AEPD (Spain) - PS/00001/2021: Difference between revisions

Revision as of 21:02, 2 February 2022

AEPD (Spain) - PS-00001-2021

Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 5(1)(f) GDPR Article 5(2) GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:
Published:	01.02.2022
Fine:	3940000 EUR
Parties:	VODAFONE ESPAÑA, S.A.U.
National Case Number/Name:	PS-00001-2021
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	Carmen Villarroel

The Spanish DPA fined Vodafone €3,940,000 for the violation of Articles 5(1)(f) and 5(2) GDPR, as they had not implemented appropriate security measures to prevent fraudulent replication of SIM cards, nor was Vodafone able to prove that they had implemented such measures.

English Summary

Facts

Nine data subjects filed several complaints with the Spanish DPA (AEPD) against Vodafone after being victims of fraud, due to the deceitful replication of their SIM cards.

The perpetrators of such fraud obtained a replica of the data subjects' SIM cards through Vodafone, that could not verify the identity of the requesters. The perpetrators used the SIM cards to carry out bank transfers from the online banking services of the data subjects, that verify their users' identity via phone, and to transfer and spend money in other ways. The data subjects also reported these facts to the police.

Holding

The Spanish DPA considered that Vodafone was not able to prove that they had verify the identity of the requester of the replication or the invoices issued, nor the effectiveness of the measures implemented to prevent identity theft.

The DPA concluded that the security measures were insufficient, as any person who had the basic personal data of a data subject could circumvent Vodafone's security policy in this regard, and obtain a replica of the data subject's SIM card. Therefore, Vodafone showed a lack of accountability, breaching Article 5(2) GDPR, since there was a lack of proper analysis, planning, implementation, maintenance, control, and updating of the security measures. This is also related, as the DPA noted, to data protection by design, enshrined in Article 25 GDPR.

The AEPD also concluded that the controller had violated Article 5(1)(f) GDPR. The DPA reasoned that the GDPR does not demands a result but to act, and Vodafone did not act with enough diligence to prevent the circumvention of their security measures against theft identity. The DPA states that Vodafone should have known the risk, that has a strong impact in the data subjects' rights and freedoms, and should have acted accordingly. According to the DPA, the measures were obviously insufficient and not adequate, since a relevant number of cases had happened (and not only the nine cases reported to the authority).

While Vodafone alleged that some of the cases occurred due to human error, the DPA alleged that human error shall be considered when determining the security measures, since human errors will always happen and shall be fought with risk analysis, planning and the implementation and control of adequate technical and organisational measures. Therefore, a high number of human errors just highlights a lack of such care; or in other words, a lack of adequate security measures and a disregard for accountability-related obligations.

The DPA also remarked that the data subjects had lost their power to arrange and control over their personal data. In this case, such personal data were of a particularly sensitive nature, since a SIM card allows for the access to apps and services that require authentication or password retrieval via SMS, enabling therefore identity theft for the majority of web service such as email, online banking, social networks, etc.

The AEPD decided to fine the controller €3,940,000 for the violation of Articles 5(1)(f) and 5(2) GDPR. The DPA considered that such fine was proportional, since the GDPR establishes that fines shall be dissuasive. In this regard, the DPA mentioned the CJEU Judgment Versalis Spa/Comisión, C-511/11, in which both the meaning of ‘general deterrence’ and ‘specific deterrence’ are explained, meaning the latter 'to dissuade the specific defendant from infringing the rules again in the future'.

The same judgment also establishes that 'the purpose of the multiplier for deterrence and the taking into consideration of the size and global resources of the undertaking in question resides in the impact sought on that undertaking, and the sanction must not be negligible in the light, particularly, of its financial capacity'.

Additionally, Spanish case law^[1] notes that fines shall pursue that the perpetration an offense shall not be more beneficial to the offender than compliance with the rules.

The DPA also declared that the fine was proportionate. The DPA took into account, among others, the following aggravating factors: First, the nature, gravity and duration of the infringement. Second, number of data subjects affected, that considered too high in relation to the risk at stake. Third, the level of damage suffered by them, that was also high. The DPA remarked that they should have been taken into account in a DPIA from Article 35 GDPR. Fourth, the negligent character of the infringement. Fifth, the relevant previous infringements by the controller. Here, the DPA pointed out the following cases, also related with identity theft:

PS/00139/2020 (03/07/2020 - fine: €9000)
PS/00168/2020 (20/07/2020 - fine €45,000,00)
PS/00009/2020 (28/07/2020 - fine €48,000,00)
PS/00186/2020 (31/08/2020 - fine €60,000,00)
PS/00303/2020 (26/10/2020 - fine €36,000,00)
PS/00341/2020 (28/10/2020 - fine €30,000,00)
PS/00348/2020 (06/11/2020 - fine €42,000,00)
PS/00356/2020 (16/11/2020 - fine €42,000,00)
PS/00308/2020 (16/11/2020 - fine €36,000,00)
PS/00415/2020 (30/12/2020 - fine €54,000)
PS/00430/2020 (10/02/2021 - fine €120,000)

Sixth, the categories of personal data affected by the infringement: in this case, as previously remarked, they were personal data of a sensitive nature.

The AEPD finally remarked that the sanction is not imposed because of the complaints filed by the data subjects, but because such cases highlight the failure to comply with the security and accountability obligations, that are evidenced by the deficiency of the security measures adopted by the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

↑ STS, 11 de Mayo de 2006, ES:TS:2006:3384, https://vlex.es/vid/tasadora-grave-homologacion-cobertura-24281875

[1] STS, 11 de Mayo de 2006, ES:TS:2006:3384, https://vlex.es/vid/tasadora-grave-homologacion-cobertura-24281875

[1]

@@ Line 71: / Line 71: @@
 The DPA also remarked that the data subjects had lost their power to arrange and control over their personal data. In this case, such personal data were of a particularly sensitive nature, since a SIM card allows for the access to apps and services that require authentication or password retrieval via SMS, enabling therefore identity theft for the majority of web service such as email, online banking, social networks, etc.
-The AEPD decided to fine the controller €3,940,000 for the violation of Articles 5(1)(f) and 5(2) GDPR. The DPA considered that such fine was proportional, since the GDPR establishes that fines shall be dissuasive. In this regard, the DPA mentioned the CJEU Judgment Versalis Spa/Comisión, C-511/11, in which both the meaning of ‘general deterrence’ and ‘specific deterrence’, meaning the later 'to dissuade the specific defendant from infringing the rules again in the future'.
+The AEPD decided to fine the controller €3,940,000 for the violation of Articles 5(1)(f) and 5(2) GDPR. The DPA considered that such fine was proportional, since the GDPR establishes that fines shall be dissuasive. In this regard, the DPA mentioned the [https://curia.europa.eu/juris/document/document.jsf?text=&docid=138383&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2204252 CJEU Judgment Versalis Spa/Comisión, C-511/11], in which both the meaning of ‘general deterrence’ and ‘specific deterrence’ are explained, meaning the latter 'to dissuade the specific defendant from infringing the rules again in the future'.
 The same judgment also establishes that 'the purpose of the multiplier for deterrence and the taking into consideration of the size and global resources of the undertaking in question resides in the impact sought on that undertaking, and the sanction must not be negligible in the light, particularly, of its financial capacity'.
-Additionally, Spanish case law notes that fines shall pursue that the perpetration an offense shall not be more beneficial to the offender than compliance with the rules.
+Additionally, Spanish case law<ref>STS, 11 de Mayo de 2006, ES:TS:2006:3384, https://vlex.es/vid/tasadora-grave-homologacion-cobertura-24281875</ref> notes that fines shall pursue that the perpetration an offense shall not be more beneficial to the offender than compliance with the rules.
-The DPA also declared that the fine was proportionate. The DPA took into account, among others, the following aggravating factors: First, the nature, gravity and duration of the infringement. Second, number of data subjects affected, that considered too high in relation to the risk at stake. Third, the level of damage suffered by them, that was also high. The DPA remarked that they should have been taken into account in a DPIA from [[Article 35 GDPR|Article 35 GDPR]]. Fourth, the negligent character of the infringement. Fifth, the relevant previous infringements by the controller. The DPA pointed out the following cases, also related with identity theft:
+The DPA also declared that the fine was proportionate. The DPA took into account, among others, the following aggravating factors: First, the nature, gravity and duration of the infringement. Second, number of data subjects affected, that considered too high in relation to the risk at stake. Third, the level of damage suffered by them, that was also high. The DPA remarked that they should have been taken into account in a DPIA from [[Article 35 GDPR|Article 35 GDPR]]. Fourth, the negligent character of the infringement. Fifth, the relevant previous infringements by the controller. Here, the DPA pointed out the following cases, also related with identity theft:
-PS/00139/2020 (03/07/2020 - fine: €9000)
+* PS/00139/2020 (03/07/2020 - fine: €9000)
+* PS/00168/2020 (20/07/2020 - fine €45,000,00)
-PS/00168/2020 (20/07/2020 - fine €45,000,00)
+* PS/00009/2020 (28/07/2020 - fine €48,000,00)
+* PS/00186/2020 (31/08/2020 - fine €60,000,00)
-PS/00009/2020 (28/07/2020 - fine €48,000,00)
+* PS/00303/2020 (26/10/2020 - fine €36,000,00)
+* PS/00341/2020 (28/10/2020 - fine €30,000,00)
-PS/00186/2020 (31/08/2020 - fine €60,000,00)
+* PS/00348/2020 (06/11/2020 - fine €42,000,00)
+* PS/00356/2020 (16/11/2020 - fine €42,000,00)
-PS/00303/2020 (26/10/2020 - fine €36,000,00)
+* PS/00308/2020 (16/11/2020 - fine €36,000,00)
+* PS/00415/2020 (30/12/2020 - fine €54,000)
-PS/00341/2020 (28/10/2020 - fine €30,000,00)
+* PS/00430/2020 (10/02/2021 - fine €120,000)
-PS/00348/2020 (06/11/2020 - fine €42,000,00)
-PS/00356/2020 (16/11/2020 - fine €42,000,00)
-PS/00308/2020 (16/11/2020 - fine €36,000,00)
-PS/00415/2020 (30/12/2020 - fine €54,000)
-PS/00430/2020 (10/02/2021 - fine €120,000)
 Sixth, the categories of personal data affected by the infringement: in this case, as previously remarked, they were personal data of a sensitive nature.
 The AEPD finally remarked that the sanction is not imposed because of the complaints filed by the data subjects, but because such cases highlight the failure to comply with the security and accountability obligations, that are evidenced by the deficiency of the security measures adopted by the controller.
 == Comment ==
 ''Share your comments here!''