AEPD (Spain) - EXP202204492

From GDPRhub
Revision as of 10:22, 4 January 2023 by Kk (talk | contribs) (adjusted short summary)
AEPD - AEPD PS-00344-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 31.03.2022
Decided:
Published: 21.12.2022
Fine: 30000 EUR
Parties: ORANGE ESPAGNE, S.A.U.
National Case Number/Name: AEPD PS-00344-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Teresa López

The Spanish DPA fined a telecommunications operator €30,000 for activating a SIM card without diligently verifying the identity of the subscriber. Since the subscriber fraudulently provided the controller with the data subject's personal information, the processing lacked any legal basis.

English Summary

Facts

A telecommunications service provider, ORANGE ESPAGNE, S.A.U. (the controller), registered a telephone number with a fraudulent third party who used the data subject's personal information. The data subject found out about the theft of their identity after receiving a call from the police informing them that fraud had been committed with the unlawfully contracted telephone number. Subsequently, the data subject filed a complaint with the Spanish DPA.

During the proceedings, the DPA received a written reply from the controller indicating that as soon as it became aware of the facts, it classified the number as an irregular activation, ordering the corresponding adjustments in favour of the data subject. The adjustments included the rectification of any incorrectly issued invoices and documents.

Holding

The DPA recalled that in order for the processing of personal data to be lawful, it needs to have a legal basis under Article 6(1) GDPR. In this case, the data subject neither consented to the processing nor entered into any contract with the controller, rendering any subsequent processing unlawful. Furthermore, the controller did not adequately verify the identity of the person requesting the contract in order to prevent identity theft.

The DPA held that the controller violated Article 6(1) GDPR by concluding a telephone contract with an unauthorised person, giving rise to the theft of the data subject's identity. Pursuant to Article 83 GDPR, the DPA imposed a fine on the controller. The DPA took into account aggravating circumstances provided in Article 76(2)(b) of the Spanish Data Protection Law, following Article 83(2)(k) GDPR, and set a fine of €50,000. In particular, the DPA considered as an aggravating factor the fact that the controller was a telecommunications services provider who processed personal data on a large scale.

However, the controller benefited from reductions due to voluntary payment and acknowledgement of guilt, with the final amount set to €30,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202204492

       RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

From the procedure conducted by the Spanish Data Protection Agency, and based on the following


                                  BACKGROUND

FIRST: On September 15, 2022, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against ORANGE ESPAGNE, S.A.U. (hereinafter, the claimed party), through the Agreement transcribed below:


<<


File No.: EXP202204492



            AGREEMENT TO START THE SANCTION PROCEDURE

From the actions carried out by the Spanish Data Protection Agency, and based on the following

                                      FACTS

FIRST: On March 31, 2022 A.A.A. (hereinafter, the claiming party)
filed a claim with the Spanish Data Protection Agency.


The claim is directed against ORANGE ESPAGNE, S.A.U. with NIF A82009812 (hereinafter, the claimed party).

The claim is based on the registration of a telephone line with the claimed entity using the claimant's personal data without the claimant's consent.

The claimant indicates that he has been the victim of a crime of identity theft in contracting, having received a call from the Granada Police informing him that a crime of fraud had been committed with the fraudulently contracted telephone number.

The claim is accompanied by a police report and by a claim filed before the Secretary of State for Telecommunications and Digital Infrastructures, dated March 31, 2022.

Likewise, the claimant provides the contracted telephone number: ***NIF.1.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), on May 9, 2022, said claim was transferred to the claimed party, so that it could proceed with its analysis and inform this Agency, within a period of one month, of the actions carried out to comply with the requirements provided for in the data protection regulations.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es


The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on May 10, 2022, as stated in the acknowledgment of receipt in the file.


On June 10, 2022, this Agency received a written response indicating that, as soon as the facts set out became known with the receipt of this request for information, the claimed entity referred them to the Risk Analysis Group of this company, which, after carrying out the corresponding investigations, classified the number ***NIF.1 associated with the claimant's DNI as an irregular activation and ordered the corresponding economic adjustments in favor of the claimant, by virtue of which the claimant is up to date with payments to this company.

Likewise, it is indicated that all recovery actions that may exist and, that the claimant's data has never been transferred to asset solvency files at the request of this company.

The following are stated as specific measures aimed at preventing this type of fraudulent practice:

• Controls on applications for registration/portability/in-flight migration: rules applied in scoring.

Therefore, if the application is rejected before activation, the registration does not take place.

These actions are carried out by an external platform.

• Daily controls on orders processed from CCNNPP (teleshopping and eshop).

As in the previous case, if the order is rejected before activation, there is no registration.

• Audits on FIDE provider platforms, by provider analysts, who report at the time of detection and weekly.

The solution varies depending on the case and may include: cancellations of orders and/or requests for portability, suspension of lines, cancellations of fixed provision, to cite a few examples.

• Periodic checks of unpaid customers or concentration of bank accounts in JAZZTEL.

• Management in the CRMs (company systems) of claims, escalated by different functional groups, for unrecognized lines/orders.



• Daily registration validation controls and identity portability, verifying in the census whether the NIE or NIF matches the name and surnames that appear in the application.

• Management of claims for inclusion in asset solvency files.

As evidenced, through the control systems created, ORANGE becomes aware of the existence of possible irregularities in the contracting of services and, after the corresponding studies and analysis, is in a position to classify the contracting as fraudulent, proceeding to stop any recovery action, as well as to rectify all invoices issued improperly.

THIRD: On June 22, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.

                            FUNDAMENTALS OF LAW

                                             I


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

                                             II


Article 6.1 of the GDPR establishes the following:

"1. Processing will only be lawful if at least one of the following conditions is met:

a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application, at the request of the latter, of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the data controller;

d) the processing is necessary to protect the vital interests of the interested party or of another natural person;

e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller;

f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, particularly when the interested party is a child.

The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions."

Article 72.1 b) of the LOPDGDD states that "in accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will be time-barred after three years and, in particular, the following:

b) The processing of personal data without the fulfillment of any of the conditions of legality of the processing established in article 6 of Regulation (EU) 2016/679."

                                            III


In accordance with the evidence available at this time, and without prejudice to what results from the investigation of this disciplinary procedure, it is considered that the claimed entity has violated the lawfulness of personal data processing, since it formalized a mobile telephony contract naming the claimant as its holder without duly verifying the claimant's data, giving rise to the identity theft of the claimant.

Thus, this Agency considers that the claimed entity has violated article 6.1 of the GDPR, which guarantees that personal data is processed lawfully, since the claimed entity appears to have processed the personal data of the claimant without having the necessary legitimacy for it.

                                            IV.

Article 58.2 of the GDPR provides the following: "Each supervisory authority shall have all of the following corrective powers listed below:

d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;"

                                            V


Violation of article 6.1 of the GDPR can be sanctioned with a fine of up to €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the one with the highest amount, in accordance with article 83.5 a) of the GDPR, which includes "breach of the basic principles for processing, including the conditions for consent under articles 5, 6, 7 and 9".




Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR, considering as an aggravating circumstance, according to article 76.2 b) of the LOPDGDD, the link of the controller with the processing of personal data.

                                          VI



The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the GDPR.

Therefore, it is appropriate to graduate the sanction to be imposed according to the criteria established in article 83.2 of the GDPR, and with the provisions of article 76 of the LOPDGDD, with respect to section k) of the aforementioned article 83.2 GDPR.



Article 83.2 of the GDPR establishes that:

"Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in article 58, section 2, letters a) to h) and j).

When deciding to impose an administrative fine and its amount in each individual case, due account will be taken of:

a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages that they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties;

d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied under articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the potential adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;

i) when the measures indicated in article 58, section 2, have previously been ordered against the controller or processor in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or to certification mechanisms approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."



In the present case, without prejudice to what results from the investigation, the link of the controller with the data processing has been taken into account as an aggravating circumstance, according to article 76.2 b) of the LOPDGDD.







For all these reasons, it is considered appropriate to impose a fine of €50,000 for the processing of personal data without the claimed entity having legitimacy to do so.

Therefore, based on the foregoing,

By the Director of the Spanish Data Protection Agency,

IT IS AGREED:

FIRST: INITIATE SANCTION PROCEDURE against ORANGE ESPAGNE, S.A.U., with NIF A82009812, in accordance with the provisions of article 58.2.i) of the GDPR, for the alleged infringement of article 6.1 of the GDPR, typified in article 83.5.b) of the GDPR.

SECOND: APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating that either of them may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the General Sub-directorate of Data Inspection during the investigation phase, as well as the report of previous inspection actions.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that would correspond is €50,000 (fifty thousand euros), without prejudice to what results from the investigation.

FIFTH: NOTIFY this agreement to ORANGE ESPAGNE, S.A.U., with NIF A82009812, granting it a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the heading of this document.

If, within the stipulated period, it does not make allegations to this initiation agreement, the agreement may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, the claimed party may acknowledge its responsibility within the period granted for the formulation of allegations to this initiation agreement, which will entail a reduction of 20% of the sanction that should be imposed in this proceeding. With the application of this reduction, the sanction would be established at €40,000, resolving the procedure with the imposition of both sanctions.



In the same way, the claimed party may, at any time prior to the resolution of this procedure, make the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at €40,000 and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the one that corresponds to the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to formulate allegations at the opening of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the penalty would be established at 30,000 euros.

In any case, the effectiveness of either of the two aforementioned reductions will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.

In the event that the claimed party chooses to proceed with the voluntary payment of either of the amounts previously indicated, €40,000 or €30,000, it must make the payment by deposit into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount that it invokes.

Likewise, it must send proof of payment to the General Subdirectorate of Inspection in order to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. After this period, it will expire and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.



                                                                               935-260122
Mar España Martí
Director of the Spanish Data Protection Agency

>>


SECOND: On October 26, 2022, the claimed party paid the sanction in the amount of 30,000 euros, making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the acknowledgment of responsibility.


THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.



                            FUNDAMENTALS OF LAW

                                            I
                                      Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

                                            II

                             Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in disciplinary proceedings", provides the following:

"1. Once a disciplinary procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second has been justified, the voluntary payment by the presumed offender, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.

The percentage reduction provided for in this section may be increased by regulation."

According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202204492, in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to ORANGE ESPAGNE, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.


                                                                                 936-040822
Mar España Martí
Director of the Spanish Data Protection Agency































