, and the grading criteria provided for in the LOPDGDD must be added to them.

It should be noted that the agreed administrative fine will be effective because it will lead the company to apply the technical and organizational measures that guarantee the rights and freedoms of the data subjects, taking into account the criticality of the processing.

It is also proportionate to the identified infringement, in particular its seriousness, the circle of individuals affected, the risks incurred and the financial situation of the company.

Lastly, it is dissuasive. A dissuasive fine is one that has a genuine deterrent effect. In this regard, the judgment of the CJEU of 13 June 2013, Versalis SpA v Commission, C-511/11, ECLI:EU:C:2013:386, states:

“94. With regard, first of all, to the reference to the Showa Denko
v Commission judgment, cited above, it should be noted that Versalis interprets it
incorrectly. Indeed, the Court of Justice, in stating in paragraph 23 of the judgment that the deterrent factor is assessed taking into account a multitude of factors and not only the particular situation of the undertaking in question, was referring to points 53 to 55 of the Opinion presented in that case by Advocate General Geelhoed, who had stated, in essence, that the deterrent multiplier coefficient may have as its object not only a "general deterrence", defined as an action to discourage all undertakings in general from committing the infringement in question, but also a "specific deterrence", consisting of dissuading the specific defendant from infringing the rules in the future. The Court therefore confirmed, in that judgment, only that the Commission was not required to limit its assessment to factors relating solely to the particular situation of the undertaking in question.”

“102. According to settled case-law, the purpose of the deterrent multiplying factor and of taking into account, in this context, the size and overall resources of the undertaking in question lies in the desired impact on the undertaking in question, since the penalty must not be insignificant, in particular in relation to the financial capacity of the undertaking (to that effect, see, inter alia, the judgment of 17 June 2010 in Case C-413/08 P Lafarge v Commission [2010] ECR I-5361, paragraph 104, and the order of 7 February 2012 in Case C-421/11 P Total and Elf Aquitaine v Commission [2012] ECR, paragraph 82).”

The Judgment of May 11, 2006, issued in the appeal for cassation 7133/2003, establishes that: “It must also be taken into account that one of the guiding criteria for the application of the principle of said administrative sanctioning regime (a criterion included under the heading of “principle of proportionality” in section 2 of Article 131 of the aforementioned Law 30/1992) is that the imposition of monetary sanctions should not mean that the commission of the typified infractions is more beneficial for the offender than compliance with the infringed rules.”

Also important is the jurisprudence resulting from the Judgment of the Third Chamber of the Supreme Court, issued on May 27, 2003 (rec. 3725/1999), which says: "Proportionality, specifically pertaining to the scope of sanctions, constitutes one of the principles that govern Administrative Sanctioning Law, and represents an instrument of control of the exercise of the sanctioning power by the Administration, even within the margins that, in principle, the applicable norm indicates for such exercise. It is certainly a concept that is difficult to determine a priori, but one that tends to adapt the sanction, by establishing its specific gradation within the indicated possible margins, to the seriousness of the act constituting the infringement, both in its aspect of unlawfulness and of guilt, considering as a whole the objective and subjective circumstances that make up the presumptively sanctionable fact - and, in particular, as results from Article 131.3 LRJ-PAC, the intentionality or reiteration, the nature of the damages caused and recidivism" (SSTS 19 July 1996, 2 February 1998 and 20 December 1999, among many others).

In this case, ORANGE stated that it had demonstrated that it had acted with diligence in the SIM card duplicate processes, and that, in this case, the agents acted individually and fraudulently, breaking the company's protocols.

Thus, this AEPD wishes to point out that, in this case, the agents' actions are not being examined, but rather the condition, characteristics and adequacy of the measures adopted by ORANGE, and the actions of the data controller in this regard.

ORANGE wishes to express its disagreement with the interpretation made by this Agency in relation to the aggravating factors:

a) the nature, seriousness and duration of the infringement (Article 83(2)(a) GDPR).

ORANGE states that this aggravating factor is based on the possible commission of fraudulent banking operations, and considers that it is not legally acceptable to use as an argument the use of bank accounts, the monetary damages of the victims of fraud or the way in which these operations are carried out by financial institutions to justify the sanction imposed, insofar as banking institutions are solely responsible for the security of their operations, as stated by the European Banking Authority in its “Opinion on the implementation of the RTS on SCA and CSC”, points 37 and 38, where it is determined that the security credentials used to perform the strong customer authentication of users of payment services are the responsibility of the account servicing entity.

In this regard, the Agency considers that the nature of the infringement is very serious, since it entails a loss of disposition and control over personal data. It has allowed criminals to steal identities by hijacking the telephone number after obtaining a duplicate of the SIM card. After the entry into force of the PSD2 Directive, as indicated, the mobile phone has come to play a very important role in making online payments, as it is necessary for the confirmation of transactions, which makes this device - and by extension the SIM card - a clear target for cybercriminals.

It should be noted that the PSD2 Directive applies to payment services provided within the Union (Article 2), and not to ORANGE, but it is also true that the issuance of a duplicate SIM card to a third party who is not the owner of the line gives impersonators control of the telephone line and, therefore, of the SMS messages sent to the telephone linked to the initial SIM card, and thus the ability to access the authentication code of the transaction.

It is true that the online banking access credentials must be known beforehand, but it is also necessary to obtain a duplicate of the SIM card owned by the person to be defrauded in order to obtain the confirmation SMS that the customer would receive on their mobile terminal as the second authentication factor, and it is this action (obtaining the duplicate) that has been taken into account in the present sanctioning procedure.

In relation to the aggravating factor referring to the infringement of Article 25 of the GDPR, ORANGE understands that not all of its clients should be taken into account, since not all of them are natural persons, nor do they all request a duplicate of the SIM card. Therefore, it understands that, in this case, there would be only one person involved, namely the person who filed the claim.


However, this Agency has already determined that the liability imputed to ORANGE is for not having the appropriate technical and organisational measures to guarantee the protection of customer data from the design stage.

The Agency considers that the level of potential damage is high, since access to duplicates of these SIM cards allows fraudulent banking operations to be carried out in a short period of time. By duplicating SIM cards, the alleged impersonators can gain control of the subscriber's line and thus receive the SMS messages addressed to the legitimate subscriber to confirm online transactions with banking entities, impersonating them. These SMS messages are sent by banks as part of the two-step verification of transactions such as money transfers or online payments, and access to these SMS messages is often the reason for the fraudulent duplication of SIM cards.

It is true that ORANGE is not responsible for the customer identification policies established by banks, nor can it be held liable for bank fraud. However, it is also true that if ORANGE were to secure the identification and delivery procedure, the bank's verification system could not even be triggered. After the fraudster has activated the new SIM, he takes control of the telephone line and can then carry out fraudulent banking transactions by accessing the SMS messages that banks send to their customers. This sequence of events generates a series of serious damages and losses that should have been taken into account in a data protection impact assessment (Recitals 89, 90 and 91 and Article 35 of the GDPR) or in the corresponding risk analysis. In short, from the moment a duplicate is given to a person other than the owner of the line or an authorized person, the customer loses control of the line and the risks, damages and losses multiply. In addition, the events occur with overwhelming immediacy.

In short, the application of Article 83(2)(a) of the GDPR refers to the seriousness of the proven facts, which is evident, among other things, in the social alarm generated by these fraudulent practices and in the very high probability of the risk materializing, without the number of claims filed being a determining factor. This is because what has been analyzed in the present sanctioning procedure are the technical and organizational measures implemented by the data controller following the claim filed with the AEPD.

In relation to ORANGE's statement that not all the clients considered in the initiation agreement to establish the number of affected persons are natural persons, it should be noted that this Agency has taken the figure from ORANGE's website, and that ORANGE may provide the data on the number of clients who are natural persons, although, as already indicated, in applying Article 83(2)(a) the number of clients has been taken into account, but also the social alarm generated by these fraudulent practices and the very high probability of the risk materializing, without the number of claims filed being a determining factor.

b) any previous infringement committed by the controller or processor (Article 83(2)(e) GDPR).


ORANGE states that previous infringements committed and sanctioned should not be taken into account, since they are not related to the present case.

However, point (e) of Article 83(2) of the GDPR expressly includes “any previous infringement committed by the controller”, so that all the cases reflected in the initiation agreement fall within it, taking into account that at no point is it indicated that such infringements must be of the same kind as the case in question.

c) the link between the business activity of the respondent and the processing of personal data of clients or third parties (Article 83(2)(k) GDPR in relation to Article 76.2.b) LOPDGDD).

ORANGE states that this factor is ambiguous in its assessment for inclusion as an aggravating factor, since said link does not imply a direct relationship with the alleged infringement, and, in addition, it requires that said aggravating factor be related to the specific factual situation, in which the data processing does not arise from an intention of the entity but rather from the commission of a crime.

However, this Agency takes into account that the business activity carried out by ORANGE requires continuous and large-scale processing of clients' personal data, which includes the issuance of SIM card duplicates, ORANGE being one of the large telecommunications operators in our country.

Furthermore, it cannot be forgotten that this specific factual situation is caused by a lack of adequate technical and organisational measures on the part of ORANGE.

Finally, it should be added that it is the legislator who provided for the possibility of using this aggravating factor, and the Agency merely applies it.

d) intentionality or negligence in the infringement.

ORANGE states that this Agency neither relates this aggravating factor to the present factual situation nor indicates how it applies to it.

Thus, it understands that, as the CJEU stated when it held that the imposition of sanctions by the administrative authority is only admissible in cases where culpable conduct by the controller or processor is found, the application of this aggravating factor must be reserved for cases where the intentionality or negligence is evident or serious.

Therefore, in this case, in which the assumption is caused by a criminal act not attributable to ORANGE, it is understood that this aggravating factor should not be imputed without any reasoning in this regard.

With regard to the fact that the factual situation that motivated the opening of this sanctioning procedure was caused by a criminal act not attributable to ORANGE, what has already been stated in this proposed resolution is reiterated: what is imputed to ORANGE is the failure to implement the necessary measures to prevent the duplication of the SIM card in the terms in which it occurred. In this sense, if ORANGE had been diligent in implementing the appropriate measures for the issuance of duplicate SIM cards, a situation such as that reported by the complainant would not have occurred.

In addition, it is considered that ORANGE's conduct corresponds to the type of infringement and to the degree of fault attributed, considering that it acted with gross negligence in the violation of Article 25. As a large-scale repository of personal data, and therefore accustomed to, or specifically dedicated to, the management of customers' personal data, it must be especially diligent and careful in its processing. That is, from the perspective of fault, we are faced with a surmountable error, since, with the application of the appropriate technical and organizational measures, these identity thefts could have been avoided.

Although the Agency considers that there was no intent on the part of ORANGE, it concludes that it was negligent in not ensuring a procedure that guaranteed the protection of clients' personal data. Thus, a socially damaging result is produced that warrants disapproval of the measures implemented, which were ineffective, regardless of the level of commitment demonstrated, which is unquestionable.

Denying that ORANGE acted negligently would be equivalent to recognizing that its conduct - by action or omission - was diligent. Obviously, we do not share this view of the facts, since the lack of due diligence has been proven. A large company that processes its clients' personal data on a large scale, in a systematic and continuous manner, must take extreme care in complying with its data protection obligations, as established by case law.

It is very illustrative that the SAN of October 17, 2007 (rec. 63/2006), assuming that these are entities whose activity involves continuous processing of customer data, indicates that “…the Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, special consideration must be given to the professionalism or lack thereof of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is one of constant and abundant handling of personal data, it is necessary to insist on the rigor and the exquisite care to comply with the legal provisions in this regard.”

In this sense, it is of vital importance to establish and implement the necessary procedures and measures, based on the characteristics and size of the operator, that make it possible to demonstrate that due diligence was exercised in trying to prevent identity theft from occurring. In addition, it must be possible to demonstrate that the necessary precautions required by the regulations were taken during the course of the business activity to avoid damage that was foreseeable. It is a matter of having an objective level of care, taking into account the specific circumstances of the case, that makes clear that the entity was aware of the possibility of suffering identity theft and that, accordingly, the appropriate measures were applied to reduce the materialization of such risk to the minimum possible.


On the other hand, ORANGE states that the following mitigating factors should have been taken into account:

- the respondent party proceeded to block the line as soon as it became aware of the facts (Article 83(2)(c)).

This mitigating factor cannot be taken into account when, as a consequence of the charged infringement, the complainant has suffered losses amounting to 9,000 euros.

- no special categories of data have been processed (Article 83(2)(g)).

This claim cannot be taken into account insofar as the processing of personal data included in the special categories can be taken into account as an aggravating factor when calculating the sanction, but the processing of personal data not included in these categories can never be considered an attenuating factor when imposing a sanction.

In addition, it is taken into account that the SIM card is personal data that is
especially sensitive in nature, since it enables identity theft.

- the degree of cooperation of ORANGE with the AEPD. ORANGE wishes to state that it has been proven that all requests for information were answered in a timely manner, in order to remedy the alleged infringement and mitigate its possible adverse effects (Article 83(2)(f)).

This claim cannot be taken into account insofar as responding to the requests for information sent by this Agency is an obligation of the controller, as stated in the LOPDGDD.

- adherence to codes of conduct pursuant to Article 40 or certification mechanisms approved pursuant to Article 42 (Article 83(2)(j)).

ORANGE provides as document no. 15 a certificate issued by AENOR, which certifies that ORANGE has had in place since September 4, 2023 a regulatory compliance system that meets the requirements of Article 31 bis of the Penal Code, as well as the other standards on compliance and crime prevention matters, such as Circular 1/2016, of January 22, of the Attorney General's Office, aimed at mitigating any risk of crimes being committed within the framework of ORANGE's activities.

This certification cannot be taken into account when determining the corrective powers, since in this case it is not a question of proving that measures have been adopted to comply with criminal regulations, but rather of proving that data protection standards are met.

- the non-existent benefit obtained by ORANGE from the processing of the data that is the subject of this sanctioning procedure, adding that, in any case, it was harmed, as already indicated, being an injured party in the criminal proceedings in which the commission of the crime in question is reported (Article 83(2)(k)).

This allegation presented by ORANGE cannot be taken into account, insofar as the fact that no benefits were obtained cannot be considered as an attenuating circumstance, in accordance with the judgment of the National Court of 05/05/2021, rec. 1437/2020, which states: “It considers, on the other hand, that the non-commission of a previous infringement must be considered as an attenuating circumstance. Well, Article 83(2) of the GDPR establishes that, for the imposition of the administrative fine, the circumstance "e) any previous infringement committed by the controller or processor" must be taken into account, among others. As this is an aggravating circumstance, the fact that the prerequisite for its application does not exist means that it cannot be taken into consideration, but it does not imply or allow, as the acting party claims, its application as an attenuating circumstance”; applied to the case under trial, the lack of the prerequisite for its application with respect to Article 76.2.c) of the LOPDGDD, that is, obtaining benefits as a result of the infringement, does not allow its application as a mitigating circumstance.”

Thus, in accordance with the provisions of Article 83(1) of the GDPR, admitting the absence of benefits as a mitigating circumstance is not only contrary to the factual assumptions contemplated in Article 76.2.c), but also contrary to the provisions of Article 83(2)(k) of the GDPR and the principles indicated.

Thus, assessing the absence of benefits as a mitigating circumstance would nullify the deterrent effect of the fine, to the extent that it reduces the effect of the circumstances that actually affect its quantification, giving the responsible party a benefit it has not earned. It would be an artificial reduction of the sanction that may lead to the understanding that violating the rule without obtaining benefits, financial or otherwise, will not produce a negative effect proportional to the seriousness of the infringing act.

In any case, the administrative fines established in the GDPR, in accordance with Article 83(2), are imposed based on the circumstances of each individual case, and the absence of benefits is not considered an adequate and determining grading factor to assess the seriousness of the infringing conduct. Only where this absence of benefits is relevant to determining the degree of unlawfulness and culpability present in the specific infringing act may it be considered as an attenuating circumstance, in application of Article 83(2)(k) of the GDPR, which refers to “any other aggravating or mitigating factor applicable to the circumstances of the case”.

IV

Response to the allegations to the proposed resolution of the sanctioning procedure

In relation to the allegations made against the proposed resolution of the present sanctioning procedure, they are answered below in the order set forth by ORANGE:


First. Regarding the existence of a criminal prejudicial question.

ORANGE insists on its allegation regarding the existence of a criminal prejudicial question, based on the fact that the persons who committed the infringement were the agents hired by the distributor.

It adds that this is especially relevant because, depending on what is determined with respect to the actions of the agents and the type of crime applied to them, the potential imputation of liability to ORANGE will be conditioned.

Regarding the facts, it states that the coincidence is evident.

And with respect to the grounds, it states that there is an incompatibility between the imposition of an administrative fine on ORANGE derived from a criminal act of which it is a victim.

It adds that the AEPD intends for ORANGE to be held administratively liable for a criminal offence committed by agents of its distributors, for the mere fact that the crime was carried out by fraudulently manipulating the operation of its system. In this way, it points out that the distributor is a franchised company, belonging to the distribution channel, unrelated to ORANGE, which acts as data processor, and that the offence was committed by the employees of said franchise, contrary to the instructions documented by ORANGE.

ORANGE adds that this AEPD must assume that the conduct of the agents constitutes a criminal offence.

In relation to the statement regarding the existence of a criminal prejudicial question, this Agency wishes to state that this issue has already been resolved in the previous ground, in the response to the allegations presented against the initiation agreement; it refers to what is included in that point and, therefore, rejects the present allegation.

On the other hand, ORANGE questions having to answer for the infringement committed by the agents of its distributors. In this regard, according to the CJEU ruling of 5 December 2023 in Case C-683/21:

“83. As regards, secondly, the question of whether an administrative fine may be imposed under Article 83 of the GDPR on a controller in relation to processing operations carried out by a processor, it should be recalled that, according to the definition in Article 4, point 8, of the GDPR, a processor is understood to be “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

84. Since, as indicated in paragraph 36 of this judgment, a controller is responsible not only for all processing of personal data carried out by it itself, but also for processing carried out on its behalf, that controller may be subject to an administrative fine pursuant to Article 83 of the GDPR in a situation where personal data are the subject of unlawful processing and where it is not the controller itself, but a processor it has contracted, that has carried out the processing on its behalf.”

Likewise, the SAN judgment of February 8, 2024, rec. 0002250/2021 also states:

“Well, it has not been proven that the aforementioned companies, as
those in charge of the processing of the plaintiff, have determined the purposes and means of the
processing, nor have they used the data of the clients of the former for their own
purposes, nor have they interacted with interested parties outside the structure and
trade name of the appellant company, but rather they have acted under the name of
the plaintiff to fulfill the purposes of these, using the systems of the latter to carry out operations with the clients.

Therefore, art. 28.10 of the GDPR for an alleged attribution of
responsibility to the persons in charge, which also implies the exoneration of the
data controller, that is, of the company here appellant (…)”

In the present case, as has been established in the proven facts, the
data processor acted under a franchise regime, with ORANGE being the
one who provides all “the technical support, the know-how, the licenses for use of its
distinctive signs and the collaborations necessary for the achievement of the objectives
and purposes of this contract”. Furthermore, the processing of personal data was
carried out on ORANGE’s own information system.

To all this, it must be added that the duplicate SIM card is issued under the brand of
the ORANGE operator, and the client contracts with ORANGE, which is the one who provides the
telecommunications service. Without all this, the duplicate SIM card would be useless.

Therefore, in accordance with the above, this allegation by ORANGE cannot be taken into account.

Second. Regarding the factual assumption.

2.1. Regarding the consideration of the SIM card as personal data.

ORANGE states that this Agency interprets that the SIM card not only contains,
but is personal data in itself.

It also insists that there is no evidence that any information that
could be contained in the SIM card has been processed.

It adds that a duplicate SIM card implies the issuance of an empty SIM card,
which would not allow per se access to banking or financial information.

Regarding the IMSI, it would be a code contained within the SIM card for a
technical purpose, and which is not directly accessible. In addition, there is no evidence
that this data was accessed by the Agents in the commission of the crime.


In this regard, ORANGE adds that, although it could be considered that this
information potentially makes the owner of the line identifiable, the possibility of
identification by third parties other than the operator would require
additional information to which they do not have access.

In relation to this issue, it should be noted that, as already stated in the
replies to the allegations submitted to the initiation agreement, in the section
“Second: on the factual situation”, the broad interpretation of the concept of
personal data has been included both in the judgment of the CJEU in Case
C-101/2001 (Lindqvist) of 6.11.2003, paragraph 24, ECR 2003 p. I-12971, and in
numerous rulings of the National Court that are also included in these
answers, to which reference must be made here.

There is no doubt that for ORANGE the holder of a SIM card is fully
identified and that he is also identified for the persons who request the
duplicate of the SIM card of the telephone number of a specific person. Therefore, this allegation cannot be taken into account.

2.2. Regarding the performance of banking operations.

ORANGE considers that this Agency uses these associations to aggravate the
factual assumption that gave rise to this sanctioning procedure, granting the duplicate
SIM card the power to allow the commission of banking operations, ignoring
a previous step where the criminals must obtain and use the banking
credentials, to identify themselves and carry out the identity theft before the
financial entity.

ORANGE insists that this Agency does not analyse the responsibility of the banking entities affected by the identity theft.

In addition, ORANGE understands that, from this Agency, a transfer of responsibility for a banking operation is made to ORANGE, qualifying the obligations of the operators and those of the banking entities as identical.

ORANGE, in its written objections to the resolution proposal, provides
statements in which it wishes to show its disagreement with the fact that no action has been
initiated to require the banking entities to report on the
functioning of their systems.

It goes on to state that it is worth asking why the banks implemented in
2019 a reinforced authentication system considered insecure,
contravening article 32 of the GDPR, and why information has not yet been requested in this
regard. It insists that this Agency transfers responsibility for a banking operation to ORANGE, classifying the obligations as identical in an unjustified manner. It mentions at this point statements by the European Banking Authority, which would refer to the fact that banking entities are the only ones responsible for the security of their operations.


It adds that ORANGE cannot be held responsible for the configuration of the sending of SMS as a second authentication factor used by those responsible for other services such as banking operators. In this regard, it mentions Judgment
142/2024, of March 21, 2024 of the Provincial Court of Oviedo, in which the
victim had clicked on a link sent via SMS, resulting in unauthorized
access to his client area, and a transfer of 6,000 euros was made from the bank account, and in which the Provincial Court reiterated the
guilt of the bank.

This question, in contrast to what was alleged by ORANGE, is widely
answered in the previous ground in the response to its allegations to the start agreement, in the "Second" section also referring to the "factual assumption", to which reference must be made from
here, therefore rejecting this allegation.

2.3. On the relationship of the perpetrators of the criminal act with ORANGE.

ORANGE states that the agents are employees of a distributor of the ORANGE brand, which holds the role of Data Processor according to the provisions of Article 28 of the GDPR. It adds that it is the data processor who must, when acting on behalf of ORANGE, have the appropriate means to detect and prevent fraudulent actions by its employees. At this point, they refer to labor legislation, stating that, pursuant to Article 20, paragraphs 2 and 3 of the Workers' Statute, the power of control falls on the employer on whom the employee depends, and therefore, in this case, it would depend on the distributor of the ORANGE brand.

It is clear that it cannot be claimed that there has been a breach of Article 6 by ORANGE, since the wilful misconduct corresponds to the employees of the processor, who, contrary to the provisions of Article 28 of the GDPR, have not followed the instructions of the data controller, and that, therefore, the responsibility for the commission of the infringement of Article 6 of the GDPR should fall on the data processor.

Regarding the issue of the controller and the processor, ORANGE had already mentioned the possible liability of the processor in section 1 of its allegations to the proposed resolution, and from here we refer to what was pointed out by this AEPD on that point.

However, in relation to the statements referring to the fact that the agents of the processor would not have followed the instructions of ORANGE as the controller, it is necessary to take into account the Guidelines 7/2020 of the EDPB, which determine that:

“30. Following the line of the fact-based approach, the word “determine”
means that the entity that actually exercises a decisive influence on the purposes and means of the processing is the controller. Generally, the processing agreement
establishes who is the determining party (the controller) and who is the party that follows the instructions (the processor). Even where the processor offers a service that is predefined in a specific way, it must provide the controller with a detailed description
of the service, and the controller must make the final decision on approving the manner in which the processing will be carried out and request any changes it considers necessary.
Furthermore, the processor cannot modify, at a later time,
the essential elements of the processing without the controller's approval.

39. The question is where the line should be drawn between decisions reserved for the controller and those that can be left to the processor's discretion. It is clear that decisions on the purpose of processing must always be the responsibility of the controller.

40. As regards the determination of the means, a distinction must be made between essential and non-essential means. Essential means are traditionally and inherently reserved to the controller. These must be determined by the controller, although the determination of non-essential means may also be left to the processor.
Essential means are means closely linked to the purpose and scope of the processing, such as the type of personal data processed ("what data will be processed?"), the duration of processing ("how long will it be processed?"), the categories of recipients ("who will have access to the data?") and the categories of data subjects ("who owns the personal data processed?"). In addition to being related to the purpose of the processing, essential means are closely linked to the question of whether the processing is lawful, necessary and
proportionate. Non-essential means relate to more practical aspects of the processing itself, such as the choice of a particular type of hardware or software or the decision on the details of security measures, which may be left to the processor.

41. Although decisions on non-essential means may be left to the processor, the controller will still need to stipulate certain elements in the contract with the processor: for example, in relation to the security requirement, all measures required under Article 32 of the GDPR may be required to be taken. The contract should also provide that the processor will assist the controller in ensuring compliance with, for example, Article 32. In any case, the controller remains responsible for implementing appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is in compliance with the Regulation (Article 24). To do so, the controller must take into account the
nature, scope, context and purposes of the processing as well as the risks
to the rights and freedoms of natural persons. For this reason, the controller must be fully informed about the
means used, so that he can make an informed decision in this regard. In order
to enable the controller to demonstrate the lawfulness of the processing, it is advisable to
document, in the contract or other legally binding instrument between the controller and the processor, at least the
necessary technical and organisational measures.

(…)

80. Secondly, the processing must be carried out on behalf of a controller, but not under his direct authority or control. Acting “on behalf of” someone means serving the interests of another and refers to the legal concept of “delegation”. In the case of data protection regulations, the task of the
processor is to carry out the instructions given by the controller, at least as regards the purposes of the processing and the
essential elements of the means. The lawfulness of processing under Article 6 and, where applicable, Article 9 of the Regulation derives from the activity of the controller, and the
processor must only process the data in accordance with the instructions given by the controller. However, as noted above, the controller's instructions may leave some discretion as to how to best serve the controller's interests, thereby enabling the processor to choose the most appropriate technical and organizational means.

81. Acting "on behalf of" someone also means that the processor cannot carry out the processing for its own purposes. As set out in Article 28(10), the processor will infringe the GDPR if it fails to follow the controller's instructions and begins to determine its own purposes and means of processing. In such cases, the processor will be deemed responsible for that processing and may be subject to penalties for failing to adhere to the controller's instructions.”

As already noted above, the aforementioned CJEU held that “a data controller is responsible not only for all processing of personal data that it carries out itself, but also for processing carried out on its behalf, and that controller may be fined administratively under Article 83 of the GDPR in a situation where personal data are subject to unlawful processing and where it is not it, but a processor it has contracted with, who has carried out the processing on its behalf”.

In the present case, and as set out in the Proven Facts of this Resolution, the SIM card is duplicated in an ORANGE establishment owned by the company “TOWER PHONE, S.L.,” which acts as ORANGE’s data processor.

Reference is also made to the franchise agreement of the two entities, dated April 1, 2022, in which it could be verified that:

“II. (…)”

V. (…).

(…).

(…)

“(…).

(…)

(…)”


To all this, it must be added, as already indicated above, that the client, at
all times, is contracting the telephone services with ORANGE, since,
in accordance with everything indicated above and which appears in the franchise contract, it is ORANGE as the data controller that determines the
purpose and the means of the processing carried out for the exercise of the activity, and
who actually provides the telephone service.

Therefore, based on the above, this allegation by ORANGE must be rejected.

Third. Regarding the criminal conduct of the agents.

With this claim, ORANGE is trying to have this case treated differently from the rest of the SIM SWAPPING cases, given that the case that
has motivated the opening of this sanctioning procedure would consist of a new criminal
variant.

However, this question was already answered in the allegations to the start agreement to which we refer here, in the Third section: the role of ORANGE as victim.

ORANGE states that it had the diligent security measures and procedures,
and as a consequence it has been the criminals who have evolved, and
that this would prove that it had an adequate privacy design.

It adds that the appearance of these practices would have been revealed in the
“Teleco Anti-Fraud Committee” held in March 2023, and that as a
consequence of the Agents being corrupted and able to carry out criminal activities, a new assessment of the risk attributed to this threat has been carried out,
providing a risk matrix as document no. 1, in which an element referring to SIM SWAPPING can be observed, but which is related to Phishing. And
nothing related to fraud by employees appears.

It also appears as an element “fraudulent Use of Data by 3 Parties/ Payment Fraud”.

ORANGE states that this matrix can be compared with the one provided as
document no. 12 in the allegations to the start agreement. This document 12 is entitled
“2023 Non Telco Fraud Risk map. Key risk” and there is also a section referring
to “Fraudulent use of Data-3rd Parties” and in this point “(…)”

However, the risk derived from employees being able to use their
credentials to commit criminal acts is not included in any of these tables either. The risk referring to “Fraudulent use of Data-3rd parties” is
written in a generic way, and this does not imply that the risk referred to by
ORANGE was analyzed and evaluated in light of the measures implemented
by ORANGE.

At this point, ORANGE insists that allowing a store agent to make decisions on certain issues cannot be interpreted as being equated with non-compliance with the GDPR, because it conflicts with the regulation contained therein, where the risk would be considered to lie in the adoption of automated decisions without human intervention. It added that the purpose of the agent's intervention was to prevent, in specific and limited cases, (…) the interested party from being prevented from accessing a contracted service.

ORANGE goes on to state that the Agency categorizes the parameterization of (…)
as a violation of article 25.

In relation to this issue, it is necessary to point out that this issue has also been
answered in the resolution proposal, in the sense that ORANGE has
implemented a system for the issuance of SIM cards in which (…), but no longer
only, as ORANGE states, when the (…).

(…).

Thus, ORANGE states that, (…). As ORANGE points out “(…).”

However, as has been demonstrated, (…).

For all the reasons stated, this allegation must be rejected.

Fourth. On the non-existence of a lack of legitimacy in the processing of personal data of ORANGE.

With this allegation, ORANGE wishes to insist that the acts that have led to the
opening of the sanctioning procedure have been carried out by employees of one of its
data processors, and understands that this Agency intends to hold
ORANGE responsible for the conduct of these agents, regardless of whether this conduct
may constitute a criminal offence.

This question, however, has already been answered in the second allegation, section 3
of Grounds III.

It should be remembered that what is being judged in this sanctioning procedure
with respect to the infringement of art. 6 of the GDPR is the fact that the
data of the complainant have been processed by issuing a duplicate of his SIM card,
without there being any basis for legitimacy. To issue the duplicate (…), which
shows that ORANGE did not have his consent. The SIM card has been
issued in the name of ORANGE, which means that ORANGE is the controller of the
processing and as such is responsible for ensuring that the processing carried out on its
behalf is based on any of the circumstances that legitimise the processing of personal
data.

It is ORANGE that must respond to the failure to comply with data protection,
without prejudice to any subsequent actions it may take.

Therefore, in light of all the above, this claim must be rejected.

Fifth. On the correct implementation of privacy by design and by default.


ORANGE wishes to state that, based on the statements included in the
proposed resolution, privacy has been taken into account from the design,
based on the documentation submitted, the design of protocols and the
establishment of measures to ensure compliance with the principles of data protection.

In this sense, the process for issuing duplicate SIM cards involves
controls and security measures intended to ensure that SIM cards are issued at the request of customers and once their identity has been verified,
having taken into account the protection of the privacy of the interested parties, and believes
that this Agency is trying to disqualify documentary evidence under the sole premise that
a specific case has occurred in which a crime has been committed.

It adds that ORANGE does have policies aimed at ensuring the application of
the principles of data protection in its business processes, regardless of the fact that the specific reference to guarantees in terms of privacy is not identified in each of them, since, although they address the risks associated with this matter, it is not the only one taken into account, in the same way that the criminal risks analyzed, or the economic or reputational risks, are not specified in each of them.

In this sense, as already stated in the resolution proposal, the principle of
data protection by design imposes that, from the earliest stages of
processing planning, this principle must be considered: the controller
of the processing, from the moment in which any possible processing of personal data is
designed and planned, must determine all the elements that make up the
processing, in order to effectively apply the principles of data protection,
integrating the necessary guarantees in the processing with the ultimate aim of,
complying with the provisions of the GDPR, protecting the rights of the interested parties.

Therefore, from the design of the processing, there were no measures of article 25 of the
GDPR (…). The absence of measures to guarantee that the request for a duplicate card
was made by the owner of the line, together with the fact that it was not verified that
the delivery was made to the owner, is what constitutes a breach of the principle of
data protection by design.

This means that ORANGE had not adequately identified and analysed the risks that (…), nor anticipated or implemented from the design stage the appropriate technical and organisational measures to effectively apply the data protection principles required by Article 25 GDPR.

ORANGE merely states that it complied with the requirements provided for, and provides documentation stating that it takes this article into account, but none of them specifically indicate that the data protection principle had been implemented from the design stage and (…).

To resolve this issue, the Agency states that the initial documentation that it has already
provided is the initial information provided for any project in which
personal data is processed in order to begin regulating the different activities
from a perspective that ensures privacy and the protection of personal data,
and that, for each particular case, the measures that are considered
corresponding are applied, such as the training of personnel in charge of the
processes. However, it has still not submitted said documentation. It states that
it provided document no. 12, in the allegations to the start agreement, which together with
document 1 presented in the written allegations to the resolution proposal,
would prove that the risk had indeed been identified.

However, this Agency understands that said documents do not prove
compliance with the principle of data protection by design. The aforementioned
document no. 12 to which it refers is dated in the year 2023 and is entitled (…).

In the document called 1 of the allegations to the resolution proposal, a risk matrix is
provided in which the risk “Fraudulent use of data-3rd parties” is identified, without further development, and is assessed as low risk, but it is not indicated
whether the risk is for the rights and freedoms of the interested parties or for the continuity of the
business.

ORANGE provides as document 2 of its allegations to the proposal the minutes of the
Local Risk Committee for the year 2022 in which the OSP risk management policy and the OSP risk matrix are approved, among other issues, but from its content
it seems to be inferred that they assess the risk to the continuity of the business.

Document No. 3 also provides the residual risk map from the perspective of the rights and freedoms of the interested parties referring to the year 2022 where the risk of fraud was identified as low, and which according to ORANGE was discussed in the Local Risk Committee of the year 2022, whose minutes were attached as document No. 2.

In this sense, the aforementioned minutes of the Local Risk Committee, dated 10/3/2022,
include in section 6, Risks: Integration Risk maps:

“(…).

(…).

(…).”

In turn, in section 8 of the minutes: Telco Fraud it is stated:

“(…).

(…).

(…).

(…).

(…).”


In section 9 referring to Non-Telco Fraud, the following is added:

“(…).”

Regarding the risk map provided as document no. 3, entitled 2022 Non-Telco Fraud risk map: Fraudulent use of Data-3rd parties, it contains “(…)”

And states the following:

(…).

Well, according to ORANGE's allegations, this document would have been presented
to the Committee whose minutes it has provided as document no. 2, and would have been discussed therein, and yet there is no reference to it in the aforementioned minutes of the
committee. Furthermore, it must be taken into account that, despite the statements made by ORANGE,
this Agency continues to maintain that the risks to the rights and freedoms derived from this have not been foreseen (…). The internal risk that employees may commit some type of infringement has not been taken into account, but it is also
understood that the impact cannot be classified as limited based on the fact that the banking entities must return any charge made due to violations of their
systems.

This is a case in which the claimant had suffered economic losses amounting to 9,000 euros, without forgetting that in the complaint to the Court that ORANGE has submitted in its written allegations to the initial agreement, there are more people who could have been affected, even if they have not filed a claim with the AEPD. Thus, the impact that this risk has on the rights and freedoms of people is high, so the residual risk cannot be classified as low without the implementation of appropriate measures.

For all these reasons, this Agency has considered that, despite having submitted a document that would be dated 2022, it is understood that this cannot determine compliance with article 25 of the GDPR.

In relation to the rest of the questions raised by ORANGE, it should be noted that they have already been answered in the replies to the allegations to the initiation agreement, section Five, therefore, this allegation must be rejected.

Sixth. On the existence of a concurrence of infractions.

ORANGE states that the two infractions are based on the criminal conduct of the agents, which constitutes a case of concurrence of infractions in administrative proceedings.

In this sense, ORANGE understands that the decisive factor in determining whether this breach has actually occurred is the adequacy or not of the measures implemented. It states that, according to the arguments of this Agency, it would be concluded that there is a direct connection between the violations of both articles. It considers
that the infringement of article 6 of the GDPR, that is, the existence of an (alleged)
unlawful data processing, was necessary and inevitable for a
violation of the principle of privacy by design and by default to take place, resulting from the
non-existence (indicated in terms of defence, supposedly) of sufficient
security measures.

In relation to this allegation, it should be noted that this AEPD reiterates its position in the
response given to the allegations to the initiation agreement, section Six.

It is not true that non-compliance with article 25 of the GDPR requires data processing
without a basis for legitimacy. Article 25 imposes an obligation on the data controller to
adopt the necessary measures to comply with the principle of data protection
by design, without it being necessary for the lack of measures or their poor
implementation to cause any other result contrary to the GDPR. It is the
non-compliance with the provisions of Article 25 that is sanctioned, which may
occur regardless of whether data processing occurs without a basis for
legitimacy, so this claim should be rejected.

Seventh. On the inadmissibility of objective liability.

ORANGE insists that the resolution proposal is based exclusively on the
result, without taking into account that the fact is caused by the criminal and
willful conduct of the agents of ORANGE, who acted as the data processor,
corrupting the process and the measures stipulated by it.

ORANGE understands that the criminal conduct of the agents has automatically determined that adequate measures were not adopted, automatically giving rise to the direct responsibility of ORANGE.

In addition, it understands that this Agency has determined that a generic type of fraud has occurred without assessing the specific circumstances of this case.

ORANGE understands that this Agency has erred in taking into account the following
considerations:

-firstly, the criminals were commercial agents at a point of sale of a
distributor, and not cybercriminals.

-secondly, this Agency does not take into account the evolution of the SIM
SWAPPING fraud, considering that, in the event of the production of an alleged fraud, the entity
is responsible, regardless of the actions of the agents at the point of
sale.

It insists that they had identified the risk, but it was considered as low risk, since it had not occurred previously.

ORANGE considers that, with regard to the payment services regulations, the obligations for both operators and banks are being
classified as identical in an unjustified way, since ORANGE cannot be held
responsible for the deficiencies and decisions taken by the banks.

ORANGE states that, according to this Agency, the risks must be based on what is
reasonable and technically possible, and considers that, in this case, ORANGE
had placed its trust in its distributors. It also considers that
human intervention is inevitable.

It adds that this Agency intends for ORANGE to foresee each and every one of the
threats that may occur, hoping for a result in which the measures are
indefectible, overlooking threats that can hardly be foreseen, as
would be this case.

This is why it is understood that this Agency establishes an obligation of
result, by pointing out that the commission of a criminal act in the environment of ORANGE
automatically entails its responsibility, regardless of the intent used
by the perpetrator, and the level of diligence used by ORANGE.

ORANGE states that this Agency has not entered into an assessment of the jurisprudence
set forth in relation to the inadmissibility of objective liability in the field of
administrative sanctioning procedure.

Therefore, it understands that, since the occurrence of a culpable, intentional or negligent act on the part of ORANGE has not been proven, it is not appropriate to determine that
it has committed an infringement of the data protection regulations.

With regard to this allegation, this question has already been answered in the
reply to the allegations to the initiation agreement, in the seventh section: on the
inadmissibility of objective liability.

However, this Agency wishes to state that, contrary to ORANGE's allegations, which insist that this Agency intends for ORANGE to foresee
each and every threat that may occur, expecting a result in which the measures are
infallible, overlooking threats that can hardly be foreseen, as would be the case, Article 25 of the GDPR states: “…the controller shall implement, both at the time of determining the means of
processing and at the time of processing itself, appropriate technical and
organizational measures…”

The European Data Protection Board (EDPB) Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, Version 2.0, Adopted
on October 20, 2020, indicate:

“29. The GDPR adopts a consistent risk-based approach in many of its
provisions, in Articles 24, 25, 32 and 35, in order to determine the appropriate technical and organizational measures to protect individuals and their personal data and to comply with the requirements of the GDPR. The protected assets are always the same (individuals, through the protection of their personal data), against the same risks (to individuals' rights), and taking into account the same circumstances (the nature, scope, context and purposes of the processing).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 104/120

30. When carrying out the risk analysis for compliance with Article 25, the data controller must determine the risks posed by a violation of the principles for the rights of data subjects, as well as their probability and severity, in order to apply measures that effectively mitigate the risks detected. In risk assessments, it is crucial to carry out a systematic and thorough evaluation of the processing. For example, a controller assesses the specific risks associated with the absence of freely given consent, which constitutes a violation of the principle of lawfulness, in the course of processing the personal data of children and young people under 18 years of age as a vulnerable group, in a case where there is no other legal basis, and applies appropriate measures to effectively address and mitigate the detected risks associated with this group of data subjects (emphasis added)

In short, compliance with the principle of data protection by design requires identifying the specific risks to the rights and freedoms of individuals that the processing entails, analysing and assessing them in a way that allows determining and effectively applying, from the start of the processing, the specific technical and organisational measures to guarantee each of the principles of data protection, such as those of lawfulness, accuracy and confidentiality, which in this case has not been done.

As already pointed out in the reply to the allegations to the initiation agreement, it is understood that ORANGE, when assessing the risks of using the application it has implemented to issue duplicate SIM cards, has taken into account neither the risks nor their impact on the rights and freedoms of individuals. It has already been demonstrated that the impact that this possible risk had on the rights and freedoms of individuals is high, and this had not been taken into account either. It was the lack of diligence when implementing the appropriate measures at the source to verify (…) that is, precisely, what constitutes the element of culpability.

It is therefore appropriate to reject this allegation by ORANGE.

Eighth. Regarding the measures adopted and implemented by ORANGE.

ORANGE states that it has already listed the measures it had deployed, both beforehand and afterwards, so that this Agency can assess the constant evolution and analysis of risks, as well as the measures applied, taking into account the evolution of the cases of SIM Swapping fraud.

ORANGE insists that it had established the following measures:

1. Measures implemented by ORANGE to prevent the commission of fraud derived from the identity theft of its clients.

- documentation already provided that is made available to agents and other personnel with the capacity to carry out actions at ORANGE.
- additional communications that reiterate the action protocols for the issuance of SIM card duplicates.
- (…).


- ORANGE is part of the Spanish Association for Digitalisation and participates in the “Secure Digital Identity” project, which aims, among other things, to protect against fraud and cyberattacks and to defend data privacy.
- (…).

2. Measures implemented by ORANGE to prevent the commission of fraud derived from the impersonation of ORANGE agents and/or employees.

- implementation of a double identification factor, which is in the testing phase with certain users.
- project (…).
- traffic control tools, which are used by the ORANGE Risk Analysis Group and which can generate alerts in the event of possible detections of irregular contracts, and which work as follows in the case of duplicate SIM cards:
  - (…).
- (…).

3. Measures adopted in relation to this case, not included in the previous sections.

- the risk associated with this type of case has been modified, having a greater impact on the company's protocols and actions.
- the (…) that takes place in cases such as the one that has motivated the opening of this sanctioning procedure has been provisionally suspended, in order to determine the appropriate measures to mitigate the identified risks.

In any case, ORANGE wishes to state that it carries out constant control and review of the existing risks in relation to SIM card duplicates, that the protocols are updated and that measures are adopted in accordance with the identified risks, without this allowing a guarantee or requirement of infallibility to be imposed on it.

ORANGE states that this breakdown has not been reviewed by this Agency, and understands that it is necessary to understand the threat in order to be able to prevent and mitigate its commission, and adds that this would have proven its will to protect the rights of individuals, in which the existence of a zero risk is updated and reviewed.

This Agency understands that ORANGE continues to state that it complies with the provisions of article 25 of the GDPR. In this case, it again lists the measures it had implemented, and states that this Agency has not taken them into account.

Some of the measures highlighted by ORANGE are not applicable to cases in which the SIM card request is made in person. The processing of data not only requires the establishment of cybersecurity measures; other measures are also necessary to mitigate the risks that arise (…).


ORANGE claims that the possibility of making duplicate SIM cards from the customer area and from kiosks has been eliminated; that (…) has been implemented; that the risk associated with this type of situation has been modified, having a greater impact on the company's protocols and actions; and that the (…) that takes place in situations such as the case that has motivated the opening of this sanctioning procedure has been provisionally suspended, in order to determine the appropriate measures to mitigate the identified risks.

However, none of these measures were implemented by ORANGE beforehand; rather, they were applied after the events, so they were not taken into account from the design of the processing, and therefore cannot be taken into account in the present case either.

In the fifth section of the response to the allegations to the initiation agreement, the following is stated with respect to the documents provided by ORANGE:

This is a document in which reference is made to the possibility of the existence of risks, but they are not identified in a concrete manner, and no specific actions are foreseen with respect to the possibility of situations occurring such as the one that has occurred in the present sanctioning procedure, insofar as no specific mention is made of the possibility that (…).

There is no document in which the risks are foreseen (…). It has already been mentioned in the reply to these allegations that this Agency cannot consider the possibility of employees making a duplicate SIM card to be low; this does not imply that all employees are potential criminals, only that this possibility must be assessed and measures taken in this regard, especially taking into account the impact on the rights and freedoms of individuals.

ORANGE states that, (…).

For all these reasons, the allegation presented by ORANGE must be rejected.

Ninth. Regarding the lack of proportionality of the proposed sanction.

ORANGE declares that it has acted with due diligence in the implementation of measures in the SIM card duplicate processes, but, in the event that this Agency considers that there is such non-compliance, it understands that the sanction is disproportionate, taking into account the circumstances and content of the infringement, to the extent that it was committed wilfully by agents of the distributor.

In this sense, it understands that the following aggravating factors have been applied by this Agency without the circumstances required for their consideration being present:

- Nature, seriousness and duration of the infringement (art. 83.2.a) RGPD)

This allegation has already been answered in the allegations to the agreement to initiate this
sanctioning procedure, and therefore, it cannot be taken into account.


- Any infringement committed by the controller or processor (art. 83.2.e) RGPD)

ORANGE reiterates its disagreement with the fact that this aggravating circumstance is used, since
the facts that motivated said procedures have nothing to do with the
present factual situation.

This allegation has already been answered in the allegations to the agreement to initiate this sanctioning procedure, and therefore, it cannot be taken into account.

- The link between the business activity of the respondent and the processing of personal data of clients or third parties (art. 83.2.k) of the RGPD in relation to article 76.2.b) of the LOPDGDD).

This allegation has already been answered in the allegations to the agreement to initiate this sanctioning procedure, and it should be added that the business activity of ORANGE is related to the processing of personal data, since it is obvious that the activity of ORANGE necessarily involves the performance of a high number of operations to process personal data of the natural persons who are clients of said entity, which affects the diligence that must be displayed in compliance with the obligations derived from this data processing.

- Intention or negligence in the infringement.

This allegation has already been answered in the allegations to the agreement to initiate this
sanctioning procedure.

Regarding the application of this circumstance as an aggravating factor, the National Court, in its judgment (SAN) of March 1, 2024 (Appeal No. 0001757/2021), considered that the application of the circumstance contemplated in article 83.2.b) of the GDPR is appropriate in the case of lack of diligence of entities that carry out data processing on a large scale, specifying that “(…) And in this sense, it should be noted that a company such as the plaintiff, which carries out processing of personal data of its clients on a large scale, in a systematic and continuous manner, must take extreme care in complying with its obligations regarding data protection. The plaintiff emphasizes the absence of intentionality when the provision also speaks of negligence, and it is this lack of diligence that the contested resolution emphasizes in relation to both infringements (…)”.

For this reason, the application of the circumstance contemplated in article 83.2.b) of the GDPR is considered justified.

Likewise, ORANGE considers that this Agency has not taken into account the following mitigating circumstances:

- ORANGE proceeded to block the line when it became aware of the facts (art. 83.2.c) GDPR).
- no special categories of data have been processed (art. 83.2.g)).
- the degree of cooperation of ORANGE with this Agency (art. 83.2.f)).
- adherence to codes of conduct under article 40 or certification mechanisms approved under article 42 (art. 83.2.j)).
- the non-existent benefit obtained by ORANGE (art. 83.2.k)), stating that, in any case, it has been harmed.

All these questions have already been answered in the replies to the objections to the
initiation agreement, and it is appropriate to reject them.

V
Unfulfilled obligation

Article 6.1 of the GDPR establishes the assumptions that allow the processing of personal data to be considered lawful.

“1. The processing will only be lawful if at least one of the following
conditions is met:

a) the interested party has given his consent to the processing of his personal data
for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the latter of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the data controller;

d) the processing is necessary to protect the vital interests of the interested party or another
natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The provisions of point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their tasks.”

In the present case, it is established that the SIM card of the complainant has been duplicated for a third party, without his or her consent, (…).


In this way, ORANGE acknowledges this fact in its letter dated January 30, 2023, stating: “Having therefore confirmed the irregularity in the request for the duplicate, the Risk Analysis team confirmed that two agents at the Point of Sale of the ORANGE MADRID store ***ADDRESS.1 had acted irregularly, using their credentials from the internal systems of this company to activate the duplicate SIM card.”

ORANGE goes on to state that “it was possible to verify that, at the time of contracting, the protocol established by this company was followed by passing an identity document through the identity verification system […]. This system makes it possible to identify that the identity documents are valid. However, despite the fact that the instructions given to the distributors were followed, since it was the agents who acted irregularly, to make the duplicate they provided a valid identity document that did not correspond to that of the complainant, which is why, when passing it through the system […], it was identified as correct and the duplication process continued.”

ORANGE has communicated that the procedure to follow, when requesting a
duplicate of the SIM card is the following: (…).

(…).

As a general rule, ORANGE adds that (…).

This was the circumstance, in the case at hand, (…).

Therefore, ORANGE provided a duplicate of the complainant's SIM card to
a third party, without the complainant's consent, (…).

Likewise, (…).

In this sense, Recital 40 of the GDPR states: “(40) For the processing to be lawful, personal data must be processed with the consent of the data subject or on any other legitimate basis provided for by law, whether in this Regulation or under other Union or Member State law referred to in this Regulation, including the need to comply with a legal obligation applicable to the controller or the need to perform a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”

Therefore, in accordance with the evidence available at the time of the resolution of the sanctioning procedure, it is considered that the known facts, that is, the issuance of a duplicate SIM card without the consent of the owner of the line in this specific case, constitute an infringement, attributable to ORANGE, for violation of article 6.1 of the RGPD.

VI
Classification and qualification of the infringement


The aforementioned infringement of article 6.1 of the RGPD involves the commission of the infringements classified in article 83.5 of the RGPD, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions shall be sanctioned, in accordance with section 2, with administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, an amount equivalent to a maximum of 4 % of the total annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9.”

For the purposes of the limitation period for infringements, the imputed infringement shall be subject to a three-year statute of limitations, in accordance with article 72.1.b) of the LOPDGDD, which classifies the following conduct as very serious:

“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following, are considered to be very serious and shall be subject to a three-year statute of limitations:

b) The processing of personal data without any of the conditions for the lawfulness of the processing established in article 6 of Regulation (EU) 2016/679.”

VII

Penalty for infringement of article 6.1 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the resolution of the sanctioning procedure, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR:

- The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered (section a): the action attributed to ORANGE involves a loss of disposition and control of the personal data of the complainant, which has resulted in identity theft and the performance of fraudulent banking activities. It is important to bear in mind that the processing of personal data for the purpose of obtaining a duplicate SIM card may be the gateway to access other data that may lead to a significant financial loss for its owner, as happened in this case.

- Any previous infringement committed by the controller or processor (section e): it is noted that on 31 January 2023, a resolution was issued in procedure nº EXP202204288, in which a fine of 70,000 euros was imposed. It is noted that on 30 January 2023, a resolution was issued in procedure nº EXP202203638, in which a fine of 70,000 euros was also imposed. It is noted that, on November 10, 2021, a resolution was issued in file PS/00022/2021, in which a fine of 700,000 euros was imposed.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD:

As aggravating factors:

- Linking the offender's activity with the processing of personal data (section b): the development of the business activity
carried out by the entity requires continuous processing of personal data.

The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 6.1 of the GDPR, allows for a fine of €200,000 (two hundred thousand euros) to be set.

VIII

Data protection by design and by default

Article 25 “Data protection by design and by default” of the GDPR states:

“1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing and the risks of varying likelihood and severity that processing entails for the rights and freedoms of natural persons, the controller shall, both when determining the means of processing and at the time of processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, designed to effectively implement the data protection principles, such as data minimisation, and to integrate the necessary safeguards into the processing, in order to comply with the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures to ensure that, by default, only those personal data that are necessary for each of the specific purposes of the processing are processed. This obligation shall apply to the quantity of personal data collected, the extent of their processing, their retention period and their accessibility. Such measures shall ensure in particular that, by default, personal data are not made available to an indeterminate number of natural persons without the intervention of the data subject.

3. A certification mechanism approved pursuant to Article 42 may be used as evidence of compliance with the obligations set out in paragraphs 1 and 2 of this Article.”


This article is part of the general obligations that Chapter IV of the RGPD establishes for the data controller, imposing an obligation to design internal procedures at the time of determining the means of processing and to apply these procedures at the time of processing, in order to effectively guarantee compliance with the data protection requirements included in the General Data Protection Regulation.

Likewise, recital 78 of the RGPD establishes:

“The protection of the rights and freedoms of natural persons with respect to the
processing of personal data requires the adoption of appropriate technical and
organizational measures in order to ensure compliance with the requirements of
this Regulation.

In order to be able to demonstrate compliance with this Regulation, the
data controller must adopt internal policies and implement measures that comply, in
particular, with the principles of data protection by design and by default.

Such measures could include, inter alia, minimising the processing of personal data, pseudonymising personal data as soon as possible, making personal data processing and functions transparent, allowing data subjects to monitor data processing and the controller to create and improve security features.

When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or that process personal data in order to fulfil their function, producers of products, services and applications should be encouraged to take into account the right to data protection when developing and designing these products, services and applications, and to ensure, with due regard to the state of the art, that controllers and processors are able to fulfil their data protection obligations.

The principles of data protection by design and by default should also
be taken into account in the context of public procurement.”

In the present case, it must be taken into account that ORANGE is the controller, by establishing the means and purposes for the processing of personal data.

Thus, for cases of issuing duplicate SIM cards in-store, ORANGE has communicated that the procedure to follow, when requesting a duplicate SIM card, is (…).

However, ORANGE has informed that (…).

(…).

(…).

The principle of data protection by design requires that this principle be considered from the earliest stages of planning a processing: the controller, from the moment that a possible processing of personal data is designed and planned, must determine all the elements that make up the processing, in order to effectively apply the principles of data protection, integrating the necessary guarantees in the processing with the ultimate aim of, in compliance with the provisions of the GDPR, protecting the rights of the interested parties.

Thus, and with regard to the risks that may be present in the processing, the data controller will carry out an exercise of analysis and detection of the risks throughout the entire data processing cycle, with the primary and ultimate purpose of protecting the rights and freedoms of the interested parties, and not only when the processing actually takes place. This is expressed in the Guidelines 4/2019 of the EDPB on Article 25 Data Protection by Design and by Default, adopted on October 20, 2020.

The aforementioned Guidelines indicate in this regard that:

“35. The “moment of determining the means of processing” refers to the period of time in which the controller is deciding how it will carry out the processing and how it will occur, as well as the mechanisms that will be used to carry out such processing. In the process of making such decisions, the controller should assess the appropriate measures and safeguards to effectively implement the principles and rights of data subjects in the processing, taking into account elements such as risks, state of the art and cost of implementation, as well as the nature, scope, context and purposes. This includes the timing of acquisition and implementation of software and hardware and data processing services.

36. Taking into account the PDDD from the outset is crucial for the correct
application of the principles and for the protection of the rights of data subjects.

Furthermore, from a cost-effectiveness perspective, it is also in the
interest of controllers to take into account the PDDD as early as possible, as
it may be difficult and costly to introduce changes to already formulated plans
and already designed processing operations later on.”

To do so, the data controller must use the principles set out in Article 5 of the GDPR when designing the processing, which will serve to assess effective compliance with the GDPR.

Thus, the aforementioned Guidelines 4/2019 of the EDPB provide that:

“61. In order to make the PDDD effective, data controllers must apply the
principles of transparency, lawfulness, fairness, purpose limitation, data
minimization, accuracy, limitation of the retention period, integrity and
confidentiality, and proactive responsibility. These principles are set out in Article 5 and
recital 39 of the GDPR.”

The AEPD Privacy by Design Guide states that “Privacy by design (hereinafter, PbD) involves using a risk management-oriented approach and proactive responsibility to establish strategies that incorporate privacy protection throughout the entire life cycle of the object (whether it is a system, a hardware or software product, a service or a process). The life cycle of the object is understood as all the stages that it goes through, from its conception to its retirement, including the development, production, operation, maintenance and retirement phases.”

The Guide states that “Privacy must be an integral and inseparable part of the systems, applications, products and services, as well as the business practices and processes of the organization. It is not an additional layer or module that is added to something pre-existing, but must be integrated into the set of non-functional requirements from the moment it is conceived and designed (…) Privacy is born in the design, before the system is in operation, and must be guaranteed throughout the entire life cycle of the data.”

Therefore, privacy by design, an obligation of the data controller that arises before the system is in operation, is not a set of mere additions established on a system built with its back to the GDPR. Linked to the building of a true culture of data protection in the organization, it also implies, for the sake of proactive responsibility, the ability to document all the decisions that are adopted with a “privacy design thinking” approach, demonstrating compliance with the GDPR in this aspect as well.

The risk approach refers directly and immediately to a preventive system that aims to make visible, with respect to the processing of personal data, the risks to the rights and freedoms of natural persons. These risks must be identified, their impact assessed and the probability of their materializing evaluated. It is therefore not the data that is protected, but the people behind them.

The risks to the rights and freedoms of natural persons derived from the processing of personal data may be of variable severity and probability and may cause physical, material or immaterial damage and harm, with tangible or intangible consequences for the rights and freedoms of natural persons. Recital 75 of the GDPR and article 28.2 of the LOPDGDD compile some examples of those considered by the legislator, but they are not the only ones. They will depend on the processing and the context in which it is carried out, the purposes, the personal data processed, the people involved, the means used, etc.

From the documentation in the file, it has been noted that the
procedure used by ORANGE for issuing duplicate SIM cards
(…).

In the aforementioned AEPD Privacy by Design Guide, various guidelines are established, which are not met in the case at hand:

“Any system, process or infrastructure that is going to use personal data must be conceived and designed from scratch, identifying, a priori, the possible risks to the rights and freedoms of the interested parties and minimizing them so that they do not result in damage. A PbD policy is characterized by the adoption of proactive measures that anticipate threats, identifying the weaknesses of the systems to neutralize or minimize the risks instead of applying corrective measures to resolve security incidents once they have occurred. That is, PbD avoids the “policy of correction” and anticipates the materialization of the risk event.”

Privacy as default configuration:

“PbD seeks to provide the user with the highest level of privacy given the state of the art and, in particular, that personal data are automatically protected in any system, application, product or service. The default configuration should be established from the design at the level that is as respectful as possible in terms of privacy. In the event that the subject does not take any configuration action, his privacy must be guaranteed and kept intact, since it is integrated into the system and configured by default.”

Privacy built into the design phase:

“Privacy must be an integral and inseparable part of the systems, applications, products and services, as well as the business practices and processes of the organization. It is not an additional layer or module that is added to something pre-existing, but must be integrated into the set of non-functional requirements from the very moment it is conceived and designed. To ensure that privacy is taken into account from the earliest stages of design, the organization must:

• Consider it as a necessary requirement in the life cycle of systems and services, as well as in the design of the organization's processes.

• Carry out an analysis of the risks to the rights and freedoms of individuals and, where appropriate, impact assessments relating to data protection, as an integral part of the design of any new processing initiative.

• Document all decisions taken within the organisation with a “privacy design thinking” approach.”

In this case, it has been found that ORANGE has not established measures from the design of the processing to comply with the principles of data protection, such as the principles of lawfulness, accuracy and confidentiality, in manual processes, since there are no measures to verify that the information entered by the employee is not erroneous and that the request for a duplicate SIM card is submitted by the owner of the line.

This means that it has not adequately identified and analysed the risks that
a manual process of SIM card duplicates entails for the rights and

freedoms of natural persons, nor foreseen or applied from the design the appropriate
technical and organisational measures, to effectively apply the principles of data
protection, required by article 25 GDPR.
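The deficiency described above (a manual duplicate-SIM process with no check that the agent-entered data matches the contract and no proof that the requester holds the line) is the kind of gap Article 25 expects to be closed at design time. The following is an added illustrative example of what such a gate can look like; it is not ORANGE's procedure, not a measure the AEPD prescribed, and every name, limit and channel in it (the 24-hour cooling-off period, the three-requests-per-agent-per-day limit, the in-memory account store, the e-mail second channel) is an assumption made for the example:

```python
"""Added example: a duplicate-SIM request gate. Hypothetical design for illustration only;
not Orange's process and not a measure prescribed by the AEPD in this decision."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hmac
import secrets


@dataclass(frozen=True)
class Account:
    msisdn: str        # line number
    holder_id: str     # identity document number on the contract
    holder_name: str
    active_iccid: str  # SIM currently in service on the line
    alt_contact: str   # assumed second channel (e-mail) the holder registered


@dataclass(frozen=True)
class Request:
    msisdn: str
    presented_id: str    # what the shop agent typed in
    presented_name: str
    agent_id: str
    received_at: datetime


@dataclass(frozen=True)
class Decision:
    issued: bool
    reason: str


class SimDuplicateGate:
    OTP_TTL = timedelta(minutes=10)
    COOLING_OFF = timedelta(hours=24)  # assumption: fallback delay when the old SIM is unusable
    AGENT_DAILY_LIMIT = 3              # assumption: accepted requests per agent per 24 hours

    def __init__(self, accounts):
        self.accounts = {a.msisdn: a for a in accounts}
        self.pending = {}        # msisdn -> state of the open request
        self.agent_history = []  # (agent_id, received_at) for every accepted request
        self.outbox = []         # stand-in for SMS/e-mail gateways: (channel, address, text)
        self.audit = []          # append-only trail: (msisdn, agent_id, reason, issued)

    def _record(self, req, decision):
        self.audit.append((req.msisdn, req.agent_id, decision.reason, decision.issued))
        return decision

    def open_request(self, req):
        acct = self.accounts.get(req.msisdn)
        if acct is None:
            return self._record(req, Decision(False, "unknown line"))
        # Gate 1: the identity data the agent entered must match the contract of record.
        id_ok = hmac.compare_digest(req.presented_id.upper().encode(), acct.holder_id.upper().encode())
        name_ok = req.presented_name.casefold() == acct.holder_name.casefold()
        if not (id_ok and name_ok):
            return self._record(req, Decision(False, "identity data does not match contract"))
        # Gate 2: per-agent velocity; a burst of duplicates from one agent is the fraud pattern.
        since = req.received_at - timedelta(days=1)
        recent = sum(1 for a, t in self.agent_history if a == req.agent_id and t > since)
        if recent >= self.AGENT_DAILY_LIMIT:
            return self._record(req, Decision(False, "agent request limit exceeded"))
        self.agent_history.append((req.agent_id, req.received_at))
        # Gate 3: possession proof. The code goes to the SIM now in service, never to the shop.
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[req.msisdn] = dict(otp=otp, otp_expires=req.received_at + self.OTP_TTL,
                                        opened=req.received_at, request=req, cancelled=False)
        self.outbox.append(("sms", acct.active_iccid,
                            f"Duplicate SIM requested for your line. Code: {otp}. Reply STOP if this was not you."))
        self.outbox.append(("email", acct.alt_contact,
                            "A duplicate SIM was requested for your line. Object within 24 hours if this was not you."))
        return self._record(req, Decision(False, "awaiting holder confirmation"))

    def confirm_with_otp(self, msisdn, otp, now):
        p = self.pending.get(msisdn)
        if p is None or p["cancelled"]:
            return Decision(False, "no open request")
        if now > p["otp_expires"] or not hmac.compare_digest(otp.encode(), p["otp"].encode()):
            return Decision(False, "invalid or expired code")
        del self.pending[msisdn]
        return self._record(p["request"], Decision(True, "holder confirmed via current SIM"))

    def cancel(self, msisdn):
        """The holder objects (STOP from the current SIM or via the second channel)."""
        if msisdn in self.pending:
            self.pending[msisdn]["cancelled"] = True

    def issue_after_cooling_off(self, msisdn, now):
        """Fallback when the old SIM is lost: issue only after the notified holder had time to object."""
        p = self.pending.get(msisdn)
        if p is None:
            return Decision(False, "no open request")
        if p["cancelled"]:
            return Decision(False, "cancelled by holder")
        if now < p["opened"] + self.COOLING_OFF:
            return Decision(False, "cooling-off period not elapsed")
        del self.pending[msisdn]
        return self._record(p["request"], Decision(True, "issued after uncontested cooling-off"))


# Constructed sample data for the example (not real customer data).
SAMPLE_ACCOUNTS = [Account("+34600000001", "12345678Z", "Ana García", "8934000000000000001", "ana@example.org")]
T0 = datetime(2022, 2, 23, 10, 0)


def after(hours=0, minutes=0):
    return T0 + timedelta(hours=hours, minutes=minutes)


if __name__ == "__main__":
    gate = SimDuplicateGate(SAMPLE_ACCOUNTS)
    print(gate.open_request(Request("+34600000001", "00000000A", "Ana García", "agent-7", T0)))
    print(gate.open_request(Request("+34600000001", "12345678Z", "Ana García", "agent-7", T0)))
    print(gate.audit)
```

The point of the three gates is that no single party can complete a duplicate on its own: the agent cannot bypass the contract check, a burst of requests from one counter is stopped before any code is sent, and the confirmation code is delivered to the SIM the line is currently using rather than handed to whoever is standing in the shop. The audit trail is what a later investigation (or a DPA) would ask for.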

In this regard, it should be recalled that, pursuant to Article 25 of the GDPR:

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 116/120

That is to say, the protection of the fundamental right to data protection does not consist of a mere “reactive” wait for a problem to occur that may harm it; rather, controllers must design (“data protection by design”), before the processing starts, the appropriate policies for the protection of that fundamental right. This includes all the aspects regulated in the GDPR, starting with the transparency obligations, respect for the exercise of the rights established in the Regulation, and the establishment of all the technical and organisational measures necessary to guarantee compliance with the Regulation. All of this must be planned and implemented by the controller before the processing begins.

In this specific case, not having provided for these measures from the design of the procedure analysed meant that ORANGE did not have the appropriate measures to prevent a situation such as the one in the present case from occurring, (…).

For all the above, it is clear that ORANGE has failed to comply with the obligation to adopt, from the start of the processing, technical and organisational measures that guarantee the rights and freedoms of individuals, taking into account the risks that this processing entails, including the risk of impersonation or fraud and financial loss, (…), as has occurred in the case that led to the opening of this sanctioning procedure.

Therefore, in accordance with the evidence available at the time of resolution of the sanctioning procedure, the known facts are considered to constitute an infringement, attributable to ORANGE, of Article 25 of the GDPR.

IX
Classification of the infringement of article 25

The aforementioned infringement of Article 25 of the GDPR constitutes the infringement classified in Article 83.4 of the GDPR, which, under the heading “General conditions for imposing administrative fines”, provides:

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (…)”

For the purposes of the limitation period, Article 73 “Infringements considered serious” of the LOPDGDD provides:

“In accordance with the provisions of Article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and are subject to a two-year limitation period: (…)

d) Failure to adopt the technical and organisational measures appropriate to effectively apply the data protection principles from the design stage, as well as failure to integrate the necessary safeguards into the processing, in the terms required by Article 25 of Regulation (EU) 2016/679. (…)”

X
Penalty for infringement of article 25 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the resolution of the sanctioning procedure, it is considered appropriate to grade the sanction to be imposed in accordance with the following criteria established in Article 83.2 of the GDPR:

- The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them (section a): at least from the date on which the lack of adequate measures to guarantee the confidentiality of the data subjects' data was established, 15 November 2022, until the date of the agreement to initiate this sanctioning procedure, given that there is no record that appropriate measures had been adopted from the outset.

In addition, according to its website, ORANGE currently has more than 21 million customers. In this regard, it must be taken into account that this infringement affects the SIM card issuing procedure and, therefore, all ORANGE customers are potentially affected.

Section 54.b.iv of EDPB Guidelines 04/2022 includes, as one of the circumstances to be assessed in grading the sanction, “the number of data subjects specifically, but also potentially, affected”, and clarifies in relation to this criterion: “The higher the number of data subjects involved, the greater weight the supervisory authority may attribute to this factor. In many cases, it may also be considered that the infringement takes on “systematic” connotations and, therefore, may affect, even at different times, additional data subjects who have not submitted complaints or reports to the supervisory authority. The supervisory authority may, depending on the circumstances of the case, consider the relationship between the number of data subjects affected and the total number of data subjects in that context (for example, the number of citizens, customers or employees) in order to assess whether the infringement is of a systemic nature”.


- Intention or negligence in the infringement (section b). In this regard, the Supreme Court has held that there is negligence whenever a legal duty of care is disregarded, that is, when the offender does not act with the required diligence. In assessing the degree of diligence, the professional or non-professional character of the subject must be given particular consideration, and there is no doubt that, in the case now examined, where the appellant's activity involves constant and abundant handling of personal data, rigour and scrupulous care in complying with the legal provisions in this regard must be insisted upon. [Judgment of the National Court of 17/10/2007 (rec. 63/2006)]

- Any relevant previous infringements by the controller or processor (section e): it is on record that, on 31 January 2023, a resolution was issued in procedure no. EXP202204288 imposing a fine of 70,000 euros; that, on 30 January 2023, a resolution was issued in procedure no. EXP202203638 also imposing a fine of 70,000 euros; and that, on 10 November 2021, a resolution was issued in file PS/00022/2021 imposing a fine of 700,000 euros.

Likewise, it is considered appropriate to grade the sanction to be imposed in accordance with the following criteria established in section 2 of Article 76 “Sanctions and corrective measures” of the LOPDGDD:

- Link between the offender's activity and the processing of personal data (section b): the business activity carried out by the entity requires continuous processing of personal data.

The balance of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, with respect to the infringement committed by violating Article 25 of the GDPR, allows an administrative fine of 1,000,000 euros to be set.

XI

Adoption of measures

In accordance with the provisions of the aforementioned Article 58.2 d) of the GDPR, under which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period”, ORANGE is required to notify this Agency within 6 months of the measures it has adopted to ensure that a request for a duplicate is submitted by the holder of the telephone number, regardless of the procedure used for its issuance.

The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in Article 83.2 of the GDPR.

Please note that failure to comply with the order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement under the GDPR, classified as an infringement in its Articles 83.5 and 83.6, and such conduct may lead to the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on ORANGE ESPAGNE, S.A.U., with NIF A82009812:

- for an infringement of Article 6 of the GDPR, classified in Article 83.5.a) of that Regulation, an administrative fine of 200,000 euros (two hundred thousand euros);

- for an infringement of Article 25 of the GDPR, classified in Article 83.4 of that Regulation, an administrative fine of 1,000,000 euros (one million euros).


SECOND: ORDER ORANGE ESPAGNE, S.A.U., with NIF A82009812, pursuant to article 58.2.d) of the GDPR, to notify this Agency within 6 months of the measures it has adopted to ensure that the duplicate request is submitted by the owner of the telephone number, regardless of the procedure used for its issuance.

THIRD: NOTIFY this resolution to ORANGE ESPAGNE, S.A.U.

FOURTH: This resolution will be enforceable once the period for lodging the optional appeal for reconsideration has ended (one month from the day following notification of this resolution) without the interested party having made use of that option.

The sanctioned party is warned that it must pay the fine imposed once this resolution is enforceable, in accordance with Article 98.1.b) of the LPACAP, within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number IBAN: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and the resolution has become enforceable, if the date of enforceability falls between the 1st and 15th of the month, both inclusive, the deadline for voluntary payment is the 20th of the following month or the next business day thereafter; if it falls between the 16th and the last day of the month, both inclusive, the deadline is the 5th of the second following month or the next business day thereafter.


In accordance with Article 76.4 of the LOPDGDD, and given that the amount of the fine imposed exceeds one million euros, the identity of the offender, the infringement committed and the amount of the fine will be published in the Official State Gazette.

In accordance with Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly lodge an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with Article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of that Law.

Finally, it is noted that, in accordance with Article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses its intention to lodge an administrative appeal. If so, the interested party must formally communicate this by means of a letter addressed to the Spanish Data Protection Agency, submitted through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/] or through one of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must also provide the Agency with documentation proving that the administrative appeal has actually been filed. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the provisional suspension.

938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency
