AEPD (Spain) - PS/00262/2020
AEPD - PS/00262/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(2) GDPR Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 09.12.2020 |
Fine: | 40000 EUR |
Parties: | XFERA MÓVILES, S.A. |
National Case Number/Name: | PS/00262/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | CSO |
The Spanish DPA (AEPD) fined XFERA MÓVILES, S.A. €40000 for violating Article 6(1) GDPR by illegally processing personal data of the claimants in a fraudulent hiring. The defendant was not sufficiently diligent in verifying the identity of the persons hiring two telephone lines.
English Summary
Facts
The personal data of the claimants were used illegitimately to contract two telephone lines with the company XFERA MÓVILES, S.A. The decision does not provide a clear description of the facts. However, on the basis of the available information it seems that when the complainants learned what had happened, they reported it to the Guardia Civil (Spanish military police) and the AEPD.
Dispute
The key to this case was to determine whether or not the defendant applied adequate measures to verify the identity of the clients. The company claimed that when they learned that it was a fraudulent contract, they suspended the services and cancelled the debt generated. Likewise, they blocked the data of the data subjects and classified the contract as fraudulent.
Holding
The Spanish DPA concludes that the defendant has not been able to demonstrate that it adopted sufficient diligence measures to verify the identity of the clients before signing the contracts. Therefore, it breached Article 6(1) GDPR by processing personal data without a legitimate basis.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 Procedure No.: PS / 00262/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: The General Directorate of the Civil Guard (Company of Manzanares, Bolaños Post) transferred to the Spanish Agency for Data Protection, dated May 13, 2019, the actions followed in relation to a usurpation of identity in the contracting of telecommunications services, which took place on February 26, 2019. The claim filed by D. A.A.A. and Ms. B.B.B. (hereinafter the claimants). The claim is directed against XFERA MÓVILES, S.A. with NIF A82528548 (hereinafter, the claimed). Providing the following documentation: Certificate number 2019-000593-00000110 dated February 26, 2019 in which the claimants state that according to company information they have been two telephone lines and internet with numbers *** TELEPHONE 1 and *** TELEPHONE. 2 and with a charge account that is not owned. The Tomorrow of February 25, 2019 the telephone company is in contact with one of his daughters informing her that, if they do not pay the amounts owed to said numbers, the service would be interrupted. Summary of the actions carried out by the Bolaños Civil Guard de Calatrava (Ciudad Real). MASMOVIL (XFERA MÓVILES, S.A.) contracts for the telephone lines reported. SECOND: In view of the facts denounced, the General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigation actions carried out, it is verified that the person responsible for the treatment is the one claimed. Likewise, the following points are found: Examining the information provided by the Civil Guard, it is found that the Reported lines have been hired by people outside the claimants. No C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 outstanding debts were incurred by the claimants, since in the contracts contained the bank account of the people who had impersonated the identity of the claimants. These people, who used the ID of the claimants for both contracts, they lived in the same address of this and have been identified by the Civil Guard from the bank accounts provided in the hiring. Information requested from the respondent about the measures adopted after the receipt of the complaint before the Civil Guard of Bolaños of a possible impersonation of identity when contracting lines *** TELEPHONE.1 and *** TELEPHONE.2 and on the guarantees required for the accreditation of identity in the contracting of the referred phone lines. On January 16, 2020, the defendant states that according to his inquiries, the lines denounced have been classified as contracting fraudulent, and the debts associated with them have been forgiven. They provide a screenshot of the data that works in their systems of the reported lines. THIRD: On September 8, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure for the claimed party, with in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in Article 83.5 a) of the RGPD. FOURTH: Once the aforementioned commencement agreement was notified, the defendant submitted a written allegations in which, in summary, he stated that he had knowledge of the usurpation of the claimant's identity on February 25, 2019, providing subsequently denounced on February 26, 2019 and dated March 4, 2019, proceeded to the suspension of services and the cancellation of the debt generated to date for fraudulent contracts. This led to data blocking of the interested parties and the cataloging of the registration as fraudulent. They add that the lack of diligence in the custody of the DNI cannot be transferred to reclaimed. On the other hand, they manifest the inexistence of the elements of the right sanctioner, do not appreciate the concrete existence of the principle of responsibility, since that no fraudulent or culpable action is revealed from which the herself. Therefore, by not appreciating fraud or guilt on the part of the defendant, nor so even as a mere non-observance, in relation to the facts that give rise to the sanctioning procedure, it can only lead to the file. FIFTH: On October 13, 2020, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E / 08518/2019, as well as the documents provided by the claimed. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited: PROVEN FACTS FIRST: Two telephone lines and internet are registered in the name of the claimants. The usurpation of identity in the contracting of services telecommunications, took place on February 26, 2019. SECOND: The defendant acknowledges said error and thus in his allegations he manifests that the reported lines have been classified as fraudulent hires, and the debts associated with them have been forgiven. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II The defendant is accused of committing an offense for violation of the Article 6.1 of the RGPD. Article 6, Legality of treatment, of the RGPD establishes that: "1. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; b) the treatment is necessary for the performance of a contract in which the interested is part or for the application at the request of this of measures pre-contractual; (…) " Article 4 of the RGPD, Definitions, in section 11, states that: "11)" consent of the interested party ": any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that they concern him ”. Also article 6, Treatment based on the consent of the affected, of the new Organic Law 3/2018, of December 5, on Data Protection Personal and guarantee of digital rights (hereinafter LOPDGDD), states what: "1. In accordance with the provisions of article 4.11 of the Regulation (EU) 2016/679, the consent of the affected party is understood to be any manifestation of will free, specific, informed and unequivocal for which it accepts, either through a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 declaration or a clear affirmative action, the processing of personal data that concern. 2. When the data processing is intended to be based on consent of the affected party for a plurality of purposes, it will be necessary to record in a specific and unequivocal that said consent is granted for all of them. 3. The execution of the contract may not be subject to the consent of the affected party processing of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship ”. Article 83.5 a) of the RGPD, considers that the infringement of “the principles basic for the treatment, including the conditions for consent in accordance with of articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the mentioned Article 83 of the aforementioned Regulation, “with administrative fines of € 20,000,000 maximum or, in the case of a company, of an equivalent amount at a maximum of 4% of the total global annual turnover of the financial year above, opting for the highest amount ”. On the other hand, the LOPDGDD in its article 72 indicates for the purposes of prescription: “Violations considered very serious: 1. In accordance with the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in in particular, the following: (…) b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. (…) " III The documentation in the file provides evidence that the claimed, violated article 6.1 of the RGPD, since he processed the personal data without having any legitimacy for it. The personal data were incorporated into the company's information systems, without having accredited that he had legitimately hired, had his consent for the collection and subsequent processing of your personal data, or there is any other causes the treatment carried out to be legal. Well, with respect to the facts that are the subject of this claim, we must emphasize that the defendant has recognized this error and thus both in his writing dated January 16, 2019, as in the allegations to the Agreement to initiate the This sanctioning procedure has stated that the lines denounced have been classified as fraudulent contracts, and the debts associated with them have been forgiven. The lack of diligence displayed by the entity in complying with the Obligations imposed by the regulations for the protection of personal data It is thus obvious. A diligent compliance with the principle of legality in the treatment of third-party data requires that the person responsible for the treatment is in conditions to prove it (principle of proactive responsibility). IV C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 In order to establish the administrative fine to be imposed, they must observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which point out: "1. Each supervisory authority shall ensure that the imposition of fines administrative under this article for the infractions of this Regulations indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question yes, as well as the number of interested parties affected and the level of damages who have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge of the treatment, taking into account the technical or organizational measures that have applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the violation and mitigate the possible adverse effects of the violation; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified the infringement and, in such case, what extent; i) when the measures indicated in Article 58 (2) have been previously ordered against the person in charge or the person in charge in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement. In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that: “2. According to the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offense. b) The linking of the offender's activity with the performance of treatments of personal data. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the offense. e) The existence of a merger process by absorption after the commission C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) To have, when not mandatory, a delegate for the protection of data. h) The submission by the person in charge or in charge, with character voluntary, to alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested." V In accordance with the provisions transcribed in order to fix the amount of the sanction of a fine to be imposed in the present case for the offense typified in the Article 83.5 of the RGPD for which the claimed person is responsible are estimated concurrent the following factors: Extenuating: - Any measure taken by the person in charge or in charge of the treatment to palliate the damages suffered by the interested parties (art.83.2. c) of the RGPD). Aggravating factors: - The intentionality or negligence of the infringement (article 83.2. B) of the RGPD). - Basic personal identifiers are affected (personal data (art.83.2. g) of the RGPD). - The evident link between the business activity of the claimed and the processing of personal data of clients or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b, of the LOPDGDD) Therefore, in accordance with the applicable legislation and the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE XFERA MÓVILES, S.A., with NIF A82528548, for a violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 40,000 euros. SECOND: NOTIFY this resolution to XFERA MÓVILES, S.A .. THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 Spanish Data Protection in the bank CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period. Notification received and once executive, if the execution date is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es