AEPD (Spain) - EXP202210101
From GDPRhub
| AEPD - EXP202210101 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 15.08.2022 |
| Decided: | 23.01.2024 |
| Published: | |
| Fine: | 200,000 EUR |
| Parties: | Orange Espagne, S.A.U. |
| National Case Number/Name: | EXP202210101 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA imposed a € 200,000 fine on a controller that granted a third party a duplicate SIM card without the data subject’s consent and without verifying the third party’s identity.
English Summary
Facts
On 15 August 2022, a complaint was filed with the Spanish DPA (AEPD) against Orange Espagne, S.A.U. (the controller) alleging that the controller provided a third party with a duplicate of the data subject’s SIM card without the data subject’s consent. The third party accessed the data subject’s banking data as a result, causing financial harm. When the data subject notified the controller of the incident and requested that the SIM card be annulled, the controller responded that they could not annul the card until the data subject received a new physical SIM card in a few days.
The DPA’s investigation found that the controller duplicated the data subject’s eSIM to a third party without their consent and without verifying the identity of the requesting party. The third party then accessed information contained in the phone including the data subject’s email address, bank details, passwords, and other personal data.
In its defense brief, the controller stated that upon detecting irregularities in the request for the duplicate SIM, it recorded the incident to prevent the accrual of charges for duplicate invoices. The controller also adjusted charges generated by the duplicate SIMs and blacklisted the International Mobile Equipment Identity of the device that created the duplicate SIM to prevent future malfeasance. In addition, the controller argued that the identity thief already had knowledge of personal data of the data subject which was not accessed through the controller.
Holding
The AEPD fined the controller € 200,000 for violating Article 6(1) GDPR.
The AEPD determined that the controller did not take the necessary precautions to avoid the occurrence of these events. It noted that even though the data subject informed the controller they had not requested the additional SIM card, the controller failed to immediately block the SIM. Its delay of three days thus allowed the third party to access the data subject’s banking data and cause financial harms.
The controller processed the data subject’s data under a contractual legal basis pursuant to Article 6(1)(b). The AEPD thus concluded that in granting a third party access to a duplicate SIM card without the data subject’s consent and without verifying the identity of the third party, the controller lacked a legal basis for the processing and violated Article 6(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/28
File No.: EXP202210101
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based
to the following:
BACKGROUND
FIRST: D. A.A.A. (hereinafter, the complaining party) dated August 15,
2022 filed a claim with the Spanish Data Protection Agency. The
claim is directed against ORANGE ESPAGNE, S.A.U. with NIF A82009812 (in
hereinafter, the claimed party or Orange). The grounds on which the claim is based are
the following:
The complaining party states that, without its consent, Orange provided a third party
a duplicate of your mobile phone's SIM card and it accessed your data
banking, and the consequence of which resulted in financial loss.
Thus, he points out that on August 1, 2022, his mobile phone stopped working.
function and received several emails regarding a consumption notice
100Mb of the contract and another email indicating the following: "It has been processed
successfully activating your eSIM card.
As a result of what happened, he contacted the claimed party requesting the annulment of the
SIM card, indicating the claimed party "that they could not cancel said card for
protocol", so he had to wait four days to physically receive a new
and thus be able to cancel the previous one.
And, provide the following relevant documentation:
- Claim made to Orange.
- Screen print of received messages (including the message
regarding the activation of the eSIM card).
- Screen print of calls made to the Customer Service
Customer.
- Screen print of the conversation held with the claimed party,
through chat. In them it can be seen that the claimant indicates that his mobile phone has
stopped working (his card is disabled) and that he has not requested
no eSIM card, requests a new duplicate and Orange states that
I would have to send it to him.
- Complaint filed with the National Police on August 3, 2022.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/28
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to
to proceed with its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on October 3, 2022 as
It appears in the acknowledgment of receipt that is in the file.
On November 3, 2022, this Agency received a response letter
indicating: << Orange informed the Risk Analysis Group of this company,
which proceeded to carry out a study of the incidence, the details of which are reproduced
next. Derived from the aforementioned analysis, it was detected that the
duplicate e-SIM had been made by usurping the identity of the Claimant.
In this sense, the usurper accessed the Client's private web area (hereinafter,
APC) of the Claimant, subsequently initiating a conversation with the Digital Channel
assisted and requesting through this means the duplicate eSIM. Having, therefore,
verified the irregularity in the duplicate request, the Data Analysis team
Riesgos confirmed that the Claimant, owner of the ***TELEFONO.1 line, has been,
probably a victim of phishing, smishing or some other engineering instrument
social (which has not been able to be identified by this company in the course of the
investigations) through your APC from where the duplicate e-SIM was requested without
a reset of the passwords had been requested, that is, the criminal already knew it
previously.
Upon detecting this irregularity in the request for the duplicate SIM, this
impact on the internal systems of this company in order to prevent
charges accrue for the generation of duplicate invoices. That is why not
no additional charge was made in Orange to the Claimant for these events, nor the
identity theft could contract more services or lines with the duplicate
Claimant's SIM in Orange.
Additionally, the IMEI of the device from which it was carried out was tracked.
the duplicate of fraudulent e-SIM, including it in the internal BlackList, so that the
itself could not be used again for these purposes.
Finally, adjustments were made to the Claimant for the charges generated by
the two duplicate SIMs, being informed of such extremes by the team
who managed the incident.
At the time of requesting a duplicate fraudulent e-SIM, the usurper accessed
the Claimant's APC without having previously made a change or reset of
password, requesting the electronic duplicate of the SIM card (E-sim), and, due to
who adequately provided the Complainant's personal data, the QR of
activation of the e-SIM via email, thus resulting in the activation of the duplicate.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/28
That is, the identity theft had in his possession the personal data of the
Claimant required to access your private area. Therefore, previously
for him to have any contact with Orange, he already had knowledge of the
personal data of the Claimant, which he did not access through this company.
Thanks to having the Claimant's data at your disposal, it is possible for you to activate
the duplicate SIM card.
Thus, in the present case, it is evident that the incidence becomes, mainly,
that the impersonator had access to the Claimant's credentials to access
to the private area, prior to this entity intervening.
From August 12, 2022, it is mandatory for clients to identify themselves
strictly with your ID for any change or hiring you want to make
from the Assisted Digital Channel through the APC, despite having accessed the
platform with your username and password.
Likewise, since the aforementioned date, it is not permitted to make duplicate SIM or E-mails.
sim from the APC, referring the customer to a point of sale to manage said
application.
Likewise, and additionally, for the rest of the commercial acts, except
As indicated, the duplicate sim/E-sim is being implemented
gradually establish a mandatory validation system with Token, sent to
the contract line>>.
THIRD: On November 11, 2022, in accordance with article 65 of
the LOPDGDD, the claim presented by the complaining party was admitted for processing.
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:
Request and activation of the eSIM
In the transfer of the claim previously made, the claimed party stated
that in the specific case of the claimant, the eSIM request route was the Private Area
of the Client, accessing with the client's username and password.
In these proceedings, the claimed party has been required to provide
documentation that certifies access and request for the eSIM through that means, as well as
documentation proving the conversation held by the applicant with the
Assisted digital channel of the Client's Private Area.
In the response, the claimed party indicates that the usurper gained access through said means,
probably after being a victim of phishing, smishing or some other instrument
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/28
of social engineering, subsequently starting a conversation with the Digital Channel
assisted and requesting through this means the duplicate eSIM.
They provide, within the contacts registered with the client or his alleged impersonator,
several dated 08/01/2022 that reflect that at 7:03 p.m. there was a change in the
email address of the client, made from the Client Area, and at
20:07 sending an SMS informing you that you can scan the activation code
of the eSIM. Among these contacts that provide, there are no other intermediate records, no
However, the eSIM request must have occurred between both hours.
On the other hand, when the requested party is required to provide the date of activation of the
eSIM, provide an impression of a record from 20:06 on 08/01/2022 in which
consists of “assisted digital channel” categorized as “change” “SIM card”, indicating the
representatives of the entity that made the request at that time. At 20:26 it appears
a contact with the text “the activation of your eSIM card has been successfully processed”.
Incident resolution
There are contacts subsequent to those already reported, consisting of communications from the
complainant to the complained party indicating that they have not requested an eSIM to
solve the problem: at 11:43 p.m. on the same day of the events (08/01/2022) it appears
contact in which the customer asks why an eSIM has been contracted without
request it. There are other contacts, including one the day after the events.
(08/02/2022) with the annotation “client communicates because yesterday he wanted
duplicate his sim but it arrived yesterday, the agent hired him an esim but [the
client] states that he did not receive any email or SMS, he communicated to
cancel the process and today he goes to duplicate the sim in the store but the system does not allow him
allowed because the esim is waiting to be activated, it is indicated in
solutions, one of them is to let the esim be canceled in 72 hours and then yes
generate the duplicate.”
There is a contact dated 08/03/2022 notifying of the delivery of the order
corresponding to the new SIM. There is a contact dated 08/04/2022 indicating
that has been delivered.
The complained party has been requested to report on the reasons why it did not
The eSIM card was deactivated when the facts were revealed by the
claimant.
The representatives of the claimed party state in this regard that due to the
nature of this type of commercial acts that involve duplicate requests
SIM card, call forwarding, changes in contact information, etc., the
Established protocols for care by frontline personnel to
These types of procedures are very strict and require formal measures, since
be it the contribution of complaints or other identification policies for what is
It is probable that the agent who attended to the claimant's request, by requiring the
complaint and this not being provided, it is likely that the request could not be executed in
First instance.
They indicate that on August 3, 2022 the numbering was blocked due to theft/loss.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/28
FIFTH: According to the report collected from the AXESOR tool, the entity
ORANGE ESPAGNE, S.A.U. is a large company established in 1998, and with
a business volume of ***AMOUNT.1 euros in 2021.
SIXTH: On July 25, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in
hereinafter, LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in
Article 83.5 of the GDPR.
SEVENTH: The aforementioned initiation agreement has been notified in accordance with the established rules
In the LPACAP, the claimed party requested a copy of the file and extension of the deadline
that was granted and presented a written statement of allegations in which, in summary, it was
reiterates in the allegations made on November 3, 2022 and indicates: <<that
Initially, identity thefts were concentrated in the request for
duplicate SIM cards in person and physically; Currently, attempts to
fraud have evolved especially in the digital field and are concentrated in
request for duplicates and activation of SIM cards through non-face-to-face channels, if
Well until now a duplicate physical SIM card was requested, we see that, as in
In the current case, criminals focus their objective on electronic cards “e-
SIM” and through channels protected with personal security credentials of the
users, which shows an important sophistication in the techniques used by
criminals who commit this type of identity theft crimes.
They add that Orange has decided to deactivate this possibility of self-management through
of the Private Area, establishing additional guarantee measures within the
Assisted Digital Channel for the request to carry out procedures and contracts that
such channel incorporates, requiring prior and mandatory, additional verification
by direct control from the Fraud department, who will analyze the
documentation of the client who requests a duplicate SIM card and will be the one to issue
authorization to the management team that supports said assisted digital channel. Measure
reviewed has been implemented in Orange systems on August 12,
2022.
Likewise, they indicate that unauthorized access does not occur, but rather, as
result of the prior and illicit obtaining of the claimant's access credentials,
The third party is identified in the claimant's private area in an ordinary way. The
Password protection is an access control technique, ensuring that only
can be accessed by the person who knows the correct credentials,
being the most widespread data security tool according to the state of the
current technique.
The identity theft at no time accessed the mobile phone - nor,
consequently, to the information that it may contain -, while the telephone
mobile phone is at all times in the possession of the Claimant, as he himself states
in your claim.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/28
In this sense, it is necessary to rigorously establish the proven facts, as well as
how to know the operation of each device: the SIM card does not contain the data of the
telephone or mobile terminal, so access to a duplicate of it does not allow
to a third party access to the applications that the Claimant may have installed on
the same, such as the applications of banking entities.
Additionally, in order to access banking applications, impersonators
ID card must know the Claimant's banking credentials.
The AEPD must clearly distinguish this fact, as it is based on it, despite
be equivocal, its legal basis for the infringement. Derived from the above, no
It is possible to attribute to this party the performance of data processing without
legitimation, while the third party regularly identifies itself before Orange, within
his private environment, the result of obtaining the Claimant's data in advance
and supposedly illegal, without there being a password reset or indication on that date
any of irregular access to said personal online area.
Thus, Orange's data processing is legitimate, based on the relationship
existing contractual agreement with the Claimant, as stated in Considering 40
extracted by the Agency in its justification. This is why there is no
illegitimate processing of the Complainant's data nor can Orange be accused of fault
diligence in identifying the same, as the Agency identifies in its
Initiation Agreement, not being attributable to this party a violation of Article 6.1 of the
GDPR.
This Agency Initiation Agreement is based exclusively on an analysis of the
result, considering that obtaining a duplicate e-SIM card for a
third entails the automatic consideration that the personality of the
contracting party and, therefore, in the opinion of the AEPD, the
direct responsibility on the part of Orange.
This is why it is not possible to assess Orange's guilt at this time.
factual assumption, the assessment made by the
Agency for commission of infringement by this company.
In response to all this deployment of measures mentioned and designed by
Orange, considers this part that is accredited, not only the firm will of this
commercial law in the protection of the rights of individuals, but the use of a
adequate level of diligence on the part of Orange with which, although it is not
possible, due to limitations of technology and human resources, the existence of a
zero risk, is updated and reviewed periodically according to the status of the
technique, the costs of implementation, and the nature, scope, context and purposes of the
treatment, as well as risks of varying probability and severity for the rights
and freedoms of natural persons.
As reflected in the allegations presented, Orange has
demonstrated having acted with due diligence in identifying the
Claimant, no data processing taking place without legitimacy. Without
prejudice to the above, and in the hypothetical case that the Agency considers that
there is some type of non-compliance, the sanction included in the Startup Agreement results,
in any case, disproportionate, taking into account the circumstances and content of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/28
alleged infringement, which Orange strongly denies. In this sense, it is worth highlighting
the following points that, according to the interpretation of the Agency, are classified as
aggravating circumstances, without the circumstances concurring for their consideration in relation
with the facts analyzed: Any previous infraction committed by the person responsible or
data processor (article 83.2 e) of the GDPR.
The assessment carried out by the Agency only takes into account the violations
imposed for violation of article 6.1 of the RGPD, however, it covers
different factual assumptions. This part has outlined throughout this writing
the particularities of the present case, as well as the innovation of the techniques and
means used by identity theft to carry out attempts to
commission of fraud.
The obvious link between the business activity of the defendant and the treatment
of personal data of clients or third parties (article 83.2.k, of the RGPD in relation
with article 76.2.b, of the LOPDGDD). While it is true that Orange's activity
makes it necessary to process the personal data of its clients, the truth is that
This factor is ambiguous in its assessment to include it as an aggravating factor, since said
The link does not imply, by any means, a direct relationship with the alleged
infringement. Article 83.2 k) requires that said aggravating circumstance be put in relation to the
concrete factual assumption.
In this sense, data processing does not arise from an intention of the entity, but rather
that the commission of a crime takes place in which Orange is an injured party. For all
Therefore, this aspect cannot be interpreted as an aggravating factor. Additionally, I would like
point out in this part that the damage referred to by the Claimant, consisting of the
theft of funds from their bank accounts, is not included in the
activity of this business.
ORANGE cannot be responsible for the security of third-party operations
entities by the mere fact that they use telecommunications services.
Additionally, and as established in article 83.2 of the RGPD and article 76.2
of the LOPDGDD, in addition to the mitigating circumstance already expressly recognized by the AEPD
in its Startup Agreement: The claimed party proceeded to block the line as soon as
had knowledge of the facts (art. 83.2 c); The following are presently present:
extenuating circumstances that have not been considered in the appropriate grading
of the sanction: At no time have special categories of data been processed.
The degree of cooperation between Orange and the AEPD in order to remedy a
alleged infringement and mitigate its possible adverse effects: it has been proven
that all information requests have been responded to in a timely manner
requested by this Agency, in line with the usual practice of this total company
collaboration with the data protection authority. The non-existent benefit
obtained by Orange derived from the processing of data that occupies this
procedure.
In any case, Orange has been harmed, as has already been pointed out, being part
harmed even in the judicial procedure in which the commission of the
crime that concerns us.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/28
Orange requests that a resolution be issued by means of which the file of the
Procedure. Alternatively, complete the procedure by means of a
warning and, ultimately, if it considers that the imposition of a
sanction, moderate or modulate its proposal included in the Initiation Agreement notified to
Orange, taking into account the arguments expressed in the body of this document
of allegations>>.
EIGHTH: On September 12, 2023, the instructor of the procedure agreed
practice the following tests: <<1. The
claim filed by A.A.A. and its documentation, the documents obtained and
generated during the phase of admission for processing of the claim, and the report of
prior investigation actions that are part of the procedure
AI/00403/2022. 2.Likewise, it is considered reproduced for evidentiary purposes, the
allegations to the agreement to initiate the referenced sanctioning procedure,
presented by ORANGE ESPAGNE, S.A.U., and the documentation that they
accompanies>>.
NINTH: On October 17, 2023, a proposed resolution was formulated,
proposing that the Director of the Spanish Data Protection Agency
sanction ORANGE ESPAGNE, S.A.U. with NIF A82009812, for the alleged
violation of article 6.1) typified in article 83.5.a) of the aforementioned RGPD. with a
fine of 200,000 euros (two hundred thousand euros).
TENTH: Once the proposed resolution was notified, the claimed party requested an extension
of the period granted to him and presented a written statement of allegations in which, in
In summary, the allegations previously presented are reiterated in the allegations, and in
synthesis states that: <<Although this part recognizes that the process of issuing
A duplicate SIM card involves data processing, it must be noted that
During the same, Orange has not made available to the impersonators
identity no data.
The only intervener who has provided data in this factual situation is the
own identity theft, when accessing the Orange Private Customer Area, in
specifically, by providing the username and password used as security credentials
by the Claimant, necessary for access.
After that, the applicant makes a request for a duplicate SIM card, which is
granted by stating, through your security credentials, identified as the
line holder. After that, an email is sent to you with the code to activate the SIM.
In the present case, it is proven that what the impersonator had access to was a
duplicate of an empty e-SIM card, without any personal information. And it does not appear
any reference among the evidence in the file, that there had been
accessed any personal information of the Claimant as a result of the
making the duplicate SIM available.
The SIM card does not contain the data of the telephone or mobile terminal, so access
a duplicate of it does not allow a third party access to the applications that the
Claimant may have installed on it, such as security applications.
banking entities. Additionally, to be able to access the applications
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/28
banking, identity theft must know your banking credentials
of the Claimant.
Thus, Orange's data processing is legitimate, based on the relationship
existing contractual agreement with the Claimant. During this process, it was not provided by
from Orange any personal data to the applicant or any other person, so it is not
unauthorized processing of personal data has occurred.
The fact that the person carrying out the procedures does not correspond,
supposedly, with the owner of the contract does not mean per se that there is any lack of
legitimation in its treatment.
It is a fact that banking entities are the only ones responsible for security
of its operations, as stated by the European Banking Authority (hereinafter,
the “EBA”) in the following pronouncements: • Opinion on the implementation of the
RTS on SCA and CSC: in its section relating to who decides on the means to
used for said authentication (points 37 and 38), rules that the credentials of
security used to perform secure authentication of users of the
payment services are the responsibility of the account services managing entity (in
the case at hand, financial entities). • Qualification of SMS OTP as an
authentication factor | European Banking Authority: indicates that the use of SMS
ordinary is not feasible for the confirmation of banking operations, as it is not
sufficiently safe in accordance with the standards of Directive (EU) 2015/2366 of the
European Parliament and of the Council of 25 November 2015 on security services
payment in the internal market (PSD2).
In this sense, it indicates that: “article 22 (1) of the Regulation requires that ‘the
Payment service providers will guarantee the confidentiality and integrity of the
personalized security credentials of the payment service user, including
authentication codes, during all phases of authentication' and the article
22(4) of the Delegated Regulation states that ‘service providers
Payment gateways will ensure that the processing and routing of payment credentials
custom security and authentication codes generated from
in accordance with Chapter II take place in safe environments consistent with
firm and widely recognized industry standards.”
Therefore, there is no doubt that the payment service provider is subject
to compliance with specific protection obligations in the processes of
authentication of payment operations whose purpose is to minimize the probability
execution of unauthorized operations, but in no case prevent them from
occur.
Thus, it contradicts any legal logic to transfer all responsibility to the entity
that provides telephone services, being the mere communication channel
selected by the financial institution itself and without its knowledge, in a manner
any, that the data transmitted through the messages sent contain
banking operations keys.
Note that Orange does not offer online trust services to banking operators,
nor does it offer services typical of a certification or accreditation entity. The
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/28
banking entities may not have contracted any service from Orange, and, even so,
Use SMS to carry out your actions with clients. Therefore, it is not
can hold Orange responsible for configuring SMS sending as a second
authentication factor used by those responsible for other services, such as
banking operators.
Consequently, it is reiterated by this party that the responsibility of the operators
telephone charges due to cases of identity theft for requesting copies
SIM cards cannot cover those derived from banking operations that
criminals can carry out as a result of security measures
implemented by banking entities are inadequate.
Orange cannot be responsible for the security of the operations of third parties
by the mere fact that they use telecommunications services. Consequently, the
reasoning followed to hold Orange responsible as operator for the
Fraud to the banking entity is not legally acceptable.
With this presentation, focused exclusively on the result, the Agency deduces
directly that Orange has carried out negligent conduct, without considering,
in any way, the measures deployed by this party.
Therefore, in the opinion of the Agency, the overcoming of the security measures of
Orange by a third party, regardless of its content, automatically entails
the consideration of their actions as negligent. This legal reasoning supposes
a clear materialization of objective responsibility in the sanctioning field,
which is not admissible in our legal system. In this regard, the
Supreme Court ruling 543/2022, dated February 15, 2022, establishes,
in its Third Legal Foundation, and establishes jurisprudence; that: “The obligation to
take the necessary measures to guarantee the security of personal data
cannot be considered an obligation of result, which implies that produced a
leakage of personal data to a third party, liability exists independently
of the measures adopted and the activity carried out by the person responsible for the file
or treatment.” Thus, the Supreme Court configures said obligation as one of
means, in which (Third Legal Basis): “the commitment that is acquired is
that of adopting technical and organizational means, as well as deploying an activity
diligent in its implementation and use that tends to achieve the expected result
with means that can reasonably be described as suitable and sufficient for its
achievement, which is why they are called obligations of "diligence" or "of
behavior".
Therefore, in addition to what has been stated and as has been proven, the entity has
with an adequate protocol for the correct processing of requests (whose
effectiveness in preventing fraud is very high, exceeding 99%).
It is also worth remembering that it is the Constitutional Court (hereinafter, TC),
which, since its Sentence No. 76/1990, of April 26, has been warning of the
problem of the inadmissibility of liability in our legal system
objective and, consequently, the requirement in all cases that the Administration,
When it comes to sanctioning, prove some degree of intentionality on the part of the sanctioned person. In this
sense it is also worth mentioning what was stated by the National Court, among others,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/28
in its Judgment of the Administrative Litigation Chamber, Section 1, of 23
December 2013, Rec. 341/2012: “Indeed, in sanctioning matters, the
principle of guilt (SSTC 15/1999, of July 4; 76/1990, of April 26; and
246/1991, of December 19), which means that some kind of
fraud or guilt. As the Supreme Court ruling of January 23, 1998 says,
“...we can speak of a decided jurisprudential line that rejects in the field
sanctioning of the Administration the objective responsibility, demanding the
concurrence of fraud or guilt, in line with the interpretation of STC 76/1990, of 26
of April, by pointing out that the principle of guilt can be inferred from the principles of
legality and prohibition of excess (article 25 of the Constitution) or the demands
inherent to the rule of law.
The issue, therefore, must be resolved in accordance with the principles of law.
punitive given that mere human error cannot give rise, by itself (and above all)
everything when it occurs in isolation), to the attribution of consequences
sanctioning; Well, if this were done, a system of responsibility would be incurred
objective prohibited by our constitutional order.
In the present case, the existence of strict control, prior and
after contracting, the establishment of prior and a posteriori measures, as well as
such as the existence of specific measures aimed at previously avoiding these
practices (already indicated by this party in the allegations to the request of
information from the AEPD).
This is why it is not possible to assess Orange's guilt at this time.
factual assumption, the assessment made by the
Agency for commission of infringement by this company.
That is, the existence of the ORANGE protocols and the introduction of
improvements and new measures to increase its effectiveness, as well as the diligence of
ORANGE in minimizing the impact and implementing the protocols, not
However, in the justification, the AEPD classifies them as not adequate, in
both “are susceptible to improvement.”
Again, as has already been stated on numerous occasions, both in the
response to the request as in the allegations in relation to the Agreement of
Beginning of Sanctioning Procedure, this company has adapted the measures of
security in a complementary way to the evolution of social engineering techniques
used by cybercriminals.
Therefore, the involvement and proactivity of this party in the
protection of the rights of individuals, as well as the use of a level of
adequate diligence on the part of Orange with which, although it is not possible, for
limitation of technology and human resources, the existence of zero risk, is
updated and reviewed periodically in accordance with the state of the art, costs
of application, and the nature, scope, context and purposes of the processing, as well as
as risks of varying probability and severity to the rights and freedoms of
natural persons.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/28
For greater emphasis, the procedure established and applied by Orange, which the
Agency has not evaluated, sends the client a notice simultaneously to the
carrying out the procedure and managing the duplicate, so that it is necessarily used
the email of the owner of the line, but also, for security, the owner of the line is informed
direct telephone line. In fact, it is this measure implemented by Orange,
As already noted, which enables the Claimant to identify that he has been a victim
of a 'phishing' fraud.
Thus, the Orange procedure incorporates additional security measures (which have
proven in the present case to be effective), in compliance with the criteria
stipulated by the National Court as accreditation of the display of diligence
sufficient in requesting duplicate SIM cards.
Orange has demonstrated, through both the allegations presented and in the
previous documentation made available to this Agency, which has acted in all
moment with due diligence in identifying the Claimant, not having
place any data processing without legitimacy.
Notwithstanding the above, in the hypothetical case that the Agency considers that there is
any type of non-compliance, the sanction included in the Startup Agreement results, in
in any case, disproportionate, taking into account the circumstances and content of the
alleged infringement, which Orange strongly denies.
In this sense, it is worth highlighting the following points that, according to the interpretation
of the Agency are classified as aggravating circumstances, without the circumstances concurring to
its consideration in relation to the facts analyzed:
• Any previous infringement committed by the person responsible or in charge of the treatment
(article 83.2e) of the GDPR.
This party has indicated both in this document and in previous ones sent to
this Agency, the particularities of the case at hand, as well as the innovation
of the techniques and means used by identity theft to execute
attempts to commit fraud.
Said in terms of risk analysis, it is not possible to require the existence of measures
• The evident link between the business activity of the defendant and the
processing of personal data of clients or third parties (article 83.2.k, of the RGPD
in relation to article 76.2.b, of the LOPDGDD).
The processing of personal data by Orange is strictly necessary
to be able to carry out the activities that characterize it as an operator. By
therefore, impose the aggravating factor described taking into account that there is no relationship
directly with the alleged infringement, does not agree with what is stated in article 83.2.k)
since this requires that the aggravating factor in question be applied taking into account the
case concrete.
Thus, in no case has it been part of Orange's will that the
situation in which the Claimant has been involved and it is necessary to reiterate that this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/28
operator has also been harmed by it. Therefore, it is not possible
consider the application of this aggravating circumstance. Additionally, as has been stated
Earlier in these allegations, I would like to point out this part that the
damage to which the Claimant alludes, consisting of the theft of funds
of their bank accounts, is not included in the activity of this company.
As has already been pointed out in this document, banking entities are the
solely responsible for the security of its operations (EBA, Opinion on the
implementation of the RTS on SCA and CSC and Qualification of SMS OTP as an
authentication factor).
As an addition to the above, and as established in article 83.2 of the RGPD and the
article 76.2 of the LOPDGDD, in addition to the mitigating circumstance already expressly recognized
by the AEPD in its Initiation Agreement.
• The claimed party proceeded to block the line as soon as it became aware of the
facts (art. 83.2 c).
The following extenuating circumstances exist here and have not been
considered in the appropriate grading of the sanction:
• At no time have special categories of data been processed.
• The degree of cooperation between Orange and the AEPD in order to remedy a
alleged infringement and mitigate its possible adverse effects: it has been proven
that all information requests have been responded to in a timely manner
requested by this Agency, in line with the usual practice of this total company
collaboration with the data protection authority.
In the letters sent to the AEPD, the measures have been outlined in detail.
implemented regarding the circumstance in which the
Complainant, therefore remedying the alleged infringement, mitigating,
likewise, its effects.
• The non-existent benefit obtained by Orange derived from the treatment of
data that this procedure occupies.
In any case, Orange has been harmed, as has already been pointed out, being part
harmed even in the judicial procedure in which the commission of the
crime that concerns us.
Although the AEPD in its Proposal indicates that this cannot be considered a
extenuating circumstance, Orange has not benefited in any case, but has been,
Likewise, a victim of the actions of cybercriminals, like the
Claimant.
REQUESTS the Spanish Data Protection Agency to present the
present writing, it is worth admitting it, the previous allegations are considered formulated and,
after the appropriate procedures, issue a resolution by means of which the file is indicated
from EXP2022101101. Subsidiarily, in the event that the AEPD decides against
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/28
of the legal basis that ORANGE supports, the AEPD is requested to have
taking into account the mitigating circumstances based on the previous allegations
and, consequently, the procedure ends with a warning and, in
Ultimately, if you consider that the imposition of a sanction is appropriate, moderate or
modulate its proposal included in the Sanction Proposal notified to ORANGE,
taking into account the arguments expressed in the body of this document of
allegations>>.
Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:
PROVEN FACTS
FIRST: The claimant makes a claim on August 15, 2022,
stating that his mobile phone stopped working on August 1, 2022 and that
received several emails regarding a consumer notice and another email
email indicating that your eSIM card had been successfully activated.
SECOND: It appears in the file that the eSIM card application process was
through the claimant's Private Area on the Internet, they accessed the username and password
of the claimant on August 1, 2022, and requested the generation of an e-card
SIM and Orange proceeded to issue the duplicate card in the e-SIM mode.
THIRD: Work in the file that Orange proceeded to send an email
to the claimant with the notice of the e-SIM card request within the contacts
registered with the client or his alleged impersonator, several dated August 1,
2022 which reflect that at 19:03 there was a change in the email address
claimant's email, made from the Client Area and at 8:07 p.m. the sending
of an SMS informing you that you can scan the eSIM activation code.
FOURTH: It appears in the file that the claimant, after receiving the SMS from Orange,
Contact the claimed party to request the cancellation of the duplicate card
eSIM, indicating that it has not been done.
FIFTH: It is stated that on August 3, 2022, the numbering of the
telephone line for theft/loss.
FOUNDATIONS OF LAW
Yo
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/28
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”
II
Allegations
In response to the allegations presented by the claimed entity, it should be noted
the next:
Regarding the issuance of duplicate is not sufficient to carry out operations
bank accounts on behalf of the holders, certainly, to complete the scam, it is
necessary for a third party to “impersonate” the identity of the data owner before the entity
financial. Which entails, a priori, treatment outside the principle of legality.
since a third party is processing data, since it has access to them, without any legal basis,
in addition to the violation of other principles such as confidentiality.
For this reason, this is a process where the diligence provided by the
operators is essential to avoid this type of scams and violations of the RGPD.
Diligence that translates into the establishment of appropriate measures to guarantee
that the data processing complies with the RGPD.
The actions of the banking entities that
provide payment services, in which area this type of scam begins, since
The third party has access to the credentials of the affected user and impersonates
this.
While these entities are responsible for the processing of the data of their
clients, they have the same obligations as those indicated until now for the
operators referring to compliance with the RGPD and the LOPDGDD, and also the
derived from Royal Decree-Law 19/2018, of November 23, on payment services and
other urgent measures in financial matters.
Within the eSIM issuance process, a physical card is not needed, but to
its activation requires that the applicant scan a QR code that is
sent electronically (SMS or email).
In the present case, it is proven that Orange provided a duplicate of the card
eSIM of the complaining party to a third party, without their consent, who accessed the
information contained in the mobile phone, such as bank details, passwords,
email address and other personal data associated with the terminal. So
Therefore, the defendant did not take the necessary precautions so that these events did not occur.
they would produce.
Well, it is proven that a third party accessed the Client's private web area
of the Claimant, and proceeded to change his email address and initiating
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/28
subsequently a conversation with the Digital Channel assisted and requesting through
This means the duplicate eSIM.
It must be taken into account, without prejudice to what was indicated above, that when
activation of the eSIM object of the claim occurred, the claimant received a notice
of the claimed party, and was left without line, so he contacted by telephone
stating not having requested the eSIM.
It is important to highlight that even though the complaining party advised that there was no
carried out that procedure. Orange did not block the phone thus allowing it to occur
the impersonation due to the delay on the part of Orange in carrying out the blocking of the
numeration. Two days later the numbering was blocked, and three days later
They provided a new physical SIM.
In view of the above, Orange cannot prove that it acted diligently and therefore
consequently there was an unlawful processing of the personal data of the party
complainant, thereby contravening article 6 of the GDPR.
From the Proven Facts, it is deduced that ORANGE has provided a duplicate card
eSIM to a third party other than the legitimate owner of the mobile line, after the
third party of the existing security policy, which shows a
breach of duty to protect customer information.
This unauthorized access to the personal data of the affected party is decisive
for subsequent actions carried out by the impersonators, since
They take advantage of the period of time that elapses from August 1, 2022, date on
that the user detects the fault on the line and contacts the operator,
until August 3, 2022, when Orange blocked the line to carry out
fraudulent banking operations, which without the duplicate eSIM card would have
its realization became impossible.
Denying the concurrence of negligent action on the part of ORANGE would be equivalent
to recognize that their conduct - by action or omission - has been diligent. Obviously not
We share this perspective of the facts, since the
lack of due diligence. The SAN of October 17, 2007 is very illustrative.
(rec. 63/2006), assuming that these are entities whose activity involves
in continuous processing of customer data, indicates that “…the Supreme Court comes
understanding that imprudence exists whenever a legal duty of
care, that is, when the offender does not behave with the required diligence. And in the
assessment of the degree of diligence, special consideration must be given to professionalism
or not of the subject, and there is no doubt that, in the case now examined, when the
activity of the appellant is constant and abundant handling of data of a
personnel must insist on rigor and exquisite care to conform to the
legal precautions in this regard.
Thus, in this sense, the ruling of the San National Court of September 19,
2023 (rec 403/2021), indicates that “… contracted the insurance policy with a third party without
sufficient control or supervision insofar as it was not able to detect that, in reality, the
The person who was expressing his willingness to hire was not who he said he was. Of
the necessary precautions have been taken to ensure the identity of the person
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/28
contracting party (for which it would have been enough to attend to the incorrect answer to
the client's identification and verification questions) in short, since there has not been
acted with the necessary diligence, the complainant's data was processed without counting
with your consent.”
It is proven in the file that security has not been guaranteed
appropriate in the processing of personal data, taking into account the result that
identity theft has occurred. That is, a third party has managed to access
to the personal data of the line owner without the security measures that
ORANGE claims that they exist, they could have prevented it. Thus, we are faced with the
concurrence of typical, illegal and culpable conduct.
In short, the operator's rigor when monitoring who owns the
eSIM card or person authorized by it who requests the duplicate, should
meet strict requirements. It is not that the information to which
refers is not contained in the eSIM card, but that, if in the process of
Issuance of a duplicate eSIM card does not adequately verify identity
of the applicant, the operator would be facilitating identity theft.
Regarding the fact that the criminals have not managed to obtain personal data from
ORANGE, so there can be no question of non-compliance with protective measures,
point out that access to a duplicate eSIM card that makes your
owner, responds to the definition of personal data in article 4.1) of the RGPD.
In the present sanctioning procedure, the sanction is imposed because
ORANGE provided a duplicate of the complaining party's eSIM card to a third party,
without your consent and without verifying the identity of said third party, and for this reason
imputes article 6.1 of the GDPR.
In the case now examined, the AEPD, after carrying out the investigations
timely, and in relation to a series of specific facts that it considers proven,
includes them in the offending type that it considers appropriate, in accordance with the
application and interpretation of the regulations, motivating in a neat and sufficient manner such
performance. And the AEPD is bound by the principle of legality that
involves the application and interpretation of the rules taking into account the factual situation
specific that occurs in each case.
Regarding the responsibility of ORANGE, it should be indicated that, in general terms
ORANGE processes its clients' data under the provisions of article 6.1 b)
of the RGPD, as it is considered a necessary processing for the execution of a contract
in which the interested party is a party or for the application at his request of measures
pre-contractual. In other cases, it bases the legality of the treatment on the bases
provided for in article 6.1.a), c), e) and f) of the RGPD.
On the other hand, to complete the scam, it is necessary for a third party to “impersonate the
identity” of the data owner, to receive the duplicate eSIM card. Which
entails, a priori, a treatment outside the principle of legality since a third party is
processing data, since it has access to them, without any legal basis, in addition to the
violation of other principles such as confidentiality.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/28
For this reason, this is a process where the diligence provided by the
operators is essential to avoid this type of scams and violations of the RGPD.
Diligence that translates into the establishment of appropriate measures to guarantee
that appropriate security measures are implemented and maintained to protect
effectively maintain the confidentiality, integrity and availability of all data
personnel for whom they are responsible, or those who are in charge of
another person responsible.
The Constitutional Court indicated in its Sentence 94/1998, of May 4, that we
We are faced with a fundamental right to data protection by which
guarantees the person control over their data, any personal data, and
on their use and destination, to avoid illicit trafficking or harm to the
dignity and rights of those affected; In this way, the right to protection of
data is configured as a citizen's power to oppose that
certain personal data are used for purposes other than that justified
its obtaining.
For its part, in Sentence 292/2000, of November 30, it is considered as a
autonomous and independent right that consists of a power of disposition and
control over personal data that empowers the person to decide which of those
data to provide to a third party, be it the State or an individual, or what this
third party collect, and which also allows the individual to know who owns that data
personal and for what, being able to oppose that possession or use.
Regarding ORANGE's conduct, it is considered that it responds to the title of guilt.
As a large-scale repository of personal data, therefore, accustomed
or specifically dedicated to the management of personal data of the
clients, must be especially diligent and careful in their treatment. That is to say,
From the perspective of guilt, we are faced with a conquerable error, since with the
application of appropriate technical and organizational measures, these impersonations
of identity could have been avoided.
It is recital 74 of the RGPD that says: The
responsibility of the data controller for any data processing
personal carried out by himself or on his own account. In particular, the person responsible must
be obliged to apply timely and effective measures and must be able to demonstrate the
compliance of processing activities with this Regulation, including the
effectiveness of the measures. These measures must take into account the nature,
scope, context and purposes of the processing as well as the risk to the rights and
freedoms of natural persons. Likewise, recital 79 says: The protection
of the rights and freedoms of the interested parties, as well as the responsibility of the
responsible and in charge of the treatment, also with regard to the
supervision by the control authorities and the measures adopted by
They require a clear attribution of responsibilities under this
Regulation, including cases in which a controller determines the purposes and
means of processing jointly with other controllers, or in which the
treatment is carried out on behalf of a person responsible.
The computer system and the technologies involved must be appropriate for
avoid identity theft and be correctly configured.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/28
This Agency does not share ORANGE's statements regarding the
circumstances that have been proven.
It is true that there are protocols to prevent identity theft in these
processes; that have been transferred to those involved in the processing; that have
introduced improvements after learning of certain vulnerabilities; that there are penalties
for non-compliance. However, we do not share the fact that these protocols
or internal procedures can be considered adequate as long as they are
susceptible to improvement. Identification mechanisms must be strengthened and
authentication with technical and organizational measures that are especially
appropriate to avoid impersonations.
Regarding due diligence, it is recognized that ORANGE has acted
diligently when it comes to minimizing the impact on those potentially affected by implementing
new security measures to prevent the repetition of similar incidents in a
future.
Certainly, the principle of responsibility provided for in article 28 of the LRJSP,
provides that: “They may only be sanctioned for acts that constitute an infraction
administrative authority of natural and legal persons, as well as, when a Law
recognize the capacity to act, the affected groups, the unions and entities without
legal personality and independent or autonomous assets, which are
responsible for them by way of fraud or guilt.”
However, the method of attributing responsibility to legal entities is not
corresponds to the intentional or reckless forms of guilt that are imputable
to human behavior. So in the case of violations committed by
legal entities, although the element of guilt must occur, it is
necessarily applies in a different way than it does with respect to people
physical.
According to STC 246/1991 "(...) this different construction of the imputability of the
authorship of the infringement of the legal entity arises from the very nature of fiction
legal to which these subjects respond. The volitional element is missing in them in the sense
strict, but not the ability to violate the rules to which they are subject.
Capacity for infringement and, therefore, direct blameworthiness that derives from the good
legal protected by the norm that is violated and the need for said protection
is really effective and for the risk that, consequently, the person must assume
legal entity that is subject to compliance with said norm" (in this sense STS of 24
of November 2011, Rec 258/2009).
To the above it must be added, following the ruling of January 23, 1998,
partially transcribed in the SSTS of October 9, 2009, Rec 5285/2005, and 23
of October 2010, Rec 1067/2006, that "although the culpability of the conduct must
also be the subject of evidence, must be considered in order to assume the
corresponding charge, which ordinarily the volitional and cognitive elements
necessary to appreciate it are part of the proven typical behavior, and that its
exclusion requires that the absence of such elements be proven, or in its
regulations, that the diligence that was required by whoever claims his
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/28
nonexistence; is not enough, in short, to exculpate behavior
"the invocation of the absence of fault is typically unlawful".
Therefore, the lack of guilt is dismissed. The ultimate responsibility
on the treatment continues to be attributed to the person responsible, who is the one who determines the
existence of the treatment and its purpose. Let us remember that, in general, the
operators process their clients' data under the provisions of article 6.1
b) of the RGPD, as it is considered a necessary treatment for the execution of a
contract to which the interested party is a party (…).
In the present case, it is proven that Orange provided a duplicate of the card
eSIM of the complaining party to a third party, without its consent and without verifying the
identity of said third party, which has accessed information contained in the phone
mobile, such as bank details, passwords, email address and others
personal data associated with the terminal. Thus, the defendant did not verify the
personality of the person who requested the duplicate eSIM card, did not take the precautions
necessary to prevent these events from occurring.
Based on the above, in the case analyzed, the
diligence used by the defendant to identify the person who requested
a duplicate eSIM card.
Well, it is proven as recognized by the claimed party in its written statement.
response to this Agency, and in the allegations presented <<, the usurper
accessed the private Client web area (hereinafter, APC) of the Claimant, initiating
subsequently a conversation with the Digital Channel assisted and requesting through
This means the duplicate eSIM. Having, therefore, verified the irregularity in the
request for the duplicate, the Risk Analysis team confirmed that the Claimant,
owner of the line ***TELEFONO.1, has probably been a victim of phishing,
smishing or some other social engineering instrument (which could not be
identified by this company in the course of the investigations) through its APC
from where the duplicate e-SIM was requested without having requested a reset of the
passwords, that is, the criminal already knew them previously>>.
In accordance with the evidence available at this procedural moment,
It is estimated that the conduct of the complained party violates article 6.1 of the RGPD
which may constitute the infraction classified in article 83.5.a) of the aforementioned
Regulation 2016/679.
In this sense, Recital 40 of the GDPR states:
“(40) For the processing to be lawful, personal data must be processed with the
consent of the interested party or on some other legitimate basis established in accordance
a Law, whether in this Regulation or under other Union law
or of the Member States referred to in this Regulation, including the
need to comply with the legal obligation applicable to the person responsible for the treatment or the
need to execute a contract to which the interested party is a party or for the purpose of
take measures at the request of the interested party prior to the conclusion of a
contract."
III
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/28
Unfulfilled Obligation
Article 4 of the GDPR, under the heading “Definitions”, provides the following:
“1) “personal data”: any information about an identified natural person or
identifiable ("the interested party"); Any person will be considered an identifiable natural person
whose identity can be determined, directly or indirectly, in particular by
an identifier, such as a name, an identification number, data
location, an online identifier or one or more elements of identity
physical, physiological, genetic, mental, economic, cultural or social of said person;
2) "treatment": any operation or set of operations performed on
personal data or sets of personal data, whether by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction.”
7) "responsible for the treatment" or "responsible": the natural or legal person,
public authority, service or other body that, alone or jointly with others, determines the
purposes and means of processing; whether Union or Member State law
determines the purposes and means of the treatment, the person responsible for the treatment or the
Specific criteria for their appointment may be established by Union Law.
or of the Member States”
ORANGE, is responsible for the processing of data referred to in the
background exposed, since in accordance with the definition of article 4.7 of the
RGPD is what determines the purpose and means of the treatments carried out with the
purposes indicated in its Privacy Policy.
Likewise, the issuance of a duplicate eSIM involves the processing of the data
personal data of its owner since any identifiable natural person will be considered
person whose identity can be determined, directly or indirectly, in particular
via an identifier (Article 4.1 of the GDPR).
The defendant is accused of committing an infraction due to violation of article 6
of the RGPD, “Legitimacy of processing”, which indicates in section 1 the assumptions in which
that the processing of third party data is considered lawful:
"1. Treatment will only be legal if at least one of the following is met
conditions:
a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;
b) the processing is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/28
d) the processing is necessary to protect vital interests of the interested party or another
Physical person;
e) the processing is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the controller;
f) the processing is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that regarding said
interests do not prevail over the interests or fundamental rights and freedoms of the
interested party requiring the protection of personal data, in particular when the
interested is a child. The provisions of letter f) of the first paragraph will not be
application to the processing carried out by public authorities in the exercise of their
functions.”
IV
Classification and Qualification of the infraction
The infringement is classified in article 83.5 of the RGPD, which considers as such:
"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
1. The basic principles for treatment, including the conditions for treatment
consent in accordance with articles 5,6,7 and 9.”
The LOPDGDD, for the purposes of the prescription of the infringement, qualifies in its article 72.1
of very serious infringement, in this case the limitation period being three years,
<<b) The processing of personal data without any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679>>
V
Sanction
The determination of the sanction that should be imposed in the present case requires
observe the provisions of articles 83.1 and 2 of the RGPD, precepts that,
respectively, they provide the following:
"1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this
Regulations indicated in sections 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.”
"2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/28
a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to pa-
bundle the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment, given
gives an account of the technical or organizational measures that have been applied under the
articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what
extent;
i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or certification mechanisms
fication approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or indirect.
mind, through infringement.”
Within this section, the LOPDGDD contemplates in its article 76, entitled “Sancio-
tions and corrective measures”:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of medical treatments.
personal information.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/28
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission
of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Have, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
disputes exist between them and any interested party.
3. It will be possible, complementary or alternatively, the adoption, when appropriate, of
the remaining corrective measures referred to in article 83.2 of the Regulation
(EU) 2016/679.”
In accordance with the precepts transcribed for the purposes of setting the amount of the sanction of
fine to be imposed on the entity claimed as responsible for a classified infraction
in article 83.5.a) of the RGPD and 72.1 b) of the LOPDGDD, are considered concurrent in
the present case the following factors:
As aggravating circumstances:
- The circumstance of article 83.2.e) RGPD: “Any previous infraction committed by the
responsible or the person in charge of the treatment”.
Recital 148 of the GDPR states “In order to strengthen the application of the rules
of this Regulation [...]” and indicates in this regard that “It must, however,
Special attention should be paid to the nature, severity and duration of the infringement, its
intentional character [...] or to any pertinent infringement [...]”.
Thus, in accordance with section e) of article 83.2. GDPR, in determining the
amount of the administrative fine sanction cannot fail to be valued all
those previous infractions of the person responsible or of the person in charge of treatment in
in order to gauge the illegality of the analyzed behavior or the guilt of the subject
offender.
Furthermore, a correct interpretation of the provision of article 83.2.e) RGPD does not
can ignore the purpose pursued by the rule: to decide the amount of the sanction of
administrative fine in the individual case raised, always taking into account that the
sanction is proportional, effective and dissuasive.
There are numerous sanctioning procedures processed by the AEPD in which
The defendant has been sanctioned for violating article 6.1 GDPR:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/28
i.EXP202204288 Resolution issued on January 31, 2023 in which a
penalty of 70,000 euros. The facts concerned a duplicate SIM card
fraudulent without legitimacy.
ii.EXP202203638. Resolution issued on January 30, 2023 in which a
penalty of 70,000 euros. The facts concerned a duplicate SIM card
fraudulent without legitimacy.
- The evident link between the business activity of the defendant and the
processing of personal data of clients or third parties (article 83.2.k, of the RGPD
in relation to article 76.2.b, of the LOPDGDD).
The Judgment of the National Court of 10/17/2007 (rec. 63/2006), in which,
regarding entities whose activity involves continuous data processing
of clients, indicates that “…the Supreme Court has been understanding that there is
recklessness whenever a legal duty of care is neglected, that is, when the
offender does not behave with the required diligence. And in assessing the degree of
diligence, the professionalism or otherwise of the subject must be especially considered, and not
There is no doubt that, in the case now examined, when the activity of the appellant
is constant and abundant handling of personal data, it must be insisted on
the rigor and exquisite care to comply with the legal preventions in this regard.”
As extenuating circumstances:
Orange requests that the following mitigating circumstances be appreciated:
At no time have special categories of data been processed. The degree of
Orange's cooperation with the AEPD in order to remedy an alleged
infringement and mitigate its possible adverse effects. The non-existent benefit obtained by
part of Orange derived from the data processing involved in this procedure.
None of the circumstances invoked are admitted.
Regarding the fact that special categories of data have not been treated, art. 83.2.g GDPR,
It would be an aggravating circumstance, so it cannot be classified in that circumstance.
extenuating.
Article 83.2.d) RGPD: “The degree of responsibility of the person responsible or the
person in charge of processing, taking into account the technical or organizational measures that
have applied under articles 25 and 32;”.
The defendant has limited herself to stating that the third party that contracted with her exceeded the
company security policy without providing any evidence to show that
obtained from the person who participated in the contracting any document that accredited
that he was effectively the owner of the data that he had provided as his own or that
articulated some mechanism that would allow the veracity of the data to be verified.
identity provided.
On the other hand, the principle of proactivity means transferring the person responsible for the
treatment the obligation not only to comply with the regulations, but also to be able
demonstrate compliance. Among the mechanisms that the RGPD contemplates to
to achieve this are those provided for in article 25, “data protection from the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/28
design", according to which the person in charge must apply "both at the time of
determine the means of treatment as at the time of the treatment itself.”
technical and organizational measures that guarantee effective application of
the principles of the GDPR regarding the processing it carries out.
Article 83.2.f) of the GDPR refers to the “degree of cooperation with the authority of
control in order to remedy the violation and mitigate the possible effects
adverse of the infringement;”. The response of the defendant to the information request
of the Inspection Subdirectorate did not fulfill these purposes, so it is not
fit into that extenuating circumstance.
The consideration of cooperation with the Agency as a mitigating circumstance, as
claimed, is not linked to any of the cases in which it may be
there is a collaboration or cooperation or requirement for the sake of a legal mandate,
when the actions are due and required by Law, as in the case that we
occupies
To this end, the Committee's Guidelines 04/2022 must be taken into consideration.
European Data Protection Regulation on the calculation of administrative fines with
in accordance with the RGPD, in its version 2.1 adopted on May 24, 2023, which
point out that “the ordinary duty of cooperation must be considered mandatory
and, therefore, it should be considered neutral (and not a mitigating factor).”
This is confirmed in the same EDPB Guidelines on the application and
fixing of administrative fines for the purposes of Regulation 2016/679, adopted on 3
October 2017, which states that “That said, it would not be appropriate to have
additionally take into account the cooperation required by law; For example, in any case
requires the entity to allow the control authority access to the facilities to
carry out audits or inspections.
On the application of article 76.2.c) of the LOPDGDD, in connection with the article
83.2.k), lack of benefits obtained, it should be noted that such circumstance only
It can operate as an aggravating circumstance and in no case as a mitigating circumstance.
Article 83.2.k) of the GDPR refers to “any other aggravating or mitigating factor
applicable to the circumstances of the case, such as the financial benefits obtained or the
losses avoided, directly or indirectly, through the infringement.” and the article
76.2c) of the LOPDGDD says that “2. In accordance with the provisions of article 83.2.k) of the
Regulation (EU) 2016/679 may also be taken into account: [..] c) The benefits
obtained as a consequence of the commission of the infraction.” Both provisions
mentioned as a factor that can be taken into account in the graduation of the sanction
the “benefits” obtained, but not the “absence” of these, which is what Orange alleges.
Furthermore, in accordance with article 83.1 of the RGPD, the imposition of fine sanctions
is governed by the following principles: they must be individualized for each
particular case, be effective, proportionate and dissuasive. The admission that it operates
as a mitigating factor, the absence of benefits is contrary to the spirit of article 83.1
of the GDPR and the principles governing the determination of the amount of the
fine sanction. If, as a result of the commission of a violation of the RGPD, it is classified as
mitigating factor that there have been no benefits, the deterrent purpose that
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/28
It is fulfilled through sanction. Accept ORANGE's thesis in a case like
the one in question would mean introducing an artificial reduction in the sanction that
It is truly necessary to impose oneself; which results from considering the circumstances
of article 83.2 RGPD that must be assessed.
The Administrative Litigation Chamber of the National Court has warned that, the
fact that in a specific case not all the elements that
integrate a circumstance modifying responsibility that, by its nature,
has an aggravating nature, it cannot lead to the conclusion that such circumstance is applicable
as a mitigating factor. The pronouncement made by the National Court in its
SAN of May 5, 2021 (Rec. 1437/2020) - even though that resolution is seen
on the circumstance of section e) of article 83.2. of the GDPR, the commission
previous infractions - can be extrapolated to the question raised, the claim of the
demand that the “absence” of benefits be accepted as a mitigating factor, being thus
that both the RGPD and the LOPDGDD refer only to “the benefits obtained”:
- The claimed party proceeded to resolve the incident that was the subject of the claim in a manner
effective (art. 83.2 c).
It is appropriate to graduate the sanction to be imposed on the person complained of and set it at the amount of 200,000
€ for the alleged violation of article 6.1) typified in article 83.5.a) of the
cited GDPR.
Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE ORANGE ESPAGNE, S.A.U., with NIF A82009812, for a
violation of Article 6.1 of the GDPR, typified by Article 83.5 of the GDPR, a fine
for an amount of 200,000 euros (two hundred thousand euros).
SECOND: NOTIFY this resolution to ORANGE ESPAGNE, S.A.U.
THIRD: This resolution will be enforceable once the deadline to file the
optional resource for replacement (one month counting from the day following the
notification of this resolution) without the interested party having made use of this power.
The sanctioned person is warned that he must make effective the sanction imposed once
This resolution is executive, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Real
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, through your entry, indicating the NIF of the sanctioned person and the number of
procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A.. Otherwise, it will be
collection in executive period.
Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/28
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative procedure within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
