AEPD (Spain) - EXP202206805

From GDPRhub
Revision as of 07:09, 4 October 2023 by Samy
AEPD - EXP202206805
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 83(2)(c) GDPR
Article 83(2)(e) GDPR
Article 83(5) GDPR
Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations
Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of Digital Rights
Type: Complaint
Outcome: Upheld
Started: 23.05.2023
Decided:
Published:
Fine: 100,000 EUR
Parties: XXX
VODAFONE ESPAÑA, SAU
National Case Number/Name: EXP202206805
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Samuel Uzoigwe

The Spanish Data Protection Authority (AEPD) fined a data controller the sum of €100,000 which was reduced to €80,000 for unlawfully processing the personal data of a data subject.

English Summary

Facts

The Spanish Data Protection Authority (AEPD) fined a data controller for unlawfully processing the personal data of its customer (data subject). The data controller assigned the duplicate of a mobile phone number of a data subject to a third party without the consent of the data subject. The third party, using the duplicate, fraudulently gained access to the data subject’s bank details and carried out various non-consensual transactions using the authentication SMS messages received through the phone number. The number was immediately blocked by the data controller after the incident, and a fraud victim check was activated by the data controller to prevent similar incidents from occurring in the future. The data controller was issued a new SIM card and was refunded the amount incurred in SIM card replacement management. The data subject complained to the Spanish Data Protection Authority (AEPD) on the grounds of unlawful processing of the data subject’s personal data.

Holding

The AEPD held that the data controller lacked any lawful basis under Article 6(1) of the GDPR to process the data subject’s personal data. In so holding, the DPA noted that the data controller did not act diligently in compliance with its obligation to guarantee that the personal data it processed respects the principle of legitimacy of processing. The call requesting the issuance of a duplicate of the mobile phone number was received from abroad using a hidden number, and the individual processing the request on behalf of the data controller did not conduct appropriate diligence to verify that the person making the request was the data subject who owned the number prior to issuing the duplicate of the number.

The AEPD noted that although the data controller had a security policy for handling such requests, the procedure outlined in the policy was not followed; had it been followed, the request should have been denied. It was further observed that the data controller did not clarify how it proceeded with handling the request, nor does it have documentation or recordings in that regard.

The AEPD equally held that the processing also breached the provisions of Article 5(1)(a) of the GDPR as it was done unlawfully. As noted by the AEPD, in order for the data processing carried out by the data controller to be legitimate, it was necessary that, in its capacity as data controller, it could prove that the owner of the processed data (the data subject) was actually the one who made the request. In this circumstance, the data controller failed to fulfill this obligation, which led to identity fraud.

In awarding a fine of €100,000, the AEPD considered as a mitigating factor under Article 83(2)(c) of the GDPR the fact that the data subject had proceeded to resolve the incident that was the subject of the complaint effectively by blocking the number the next day. The AEPD also considered the previous infractions of the data controller by virtue of Article 83(2)(e) of the GDPR in order to gauge the illegality of the data controller’s actions.

The AEPD, relying on Article 85 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP), reduced the fine to €80,000 on the grounds of voluntary payment by the data controller, within the period permitted to do so.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202206805
RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT
From the procedure conducted by the Spanish Data Protection Agency and based
on the following
BACKGROUND
FIRST: On June 22, 2023, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against VODAFONE
ESPAÑA, S.A.U. (hereinafter, the claimed party), through the Agreement
transcribed below:
<<
File No.: EXP202206805
AGREEMENT TO START SANCTIONING PROCEDURE
From the actions carried out by the Spanish Data Protection Agency and
based on the following:
FACTS
FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the
Spanish Data Protection Agency on May 23, 2022. The
claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397
(hereinafter, the claimed party or Vodafone). The grounds on which the claim is based
are the following:
The complaining party states that on February 27, 2022, a third party, without the
complaining party's consent, requested from Vodafone, through customer service, a
duplicate of the complaining party's SIM card.
Later, when he realized that he had lost his line, he went to a Vodafone point of
sale and there they confirmed that a third person had requested a
new SIM card.
Relevant documentation provided by the complaining party:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
• Copy of contract to expand telephone services signed in the name of
the claimant in which the contact telephone number appears as ***TELEPHONE.1. In
The contract includes the current account ***ACCOUNT.1.
• Copy of the complaint filed with the Police and its respective extensions
(on February 28, 2022 and March 1 and 24, 2022) together with the
bank account movements. The complaint states that they have
scammed XXXX € and provides the bank account of which he is the owner
(***ACCOUNT.2).
• Invoice relating to the duplicate (dated March 15, 2022). The claimant
states that the concept “Proof of card replacement management fees”
Billed SIM” has been charged twice (on February 27 and 28),
• Copy of the claim documents, dated May 3, 2022, addressed to the
customer service and data protection officer
• Accreditation of the sending of the claim addressed to customer service and Copy
of the response email received on May 14, 2022.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,
on the Protection of Personal Data and guarantee of digital rights
(hereinafter LOPDGDD), said claim was transferred to the claimed party, so that it
could proceed with its analysis and inform this Agency, within a period of one month, of the
actions carried out to adapt to the requirements provided for in the data protection
regulations.
On August 8, 2022, this Agency received a response letter
indicating: <<that the claimed incident is currently resolved. In this
sense, it has been verified that the duplicate SIM card on the mobile line
***TELEFONO.1 not recognized by the claimant was declared fraudulent on
February 28, 2022 by Vodafone's fraud department.
As a result of the above, the fraudulent SIM card was blocked, a
new SIM card was subsequently issued, and the claimant was reimbursed the amount of YY,Y€
for the SIM card replacement management costs included in the
claimant's invoice. Likewise, the fraud victim check was activated
to prevent similar incidents from occurring in the future>>.
THIRD: In accordance with article 65 of the LOPDGDD, when presented
before the Spanish Data Protection Agency (hereinafter, AEPD) a
claim, it must evaluate its admissibility for processing, and must notify the
complaining party the decision on the admission or non-admission for processing, within the period of
three months since the claim was submitted to this Agency.
If, after this period, said notification does not occur, it will be understood that
The processing of the claim continues in accordance with the provisions of Title VIII of
the law.
This provision also applies to the procedures that the AEPD
had to be processed in the exercise of the powers attributed to it by other
laws. In this case, taking into account the above and that the
claim was presented to this Agency, on May 23, 2022, it is communicated
that your claim has been admitted for processing on August 23 of the same year as
three months have passed since it was entered into the AEPD.
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
preliminary investigative actions to clarify the facts in
question, by virtue of the functions assigned to the supervisory authorities in
article 57.1 and the powers granted in article 58.1 of Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:
Result of the investigative actions:
• The SIM card change was carried out through customer service, on 27
February 2022, and appears on Vodafone's screens "at the customer's request."
• The SIM change was made by calling the call center
from Norwegian numbering (+474).
• On the associated screens there is a note regarding NOT LISTENING
LLA WITH HIDDEN. Activate SIM ***PHONE.1 on 02/27/2022
• The duplicate SIM card on the mobile line ***TELEFONO.1 was declared as
fraud on February 28, 2022 by Vodafone fraud department,
proceeding to block the fraudulent SIM card, subsequently issuing a
new SIM card.
A fraud victim check was activated, with the Customer Service screens including the note
“Do not provide information, make modifications, product activations,
orders, etc., if the client calls from lines other than those contracted with
Vodafone, with a hidden number or of international origin. The security policy must
always be consulted and followed.”
• Vodafone does not have a telephone recording since the call was not recorded.
• The identification of the applicant is carried out following the guidelines described in the
Security Policy for Contracting of Individuals.
Vodafone states that, since March 14, 2012, it has acted following the
Security Policy for the Contracting of Individuals, which has been
progressively updated, and that, in the case at hand, the modification was
implemented on January 4, 2022.
In the Policy provided by Vodafone, in the response to the transfer of the
claim, no express reference is made to the steps and/or actions to be
follow in case of telephone request to change and/or send SIM.
However, it states that it will be verified prior to the management of the
change of SIM that there has not been a change of address in the last month and that
have requested previous SIM card shipments. Furthermore, it states that if the
requester does not call from the same number on which the change is managed, the
telephone number associated with the SIM (“MSISDN”) will be requested along with the
Customer Service access password or ID.
FIFTH: According to the report collected from the AXESOR tool, the entity
VODAFONE ESPAÑA, S.A.U. is a large company established in 1994, and with
a business volume of 2,928,817,000 euros in 2022.
FOUNDATIONS OF LAW
I
Competence
In accordance with the powers that article 58.2 of the RGPD grants to each supervisory
authority and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate and resolve
this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures.”
II
Unfulfilled Obligation
The defendant is accused of committing an infringement by violating
Article 6 of the GDPR, “Lawfulness of processing”, which sets out in section 1 the
cases in which the processing of third-party data is considered lawful:
"1. Treatment will only be legal if at least one of the following is met
conditions:
a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;
b) the processing is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;
d) the processing is necessary to protect vital interests of the interested party or another
Physical person;
e) the processing is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the controller;
f) the processing is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that regarding said
interests do not prevail over the interests or fundamental rights and freedoms of the
interested party requiring the protection of personal data, in particular when the
interested is a child. The provisions of letter f) of the first paragraph will not be
application to the processing carried out by public authorities in the exercise of their
functions.”
In the present case, it is proven that on February 27, 2022 a third party
requested, through a phone call to the Vodafone customer service center,
a duplicate of the SIM card of the complaining party, a duplicate that was provided to him,
as a result of which said third party had access to the complaining party's bank details and
carried out various non-consensual operations, using the authentication SMS received,
thus confirming them.
For the data processing carried out by the claimed party to be based on
one of the legitimizing circumstances of processing, it would be necessary that, in its
status as data controller, it could prove that the owner of the processed
data was actually the one who provided them.
However, the defendant did not provide, in its response to the information request prior
to the admission for processing of this claim, any document or evidentiary element
that proves the legal basis of the processing carried out.
Thus, in the response to the information request from the AEPD dated August 8,
2022, the defendant alleged <<It has been verified that the duplicate SIM card on
The mobile line ***TELEFONO.1 not recognized by the claimant was declared as
fraudulent on February 28, 2022 by Vodafone's fraud department.
As a result of the above, the fraudulent SIM card was blocked, issuing
subsequently a new SIM card, and the claimant was reimbursed for the
amount of YY,Y€ for SIM card replacement management costs
included in the claimant's invoice. Likewise, the fraud victim check
was activated to prevent similar incidents from occurring in the
future>>.
In line with what was stated above, Vodafone recognizes in its letter dated
October 28, 2022 that the duplicate SIM was fraudulent. Although it provides the security
policy, it does not clarify how it proceeded in this case, nor does it have documentation or
recordings. In addition, the call to request the duplicate was made from Norway
and using a hidden number, so it was not possible to verify who requested the
SIM.
In short, in the case analyzed, the diligence used by
part of the claimed to identify the person who requested the duplicate of the
SIM card.
In any case, the procedure implemented by the claimed party was not followed, since,
if it had been, the request should have been denied.
In view of the above, Vodafone cannot prove that this procedure was
followed and consequently there was illicit processing of the personal data of
the complaining party, thereby contravening article 6 of the GDPR.
In this sense, Recital 40 of the GDPR states:
“(40) For the processing to be lawful, personal data must be processed with the
consent of the interested party or on some other legitimate basis established in accordance
a Law, whether in this Regulation or under other Union law
or of the Member States referred to in this Regulation, including the
need to comply with the legal obligation applicable to the person responsible for the treatment or the
need to execute a contract to which the interested party is a party or for the purpose of
take measures at the request of the interested party prior to the conclusion of a
contract."
III
Classification and qualification of the infringement
The infringement is classified in article 83.5 of the RGPD, which considers as such:
"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
a) The basic principles for treatment, including the conditions for treatment
consent in accordance with articles 5,6,7 and 9.”
The LOPDGDD, for the purposes of the limitation period of the infringement, classifies in its article 72.1
as a very serious infringement, the limitation period in this case being three years: “b)
The processing of personal data without any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679”.
IV
Sanction proposal
The determination of the sanction that should be imposed in the present case requires
observe the provisions of articles 83.1 and 2 of the RGPD, precepts that,
respectively, they provide the following:
"1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this
Regulations indicated in sections 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.”
"2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to alleviate
the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment, given
account of the technical or organizational measures that have been applied under the
articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what
extent;
i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or certification mechanisms
approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or indirectly,
through infringement.”
Within this section, the LOPDGDD contemplates in its article 76, entitled “Sanctions
and corrective measures”:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
a) The continuous nature of the infringement.
b) The link between the offender's activity and the carrying out of personal data
processing.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission
of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Have, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
disputes exist between them and any interested party.
3. It will be possible, complementary or alternatively, the adoption, when appropriate, of
the remaining corrective measures referred to in article 83.2 of the Regulation
(EU) 2016/679.”
In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, for the purposes of setting the amount of the fine to be
imposed on the claimed entity as responsible for an infringement classified in
article 83.5.a) of the RGPD and 72.1 b) of the LOPDGDD, in an initial assessment,
the following factors are considered concurrent in the present case:
As aggravating factors:
- The circumstance of article 83.2.e) RGPD: “Any previous infraction committed by the
responsible or the person in charge of the treatment”.
Recital 148 of the GDPR states “In order to strengthen the application of the rules
of this Regulation [...]” and indicates in this regard that “It must, however,
Special attention should be paid to the nature, severity and duration of the infringement, its
intentional character [...] or to any pertinent infringement [...]”.
Thus, in accordance with section e) of article 83.2. GDPR, in determining the
amount of the administrative fine sanction cannot fail to be valued all
those previous infractions of the person responsible or of the person in charge of treatment in
in order to gauge the illegality of the analyzed behavior or the guilt of the subject
offender.
Furthermore, a correct interpretation of the provision of article 83.2.e) RGPD does not
can ignore the purpose pursued by the rule: to decide the amount of the sanction of
administrative fine in the individual case raised, always taking into account that the
sanction is proportional, effective and dissuasive.
The allegedly infringing conduct consisted of the processing of personal data
without legitimation (a fraudulent duplicate SIM): the defendant did not act diligently in
complying with its obligation to ensure that the personal data
it processes respect the principle of legality.
Therefore, the omission of the appropriate diligence, aimed at the
identification of the person who provided personal data of which they were not the owner as their own,
allowed identity fraud and determined that the processing of personal data
of the claimant made by the defendant lacked legal basis under the
article 5.1.a) in relation to article 6.1. GDPR.
There are numerous sanctioning procedures processed by the AEPD in which
the defendant did not act with the required diligence, since it did not apply the necessary
and appropriate measures to verify the identity of the contracting party or the third party that provided as
their own data of which they were not the owner. The procedures and sanctions in them
were imposed to graduate the sanction that must be imposed for the violation of the
article 6.1. GDPR that is attributed to you in this opening agreement.
Reason why the defendant's history of violations, in which there was a
significant omission of the necessary diligence to verify the identity of the person
provided the personal data of a third party as his own, affects the guilt and
illegality of the conduct assessed here.
As an example, the resolutions issued by the AEPD are cited in the following
sanctioning procedures processed against the defendant:
i. EXP202204287. Resolution issued on October 24, 2022 in which a fine of
70,000 euros was imposed. The facts concerned a fraudulent duplicate of the SIM
card without legitimation. Vodafone took advantage of one of the two
planned reductions.
ii. EXP202103028. Resolution issued on November 29, 2022 in which a fine of
70,000 euros was imposed. The facts concerned a fraudulent duplicate of the SIM
card without legitimation. Vodafone took advantage of one of the two
planned reductions.
iii. EXP202203914. Resolution issued on October 24, 2022 in which a fine of
70,000 euros was imposed. The facts concerned a fraudulent duplicate of the SIM
card without legitimation. Vodafone took advantage of one of the two
planned reductions.
- The evident link between the business activity of the defendant and the
processing of personal data of clients or third parties (article 83.2.k, of the RGPD
in relation to article 76.2.b, of the LOPDGDD).
The Judgment of the National Court of 10/17/2007 (rec. 63/2006), in which,
regarding entities whose activity involves continuous data processing
of clients, indicates that “…the Supreme Court has been understanding that there is
recklessness whenever a legal duty of care is neglected, that is, when the
offender does not behave with the required diligence. And in assessing the degree of
diligence, the professionalism or otherwise of the subject must be especially considered, and
there is no doubt that, in the case now examined, when the activity of the appellant
involves constant and abundant handling of personal data, rigor and exquisite care
in complying with the legal provisions in this regard must be insisted upon.”
As mitigating factors:
The claimed party proceeded to resolve the incident that was the subject of the claim
effectively (art. 83.2 c).
It is appropriate to graduate the sanction to be imposed on the claimed party and set it at the amount of
€100,000 for the alleged violation of article 6.1) typified in article 83.5.a) of the
cited GDPR.
Therefore, in accordance with the above, by the Director of the Spanish Data
Protection Agency,
IT IS AGREED:
FIRST: START SANCTIONING PROCEDURE against VODAFONE ESPAÑA,
S.A.U. with NIF A80907397, for the alleged violation of article 6.1) typified in the
article 83.5.a) of the aforementioned RGPD.
SECOND: APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating
that either of them may be challenged, if applicable, in accordance with the provisions
of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the
Public Sector (LRJSP).
THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its documentation, the documents
obtained and generated by the General Subdirectorate of Data Inspection.
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations, the
sanction that could correspond for the violation of article 6.1 of the RGPD,
typified in article 83.5 a) of the RGPD, would be a
fine in the amount of 100,000 euros (one hundred thousand euros), without prejudice to what may result
from the instruction.
FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with NIF
A80907397, granting it a hearing period of ten business days to formulate
the allegations and present the evidence that it considers appropriate. In its written
allegations it must provide its NIF and the procedure number that appears in the
heading of this document.
If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, in the event that the
sanction to be imposed is a fine, it may recognize its responsibility within the
period granted for the formulation of allegations to this initiation agreement,
which will entail a reduction of 20% of the penalty that must be imposed
in the present procedure, equivalent in this case to twenty thousand euros (€20,000).
With the application of this reduction, the amount of the penalty would be established at
eighty thousand euros (€80,000), resolving the procedure with the imposition of this
sanction.
Likewise, it may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction,
in accordance with the provisions of article 85.2 LPACAP, which will mean a
reduction of 20% of the amount, equivalent in this case to twenty thousand
euros (€20,000), for the alleged infraction. With the application of this reduction, the
amount of the penalty would be established at eighty thousand euros (€80,000) and its payment
will imply the termination of the procedure, without prejudice to the imposition of the
corresponding measures.
The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for recognition of responsibility, provided that this recognition
of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
this case, if both reductions were to be applied, the amount of the penalty would be
established at sixty thousand euros (€60,000).
In any case, the effectiveness of either of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any administrative action or appeal
against the sanction.
In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above, 80,000 euros or 60,000 euros, you must make it effective
by depositing it into account number ES00 0000 0000 0000 0000 0000 opened in the
name of the Spanish Data Protection Agency at the bank CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the ground for reduction of the amount of which you
avail yourself.
Likewise, you must send proof of payment to the General Subdirectorate of
Inspection to continue the procedure in accordance with the amount
paid.
The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After this period, it will expire and,
consequently, the proceedings will be archived, in accordance with the provisions of
article 64 of the LOPDGDD.
Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.
Mar España Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On July 20, 2023, the claimed party has proceeded to pay
the penalty in the amount of 80,000 euros making use of one of the two reductions
provided for in the Initiation Agreement transcribed above. Therefore, recognition of
responsibility has not been accredited.
THIRD: The payment made entails the waiver of any administrative action or appeal
against the sanction, in relation to the facts referred to in the
Initiation Agreement.
FOUNDATIONS OF LAW
I
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants each
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, by the regulatory
provisions issued in its implementation and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."
II
Termination of the procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter LPACAP), under the heading
“Termination in sanctioning procedures”, provides the following:
"1. Once a sanctioning procedure has been initiated, if the offender recognizes his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction
and another of a non-pecuniary nature can be imposed but the
inadmissibility of the second has been justified, the voluntary payment by the alleged responsible party, at
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of
any administrative action or appeal against the sanction.
The reduction percentage provided for in this section may be increased
by regulation."
According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DECLARE the termination of procedure EXP202206805, in
accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, interested parties may file a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
aforementioned Law.
Mar España Martí
Director of the Spanish Data Protection Agency