AEPD (Spain) - PS/00135/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 19.05.2021
Published: 25.05.2021
Fine: 75000 EUR
Parties: Telefónica España, S.A.U.
National Case Number/Name: PS-00135-2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Paola León

The Spanish DPA fined Telefónica €75,000 (reduced to €45,000) for violating Article 6(1) GDPR, by creating a contract containing the complainant's personal data without a legal basis.

English Summary

Facts

A data subject filed a complaint with the Spanish Data Protection Authority (AEPD) against the telecommunications company Telefónica. The complaint alleged that the data subject's personal data had been used, without their knowledge or authorisation, to contract a Movistar service from March to October 2019, when the line was cancelled due to non-payment.

The data subject indicated that they had been included in the credit information files for an unrecognised debt. They also indicated that they had no relationship whatsoever with the contracted service or with the installation address of said services. Likewise, the data subject did not know how the debt collection company had been able to locate them at their phone number.

During the investigation, the controller indicated that it held no copy of the documentation collected to verify the complainant's identity, and that for this reason it had cancelled the contracted services and all the invoices issued in the data subject's name.

Telefónica confirmed that the incident could possibly have been caused by identity theft and that it had taken all necessary actions to regularise the situation, cancelling the debt and requesting the exclusion of the complainant from the asset insolvency files in which they had been included. Telefónica advised that during 2020 it had implemented several organisational and technical measures to prevent recurrence of incidents of this type.

Holding

The DPA alleged that the controller had not been diligent enough and had not implemented adequate measures to prevent identity theft. As a result, in this case the controller was unable to produce proof of the calls with the initial contracting party or of the identification they provided.

The DPA therefore argued that the lack of diligence and the inability to present proof constitute a breach of the accountability principle, and hence that there is no justification for the controller to process personal data without a legal basis, as the violation derives from a lack of diligence and from non-compliance with its proactive responsibility obligation. The AEPD concluded that the controller had violated Article 6(1) GDPR by processing personal data without a legal basis.

Hence, the AEPD decided to fine Telefónica €75,000 for the violation of Article 6(1) GDPR, reduced to €45,000 for prompt payment and admission of responsibility.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure No.: PS / 00135/2021

RESOLUTION R / 00387/2021 OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT


In the sanctioning procedure PS / 00135/2021, instructed by the Spanish Agency for
Data Protection to TELEFÓNICA DE ESPAÑA, S.A.U., after the complaint
submitted by A.A.A., and based on the following,


                                 BACKGROUND

FIRST: On April 14, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against TELEFÓNICA DE
ESPAÑA, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed:

<<





Procedure No.: PS / 00135/2021




           AGREEMENT TO START THE SANCTIONING PROCEDURE



From the actions carried out by the Spanish Agency for Data Protection and
based on the following:




                                     FACTS



FIRST: D. A.A.A. (hereinafter, the claimant) filed a claim with the Spanish
Data Protection Agency on February 26, 2020. The claim is directed against
TELEFÓNICA DE ESPAÑA, S.A.U. with NIF A82018474 (hereinafter, the claimed).




The reasons on which the claim is based are that his data has been used to
contract a Movistar Fusion service from March 19, 2019 until October
of the same year, when the line was canceled due to non-payment.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/14










On the other hand, he indicates that he has been included in credit information
files for an unrecognized debt.

That he has no relationship whatsoever with the contracted service or with the
installation address of such services.

Likewise, he does not know how the debt collection company has located him from
the number *** PHONE. 1.




Relevant documentation provided by the claimant:



- Copy of police report dated February 19, 2020 where it is stated that:

       a. That the events occurred on 03/18/2019.

       b. That on 02/13/2020 he received a call from the number *** PHONE. 1,
       the caller identifying itself as ISFG advisory and claiming a debt of
       *** AMOUNT. 1 euros with Movistar.

       c. That the claimant states that he is not a Movistar customer, which is why
       he went to a Movistar office, where he was informed that there was indeed
       a debt in his name corresponding to five invoices dated
       05/04/2019, 06/04/2019, 07/04/2019, 08/04/2019, 09/04/2019.

       d. That the Movistar office was able to verify that, although the invoices
       appear in his name and show his DNI, the address that appears on them is
       that of *** ADDRESS.1, an address that is totally unknown to the
       claimant.





       e. That someone must have used his data, and that at no time has he lost
       his ID or had it stolen.


- Copy of Certificate of Registration of the DAIMUS City Council, signed on
02/24/2020, showing the name, surname and DNI number of the claimant and the
address *** ADDRESS. 2.




- Copy of Movistar Fusion invoices with invoice dates 05/04/2019, 06/04/2019,
07/04/2019, 08/04/2019, 09/04/2019 respectively, which show:

       a. The first consumption period is from March 18, 2019 to April 17,
       2019 and the last consumption period is from July 18 to August 17.

       b. The fixed line *** PHONE. 2 and the mobile line *** PHONE. 3.

       c. The identification data of the claimant, ID, and address
       *** ADDRESS. 1.




SECOND: In view of the facts reported in the claim, the documents provided by
the claimant, and the facts and documents of which this Agency has become aware,
the Subdirectorate General for Data Inspection proceeded to carry out
preliminary investigation actions for the clarification of the facts in
question, by virtue of the powers of investigation granted to the control
authorities in article 57.1 of Regulation (EU) 2016/679 (General Data
Protection Regulation, hereinafter RGPD), and in accordance with the provisions
of Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5,
on Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD).




As a result of the investigative actions carried out, it is verified that the
data controller is the claimed party.




Likewise, the following points are found:



On 12/30/2020, TELEFÓNICA DE ESPAÑA, S.A.U. sends this Agency the

following information and statements:
1. That the contracting of services took place on March 20, 2019
through the telephone channel on 1004.

2. That the lines contracted were the fixed line *** TELEPHONE.2 and the mobile
lines *** PHONE. 3 and *** PHONE. 4.

3. That it has not been possible to locate a copy of the recording of the
contracting. That for this reason the contracted services were terminated and
all the invoices issued were canceled.

4. That the security measures that were implemented on 1004 at the time of
contracting, focused on verifying the identity of the contracting person for
new registrations, are:

        a. Verifying that the person is of legal age.

        b. Identification through name, surname, and number and type of
        identification document.

        c. Limiting the number of registrations to 5 with the same identification.

        d. Limiting the number of contracts at the same postal address to 5.

        e. Checking for previously incurred debt.

        f. Verification of the postal address through an internal address
        verification tool.

        g. Verification, at the address identified by the client, of the data
        provided by the client at registration, through the exhibition of the
        identity document to the installer.

5. That there is no copy of the documentation collected for the verification of
the identity of the claimant, which is why the contracted services were
terminated and all the invoices issued were canceled.

6. That during 2020 the following measures have been implemented:

        a. On the telephone channel.

        Referral to the face-to-face channel of those sensitive operations that
        call for additional customer identification (e.g. registration, mobile
        portability and SIM card duplicates).

        Referral to the online channel of operations to modify personal data, and
        to a specialized Back Office of requests for change of owner and changes
        of the means of contact for movistar.es credentials.

       b. In the face-to-face channel.

       An additional penalty has been established for the entire face-to-face
       channel for each transaction performed and incorrectly documented by a
       sales agent.

       Weekly publication of a report detailing, store by store, certain
       sensitive operations, to check whether or not customer identification is
       being performed correctly.

       Verification call for authorized persons, which consists of making a
       prior control call to the line for which certain sensitive operations are
       requested, so that the customer who owns the line can authorize or refuse
       said operation before its execution.


7. That in 2020 work has been done on the development of a client
authentication system via OTP to reinforce the level of identification of its
customers. That this system is being implemented progressively.

8. That in 2021 it is working on the development of digital onboarding for its
clients that allows them to have their verified digital identity registered and
biometric authentication.

9. That, in relation to the causes of the incident, it states that it has
confirmed that the facts were compatible with a possible identity theft and
that all the actions were carried out to regularize the situation, proceeding
to cancel the debt and request the exclusion of the claimant from the asset
insolvency files in which he had been included.

10. That a letter addressed to the claimant has been sent to his e-mail
address, and it provides a copy of the letter dated July 3, 2020.

11. It provides a screenshot of its systems showing the postal address of the
claimant as *** ADDRESS. 1.

12. It provides a copy of letters addressed to the claimant at the address that
appears in its systems claiming the debt. It provides certificates of dispatch
and non-return.














                             FOUNDATIONS OF LAW




                                              I




        By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to resolve this procedure.




                                              II



      The RGPD deals in its article 5 with the principles that must govern the
processing of personal data and mentions among them that of "lawfulness,
fairness and transparency". The precept provides:

      "1. Personal data will be:

         a) Processed in a lawful, fair and transparent manner in relation to the
         interested party;"

      Article 6 of the RGPD, "Lawfulness of processing", details in its section 1
the cases in which the processing of third-party data is considered lawful:

      "1. Processing will only be lawful if at least one of the following
conditions is met:

      a) the interested party gave their consent for the processing of their
      personal data for one or more specific purposes;

      b) the processing is necessary for the performance of a contract to which
      the interested party is a party, or for the application, at their request,
      of pre-contractual measures;

      (…)"


      The offense for which the claimed party is held responsible is typified in
Article 83 of the RGPD which, under the heading "General conditions for imposing
administrative fines", states:

      "5. Violations of the following provisions will be sanctioned, in accordance
with section 2, with administrative fines of a maximum of 20,000,000 EUR or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:

      a) The basic principles for processing, including the conditions for
      consent in accordance with articles 5, 6, 7 and 9."



       Organic Law 3/2018, on Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD), in its article 72, under the heading "Infractions
considered very serious", provides:

      "1. Based on what is established in article 83.5 of Regulation (EU)
2016/679, infractions that constitute a substantial violation of the articles
mentioned therein are considered very serious and will be time-barred after
three years, in particular the following:

        (…)

       b) The processing of personal data without the concurrence of any of the
       conditions of lawfulness of processing established in article 6 of
       Regulation (EU) 2016/679."



       It must be taken into account that the documentation in the file
offers evidence that the claimed party violated article 6.1 of the RGPD, since
it processed the personal data of the claimant without legitimation to do so.

       The claimed party recognizes the possible identity theft in a
contracting carried out on channel 1004. However, it states that it does not
have the recording, nor does it hold a copy of the documentation collected for
the verification of the identity of the claimant.

       It also indicates that it has canceled the debt and requested the
exclusion from the insolvency files, and that it has adopted a series of
measures aimed at improving the identity verification system, some applied as
early as 2020, and

others in development.



        The lack of diligence displayed by the entity in complying with the
obligations imposed by the personal data protection regulations is thus
evident. Diligent compliance with the principle of lawfulness in the processing
of third-party data requires that the data controller be in a position to
prove it (principle of proactive responsibility).






                                                III





      In order to determine the administrative fine to be imposed, the provisions
of articles 83.1 and 83.2 of the RGPD must be observed, precepts that indicate:

      "Each control authority will guarantee that the imposition of
administrative fines under this article for the infractions of this
Regulation indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive."




      "Administrative fines will be imposed, depending on the circumstances of
each individual case, in addition to or instead of the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an
administrative fine and its amount in each individual case, due account will be
taken of:

        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question,
        as well as the number of interested parties affected and the level of
        damages they have suffered;

        b) intentionality or negligence in the infringement;

        c) any measure taken by the controller or processor
        to alleviate the damages suffered by the interested parties;

        d) the degree of responsibility of the controller or processor,
        taking into account the technical or organizational measures they have
        applied by virtue of articles 25 and 32;

        e) any previous infringement committed by the controller or processor;

        f) the degree of cooperation with the supervisory authority in order to
        remedy the violation and mitigate the possible adverse effects of the violation;
        g) the categories of personal data affected by the infringement;

        h) the way in which the supervisory authority learned of the infringement,
        in particular whether the controller or processor notified the
        infringement and, if so, to what extent;

        i) when the measures indicated in article 58, paragraph 2, have been
        previously ordered against the controller or processor concerned
        in relation to the same matter, compliance with said measures;

        j) adherence to codes of conduct under article 40 or to certification
        mechanisms approved in accordance with Article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, directly
        or indirectly, through the infringement."


        Regarding section k) of article 83.2 of the RGPD, the LOPDGDD,
        Article 76, "Sanctions and corrective measures", provides:

      "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,
         the following may also be taken into account:

        a) The continuing nature of the offense.

        b) The linking of the activity of the offender with the performance of
        processing of personal data.

        c) The benefits obtained as a result of the commission of the offense.

        d) The possibility that the affected person's conduct could have led to the
        commission of the offense.

        e) The existence of a process of merger by absorption subsequent to the commission of
        the infringement, which cannot be attributed to the absorbing entity.

        f) Affecting the rights of minors.

        g) Having, when not mandatory, a data protection officer.

        h) The submission by the controller or processor, on a voluntary basis,
        to alternative dispute resolution mechanisms, in those cases in which
        there are controversies between them and any interested party."

      In accordance with the transcribed precepts, and without prejudice to what results
      from the instruction of the procedure, in order to set the amount of the
      fine to be imposed on the claimed party as responsible for an offense typified in
      Article 83.5.a) of the RGPD, in an initial assessment the following are
      considered to concur in the present case as aggravating factors:

      - The duration of the illegitimate processing of the affected party's data carried out by the

       claimed party (article 83.2.a) of the RGPD).

     - The intentionality or negligence of the infringement (article 83.2.b) of the RGPD).

     - Basic personal identifiers are affected (personal and banking data)
       (art. 83.2.g) of the RGPD).

     - The evident link between the business activity of the claimed party and the
       processing of personal data of clients or third parties (article 83.2.k) of the
       RGPD in relation to article 76.2.b) of the LOPDGDD).

       Therefore, based on the foregoing,

       By the Director of the Spanish Data Protection Agency,

       IT IS AGREED:




FIRST: INITIATE SANCTIONING PROCEDURE against TELEFÓNICA DE
ESPAÑA, S.A.U. with NIF A82018474, for the alleged violation of article 6.1 of
the RGPD, typified in article 83.5.a) of the aforementioned RGPD.



SECOND: APPOINT D. B.B.B. as instructor and Ms. C.C.C. as secretary,
indicating that either of them may be challenged, if applicable, in accordance
with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the
Legal Regime of the Public Sector (LRJSP).



THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its documentation, and the documents
obtained and generated by the General Subdirectorate for Data Inspection.



FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of
October 1, on the Common Administrative Procedure of Public Administrations, the
penalty that may correspond would be 75,000 euros (seventy-five thousand euros),
without prejudice to what results from the instruction.



FIFTH: NOTIFY this agreement to TELEFÓNICA DE ESPAÑA, S.A.U. with
NIF A82018474, granting a hearing period of ten business days so that it may
formulate the allegations and present the evidence that it deems appropriate. In its

statement of allegations it must provide its NIF and the procedure number that appears
at the top of this document.




If within the stipulated period it does not make allegations to this initiation
agreement, the agreement may be considered a resolution proposal, as
established in article 64.2.f) of Law 39/2015, of October 1, on the Common
Administrative Procedure of the Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed is a fine, you may recognize your responsibility within the
term granted for the formulation of allegations to the present initiation agreement,
which will entail a reduction of 20% of the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be
established at 60,000 euros, resolving the procedure with the imposition of this
sanction.




In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the penalty would be set at 60,000 euros and its payment will imply the termination of the
procedure.




The reduction for the voluntary payment of the penalty is cumulative with the one
that applies for the acknowledgment of responsibility, provided that this
acknowledgment of responsibility is made manifest within the period granted to
formulate allegations at the opening of the procedure. The voluntary payment of
the amount referred to in the preceding paragraph may be made at any time prior
to the resolution. In this case, if both reductions are applied, the amount of
the penalty would be set at 45,000 euros.




In any case, the effectiveness of either of the two mentioned reductions will be
conditioned on the withdrawal or waiver of any administrative action or remedy
against the sanction.



In case you choose to proceed to the voluntary payment of any of the amounts


indicated above, 60,000 euros or 45,000 euros, you must make it effective
by paying it into the account number ES00 0000 0000 0000 0000 0000 opened in the
name of the Spanish Agency for Data Protection at Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the ground for reduction of the amount that is
invoked.




Likewise, you must send the proof of payment to the Subdirectorate General of
Inspection to continue the procedure according to the amount
paid.



The procedure will have a maximum duration of nine months from the
date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, it will expire and, consequently, the proceedings will be
archived, in accordance with the provisions of article 64 of the LOPDGDD.



Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
there is no administrative appeal against this act.



Mar España Martí
Director of the Spanish Agency for Data Protection















>>


SECOND: On May 17, 2021, the defendant has proceeded to pay the
sanction in the amount of 45,000 euros making use of the two planned reductions
in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any administrative action or
appeal against the sanction and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.

                            FOUNDATIONS OF LAW

                                             I


By virtue of the powers that article 58.2 of the RGPD recognizes to each control
authority, and as established in art. 47 of Organic Law 3/2018, of December 5,
on Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
Telecommunications (hereinafter LGT), in accordance with the provisions of
article 84.3 of the LGT; and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on information society services
and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.


                                             II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter, LPACAP), under the heading
"Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges
his responsibility, the procedure may be resolved with the imposition of the
appropriate sanction.

2. When the sanction is solely of a pecuniary nature, or when both a pecuniary
and a non-pecuniary sanction may be imposed but the inadmissibility of the
second has been justified, the voluntary payment by the presumed responsible
party, at any time prior to the resolution, will imply the termination of the
procedure, except as regards the restoration of the altered situation or the
determination of compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the
body competent to resolve the procedure will apply reductions of at least
20% on the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notice of initiation
of the procedure, and their effectiveness will be conditional on the withdrawal
or waiver of any administrative action or appeal against the sanction.

The percentage of reduction provided for in this section may be increased by
regulation."







In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00135/2021, in accordance
with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to TELEFÓNICA DE ESPAÑA, S.A.U.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations, interested parties may file
a contentious-administrative appeal before the Contentious-Administrative
Chamber of the National High Court, in accordance with the provisions of
article 25 and section 5 of the fourth additional provision of Law 29/1998, of
July 13, regulating the Contentious-Administrative Jurisdiction, within a period
of two months from the day following notification of this act, as provided in
article 46.1 of the aforementioned Law.



Mar España Martí
Director of the Spanish Agency for Data Protection
































