AEPD (Spain) - EXP202308186

From GDPRhub
AEPD - EXP202308186
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 20.09.2022
Decided: 24.03.2024
Published:
Fine: 200,000 EUR
Parties: Vodafone España, S.A.U.
National Case Number/Name: EXP202308186
European Case Law Identifier: n/a
Appeal: Appeal Dismissed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a controller €200,000 after it failed to respond to the DPA's requests for further information, finding that it hindered the investigation in violation of Article 58(1) GDPR.

English Summary

Facts

On 20 September 2022, a data subject filed a complaint with the Spanish DPA (AEPD). The data subject had received numerous advertising calls from Vodafone España, S.A.U. (the controller) on various dates, from various phone numbers. This occurred despite the data subject being listed on no-call lists.

The controller noted that it has partners who carry out calls on its behalf. However, it claimed that there was no record in its database associating the phone numbers that called the data subject with the controller. It noted that its calling partners are subject to contractual requirements that ensure they will not use non-Vodafone phone numbers, and that the controller has stopped working with partners that failed to comply with contractual obligations including data protection standards.

The AEPD dismissed the complaint in part because some calls could not be tied to the controller (see EXP202210932). However, it requested further information from the controller with regard to certain calls from third parties made by Vodafone partners on behalf of the controller. However, the controller failed to respond or to provide the AEPD with the requested information. On 19 September 2023, the AEPD initiated sanctioning procedures against the controller for a presumed infraction of Article 58(1) GDPR. In October 2023, the controller affirmed that it had not provided the requested documents or facilitated the investigation. Nonetheless, it argued that it had collaborated with the AEPD at all times and had no intention of hindering the investigation. It claimed that it could not provide the requested information without proper judicial authorisation and without breaching data protection obligations. It also argued that the calls were not affiliated with Vodafone but instead with a new customer of the former partner, which Vodafone had ended its contract with. Finally, it claimed that even if it had provided the requested information, the investigation would have been unaffected because the owners of the numbers that made the calls did not respond to the AEPD’s requests.

The controller also pointed out that documents and investigations carried out in this case against third parties were not provided to the controller and requested full access. The AEPD refused to provide access on the basis that those proceedings were independent of the current one, and that the investigation of third parties is unrelated to the sanctioning proceeding.

Holding

The AEPD found that the controller had failed to provide the AEPD with the information it requested, thus hindering the AEPD’s duty of investigation and infringing Article 58(1) GDPR. The AEPD imposed a fine of €200,000.

Comment

The AEPD dismissed an internal appeal to this decision by the controller (see here) on 11 July 2024.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/19










     File No.: EXP202308186



               RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based

to the following


                                 BACKGROUND


FIRST: As a consequence of a claim presented to the Spanish Agency
of Data Protection against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (in
hereinafter, the claimed party), showing signs of a possible breach of
the standards within the scope of the powers of the Spanish Agency for the Protection of
Data, actions were initiated with file number EXP202210932.


In accordance with the provisions of article 65 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(LOPDGDD hereinafter), the claim was transferred to the person in charge or to the Delegate
of Data Protection that may have been designated, requesting that you send
to this Agency the information and documentation that was indicated.


SECOND: On November 28, 2022, a response is received from the entity
claimed, registered at the outset with the numbers REGAGE22e00054090973 and
REGAGE22e00054091729, in which it indicates the following:


“The claim has taken place because it appears that Ms. A.A.A., in different
dates, has received commercial calls in the name of Vodafone, coming from the
calling numbers (…) ***PHONE.1 (…). According to the information available in the
Registry of Numbers and Telecommunications Operators of the Commission
National Markets and Competition Authority (CNMC), the numbers indicated

They previously belong to the following operators; (…) ***PHONE.1 a
Vodafone ONO; (…).

After carrying out the appropriate checks, we have verified that the lines
telephone numbers of the claimant, ***PHONE.2, ***PHONE.3 and ***PHONE.4,
They appear in ADigital's official Robinson list and in ADigital's internal Robinson list.

Vodafone. These numbers, according to the CNMC registry and as of December 28
November 2022, belong to VODAFONE ENABLER.
(…)
We have checked whether the calling numbers indicated in the request
information appears in our database with the telephone numbers they use

our collaborators to make recruitment calls. To this end, we have
verified that it does not appear in our database of numbers associated with our
collaborators who make recruitment calls on behalf of Vodafone. Thus,
It does not seem possible to relate the reception of the calls that reveal the
Mrs. A.A.A. in your claim with my client.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/19








(…)
On the other hand, a single database has been created with the list of phone numbers.
telephone number that each collaborator, distributor or supplier dedicated to

collection used in the performance of these services, in order to be able to identify
who is responsible for these calls. It is Vodafone's interest to ensure that
These companies do not use numbers other than Vodafone and they are all
are clearly identified and linked to the entity that uses it.
(…)
Likewise, currently Vodafone has stopped working with those entities that

have repeatedly failed to comply with the contractual obligations established by
Vodafone, as well as the legal provisions regarding data protection and
is in the middle of a selection of those collaborators who guarantee the
full compliance with current regulations.


THIRD.- The Agency requests certain information for cases in which the
call has been made by a third party.
Since the calling numbers indicated by Mrs. A.A.A. do not appear. in his complaint in
our database of telephone numbers used by our collaborators to
make recruitment calls, the contribution of
information.


FOURTH.- The Agency requests information about the “DECISION ADOPTED TO
PURPOSE OF THE CLAIM”.

A copy of the letter prepared to Ms. A.A.A. is provided as Document number 5. in

which informs you of the steps taken by my client to resolve
your claim. In this sense, the letter informs the claimant that
There is currently no data linked to your ID in Vodafone systems. No
However, there is data linked to your ID in Vodafone systems.
Enabler (Lowi), having active services with this brand.


Likewise, attached as Document number 6 is an internal report in which
confirms the deletion of the claimant's data in Vodafone systems.”

The claim was admitted for processing on December 2, 2022.


THIRD: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the investigative powers granted to the authorities of
control in article 57.1 of Regulation (EU) 2016/679 (General Regulation of
Data Protection, hereinafter RGPD), and in accordance with the provisions of the

Title VII, Chapter I, Second Section, of the aforementioned LOPDGDD.

Within the framework of the investigation proceedings, they were sent to the requested party
three information requirements, related to the claim outlined in section
first, so that, within a period of ten business days, the

information and documentation that was indicated therein. The requirements were
registered departure on dates February 13, 2023, March 24, 2023 and March 12
May 2023.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/19








Specifically, information was required on up to three occasions regarding the following:

- Confirmation of the sending to the number ***PHONE.2 of the call made by the

line ***TELÉFONO.1 on June 16, 2022 between the hours of 12:00 and 14:00.

- Confirmation of the sending to the number ***PHONE.3 of the call made by the
line ***TELÉFONO.1 on June 16, 2022 between the hours of 12:00 and 14:00.

- Confirmation of the sending to the number ***PHONE.4 of the call made by the

line ***TELÉFONO.1 on June 16, 2022 between the hours of 12:00 and 14:00.

FOURTH: The information requirements, which were notified in accordance with the
rules established in Law 39/2015, of October 1, on the Procedure
Administrative Plan of Public Administrations (hereinafter, LPACAP), were

collected by the claimed party with dates February 22, 2023, March 29,
2023 and May 16, 2023, as stated in the acknowledgments of receipt in the
proceedings.

FIFTH: To the information requests sent to the claimed party
requesting confirmation of receipt in the claimant's numbers of the

calls made by the line ***PHONE.1, it was limited to answering, with
registered writings of entry dated March 8, 2023 and registration number
REGAGE23e00014439154 and dated May 22, 2023 and registration number
REGAGE23e00032372663, that the calling number belongs to another operator since
May 2021.


The claimed party has not given this Spanish Data Protection Agency the
required information.

SIXTH: VODAFONE ESPAÑA, S.A.U. is part of the VODAFONE business group

GROUP PLC, which has an annual business volume of 45,706 million
euros, according to the financial results published by the entity itself in
its annual report for fiscal year 2023.

SEVENTH: On September 19, 2023, the Director of the Spanish Agency
of Data Protection agreed to initiate sanctioning proceedings against the claimed party,

in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in
hereinafter, LPACAP), for the alleged violation of Article 58.1 of the RGPD, typified in
Article 83.5 of the GDPR Regulation (EU) 2016/679 (General Regulation of
Data Protection, hereinafter RGPD).


EIGHTH: The aforementioned initiation agreement was collected by the claimed party on date
September 27, 2023, as stated in the acknowledgment of receipt in the
proceedings.


NINTH: On September 27, 2023, writings are presented, registered in
entry with numbers REGAGE23e00064771967 and REGAGE23e00065138852, in the
that the claimed party requests the extension of the period initially granted for the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/19








formulation of allegations and access to the complete file of this
procedure.


This Agency facilitated access to the file and agreed to extend the deadline to formulate
allegations up to a maximum of five days, computed from the day following
the one in which the first period of allegations ended.

TENTH: On October 5, 2023, a registered document of entry is presented
with number REGAGE23e00067574223, in which the claimed party states that it is not

facilitated the writings and other investigations carried out by this Agency regarding
of the third parties involved in this investigation and requests again full access
to the file.

This Agency responded that file EXP202210932 is independent of the

present sanctioning procedure and that the investigative actions of said
file with respect to third parties are unrelated to the basis of this
sanctioning procedure, so they have not been incorporated into it, they do not
there being additional documentation to that included in the file previously
sent.


ELEVENTH: On October 19, 2023, allegations are presented to the agreement
start in writing registered entry with number REGAGE23e00070808627 in the
that the claimed party indicates that this Agency denied him access to a copy of the
present complete file.


Furthermore, first of all, the claimed party states that it has collaborated in all
moment with this Agency and that at no point has it had the intention of hindering
the investigation, he says, but to comply with all the legal requirements that, as an operator
of telecommunications, are required.


Thus, the claimed party says that the calling line ***PHONE.1 and the calls
***PHONE.2, ***PHONE.3 and ***PHONE.4 are their ownership, according to the
information available in the Registry of Numbering and Operators of
Telecommunications of the National Markets and Competition Commission.

Regarding the calling number ***PHONE.1, the claimed party says that it informed

this Agency that “it belonged to the reseller Akra Leuka Consulting, S.L., with
CIF B54498688 (hereinafter, “Akra Leuka Consulting”). With this information
We assume that the Agency sent a request for information to Akra Leuka
Consulting, which must have indicated that the final owner of the line was the company JESCOM
SARL AU. This information is inferred from the Archive Resolution of June 20,

2023 (hereinafter, the “Archive Resolution”), since the Agency has not provided
these investigations as part of the file of this procedure, despite the
requests sent by my client, limiting access to information and
hence Vodafone's defense capacity.”


Therefore, says the claimed party, said line did not belong to Vodafone since December 25.
May 2021, when it was reported to the aforementioned reseller. As proof, the part
claimed provides a screenshot of that reseller entity for fixed portability.
It also provides a screenshot of the website of the Commission's Registry of Operators

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/19








National Markets and Competition where it is observed that Akra Leuka
Consulting, S.L. is registered as a reseller.


The complained party goes on to say that, to the extent that the numbering was of the
reseller Akra Leuka Consulting, S.L., could not obtain information about the
calls sent by the line ***PHONE.1 that this Agency required. In it
in the event that the meaning of the requirement of this Agency was to request the
confirmation of receipt on the claimant's line of the call made by the
line ***PHONE.1, he adds, this information would refer to incoming traffic data,

information that is especially protected, he points out, by the Conservation Law
of data.

In relation to the traffic information, the claimed party comments that “in order to be able to
Accessing the system in which this information is archived requires

judicial authorization under the provisions of Law 25/2007, of October 18,
retention of data relating to electronic communications and networks
public communications (hereinafter, “Conservation Law”), specifically its
Article 1, the duty to transfer said traffic data, as well as location data
on natural and legal persons, operates only if carried out by
authorized agents, and whenever they are required through the corresponding

judicial authorization. Likewise, article 6.2 of the Conservation Law lists
Which are the authorized agents, specifically:
a) “Members of the Security Forces and Corps, when they perform
judicial police functions, in accordance with the provisions of article 547 of the Law
Organic 6/1985, of July 1, of the Judicial Branch.

b) The officials of the Deputy Directorate of Customs Surveillance, in the development of
their powers as judicial police, in accordance with section 1 of article 283
of the Criminal Procedure Law.
c) The personnel of the National Intelligence Center in the course of investigations of
security over people or entities, in accordance with the provisions of Law 11/2002,

of May 6, regulating the National Intelligence Center, and in the Organic Law
2/2002, of May 6, regulating prior judicial control of the National Center for
Intelligence."

In this sense, this legal reasoning has been defended by my client in
other occasions with regard to traffic data, such as, for example, in the

request with reference number EXP202211234, in which it was alleged before the
Agency the following:
Vodafone has a tool to manage, solely and exclusively, the
requests for information received through judicial or police requests
involving traffic information. Only through these mechanisms

Vodafone is authorized to access this information. It must be taken into account
Keep in mind that the use of this type of tools is extremely sensitive, and only
It can be used in very exceptional cases, as long as it comes
accompanied by a judicial or police information request prior to access to
the information requested.

[…]
For all this, and as stated in the previous allegations by my client,
the exclusion of the duty of collaboration on the part of Vodafone would apply,
included in article 52.3 of Organic Law 3/2018, of December 5, of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/19








Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD), which reserves the transfer of data only for compliance with
the obligations provided for in Law 25/2007, of October 18, on the conservation of

data relating to electronic communications and public networks
communications, and with prior judicial authorization requested by one of the agents
to authorize.
[…]
In this sense, my client requests that this Agency, to the extent possible
possible, justify the reason why you consider that the alleged exception does not apply.

This justification will be necessary to the extent that the tool used to
obtaining traffic information has, due to the type of information that
stores, a series of security, control and monitoring measures extremely
elevated. Both the system and the measures implemented are audited with
frequency and during such audits the reason for certain audits may be requested.

consultations, the reasons for which are assessed. Therefore, in terms of strict defense,
My client would need to provide legal justification of the entity
applicant to have accessed the system, processed traffic data and communicated said
information."

Ultimately, the claimed party concludes that it could not provide the traffic data

requested without having the proper judicial authorization. Likewise, he adds, the
responsibility for the calls made by the reseller's customers is in all
case of Akra Leuka Consulting, S.L.

The claimed party reiterates that it has always sought collaboration with this Agency and

that on the occasions in which information about calls made has been requested
through its lines, whose information can be confirmed by reviewing the billing and without
access traffic data, has sent said information to the Agency, such as,
For example, it says, in the requirement with reference number EXP202102025, whose
The allegations have the entry registration number REGAGE22e00016210068.


Secondly, the defendant argues that in the event that there were
provided the required information, contravening the obligations of the regulations of
data retention, the outcome of the Agency's investigation would not have
varied, then, he says, the holders of the numbers that executed the calls
object of the investigation have not responded to the requirements of this Agency.


Thirdly, the claimed party points out, subsidiarily, and in the event that
This Agency understands that it has violated article 58.1 of the RGPD, which cannot
appreciate the existence of guilt in the alleged infractions and, in
Consequently, he says, no sanction can be imposed, according to article 28.1 of the

Law 40/2015, of October 1, on the Legal Regime of the Public Sector.

Furthermore, it continues, continuing with the interpretation made by the Supreme Court,
For exculpation, the invocation of the absence of guilt will not be enough, but it will be
It is necessary that the diligence that was required by the person who claims his

non-existence (among others, the Supreme Court Ruling of January 23, 1998
[RJ 1998\601]). In this sense, the claimed party claims to have acted in all
moment in collaboration with this Agency, complying with the due diligence that
It is demandable, and no guilt can be attributed to him, he says.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/19









Fourthly, the claimed party indicates, subsidiarily, and in the event that
This Agency understands that there has been a violation and a sanction must be imposed, which

It must be modulated downwards taking into account extenuating circumstances. So,
reiterates, acted in compliance with the Conservation Law. Furthermore, he adds, his degree
of cooperation during the previous inspection actions was high, as evidenced by
all responses made to information requests and the
provided information that led, he adds, to this Agency being able to reach
identify those responsible for the calls, having completed the investigation,

he asserts, for reasons unrelated to his participation in the investigation. Finally, the
claimed party says that it has not obtained any type of benefit or avoided losses to
due to the alleged lack of collaboration.

By virtue of all of the above, the claimed party requests the archiving of these

actions because, he says, none of the alleged infractions had been committed and,
subsidiarily, that if any sanction is imposed, it is imposed in an amount
minimal.

TWELFTH: On January 11, 2024, a proposed resolution was formulated,
proposing that the Director of the Spanish Data Protection Agency

sanction the claimed party, for a violation of Article 58.1 of the RGPD, typified
in Article 83.5 of the GDPR, with a fine of €200,000.00. This proposal of
resolution was reliably notified to the claimed party on January 17
of 2024, as stated in the acknowledgment of receipt in the file.


THIRTEENTH: With dates January 18, 23 and 26, 2024, they are registered
entry, with numbers REGAGE24e00004378839, REGAGE24e00005285077 and
REGAGE24e00006323677, writings in which the claimed party requests the
extension of the period initially granted in the maximum time allowed by the
current legislation, under article 32 of the LPACAP.


This Agency agreed to extend the period to formulate allegations up to a maximum of
five days, computed from the day following the day on which the first
allegations period.

FOURTEENTH: With date February 7, 2024 and entry registration number

REGAGE24e00009843778, the claimed party presents a written statement of allegations to the
Proposal for a resolution, in which it states, “without prejudice to the fact that we refer to what
set forth in the allegations presented before the Initiation Agreement”, the following.

In the First Allegation, the claimed party once again states that it has not violated the

article 58.1 of the RGPD, which has collaborated at all times with the Agency and that in
No point, he says, has been intended to hinder the investigation, but rather to
comply with all the legal requirements that, as a telecommunications operator,
They are required.


Regarding the duty of collaboration, the complained party does not agree
with the affirmation of this Agency that in the present case it is not applicable
the exclusion of the duty of collaboration imposed by article 52 of the LOPDGDD,
since it cannot be accepted that the mere confirmation that a

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/19








specific call between two numbers can be considered as traffic data
treated “exclusively” to comply with the obligations provided for in the law
25/2007. On the contrary, the claimed party understands that “this information is

protected to be offered solely and exclusively to authorized agents through
requests for information received through judicial requests or
police that involve traffic information.

Consequently, Vodafone could not provide the data requested by the Agency without,
as a result, access such traffic data. Likewise, and said in terms

of strict defense, the responsibility for the calls made by the clients of the
reseller is in all cases Akra Leuka Consulting, which may confirm said
information, not from Vodafone.

On the other hand, the Agency, in the Proposed Resolution, indicates that “[…] article 52

of the LOPDGDD expressly provides within the duty of collaboration that, in the
assuming that the conduct had been carried out through the use of a
fixed or mobile telephone service, information must be provided on “3rd The mere
confirmation that a specific call has been made between two numbers on a
certain date and time.” […] he was not being asked to provide specific data,
but mere confirmation.”


In this sense, my client does not deny the validity of this article, but rather
analyzed in conjunction with Law 25/2007, of October 18, on data conservation (in
(hereinafter, the “Data Preservation Law”). As a result, in certain cases, in
those that do not involve access to traffic data, have been provided to the Agency

confirmation of making calls, such as, for example, and as indicated in
the allegations to the Startup Agreement, in the request with reference number
EXP202102025, whose allegations have the entry registration number as
REGAGE22e00016210068.


In short, Vodafone has not violated article 58.1 of the RGPD and has offered the
Agency the information available in its systems and that it is authorized to communicate
in compliance with the multiple legal obligations that are required as
communications operator.”

In the Second Allegation, the defendant again argues that, in the case of

who had provided the required information, contravening, he says, the obligations
of the data retention regulations, the result of the investigation of no
would have changed, since the holders of the numbers that executed the calls
object of the investigation have not responded to the requirements of this Agency.


In this sense, the claimed party points out that “they have not wanted to question the
ability of the Agency to determine the need for the requested information, but
highlight that the seriousness of the potential infraction, in the event that it occurs
considered as such, it would have to be reduced, since the Agency, even contributing my
represented the required information, would not have been able to confirm the reason for the

themselves, not being able to conclude the original reason for this process, which is the realization
of commercial communications to Ms. A.A.A.'s line, nor sanction or warn
those responsible for them as they are outside the scope of competence
territory of the AEPD”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/19









In the Third Allegation, the claimed party affirms that it has implemented security systems
monitoring and auditing to control unauthorized, illegal or fraudulent activity
when it comes to commercial calls.


According to the claimed party, “this procedure is caused by a series of calls
commercials that Ms. A.A.A. claims, calls that were not authorized by
part of Vodafone and that are executed illegitimately or fraudulently.

In this sense, my client has implemented numerous controls for the
monitoring and auditing of these practices. Among other measures, Vodafone has

implemented the routing system, sales audits, etc.,
measures that have been brought to the attention of this Agency in the course of
other procedures. However, in this case we want to highlight what is related to the
“Deontological Code in Commercial Contact Operations” (hereinafter, the
“Code of Conduct”), signed by the main operators in the Spanish market on

July 19, 2021. This Code of Conduct establishes that the signatories
agree to mutual collaboration for investigation and adoption of measures
corresponding in cases in which an irregular practice is identified, such as
the case analyzed in this procedure. This measure demonstrates the diligence
implemented by my client to control, monitor and implement the
measures that are necessary to minimize these practices.”


In the Fourth Allegation, the claimed party states again that,
“Subsidiarily, and in the event that the Agency understands that Vodafone has
violated article 58.1 of the RGPD, the existence of guilt cannot be appreciated
in the infractions imputed to Vodafone and, consequently, it cannot be imposed on
the same sanction.”


Against the dismissal by this Agency of the lack of guilt to the
consider that the claimed party did not respond adequately to the
requirements made, thus calling into question the diligence
employee, the claimed party alleges that “it did respond adequately to the
information requirements, complying with the regulations that are considered applicable, in

specifically, the Data Preservation Law. Likewise, it has acted with diligence
due, not only complying with the applicable regulations, but has also implemented
measures to control unauthorized calls made by third parties other than
my client, such as, for example, through the collaboration processes of the
Code of Conduct.


Consequently, Vodafone has acted at all times in compliance with due diligence.
due that is required of him, and no guilt can be attributed to him.”

In the Fifth Allegation, the claimed party points out that, “Subsidiarily, and for the
in the event that the Agency understands that there has been a violation and a penalty must be imposed.

sanction to Vodafone, the following circumstances must be taken into account
aggravating and mitigating.

Regarding the applied aggravating circumstance of negligence in the infringement, the claimed party
reiterates that it acted in compliance with the Conservation Law. Thus, he says that “no

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/19








could provide the requested traffic data, without having proper authorization
judicial or police. It should not be understood that Vodafone's motivation in
Denial of said information responds to a malicious and intentional intention with the
in order to make the Agency's investigation difficult since Vodafone has collaborated in everything
moment in this investigation answering all possible information and, in addition,

It must be taken into account that the information requested from my client does not
would change the results of the investigation, since, as the AEPD indicates in its
file resolution, it would not clarify whether the reason for the calls was commercial for
be able to conclude violation of the LGTel or RGPD.”

The claimed party also insists that this Agency did not apply when evaluating

the sanction “The degree of cooperation with the supervisory authority in order to put
remedy the infringement and mitigate the possible adverse effects of the infringement.” In
In this sense, it reiterates that its degree of cooperation during the previous actions of
inspection was high, as proven by all the responses made to the
information requirements and the information provided that led, he says, to

This Agency has been able to identify those responsible for the calls,
having completed the investigation, he states, for reasons unrelated to his participation in
on the research. Furthermore, the claimed party says that, “in order to remedy
To this type of infractions my client has applied monitoring measures and
audit to monitor unauthorized, illegal or fraudulent activity in what
“regards commercial calls.”


By virtue of all of the above, the claimed party requests that the
dismissal of the file with the consequent archiving of the proceedings, for not
none of the alleged infractions having been committed and that, subsidiarily, in
If any sanction is imposed, it is imposed in a minimum amount, in light of the
indicated mitigating circumstances and the appropriate delimitation of the

responsibility in the processing of personal data of the affected parties.


In view of everything that has been done, by the Spanish Data Protection Agency
In this procedure, the following are considered proven facts:


                                PROVEN FACTS

FIRST: The information requirements indicated in the third and third background information
Fourth, they were notified to the claimed party in accordance with the provisions of the LPACAP
and collected as evidenced in the acknowledgments of receipt that appear in the
proceedings.


SECOND: To the requirements requesting confirmation of receipt in the
numbers of the claimant of the calls made by the line ***TELÉFONO.1, the
claimed party simply replied that the calling number belonged to another
operator since May 2021, despite having the requested information when being

VODAFONE ESPAÑA, S.A.U. the entity that operates the claimant's numbers
through one of its brands (LOWI).

THIRD: The notification of the agreement to initiate this procedure
sanctioning was collected by the claimed party on September 27, 2023.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/19









FOURTH: The claimed party has presented allegations to the agreement to start this
sanctioning procedure described in the eleventh antecedent.


FIFTH: The notification of the proposed resolution of this procedure
sanctioning was collected by the claimed party on January 17, 2024.

SIXTH: The claimed party has presented allegations to the proposed resolution
of this sanctioning procedure included in the fourteenth antecedent.


                           FOUNDATIONS OF LAW

                                           Yo
                                     Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
LOPDGDD, is competent to initiate and resolve this procedure the Director of the
Spanish Data Protection Agency.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a

subsidiary, by the general rules on administrative procedures."

                                           II
                           Allegations to the initiation agreement


In response to the allegations presented by the claimed party, the following must be noted:
following.

Regarding the claim that this Agency denied the complained party access
to this complete file and this limited his ability to defend himself, as already stated.
indicated, the file of this procedure was sent complete and in good form. The

writings and other investigations carried out regarding the third parties involved in
the investigation that the claimed party requested are unrelated to the basis of the
present sanctioning procedure and are part of another file, the number
EXP202210932, independent of this one. As can be seen from the allegations
presented, the claimed party was aware of the information that was required and

whose lack of contribution is the origin of this sanctioning procedure, and has
had the opportunity to present as many allegations and evidence as it has considered
convenient for their defense, therefore the aforementioned defenselessness does not occur.

Regarding the claim of the claimed party that, if it had contributed

the required information, the result of the Agency's investigation would not have
varied, it should be noted that the offending type is completed with the lack of response to the
required information and is not conditioned to the eventual consequences of its lack
of observation, and that it is up to this Agency to assess the need for the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/19








investigation of the information required at the time it is carried out. It
Otherwise, it would mean accepting that it is not possible to demand compliance with the obligation.
legal right to meet the information requirements of this Agency as long as it is not
the actions are completed and their result is determined.


Regarding the argument of the claimed party that, in application of the Law
25/2007, of October 18, on conservation of data related to communications
electronic communications and public communications networks, could not facilitate this
Agency the requested data without having the proper judicial authorization, it is noted
that in the present case the aforementioned exclusion to the duty of
collaboration imposed by article 52 of the LOPDGDD, since it cannot

accept that mere confirmation that a specific call has been made
between two numbers can be considered as processed traffic data
“exclusively” to comply with the obligations provided for in Law 25/2007.

In this sense, article 52 of the LOPDGDD expressly provides within the

duty of collaboration that, in the event that the conduct had been carried out
through the use of a fixed or mobile telephone service, it must be provided
information about “3rd The mere confirmation that a call has been made
between two numbers on a certain date and time.”

In the now controversial case, the transfer of data was not being requested.

concrete, but the mere confirmation of information that the AEPD already had and that
transmitted to VDF for the purposes of confirmation, since the AEPD was aware of the
calling number, as well as the specific time and date in which said call was made.
produced the claimant's number.

And all this in addition to the fact that this confirmation of information is expressly

provided and determined by the legislator within the duty of collaboration of the
mentioned article 52 of the LOPDGDD.

Regarding the fact that the existence of guilt cannot be appreciated, it is recalled that,
certainly, the principle of responsibility provided for in article 28.1 of the Law
40/2015, of October 1, of the Legal Regime of the Public Sector, provides that: “Only

may be sanctioned for acts constituting an administrative infraction.
natural and legal persons, as well as, when a Law recognizes their capacity to
act, the groups of affected people, the unions and entities without legal personality and the
independent or autonomous assets, which are responsible for them
title of fraud or guilt.”


However, as ruled in STS 7887/2011 of November 24, 2011,
Rec. 258/2009, “(…) since its ruling 76/1990, of April 26, the Court
Constitutional Court has been declaring that it does not fit into the administrative sanctioning sphere
objective or no-fault liability, a doctrine that is reaffirmed in the ruling
164/2005, of June 20, 2005, by virtue of which the possibility of imposing

sanctions for the mere result, without proving a minimum of guilt even by way of
of mere negligence. Now, the way of attributing responsibility, to the
legal persons does not correspond to the forms of willful or intentional guilt
“reckless actions that are attributable to human conduct.”


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 13/19








So it happens that, in the case of infringements committed by legal entities, although
the element of guilt must be present (see the ruling of this Chamber of the
Supreme Court of November 20, 2011 (cassation appeal in the interest of law

48/2007), this is necessarily applied in a different way than it is done with respect to
natural persons. According to STC 246/1991 “(...) this construction different from the
imputability of the authorship of the infringement to the legal entity arises from the legal entity itself.
nature of legal fiction to which these subjects respond. They lack the
volitional element in the strict sense, but not the ability to violate the rules to which
who are subjected. Capacity for infringement and, therefore, direct blameworthiness

derives from the legal good protected by the norm that is violated and the need for
said protection is really effective and for the risk that, consequently, must
assume the legal entity that is subject to compliance with said rule.”

To the above it must be added, following the ruling of January 23, 1998,

partially transcribed in STS 6262/2009, of October 9, 2009, Rec 5285/2005,
and STS 6336/2009, of October 23, 2009, Rec 1067/2006, that "although the
guilt of the conduct must also be proven, it must be considered in
order to the assumption of the corresponding load, which ordinarily the elements
volitional and cognitive functions necessary to appreciate that are part of the behavior
proven typical, and that its exclusion requires proving the absence of such

elements, or in its normative aspect, that the diligence that was
demandable by those who claim its non-existence; is not enough, in short, for exculpation against
the invocation of the absence of fault to typical unlawful behavior".

Consequently, the lack of guilt is rejected since the claimed party did not

responded appropriately to the requirements made by this Agency,
thus calling into question the diligence used.

Finally, the absence of benefits cannot be considered a mitigating factor in the agreement.
with the Judgment of the AN, of 05/05/2021, rec. 1437/2020, which indicates: “Consider, for

On the other hand, the non-commission of an infraction must be considered as mitigating
former. Well, article 83.2 of the RGPD establishes that it must be taken into account
for the imposition of the administrative fine, among others, circumstance "e) all
previous infringement committed by the person responsible or the person in charge of the treatment".
This is an aggravating circumstance, the fact that the budget does not exist for
Its application means that it cannot be taken into consideration, but it does not imply or

allows, as the plaintiff claims, its application as a mitigating circumstance”; applied to the case
prosecuted, the lack of the budget for its application with respect to art. 76.2.c) of the
LOPDGDD, that is, obtaining benefits as a result of the infringement, does not allow its
application as a mitigating factor.”


This graduation criterion is established in the LOPDGDD in accordance with the provisions
in article 83.2.k) of the RGPD, according to which administrative fines will be imposed
taking into account any “aggravating or mitigating factors applicable to the
circumstances of the case, such as financial benefits obtained or losses
avoided, directly or indirectly, through the infringement”, understanding that avoiding

A loss has the same nature for these purposes as obtaining profits.

If we add to this that the sanctions must be effective “in each individual case”,
proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/19








Admitting the absence of benefits as a mitigating circumstance is not only contrary to the
assumptions of facts contemplated in article 76.2.c), but also contrary to
what is established in article 83.2.k) of the RGPD and the principles indicated.


Thus, valuing the absence of benefits as a mitigating factor would nullify the effect
deterrent of the fine, to the extent that it reduces the effect of the circumstances that
effectively affect its quantification, reporting to the person responsible a benefit to the
that he has not deserved. It would be an artificial reduction of the sanction that can
lead to the understanding that violating the rule without obtaining benefits, financial or otherwise

Whatever it may be, it will not produce a negative effect proportional to the seriousness of the fact.
offender.

In any case, the administrative fines established in the RGPD, in accordance with the
established in its article 83.2, are imposed depending on the circumstances of each

individual case and it is not estimated that the absence of benefits is a factor of
appropriate and decisive grading to assess the severity of the behavior
offender. Only in the event that this absence of benefits is relevant to
determine the degree of illegality and guilt present in the specific
infringing action may be considered as a mitigating circumstance, in application of the article
83.2.k) of the GDPR, which refers to “any other aggravating or mitigating factor

applicable to the circumstances of the case.”

For all these reasons, it is not possible to grant the request of the claimed party regarding the file.
of this sanctioning file, as well as the reduction of the sanction
initially proposed under the mitigating circumstances indicated.


                                           III
                       Allegations to the Proposed Resolution

In response to the allegations to the Proposed resolution of this file

presented by the claimed party the following must be noted.

The allegations presented against the Proposed resolution of this file
largely reproduce the same arguments used against the Agreement
beginning and which, therefore, have already been answered by this Agency in the previous
basis of law, so, where appropriate, the corresponding

referrals to it.

Regarding the First Allegation, regarding the disagreement shown by the party
claimed regarding this Agency's assertion that in the present case there is no
the exclusion of the duty of collaboration imposed by article 52 applies

of the LOPDGDD, refers to what is stated in the previous legal basis, to which
It is pertinent to add the following.

When the request was made within the framework of the investigation, the party
claimed motivated its lack of response to the requested information in which said line

It belonged to another operator since May 2021.

Thus, at that time, the claimed party did not argue to the contrary, nor did it say in its
response that could not provide the information in accordance with Law 25/2007,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/19








argumentation made in this sanctioning procedure. That is, when
the connection to his own acts is unfavorable to him, when a procedure is opened
sanctioner. If really the reason why, according to the claimed party, it could not give

The information is due to what refers to Law 25/2007, it is not consistent that it gave
another different answer, which did not respond to what was asked in the request. All
This shows a lack of willingness to collaborate to provide the mere
confirmation of the existence of the call.

In relation to the Second Allegation, in response to the argument of the party

claimed that, if he had provided the required information, the
result of the investigation had not changed, so the severity of the
potential infringement, he says, in the event that it is considered as such, it would have to be seen
reduced, with respect to what has already been explained in the previous legal basis, it is possible
emphasize that the reason for this sanctioning procedure is not the carrying out of

commercial communications to Mrs. A.A.A.'s line. Specifically, this
procedure is initiated for the alleged violation of article 58.1 of the RGPD, classified
in article 83.5 of the RGPD, for not providing the information required for the
exercise of the functions of this Agency. Therefore, as already indicated, the type
offender is completed with the lack of response to the requested information and is not
conditions the eventual consequences of its lack of observation.


As regards the Third Allegation, the fact that the claimed party
would have implemented monitoring and auditing systems to control the
unauthorized, illegal or fraudulent activity regarding calls
commercial, as well as the one who has subscribed to the Code of Ethics in Transactions

of Commercial Contact, has no relation to the infringement that in this procedure
is being substantiated, which is not the making of commercial calls, but rather the
facilitate access to the information required in breach of article 58.1 of the
RGPD, so it cannot be taken into account as a mitigating factor.


Regarding the Fourth Allegation, regarding the opinion of the claimed party that there is no
the existence of guilt can be appreciated since he did answer, he says, of
in an appropriate manner to the information requirements, complying with the regulations that
considers applicable, specifically, the Data Conservation Law, it is possible to refer to
what has already been stated in the previous legal basis.


Regarding the Fifth Allegation, on the aggravating and mitigating circumstances
referred to by the claimed party, the following is indicated.

Regarding the applied aggravating factor of negligence in the infringement, reference is made to what
indicated in the previous legal basis.


In relation to the fact that this Agency did not apply when evaluating the sanction “The degree
cooperation with the supervisory authority in order to remedy the infringement and
mitigate the possible adverse effects of the infringement”, as alleged in the Agreement of
At the beginning, the claimed party adds that, “in order to remedy this type of

violations, my client has applied monitoring and auditing measures to
monitor unauthorized, illegal or fraudulent activity when it comes to calls
commercial." In this regard, it is reiterated that the violation for which this
procedure, as clearly stated in the foundations dedicated to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/19








unfulfilled obligation, classification and sanction, is not providing access to the
required information and not making commercial calls. Therefore, the
These measures are not related to the possible mitigation of the effects of the

infringement. To this it must be added that a
cooperation consisting of applying the necessary measures to control a
illicit activity, since this is a duty imposed on the data controller,
if possible, even more accentuated within the framework of the principle of proactive responsibility that
has developed the GDPR.


For all the above, it is not possible to grant the request of the claimed party regarding the
archive of this sanctioning file, as well as the reduction of the
sanction initially proposed by virtue of the mitigating circumstances indicated.

                                           IV

                                 Unfulfilled obligation

Based on the facts presented, it is considered that the claimed party has not
provided to the Spanish Data Protection Agency the information that
required.


The claimed entity did not respond to the requirements made by this Agency
in order to confirm receipt in the claimant's numbers of the
calls made, limiting themselves to answering that the calling number belonged to another
operator, instead of responding to how questionable it was about whether the
calls or not, information that must be known as it is VODAFONE ESPAÑA,

S.A.U. the entity that operates the claimant's numbers through one of its
brands (LOWI).

With the indicated conduct of the claimed party, the investigative power that the
Article 58.1 of the RGPD confers on the control authorities, in this case, the AEPD,

has been hindered.

Therefore, the facts described in the “Proven Facts” section are considered
constituting an infraction, attributable to the claimed party, for violation of the
article 58.1 of the RGPD, which provides that each supervisory authority will have, among
his investigative powers:


“a) order the person responsible and the person in charge of the treatment and, where appropriate, the
representative of the person responsible or the person in charge, who provide any information
that is required for the performance of its functions; b) carry out research in
form of data protection audits; c) carry out a review of the

certifications issued under Article 42, paragraph 7; d) notify the
responsible or to the person in charge of the treatment of the alleged violations of this
Regulation; e) obtain from the person responsible and the person in charge of the treatment access to
all personal data and all information necessary for the exercise of its
functions; f) obtain access to all the premises of the person responsible and the person in charge of the

processing, including any equipment and means of data processing, of
in accordance with the procedural law of the Union or of the Member States.”

                                           V

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/19








                       Classification and classification of the offense

The facts presented are considered to constitute an infraction, attributable to the party

claimed.

This infraction is classified in article 83.5.e) of the RGPD, which considers as such: “no
provide access in breach of Article 58(1).”

The same article establishes that this violation can be punished with a fine.

of twenty million euros (€20,000,000) maximum or, in the case of a
company, of an amount equivalent to four percent (4%) maximum of the
total global annual business volume of the previous financial year, opting for the
of greater amount.


For the purposes of the limitation period for infringements, the alleged infringement
prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as
The following behavior is very serious:

“ñ) Do not facilitate access by data protection authority personnel
competent to personal data, information, premises, equipment and means of

processing that is required by the data protection authority for the
exercise of its investigative powers.”

                                          SAW
                                  Imputed sanction


The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In
Consequently, the sanction to be imposed must be graduated according to the criteria
established in article 83.2 of the RGPD, and with the provisions of article 76 of the

LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD.

Based on the facts presented, the sanction that should be imposed is a fine.
administrative for an amount of 200,000.00 euros, for the alleged violation of the
article 58.1 of the RGPD, typified in article 83.5 of said regulation.


It can be seen that no mitigating circumstance is applicable and they have been considered as
aggravating the following facts:

- Art. 83.2 b) RGPD: intentionality or negligence in the infringement.
The claimed entity did not provide the information required in the requirements

of this Agency, alleging a cause that does not justify the refusal to provide it. The
Confirmation of receipt of calls is a fact that must be known by
the one claimed as VODAFONE ENABLER (LOWI) is the operator of the numbers of the
claimant. The order to provide the information was reiterated without
responded to the question raised on neither of the two occasions.






C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/19








Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for a
violation of Article 58.1 of the GDPR, typified in Article 83.5 of the GDPR, a
fine of 200,000.00 euros (TWO HUNDRED THOUSAND euros).

SECOND: ORDER VODAFONE ESPAÑA, S.A.U., with NIF A80907397, which, of

In accordance with the investigative power provided in article 58.1.a) of the RGPD,
facilitate, within a period of ten business days from when this resolution becomes final and
executive, the information required in the requirements made within the framework of the
actions with file number EXP202210932 and to which
reference in the background of this resolution.


Please note that not meeting the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its article 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.


THIRD: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U..

FOURTH: This resolution will be enforceable once the deadline to file the
optional resource for replacement (one month counting from the day following the
notification of this resolution) without the interested party having made use of this power.

The sanctioned person is warned that he must make effective the sanction imposed once
This resolution is executive, in accordance with the provisions of art. 98.1.b)
of the LPACAP, within the voluntary payment period established in art. 68 of the Regulations
General Collection, approved by Royal Decree 939/2005, of July 29, in
relation to art. 62 of Law 58/2003, of December 17, through its entry,

indicating the NIF of the sanctioned person and the procedure number that appears in the
heading of this document, in the restricted account IBAN number: ES00-0000-
0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the
Spanish Data Protection Agency in the banking entity CAIXABANK, S.A..
Otherwise, it will be collected during the executive period.


Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/19








contentious-administrative appeal before the Contentious-administrative Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the

referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative means if the

interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative procedure within a period of two months from the day following the

notification of this resolution would terminate the precautionary suspension.


                                                                                938-16012024
Sea Spain Martí
Director of the Spanish Data Protection Agency


































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es