AEPD (Spain) - PS/00001/2021

From GDPRhub
Revision as of 11:57, 10 February 2022 by Douwe (talk | contribs) (→‎Holding)
AEPD (Spain) - PS-00001-2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 01.02.2022
Fine: 3940000 EUR
Parties: VODAFONE ESPAÑA, S.A.U.
National Case Number/Name: PS-00001-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined Vodafone €3,940,000 for violating Articles 5(1)(f) and 5(2) GDPR by not implementing appropriate security measures to prevent fraudulent replication of SIM cards, or being able to provide proof thereof.

English Summary

Facts

Nine data subjects filed several complaints with the Spanish DPA (AEPD) against Vodafone after being victims of fraud, due to the deceitful replication of their SIM cards.

The perpetrators obtained a replica of the data subjects' SIM cards through Vodafone, which could not verify the identity of the persons requesting them. The perpetrators used the SIM cards to carry out bank transfers from the data subjects' online banking services (which verify their users' identity via phone) and to transfer and spend money in other ways. The data subjects also reported these facts to the police.

Holding

The AEPD considered that Vodafone was not able to prove that they had verified neither the identity of the person requesting the SIM card replica, the invoices issued, nor the effectiveness of measures implemented to prevent identity theft.

The AEPD concluded that the security measures were insufficient, as any person who had the basic personal data of a data subject could circumvent Vodafone's security policy in this regard, and obtain a replica of the data subject's SIM card. Therefore, Vodafone showed a lack of accountability, breaching Article 5(2) GDPR, since there was a lack of proper analysis, planning, implementation, maintenance, control, and updating of their security measures. The AEPD noted that this is also related to data protection by design, enshrined in Article 25 GDPR.

Additionally, the AEPD concluded that the controller had violated Article 5(1)(f) GDPR, noting that although the GDPR does not demand specific results, it does require actions, and Vodafone did not act with enough diligence to prevent the circumvention of their security measures against identity theft. The AEPD stated that Vodafone should have known the risk, which has a strong impact on data subjects' rights and freedoms, and should have acted accordingly. According to the AEPD, the measures were obviously insufficient and not adequate, since a significant number of other similar cases had occurred, and not just the nine cases reported to the authority.

While Vodafone alleged that some of the cases occurred due to human error, the AEPD held that human error should be considered when determining the security measures, since they are always bound to happen and should be foreseen with risk analysis, planning, implementation and control of adequate technical and organisational measures. Therefore, a high number of human errors just highlights a lack of due care, or in other words, a lack of adequate security measures and a disregard for accountability-related obligations.

The AEPD also remarked that the data subjects had lost their power to exert control over their personal data. In this case, such personal data were of a particularly sensitive nature, since a SIM card provides access to apps and services that require authentication or password retrieval via SMS, therefore enabling identity theft for a large number of web services such as email, online banking, social networks, etc.

The AEPD decided to fine the controller €3,940,000 for the violation of Article 5(1)(f) GDPR and Article 5(2) GDPR. The AEPD considered that the fine was proportional, since the GDPR establishes that fines shall be dissuasive.

In this regard, the AEPD mentioned the CJEU Judgment Versalis Spa/Comisión, C-511/11, in which both the meaning of ‘general deterrence’ and ‘specific deterrence’ are explained, the meaning of the latter defined as 'to dissuade the specific defendant from infringing the rules again in the future'. The aforementioned judgment also establishes that 'the purpose of the multiplier for deterrence and the taking into consideration of the size and global resources of the undertaking in question resides in the impact sought on that undertaking, and the sanction must not be negligible in the light, particularly, of its financial capacity'.

Additionally, Spanish case law[1] notes that fines shall pursue that the perpetration of an offense is not be more beneficial to the offender than actual compliance with the rules.

The AEPD also declared that the fine was proportional taking into account, among others, the following aggravating factors: First, the nature, gravity and duration of the infringement. Second, number of data subjects affected, that was considered too high in relation to the risk at stake. Third, the level of damage suffered by them, that was also very high. The AEPD also remarked that a Data Protection Impact Assessment (DPIA) under Article 35 GDPR should have been considered. Fourth, the negligent character of the infringement. Fifth, previous infringements by the controller also related with identity theft, highlighting the following cases:

  • PS/00139/2020 (03/07/2020 - fine: €9000)
  • PS/00168/2020 (20/07/2020 - fine €45,000,00)
  • PS/00009/2020 (28/07/2020 - fine €48,000,00)
  • PS/00186/2020 (31/08/2020 - fine €60,000,00)
  • PS/00303/2020 (26/10/2020 - fine €36,000,00)
  • PS/00341/2020 (28/10/2020 - fine €30,000,00)
  • PS/00348/2020 (06/11/2020 - fine €42,000,00)
  • PS/00356/2020 (16/11/2020 - fine €42,000,00)
  • PS/00308/2020 (16/11/2020 - fine €36,000,00)
  • PS/00415/2020 (30/12/2020 - fine €54,000)
  • PS/00430/2020 (10/02/2021 - fine €120,000)

And sixth, the categories of personal data affected by the infringement, which in this case, as previously remarked, were personal data of a sensitive nature.

The AEPD finally remarked that the sanction was not imposed solely because of the complaints filed by the data subjects, but because such cases highlight the failure to comply with the security and accountability obligations that are evidenced by the deficiency in the security measures adopted by the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.