AEPD (Spain) - PS/00155/2021

From GDPRhub
AEPD (Spain) - R/00389/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(1) GDPR
Article 83(5)(e) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.05.2021
Published: 25.05.2021
Fine: 5000 EUR
Parties: VODAFONE ESPAÑA, S.A.U.
National Case Number/Name: R/00389/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined Vodafone €5000 (reduced to €3000) for hindering its functions during an investigation, as Vodafone did not comply with an order to provide information to the DPA.

English Summary

Facts

The Spanish DPA (AEPD) launched an investigation on Vodafone, following a complaint lodged by a data subject. The AEPD then started a sanctioning proceeding against Vodafone, and in the framework of their powers, granted by Article 58(1) GDPR, asked Vodafone for information regarding the case.

The AEPD, however, did not receive any response from Vodafone.

Holding

The AEPD considered this behaviour as a hindering of their functions, and therefore decided to sanction Vodafone in accordance with Article 83(5)(e) GDPR, for the non-compliance with an order pursuant to Article 58(1) GDPR.

For this infringement, the AEPD fined Vodafone €5000, that were reduced to €3000 for early payment and acknowledgement of responsibility.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                            1/10








     Procedure No.: PS / 00155/2021


RESOLUTION R / 00389/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTARY

In the sanctioning procedure PS / 00155/2021, instructed by the Spanish Agency for

Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed
by A.A.A., and based on the following,

                                 BACKGROUND


FIRST: On April 16, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against VODAFONE
SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed:


<<





Procedure No.: PS / 00155/2021






           AGREEMENT TO START THE SANCTIONING PROCEDURE



Of the actions carried out by the Spanish Agency for Data Protection, and in

based on the following






                                     FACTS




FIRST: On September 24, 2020, you entered this Agency
Española de Protección de Datos a brief presented by A.A.A. (hereinafter referred to as the
claimant), through which he makes a claim against VODAFONE ESPAÑA,

S.A.U. with NIF A80907397 (hereinafter, the claimed one).



SECOND: In view of the above, there are indications of a possible

non-compliance with the provisions of Regulation (EU) 2016/679 (General Regulation

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








of Data Protection, hereinafter RGPD), which has motivated the opening of the
file E / 08771/2020.




In accordance with the provisions of article 65 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights
(Hereinafter LOPDGDD), the claim was transferred to the person in charge or the Delegate
of Data Protection that in your case you have designated, requiring you to send

to this Agency the information and documentation that was requested. This requirement
information was not answered in time. The claim was accepted for processing with
Date January 5, 2021.




THIRD: The Subdirectorate General for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in

question, by virtue of the powers of investigation granted to the authorities of
control in article 57.1 of the RGPD, and in accordance with the provisions of Title

VII, Chapter I, Second Section, of the aforementioned LOPDGDD.



In the framework of the investigative actions, E / 00035/2021 was referred to the defendant

a request for information, related to the claim outlined in section
First, so that within ten business days, the
information and documentation indicated therein. The request was registered

departure on February 4, 2021 with number O00007128s2100006950.



FOURTH: The request for information, which was carried out in accordance with the regulations

established in Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), was collected by the

responsible dated February 8, 2021, as stated in the Notific @ certificate
that is in the file.






FIFTH: Regarding the required information, the person in charge has not sent
any response to this Spanish Data Protection Agency.







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/10








                             FOUNDATIONS OF LAW




                                              I



By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of

control, and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate

and solve this procedure.



                                              II




In accordance with the evidence available at the present time of
agreement to initiate the sanctioning procedure, and without prejudice to what results from the

instruction, it is considered that the defendant has not sought the Spanish Agency for
Data Protection the information you required.




With the aforementioned conduct of the defendant, the investigative power that the article
58.1 of the RGPD confers on the control authorities, in this case, the AEPD, has been
seen hampered.




Therefore, the events described in the "Facts" section are deemed to constitute
an infringement, attributable to the defendant, for violation of article 58.1 of the RGPD,

which provides that each supervisory authority shall have, among its powers of
investigation:




        “A) order the controller and the person in charge of the treatment and, where appropriate, the
        representative of the person in charge or the person in charge, who provide any

        information required for the performance of their duties; b) carry out
        investigations in the form of data protection audits; c) carry out
        a review of the certifications issued under article 42, paragraph

        7; d) notify the person in charge or the person in charge of the treatment of the alleged
        infractions of this Regulation; e) obtain from the person in charge and
        in charge of the treatment access to all personal data and to all

        information necessary for the exercise of their functions; f) get access to

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/10








        all the premises of the controller and the processor, including
        any equipment and means of data processing, in accordance with the

        Procedural law of the Union or of the Member States. "




                                             III



In accordance with the evidence available at the present time of

agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered that the facts presented could constitute a
infringement, attributable to the defendant.




This offense is typified in article 83.5.e) of the RGPD, which considers as such: “no
facilitate access in breach of article 58, paragraph 1 ”.




The same article establishes that this offense can be punished with a fine.
of twenty million euros (€ 20,000,000) or, in the case of a

company, of an amount equivalent to four percent (4%) at most of the
total annual global business volume of the previous financial year, opting for the

of greater amount.



For the purposes of the statute of limitations for infractions, the alleged infraction

prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as
the following conduct is very serious:




        “Ñ) Do not facilitate the access of the personnel of the data protection authority
        competent to personal data, information, premises, equipment and means of
        treatment that are required by the data protection authority for
        the exercise of its investigative powers.

        o) The resistance or obstruction of the exercise of the inspection function by the

        competent data protection authority. "



                                             IV




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10








Based on the facts presented, without prejudice to what results from the instruction of the
procedure, it is considered that it is appropriate to impute the defendant for the violation

of article 58.1 of the RGPD typified in article 83.5 e) of the RGPD. The sanction that
it would be appropriate to impose an administrative fine.




The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. On

Consequently, the sanction to be imposed should be graduated in accordance with the criteria
established in article 83.2 of the RGPD, and with the provisions of article 76 of the
LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD.




                                            V




Finally, the sanction to be imposed should be graduated in accordance with the criteria that
establishes article 83.2 of the RGPD, and with the provisions of article 76 of the
LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD.




In the initial assessment, it is appreciated that no mitigating agent is applicable and

have considered, as aggravating, the following facts:



        - Art. 83.2 b) RGPD: intentionality or negligence in the infringement. It is about

        of a company that is not newly created and should have
        procedures established for the fulfillment of the obligations that
        contemplates the data protection regulations, among them, to respond to

        the requirements of the supervisory authority.



        - Art. 83.2 k) RGPD: any other aggravating or mitigating factor applicable to the

        circumstances of the case, such as the financial benefits obtained or the
        losses avoided, directly or indirectly, through the infringement. The
        claim refers to the particular case of a person, but the

        data processing to which it refers, can potentially affect a
        very high number of clients of the responsible entity or users of the

        service provided by the responsible entity.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10











Therefore, based on the foregoing,



By the Director of the Spanish Data Protection Agency,




HE REMEMBERS:




FIRST: INITIATE SANCTIONING PROCEDURE for VODAFONE ESPAÑA,
S.A.U., with NIF A80907397, for the violation of article 58.1 of the RGPD, typified in

the art. 83. 5 e) of the aforementioned RGPD.



SECOND: APPOINT R.R.R. as instructor. and, as secretary, S.S.S.,

indicating that any of them may be challenged, if applicable, in accordance with the
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Public Sector Legal (LRJSP).




THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the

information requirements issued by the Subdirectorate General for Inspection of
Data in the framework of the files with reference code E / 08771/2020 and
E / 00035/2021; and the accreditation of having practiced its notification.




FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the

The penalty that may correspond would be 5,000.00 euros, without prejudice to what
result of the instruction.




FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF
A80907397, granting you a hearing period of ten business days to formulate

the allegations and present the evidence that it deems appropriate. In his writing of
allegations, you must provide your NIF and the procedure number that appears in the

heading of this document.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10








If within the stipulated period it does not make allegations to this initiation agreement, the same
may be considered a resolution proposal, as established in article

64.2.f) of the LPACAP.




The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of

performances; in accordance with the provisions of article 64 of the LOPDGDD.



In accordance with the provisions of article 85 of the LPACAP, you may recognize your

responsibility within the term granted for the formulation of allegations to the
present initiation agreement; which will entail a reduction of 20% of the
sanction that should be imposed in the present procedure. With the application of this

reduction, the penalty would be set at 4,000.00 euros, resolving the
procedure with the imposition of this sanction.




In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which

will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 4,000.00 euros and its payment will imply the termination
of the procedure.




The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment

of the responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount

in the preceding paragraph, it may be done at any time prior to the resolution. On
In this case, if both reductions should be applied, the amount of the penalty would be
established at 3,000.00 euros.




In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or remedy in

administrative against the sanction.



In case you choose to proceed to the voluntary payment of any of the amounts

indicated above (4,000.00 euros or 3,000.00 euros), you must make it effective
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10








by entering the account number ES00 0000 0000 0000 0000 0000 open to

name of the Spanish Agency for Data Protection in the bank
CAIXABANK, S.A., indicating in the concept the reference number of the
procedure listed in the heading of this document and the cause of

reduction of the amount to which it is accepted.




Likewise, you must send the proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity
entered.




Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.






                                                                                 972-070421

Mar Spain Martí


Director of the Spanish Agency for Data Protection



>>


SECOND: On May 17, 2021, the defendant has proceeded to pay the
sanction in the amount of 3000 euros making use of the two planned reductions
in the Initiation Agreement transcribed above, which implies the recognition of the

responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to

the facts to which the Initiation Agreement refers.

                            FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, Protection of Personal Data and guarantee of digital rights (in

hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/10








Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and

38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.

                                            II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or to the determination of the

compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% on the amount of the proposed sanction, these being cumulative among themselves.

The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditional on the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased

regulations.

In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00155/2021, of

in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U ..

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal

administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10











day following notification of this act, as provided in article 46.1 of the
referred Law.



                                                                                                936-031219
Mar Spain Martí

Director of the Spanish Agency for Data Protection































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es