AEPD (Spain) - AEPD PS-00344-2022
|AEPD - AEPD PS-00344-2022|
|Relevant Law:||Article 6(1) GDPR|
|Parties:||ORANGE ESPAGNE, S.A.U.|
|National Case Number/Name:||AEPD PS-00344-2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||Teresa López|
The Spanish DPA fined a telecommunications operator €30,000 for activating a SIM card without diligently verifying the identity of the subscriber. Since the subscriber fraudulently provided the controller with the data subject's personal information, the processing lacked any legal basis.
English Summary[edit | edit source]
Facts[edit | edit source]
A telecommunications service provider, ORANGE ESPAGNE, S.A.U. (the controller), registered a telephone number with a fraudulent third party who used the data subject's personal information. The data subject found out about the theft of their identity after receiving a call from the police informing them that fraud had been committed with the unlawfully contracted telephone number. Subsequently, the data subject filed a complaint with the Spanish DPA.
During the proceedings, the DPA received a written reply from the controller indicating that as soon as it became aware of the facts, it classified the number as an irregular activation, ordering the corresponding adjustments in favour of the data subject. The adjustements included the rectification of any incorrectly issued invoices and documents.
Holding[edit | edit source]
The DPA recalled that in order for the processing of personal data to be lawful, it needs to have a legal basis under Article 6(1) GDPR. In this case, the data subject did not consent to the processing nor entered any contract with the controller, rendering any subsequent processing unlawful. Furthermore, the controller did not adequately verify the identity of the person requesting the contract, in order to prevent identity theft.
The DPA held that the controller violated Article 6(1) GDPR by concluding a telephone contract with an unauthorised person, giving rise to the theft of the data subject's identity. Pursuant to Article 83 GDPR, the DPA imposed a fine on the controller. The DPA took into account aggravating circumstances provided in Article 76(2)(b) of the Spanish Data Protection Law, following Article 83(2)(k) GDPR, and set a fine of €50,000. In particular, the DPA considered as an aggravating factor the fact that the controller was a telecommunications services provider who processed personal data on a large scale.
However, the controller benefited from reductions due to voluntary payment and acknowledgement of guilt, with the final amount set to €30,000.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 File No.: EXP202204492 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On September 15, 2022, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure against ORANGE ESPAGNE, S.A.U. (hereinafter, the claimed party), through the Agreement that transcribe: << File No.: EXP202204492 AGREEMENT TO START THE SANCTION PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following ACTS FIRST: On March 31, 2022 A.A.A. (hereinafter, the claiming party) filed a claim with the Spanish Data Protection Agency. The claim is directed against ORANGE ESPAGNE, S.A.U. with NIF A82009812 (in below, the claimed party). The reasons on which it is based is the registration of a telephone line with the claimed entity using your personal data without your consent. He indicates that he has been the victim of a crime of identity theft in hiring, receiving a call from the Granada Police in which they inform him that produced a crime of fraud with the fraudulently contracted telephone number. Accompany your complaint letter with a police report and presentation of claim before the Secretary of State for Telecommunications and Infrastructures Digital, of March 31, 2022. Likewise, provide the contracted telephone number- ***NIF.1. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereafter LOPDGDD), on May 9, 2022, said claim was transferred to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/10 claimed party, to proceed with its analysis and inform this Agency in the period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on May 10, 2022 as It appears in the acknowledgment of receipt that is in the file. On June 10, 2022, this Agency received a written response indicating that as soon as the facts exposed With the entry of this information requirement, the requested entity has transferred to the Risk Analysis Group of this company, which after carrying out the corresponding investigations, proceeded to classify as irregular activation the numbering ***NIF.1 associated with the claimant's DNI, ordering the corresponding economic adjustments in favor of the claimant, by virtue of which he has been left current payment with this company. Likewise, it is indicated that all recovery actions that may exist and, that the claimant's data has never been transferred to files of patrimonial solvency at the request of this company. They are manifested as concrete measures aimed at avoiding this type of fraudulent practices the following: • Controls in applications for registration/portability/in-flight migration: rules applied in scoring. Therefore, if it is rejected before activation, the registration would not take place. These actions are carried out by an external platform. • Daily controls on orders processed from CCNNPP (teleshopping and eshop). As in the previous case, if it is rejected before activation, there is no registration. • Audits on FIDE provider platforms, by provider analysts, who They report at the time of detection and weekly. The solution varies depending on the case, being able to find ourselves before: cancellations of orders and/or requests for portability, suspension of lines, cancellations of fixed provision, to cite a few examples. • Periodic checks of unpaid customers or concentration of bank accounts in JAZZTEL. • Management in the CRMs (company systems) of claims, escalated by different functional groups by unrecognized lines/orders. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/10 • Daily registration validation controls and identity portability, verifying in the census if the NIE or NIF coincides with the name and surnames that appear in the application. • Management of claims for inclusion in asset solvency files. As evidenced, through the control systems created, ORANGE has knowledge of the existence of possible irregularities in the contracting of services, and after the corresponding studies and analysis, is in a position to classify it as fraudulent, proceeding to stop any recovery action, as well as the rectification of all those invoices issued inappropriately. THIRD: On June 22, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing. FUNDAMENTALS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II Article 6.1 of the GDPR establishes the following: "1. Processing will only be lawful if at least one of the following conditions is met: nes: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect the vital interests of the data subject or of another Physical person; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/10 e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person in charge of the treatment or by a third party, provided that on said interests the interests or the fundamental rights and freedoms of the interested party do not prevail. that require the protection of personal data, particularly when the interest sado be a child The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions.” Article 72.1 b) of the LOPDGDD states that "according to what is established in the Article 83.5 of Regulation (EU) 2016/679 are considered very serious and will prescribe after three years, the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: b) The processing of personal data without the fulfillment of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679.” II In accordance with the evidence available at this time, and without prejudice to what results from the investigation of this disciplinary procedure, it is considers that the claimed entity has violated the lawfulness of data processing personal, since it has formalized a contract of mobile telephony putting as holder of the same to the claimant, without duly verifying the data of the claimant, giving lead to the identity theft of the claimant. Thus, this Agency considers that the claimed entity has violated the Article 6.1 of the GDPR, which guarantees that personal data is processed lawfully, since the claimed entity appears to have processed the personal data of the claimant, without having the necessary legitimacy for it. IV. Article 58.2 of the GDPR provides the following: "Each control authority shall have of all of the following corrective powers listed below: d) order the person in charge or person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular; V Violation of article 6.1 of the GDPR can be sanctioned with a fine of 20,000 €000 maximum or, in the case of a company, an amount equivalent to 4% C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/10 maximum of the overall annual total turnover of the financial year above, opting for the one with the highest amount, in accordance with article 83.5 a) of the GDPR, which includes "breach of the basic principles for treatment, including the conditions for consent under articles 5,6,7 and 9”. Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR, considering as aggravating circumstance according to article 76.2 b) LOPDGDD, the relationship of the person responsible with the processing of personal data. SAW The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. Therefore, it is appropriate to graduate the sanction to be imposed according to the criteria that establishes article 83.2 of the GDPR, and with the provisions of article 76 of the LOPDGDD, with respect to section k) of the aforementioned article 83.2 GDPR. Article 83.2 of the GDPR establishes that: "Administrative fines will be imposed, depending on the circumstances of each individual case, as an addition to or substitute for the measures contemplated in article Article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case dual will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infraction; c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/10 d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the potential adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” In the present case, without prejudice to what results from the instruction, it has been taken into account counts as an aggravating circumstance, the link of the person in charge with the data processing according to article 76.2 b) of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/10 For all these reasons, it is considered appropriate to impose a fine of €50,000 for the processing of personal data as the requested entity lacks legitimacy to it. Therefore, based on the foregoing, By the Director of the Spanish Data Protection Agency, HE REMEMBERS: FIRST: INITIATE SANCTION PROCEDURE against ORANGE ESPAGNE, S.A.U. with NIF A82009812, in accordance with the provisions of article 58.2.i) of the GDPR, for the alleged infringement of article 6.1 of the GDPR, typified in article 83.5.b) of the GDPR. SECOND: APPOINT as instructor R.R.R. and, as secretary, to S.S.S., indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Legal Department of the Public Sector (LRJSP). THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the General Sub-directorate of Data Inspection during the investigation phase, as well as the report of previous inspection actions. FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, would correspond a sanction of €50,000 (fifty thousand euros) without prejudice to what results from the instruction. FIFTH: NOTIFY this agreement to ORANGE ESPAGNE, S.A.U. with NIF A82009812, granting a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In his writing of allegations must provide your NIF and the procedure number that appears in the heading of this document If, within the stipulated period, he does not make allegations to this initial agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to the present initiation agreement; which will entail a reduction of 20% of the sanction that should be imposed in this proceeding. With the application of this reduction, the sanction would be established at €40,000, resolving the procedure with the imposition of both sanctions. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/10 In the same way, it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at €40,000 and its payment will imply the termination of the process. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the period granted to formulate allegations at the opening of the procedure. Voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if both reductions were to be applied, the amount of the penalty would remain established at 30,000 euros. In any case, the effectiveness of any of the two aforementioned reductions will be conditioned to the withdrawal or resignation of any action or appeal via administrative against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts previously indicated €40,000 or €30,000, you must pay it through your deposit in the account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for reducing the amount to which welcomes. Likewise, you must send proof of income to the General Subdirectorate of Inspection to continue with the procedure in accordance with the quantity entered. The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. 935-260122 Mar Spain Marti Director of the Spanish Data Protection Agency >> SECOND: On October 26, 2022, the claimed party has proceeded to pay of the sanction in the amount of 30,000 euros making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/10 the opening of the procedure, entails the waiver of any action or appeal via against the sanction and acknowledgment of responsibility in relation to the facts referred to in the Commencement Agreement. FUNDAMENTALS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common for Public Administrations (hereinafter, LPACAP), under the heading "Termination in disciplinary proceedings" provides the following: "1. Initiated a disciplinary procedure, if the offender acknowledges his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the presumed perpetrator, in any moment prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offence. 3. In both cases, when the sanction is solely pecuniary in nature, the The competent body to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or resource against the sanction. The percentage reduction provided for in this section may be increased according to regulations." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/10 According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202204492, in in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to ORANGE ESPAGNE, S.A.U.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 936-040822 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es