AEPD (Spain) - EXP202104006

From GDPRhub
AEPD - EXP202104006
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(12) GDPR
Article 5(1)(f) GDPR
Article 32 GDPR
Article 33 GDPR
Article 34 GDPR
Article 83(4) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started: 21.08.2021
Decided: 13.09.2023
Published: 13.09.2023
Fine: 56,000 EUR
Parties: VODAFONE ESPAÑA, S.A.U.
National Case Number/Name: EXP202104006
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: mgrd

The DPA fined VODAFONE €56,000 for sharing confidential data of another customer while handling a different customer's request for access. The controller benefitted from a €14,000 reduction of the original fine by renouncing any form of appeal against the sanction.

English Summary

Facts

On 21 August 2021 the data subject filed a complaint against Vodafone España, S.A.U., the controller, for violating their right of access.

The data subject requested that VODAFONE provide a copy of their telephone contract, since the company was allegedly not applying the contracted tariff. After several unsuccessful attempts to obtain their contract, the data subject received from the controller an email containing the contract of another customer as well as an audio recording containing that customer's data.

Holding

The DPA ('AEPD') highlighted the breach of confidentiality and security by VODAFONE in sharing a commercial contract of another individual with the data subject, in violation of Article 5(1)(f) GDPR. According to the evidence presented, the data subject gained access to the name, ID number and telephone number of an unknown person, who had given no authorisation to disclose their data to third parties.

The AEPD therefore also found a violation of Article 32 GDPR for failing to implement the appropriate technical and organisational measures to prevent such an incident.

The AEPD set the fine at €50,000 for violating Article 5(1)(f) GDPR and €20,000 for violating Article 32 GDPR. However, the AEPD gave VODAFONE two possibilities: either to acknowledge liability, leading to a greater reduction of the final amount, totalling €42,000, or to pay a fine of €56,000 and renounce any form of appeal against the sanction.

VODAFONE opted for voluntary payment and paid a fine of €56,000. This payment used the reduction for early payment offered in the initiation agreement, which entails a renunciation of any form of administrative appeal against the sanction.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202104006

RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND


FIRST: On August 10, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against VODAFONE ESPAÑA, S.A.U. (hereinafter, the claimed party), through the Agreement transcribed below:


<<



File No.: EXP202104006

AGREEMENT TO INITIATE SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on August 21, 2021. The claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, VODAFONE). The reasons on which the claim is based are the following:

The complaining party indicates that they requested a copy of their telephone contract from VODAFONE because it is not applying the contracted rate; that they requested it on several occasions without success (infringement of their right of access to their personal data); and that they finally received an email with another client's telephone contract, violating the secrecy of that client's personal data.


Along with the claim, an audio file in mp3 format is provided, in which a recording can be heard in which two people intervene, one on behalf of VODAFONE and another who identifies themselves as B.B.B. with DNI ***NIF.1, holder of the telephone line ***PHONE.1. The recording is dated 07/28/2020.


There is no record of the date on which the complaining party gained access to said recording, since they have not sent the email in which they state that they received it. Likewise, the complaining party does not provide a document proving that they requested their own contract from VODAFONE.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), said claim was transferred to VODAFONE, so that it could proceed to its analysis and inform this Agency, within a period of one month, of the actions carried out to comply with the requirements provided for in the data protection regulations.


The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on 11/08/2021, as stated in the acknowledgment of receipt that appears in the file.


No response has been received to this transfer letter.

THIRD: On November 21, 2021, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.




FOUNDATIONS OF LAW

I

Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, of the general rules on administrative procedures."


II

Previous issues

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is processing of personal data, since VODAFONE carries out, among other processing operations, the collection, registration, consultation, etc. of personal data of natural persons, such as: name, identification number, telephone number, etc.


VODAFONE carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR.


Article 4, section 12 of the GDPR broadly defines "personal data security breaches" (hereinafter, security breach) as "all those security violations that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to said data."


In the present case, there is a personal data security breach in the circumstances indicated above, categorized as a breach of confidentiality, because a recording containing the personal data of another person was sent to the complaining party, thus allowing its knowledge by someone who is not legitimized for it.

It should be noted that the identification of a security breach does not directly imply the imposition of a sanction by this Agency, since it is necessary to analyze the diligence of the controllers and processors and the security measures applied.


Among the processing principles provided for in article 5 of the RGPD, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. For its part, the security of personal data is regulated in articles 32, 33 and 34 of the RGPD, which govern the security of processing, the notification of a personal data security breach to the supervisory authority, and the communication to the data subject, respectively.

III

Article 5.1.f) of the GDPR


Article 5.1.f) "Principles relating to processing" of the GDPR establishes:

"1. Personal data shall be:
(…)

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality")."


In the present case, it is clear that the personal data of a VODAFONE customer, recorded in its database, were improperly exposed to the complaining party who, according to their own statement, received them by email, thereby having had access to the name, ID number and telephone number of an unknown person, without, of course, the authorization of said person to expose their data to a third party, and without any legitimizing cause for it.



In accordance with the evidence available at the time of this agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute an infringement, attributable to VODAFONE, due to violation of article 5.1.f) of the RGPD.

IV

Classification of the violation of article 5.1.f) of the RGPD

If confirmed, the aforementioned violation of article 5.1.f) of the RGPD could mean the commission of the infringements classified in article 83.5 of the RGPD, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the larger amount:

a) the basic principles for processing, including the conditions for consent under articles 5, 6, 7 and 9; (…)"


In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements."


For the purposes of the limitation period, article 72 "Infringements considered very serious" of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following:

a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)"

V

Penalty for violation of article 5.1.f) of the RGPD


For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available at the time of this agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, the infringement in question is considered to be serious for the purposes of the RGPD, and it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD:

As mitigating factors:

- The number of data subjects affected and the level of damage suffered (section a). This file deals with data from a single person, and there is no evidence that such action has caused harm.


Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD:

As aggravating factors:

- The linking of the offender's activity with the performance of personal data processing (section b). The activity of VODAFONE, a provider of telephone and Internet services, and the high number of clients it has, entails the handling of a large number of personal data. This implies that it has sufficient experience and should have adequate knowledge for the processing of said data.

The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 5.1.f) of the RGPD, allows initially setting a sanction of €50,000 (fifty thousand euros).

VI

Article 32 of the GDPR


Article 32 "Security of processing" of the GDPR establishes:

"1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, where applicable, includes, among others:

a) the pseudonymization and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless required to do so by Union or Member State law."

In the present case, at the time of the breach, VODAFONE did not have the appropriate technical and organizational measures in place to avoid the incident, since, according to the complaining party, they were sent by email a recording corresponding to another client, containing the personal data of said client.

In accordance with the evidence available at the time of this agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute an infringement, attributable to VODAFONE, due to violation of article 32 of the RGPD.

VII

Classification of the violation of article 32 of the RGPD


If confirmed, the aforementioned violation of article 32 of the RGPD could mean the commission of the infringements classified in article 83.4 of the RGPD, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the larger amount:

a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)"

In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements."

For the purposes of the limitation period, article 73 "Infringements considered serious" of the LOPDGDD indicates:

"Based on what is established in article 83.4 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years, and in particular the following:
(…)

f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security adequate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679."

VIII

Penalty for violation of article 32 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available at the time of this agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, the infringement in question is considered to be serious for the purposes of the RGPD, and the sanction to be imposed should be graduated in accordance with the following criteria established by article 83.2 of the RGPD:

As mitigating factors:

- The number of data subjects affected and the level of damage suffered (section a). This file deals with data from a single person, and there is no evidence that such action has caused harm.


Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD:

As aggravating factors:

- The linking of the offender's activity with the performance of personal data processing (section b). The activity of VODAFONE, a provider of telephone and Internet services, and the high number of clients it has, entails the handling of a large number of personal data. This implies that it has sufficient experience and should have adequate knowledge for the processing of such data.

The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 32 of the RGPD, allows initially setting a sanction of €20,000 (twenty thousand euros).

IX

Imposition of measures


Among the corrective powers provided in article 58 "Powers" of the GDPR, section 2.d) establishes that each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…".

The Spanish Data Protection Agency, in the resolution that puts an end to this procedure, may order the adoption of measures, as established in article 58.2.d) of the RGPD and in accordance with what is derived from the investigation of the procedure, if necessary, in addition to sanctioning with a fine.


Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency
AGREES:

FIRST: TO INITIATE SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD.

TO INITIATE SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of Article 32 of the RGPD, typified in Article 83.4 of the GDPR.


SECOND: APPOINT C.C.C. as instructor and D.D.D. as secretary, indicating that either of them may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.


FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be:

- For the alleged violation of article 5.1.f) of the RGPD, typified in article 83.5 of said rule, an administrative fine of 50,000.00 euros.

- For the alleged violation of article 32 of the RGPD, typified in article 83.4 of said rule, an administrative fine of 20,000.00 euros.

FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting it a hearing period of ten business days to formulate the allegations and present the evidence that it considers appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the heading of this document.

If within the stipulated period no allegations are made to this initiation agreement, it may be considered a proposal for a resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to this initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be established at 56,000.00 euros, resolving the procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in its amount. With the application of this reduction, the penalty would be established at 56,000.00 euros and its payment will imply the termination of the procedure.


The reduction for the voluntary payment of the penalty is cumulative with that which corresponds to the recognition of responsibility, provided that this recognition of responsibility is made within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were applied, the amount of the penalty would be established at 42,000.00 euros.

In any case, the effectiveness of either of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any administrative action or appeal pending against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (56,000.00 euros or 42,000.00 euros), you must make it effective by depositing it into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of the reduction of the amount that is accepted.

Likewise, you must send proof of payment to the General Subdirectorate of Inspection in order to continue the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months counting from the date of the initiation agreement or, where applicable, of the draft initiation agreement. After this period, its expiration will occur and, consequently, the actions will be filed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.


935-110422
Mar España Martí
Director of the Spanish Data Protection Agency



>>

SECOND: On September 7, 2022, the claimed party proceeded to pay the penalty in the amount of 56,000 euros, making use of one of the two reductions provided for in the Initiation Agreement transcribed above. Therefore, recognition of responsibility has not been accredited.
THIRD: The payment made entails the waiver of any administrative action or appeal pending against the sanction, in relation to the facts referred to in the Initiation Agreement.

FOUNDATIONS OF LAW

I


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, of the general rules on administrative procedures."





II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender recognizes their responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inappropriateness of the second has been justified, the voluntary payment by the alleged responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.



The reduction percentage provided for in this section may be increased by regulation."

According to the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202104006, in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.


937-240122
Mar España Martí
Director of the Spanish Data Protection Agency