AEPD (Spain) - PS-00507-2022

From GDPRhub
Revision as of 10:54, 22 January 2024 by Ar (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS-00507-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(1) GDPR
Article 6(1) GDPR
Article 57(1) GDPR
Article 58 GDPR
Article 83(2) GDPR
Article 83(5) GDPR
C-511/11
LOPDGDD 3/2018
LPACAP 39/2015
Type: Complaint
Outcome: Upheld
Started: 15.11.2022
Decided:
Published:
Fine: 70,000 EUR
Parties: n/a
National Case Number/Name: PS-00507-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Marie

The Spanish DPA fined a telecom company (the controller) €70,000 for issuing a duplicated SIM and provided it to a third party, without the data subjects's consent under Article 6 GDPR.

English Summary

Facts

On 27 August 2021 the Spanish telecommunication company DIGI SPAIN TELECOM, S.L. (controller) duplicated the SIM card of Mr. A.A.A. (data subject). It was provided to a third party through a sale. The duplicate was active on 28 August 2021 from 01:18 to 19:42. During this time the third party had access to the data subjects bank details and carried out various transactions. They also had access to social networks.

On 2 September 2021 the data subject filed a complaint with the responding Civil court.

On 15 November 2022 sanctioning proceedings were initiated, based on Article 63 and Article 64 LPACAP and an infringement of Article 6(1) GDPR typified in Article 83(5) GDPR.

After the proceedings were initiated, the controller provided documents proving that they took measures upon seeing the irregular issuing of the duplicate. They also proved that they took security measures, as only the distributor and the data subject could duplicate the SIM card. The controller proved that the third party must have been in possession of personal data of the subject already (eg. Through a “phishing” attack). The controller also showed how they implemented measures to prevent any repetition of the incident. The distributor was sent on temporary one-week leave.

Holding

The AEDP found that there was no unlawful processing of data, as the processing was done by a third party. The issuance of a duplicated SIM is not enough to carry out banking operations.

However, the controller breached the principles of confidentiality and security and didn’t behave with the needed due diligence. They didn’t carry out the identification check properly, giving access to a third party. The AEDP saw that the negligence and the obvious link between the controller’s business activity and the processing of data to a third party called for sanctioning.

Considering the culpability and responsibility of the controller, paired with their cooperation and adoption of measures the AEPD decided on a fine according to Article 58 GDPR Supporting this they, amongst others, used the Case Versalis Spa v Commission, C-511/11, as well as the Recital 40 of the GDPR as basis of their decision.

To conclude, the AEPD found an infringement of Article 6(1) GDPR typified in Article 83(5)(a) GDPR and classified it as a grave infringement (Article 72(1) LOPDGDD).

Due to these violations the AEPD issued a fine of €70,000 based on Article 83(2) GDPR and Article 76(2)(b) LOPDGDD.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/16










     File No.: EXP202104009



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following:


                                   BACKGROUND

FIRST: D. A.A.A. (hereinafter, the complaining party) dated September 2,
2021 filed a claim with the Spanish Data Protection Agency. The

claim is directed against DIGI SPAIN TELECOM, S.L. with NIF B84919760 (in
hereinafter, the claimed party or DIGI). The grounds on which the claim is based are:
following:

The complaining party states that a duplicate of his SIM card was made, despite
not having requested it. Likewise, he points out that the third party to whom he provided his card

SIM, based on the information contained in your mobile phone, had access to your data
banking, withdrawing sums of money from your account and carrying out various
banking operations, with the consequent economic damage, in addition to trying
access your social networks.


Relevant documentation provided by the complaining party:

- Complaints filed with the Civil Guard of La Zubia (Granada) exposing the
facts.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to
to proceed with its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.


The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on November 8, 2021 as
It appears in the acknowledgment of receipt that is in the file.


On December 3, 2021, this Agency received a response letter
indicating that you have received the claim from the interested party regarding the non-connectivity of
its numbering proceeded to provisionally suspend the service on the numbering
of the claimant in order to minimize any possible risk.

They point out that the duplicate was obtained through a point of sale while the
day 08/28/21 from 1:18 a.m. to 7:42 p.m., when the party
claimant recovers the numbering again.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/16








The data controller considered the facts as a case
of irregular issuance of duplicate cards, also adopting measures against
distributor.


Likewise, they indicate that they have adopted a series of measures that detail in order to
avoid situations like the one claimed in the future.

THIRD: In accordance with article 65 of the LOPDGDD, when presented
before the Spanish Data Protection Agency (hereinafter, AEPD) a

claim, it must evaluate its admissibility for processing, and must notify the
complaining party the decision on the admission or non-admission for processing, within the period of
three months since the claim was submitted to this Agency.

If, after this period, said notification does not occur, it will be understood that

The processing of the claim continues in accordance with the provisions of Title VIII of
the law.

This provision also applies to the procedures that the AEPD
had to be processed in the exercise of the powers attributed to it by other
laws.


In this case, taking into account the above and that the claim is
presented to this Agency, on September 2, 2021, it is reported that your
claim has been admitted for processing on December 2, 2021, having elapsed
three months since it was entered into the AEPD.


FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)

2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:

RESULT OF THE RESEARCH ACTIONS


(…)

The defendant reprimanded the distributor, punishing him with one week of
temporary suspension of the activity, indicating that the objective of the sanction is to avoid

future behaviors such as the one in the case. They provide a copy of the communication sent to
distributor. Furthermore, they declare having visited the distributor, reiterating the obligation
compliance with established procedures.

(…)


FIFTH: On November 15, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged
violation of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/16








SIXTH: On November 28, 2022, DIGI requests a copy of the file and the
extension of the legal period granted to respond to said request.


SEVENTH: On December 15, 2022, it is received in this Agency, in time
and form, writing from the representative of DIGI in which, in summary, it is alleged that
reiterate in the allegations previously presented, firstly pointing out
chronological manner in which the events occurred, indicating the security protocol and
the measures adopted due to these events, stating that DIGI has not made
provision to alleged criminals of personal information of the claimant other than

of what those already had previously, after having obtained them through the
email.

Consequently, it is not possible to associate DIGI with the performance of non-medical treatment.
legitimized personal data, given that its action is reduced to compliance with

their processes and obligations.

That is, during the process of requesting and delivering the duplicate, a
processing of personal data provided to DIGI in order for it to
verify the identity of the interlocutor, first by telephone and later
in person.


Besides. DIGI states that it is proven that identity theft and
Access to the claimant's data illegitimately occurs prior to
have contact with DIGI, the alleged impersonator had the data in his possession
personal details of the claimant, including his bank account (which allowed him, as well

yourself, access it).

On the other hand, it points out that the AEPD unequivocally imposes on DIGI a
objective liability, in which, regardless of the diligence and measures
deployed, the entity's guilt is declared. The AEPD seems to confuse the

concept of proactive responsibility with the obligation of results imposed by the
objective liability. In the present case, the existence of a
strict control, prior and after the request for the duplicate, the establishment of
prior and a posteriori measures, as well as the existence of measures aimed at
avoid these practices beforehand.


That is why the claimed party considers that this Initiation Agreement is not
adjusted to law, since it imposes on DIGI an obligation of result, based
only in the harmful result that occurs due to the fraudulent activity of a
third, without taking into account the diligence used and without considering the deployment of measures
technically adequate and implemented.


Furthermore, it points out that the following mitigating circumstances exist in the present:
that have not been considered in the appropriate grading of the sanction:
The absence of previous infringements committed by DIGI (art. 83.2 e) RGPD).
At no time have special categories of data been processed (Art. 83.2 g)

GDPR)
The degree of cooperation of DIGI with the AEPD in order to remedy a
alleged infringement and mitigate its possible adverse effects (art. 83.2 f) GDPR).
The non-existent benefit obtained (Art. 83.2 k).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/16









Requests that a resolution be issued by means of which the file of the
procedure.


Subsidiarily warning and, ultimately, moderating or modulating the
proposal included in the Startup Agreement.

EIGHTH: On January 10, 2023, the instructor of the procedure agreed
perform the following tests: 1. The

claim filed by D. A.A.A. and its documentation, the documents obtained
and generated during the phase of admission for processing of the claim, and the report of
prior investigative actions that are part of the procedure. 2.
       Likewise, it is considered reproduced for evidentiary purposes, the allegations to the
agreement to initiate the referenced sanctioning procedure, presented by DIGI

SPAIN TELECOM, S.L., and the documentation that accompanies them.

NINTH: On February 2, 2023, a proposed resolution was formulated,
proposing that the Director of the Spanish Data Protection Agency
sanction DIGI SPAIN TELECOM, S.L., with NIF B84919760, for a violation of the
Article 6.1 of the RGPD, typified in Article 83.5 a) of the RGPD, the sanction that

would be a fine of 70,000 euros (seventy thousand euros).

TENTH: Once the proposed resolution was notified, the claimed party requested an extension
of the period to formulate allegations that was granted to him, he presented a written
allegations on February 27, 2023 in which, in summary, it is alleged that it is reiterated in

the allegations previously presented, and that in the report issued by the Agency
of Cybersecurity of the European Union ratifies that, to make a duplicate
SIM fraud, the fraudster needs to have access to some of the data
personal belongings of the victim, client of the operator. That is, cybercriminals,
They have personal information about their victims prior to going before the court.

Mobile Network Operator.

He points out that this is what happened in the present case, the victim lost control
on your personal data in favor of the impersonator prior to him
Contact DIGI. That is, it is through the “phishing” attack where the victim
you lose control over your personal data, and it is this fact that

triggers and enables the commission of fraud.

Likewise, it states that it must be taken into account that DIGI does not participate in the process
identification of a user before his bank, but it is the bank that determines the way
where you want to carry out this check, so it is not possible to transfer the

responsibility before telephone operators.

Likewise, they indicate that this is why the complained party considers that the Proposal
It is not in accordance with the law, since it imposes on DIGI an obligation of result,
consisting of the establishment of infallible measures, when imputing a violation of the

Article 6.1 of the GDPR based solely on the harmful result that occurs
due to the fraudulent intervention of a third party, without taking into account the diligence used and without
consider the deployment of technically appropriate and implemented measures.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/16








DIGI cannot foresee or know what the applicable duty of care is.

Regarding the lack of proportionality of the proposed sanction and that prior to the procedures

appropriate resolution is issued by means of which the procedure is archived
No. EXP202104009.

Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:




                                PROVEN FACTS

FIRST.- The claimant filed a claim with this Agency on the 2nd of

September 2021, which states that the claimed party provided on the 27th
August of the same year to a third party a duplicate of your SIM card, with the
consequence that he had access to his personal data, extracting sums of money
of your account and carrying out various banking operations.

SECOND.- DIGI certifies that the duplicate occurred on August 27,

2021 at 01:18 a.m. at a Point of Sale, and that DIGI has dealt with the case internally
as an irregular issuance of a duplicate SIM. Duplication could only be done
by the owner of the line and only in person at a distributor. The customer must
show the original identity document, photocopies not being valid, and the
dealer check the line number and identity document details that

They must match those that the client has in the systems of the claimed party.

THIRD. - It is clear that DIGI reprimanded the distributor, sanctioning him with a
week of temporary suspension of activity.



                           FOUNDATIONS OF LAW

                                           Yo

                                     Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to

initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions

in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/16








                                            II

                                  Unfulfilled Obligation

The claimed party is charged with committing an infraction due to violation of the
Article 6 of the GDPR, “Legality of processing”, which states in section 1 the

Cases in which the processing of third-party data is considered lawful:

"1. Treatment will only be legal if at least one of the following is met
conditions:

a) the interested party gave his consent for the processing of his personal data

for one or more specific purposes;

b) the processing is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;


c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;

d) the processing is necessary to protect vital interests of the interested party or another
Physical person;

e) the processing is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the controller;


f) the processing is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that regarding said
interests do not prevail over the interests or fundamental rights and freedoms of the
interested party requiring the protection of personal data, in particular when the
interested is a child. The provisions of letter f) of the first paragraph will not be
application to the processing carried out by public authorities in the exercise of their

functions.”

                                            III

                        Classification and classification of the offense

 The infringement is classified in article 83.5 of the RGPD, which considers as such:

"5. Violations of the following provisions will be sanctioned, in accordance with the

section 2, with administrative fines of a maximum of EUR 20,000,000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:


a) The basic principles for treatment, including the conditions for treatment
consent in accordance with articles 5,6,7 and 9.”

The LOPDGD, for the purposes of the prescription of the infringement, qualifies in its article 72.1

of very serious infringement, in this case the limitation period being three years, “b)
The processing of personal data without any of the conditions of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/16








legality of the treatment established in article 6 of Regulation (EU) 2016/679”.

In response to the allegations presented by the claimed entity, it should be noted
the next:


Regarding the fact that DIGI has not made available to the alleged criminals
personal information of the complaining party other than that already held by those with
anteriority. Consequently, there has been no non-legitimate treatment of
personal information.


Indeed, the issuance of a duplicate is not sufficient to carry out operations
bank accounts on behalf of the holders, certainly, to complete the scam, it is
necessary for a third party to “impersonate” the identity of the data owner before the entity
financial.

Which entails, a priori, a treatment outside the principle of legality, since a

third party is processing data, since it has access to them, without any legal basis, in addition
of the violation of other principles such as confidentiality.

For this reason, this is a process where the diligence provided by the
operators is essential to avoid this type of scams and violations of the RGPD.

Diligence that translates into the establishment of appropriate measures to guarantee
that the data processing complies with the RGPD.

The actions of the banking entities that
provide payment services, in which area this type of scam begins, since

The third party has access to the credentials of the affected user and impersonates
this.

While these entities are responsible for the processing of the data of their
clients, they have the same obligations as those indicated until now for the
operators referring to compliance with the RGPD and the LOPDGDD, and also the

derived from Royal Decree-Law 19/2018, of November 23, on payment services and
other urgent measures in financial matters.

It can be assumed that DIGI has provided a duplicate SIM card to a third party other than the
legitimate owner of the mobile line, after the third party exceeds the policy of

existing security, which shows a breach of the duty to protect the
customer information.

Denying the concurrence of negligent action on the part of DIGI would be equivalent to
recognize that their conduct - by action or omission - has been diligent. Obviously not

We share this perspective of the facts, since the
lack of due diligence. The SAN of October 17, 2007 is very illustrative.
(rec. 63/2006), assuming that these are entities whose activity involves
in continuous processing of customer data, indicates that “…the Supreme Court comes
understanding that imprudence exists whenever a legal duty of

care, that is, when the offender does not behave with the required diligence. And in the
assessment of the degree of diligence, special consideration must be given to professionalism
or not of the subject, and there is no doubt that, in the case now examined, when the
activity of the appellant is constant and abundant handling of data of a
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/16








personnel must insist on rigor and exquisite care in conforming to the
legal precautions in this regard.


It is proven in the file that security has not been guaranteed

appropriate in the processing of personal data, taking into account the result that
identity theft has occurred. That is, a third party has managed to access
to the personal data of the line owner.

Regarding the fact that the criminals have not managed to obtain personal data from

DIGI, so we cannot speak of non-compliance with protective measures,
point out that access to a duplicate SIM card that makes your
owner, responds to the definition of personal data in article 4.1) of the RGPD.

Regarding the responsibility of DIGI, it should be indicated that, in general, DIGI
processes the data of its clients under the provisions of article 6.1 b) of the RGPD,

because it is considered a necessary treatment for the execution of a contract in which
the interested party is a party or for the application at his request of measures
pre-contractual. In other cases, it bases the legality of the treatment on the bases
provided for in article 6.1.a), c), e) and f) of the RGPD.


On the other hand, to complete the scam, it is necessary for a third party to “impersonate the
identity” of the data owner, to receive the duplicate SIM card. Which
entails, a priori, a treatment outside the principle of legality since a third party is
processing data, since it has access to them, without any legal basis, in addition to the
violation of other principles such as confidentiality.


Certainly, the principle of responsibility provided for in article 28 of the LRJSP,
provides that: “They may only be sanctioned for acts that constitute an infraction
administrative authority of natural and legal persons, as well as, when a Law
recognize the capacity to act, the affected groups, the unions and entities without

legal personality and independent or autonomous assets, which are
responsible for them by way of fraud or guilt.”

However, the method of attributing responsibility to legal entities is not
corresponds to the intentional or reckless forms of guilt that are attributable

to human behavior. So, in the case of violations committed by
legal persons, although the element of guilt must be present, it is
necessarily applies in a different way than it does with respect to people
physical.


According to STC 246/1991 "(...) this different construction of the imputability of the self-
The infringement of the legal entity arises from the very nature of legal fiction.
to which these subjects respond. The volitional element in the strict sense is missing in them.
to, but not the ability to violate the rules to which they are subject.


Capacity for infringement and, therefore, direct blameworthiness that derives from the good
legal protected by the norm that is violated and the need for said protection
is really effective and for the risk that, consequently, the person must assume
legal entity that is subject to compliance with said norm" (in this sense STS of 24

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/16








of November 2011, Rec 258/2009).

To the above it must be added, following the ruling of January 23, 1998,
partially transcribed in the SSTS of October 9, 2009, Rec 5285/2005, and 23

of October 2010, Rec 1067/2006, that "although the guilt of the conduct must
also be the subject of evidence, must be considered in order to assume the
corresponding charge, which ordinarily the volitional and cognitive elements
necessary to appreciate it are part of the proven typical behavior, and that its
exclusion requires that the absence of such elements be proven, or in its
regulations, that the diligence that was required by whoever claims his

nonexistence; is not enough, in short, to exculpate behavior
"the invocation of the absence of fault is typically unlawful".

Therefore, the lack of guilt is rejected. The ultimate responsibility
on the treatment continues to be attributed to the person responsible, who is the one who determines the
existence of the treatment and its purpose. Let us remember that, in general, the

operators process their clients' data under the provisions of article 6.1
b) of the RGPD, as it is considered a necessary treatment for the execution of a
contract to which the interested party is a party (…). In this sense, DIGI has a
network of sales representatives, points of sale and approved distributors through a
distribution contract to offer DIGI services. Among these services

offered from their points of sale, is the creation of duplicate SIM cards
corresponding to a mobile telephone line.

Regarding non-compliance with the principle of proportionality, the GDPR provides
expressly the possibility of graduation, through the provision of fines
susceptible to modulation, taking into account a series of circumstances of each case

individual.

Regarding the imposition of a warning, reprimand, or the adoption of
corrective measures pursuant to article 58 of the GDPR, a deterrent fine is
one that has a genuine deterrent effect. In this regard, the Judgment of the
CJEU, June 13, 2013, Versalis Spa/Commission, C-511/11,

ECLI:EU:C:2013:386, says:

“94.With regard, first of all, to the reference to the Showa Denko v Commission judgment,
mentioned above, it must be noted that Versalis interprets it incorrectly. Indeed,
the Court of Justice, when pointing out in paragraph 23 of said judgment that the factor
deterrent is assessed taking into consideration a multitude of elements and not only the

particular situation of the company in question, referred to points 53 to 55 of
the conclusions presented in that case by Advocate General Geelhoed, who
had pointed out, in essence, that the multiplier coefficient of a deterrent nature
may have as its objective not only "general deterrence", defined as an action
to discourage all companies, in general, from committing the violation of

in question, but also a "specific deterrence", consisting of deterring the
specific defendant so that he does not violate the rules again in the future. For the
Therefore, the Court of Justice only confirmed, in that ruling, that the Commission did not
was required to limit its assessment to factors related only to the
particular situation of the company in question.”


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/16








“102. According to reiterated jurisprudence, the objective of the deterrent multiplier factor and
consideration, in this context, of the size and overall resources of the
company in question lies in the desired impact on the aforementioned company, since the

sanction should not be insignificant, especially in relation to the capacity
financial situation of the company (in this sense, see, in particular, the ruling of 17
Case C-413/08 P Lafarge v Commission [2010] ECR p. I-5361, section 104, and the order
of 7 February 2012, Total and Elf Aquitaine v Commission, C-421/11 P, paragraph 82).”

We must attend to the unique circumstances of the claim presented, through
from which it can be verified that, from the moment in which the person
impersonator performs the SIM replacement, the victim's phone is left without
service passing control of the line to the impersonators. Consequently,

their powers of disposal and control over their personal data are affected, which
constitute part of the content of the fundamental right to data protection
as stated by the Constitutional Court in Sentence 292/2000, of 30
November 2000 (FJ 7). So, when you get a duplicate SIM card,
Under certain circumstances, access to contacts or
applications and services that have the key recovery procedure

sending an SMS with a code to modify passwords. Definitely,
may impersonate those affected, being able to access and control, for
example: email accounts; bank accounts; applications like
WhatsApp; social networks, such as Facebook or Twitter, and much more. In short
accounts, once the access code is modified by the impersonators, they lose

control of your accounts, applications and services, which poses a great threat.
In short, it is the data controller who has the obligation to integrate the

necessary guarantees in the treatment, with the purpose of, by virtue of the principle of
proactive responsibility, comply and be able to demonstrate compliance, while
while respecting the fundamental right to data protection.

In the present case, it is proven that on August 27, 2021 DIGI
processed the issuance of a duplicate SIM card for the ***TELÉFONO.1 line,

belonging to the complaining party, and that according to DIGI the alleged impersonator exceeded
the established protocols.

Now, it should be noted that Sim Swapping is a fraud that allows impersonation
identity by hijacking the phone number by obtaining a duplicate of

the SIM card.

Well, the result was that the defendant issued the SIM card to a third party who did not
He was the owner of the line.

In fact, in the establishment where the duplicate SIM card was issued, it must have
the original of the identification document has been verified, thus,
If this operation had been carried out correctly, the duplicate should have been

denied.

In the explanation provided by the claimed party, it is not pointed out which could have
been the specific cause that led to the issuance of the duplicate, beyond
some generic explanations that the alleged impersonator had in his possession the

personal data of the claimant, including his bank account (which allowed him, as well
yourself, access it).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/16









On the other hand, the party claimed in response to this Agency on December 3
of 2021, states that he reprimanded the distributor, sanctioning him with a week of

temporary suspension of the activity, indicating that the objective of the sanction is to avoid
future behaviors such as the one in the case.

Based on the above, in the case analyzed, the
diligence used by the defendant to identify the person who requested
a duplicate SIM card.


In accordance with the evidence available, it is estimated that the conduct
of the claimed party violates article 6.1 of the RGPD, being constitutive of the
infringement classified in article 83.5.a) of the aforementioned Regulation 2016/679.

In this sense, Recital 40 of the GDPR states:

“(40) For the processing to be lawful, personal data must be processed with the

consent of the interested party or on some other legitimate basis established in accordance
a Law, whether in this Regulation or under other Union law
or of the Member States referred to in this Regulation, including the
need to comply with the legal obligation applicable to the person responsible for the treatment or the
need to execute a contract to which the interested party is a party or for the purpose of
take measures at the request of the interested party prior to the conclusion of a

contract."

                                             IV

                        Fine sanction. Determination of the amount.


The determination of the sanction that should be imposed in the present case requires
observe the provisions of articles 83.1 and 2 of the RGPD, precepts that,
respectively, they provide the following:

"1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this
Regulations indicated in sections 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.”

"2. Administrative fines will be imposed, depending on the circumstances of each

individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:


a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that
have suffered;

b) intentionality or negligence in the infringement;


c) any measure taken by the person responsible or in charge of the treatment to pa-
bundle the damages and losses suffered by the interested parties;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/16








d) the degree of responsibility of the person responsible or in charge of the treatment, given
gives an account of the technical or organizational measures that have been applied under the
articles 25 and 32;


e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;


h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what
extent;

i) when the measures indicated in Article 58, paragraph 2, have been ordered

previously against the person responsible or the person in charge in question in relation to the
same matter, compliance with said measures;

j) adherence to codes of conduct under Article 40 or certification mechanisms
fication approved in accordance with article 42, and


k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or indirect.
mind, through infringement.”

 Within this section, the LOPDGDD contemplates in its article 76, entitled “Sancio-

tions and corrective measures”:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679

may also be taken into account:

a) The continuous nature of the infringement.

b) The linking of the offender's activity with the performance of medical treatments.
personal information.


c) The benefits obtained as a consequence of the commission of the infraction.

d) The possibility that the conduct of the affected person could have induced the commission
of the infringement.


e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/16








g) Have, when not mandatory, a data protection delegate.

h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which

disputes exist between them and any interested party.

3. It will be possible, complementary or alternatively, the adoption, when appropriate, of
the remaining corrective measures referred to in article 83.2 of the Regulation
(EU) 2016/679.”


Digi requests that the following extenuating circumstances be appreciated:


(I) “the absence of previous infringements” (art. 83.2 e) RGPD).
(II) “At no time have special categories of data been processed” (art. 83.2 g).
(III) “cooperation with the control authority in having responded to the transfer of the
claim and having provided the requested information”, article 83.2 f) of the RGPD.
(IV) “The lack of benefits obtained through the infringement”, article 83.2 k)

of the RGPD and 76.2 c) of the LOPDGDD.

None of the mitigating circumstances invoked are admitted.

Regarding (I) and (II), it should be noted that such circumstances can only operate as
aggravating factors and in no case as mitigating factors.


The statement made by the National Court in its SAN of May 5, 2021
(Rec. 1437/2020) on section e) of article 83.2. of the GDPR, the commission
Previous violations:


      "Considers, on the other hand, that the non-commission of
      of a previous violation. Well, article 83.2 of the GDPR establishes that
      must be taken into account for the imposition of the administrative fine, among
      others, the circumstance "e) any previous infraction committed by the person responsible or
      the person in charge of treatment". This is an aggravating circumstance, the fact

      The fact that the budget for its application does not exist means that it cannot be
      taken into consideration, but it does not imply or allow, as the plaintiff claims,
      its application as a mitigating factor”;

(III) Article 83.2.f) of the GDPR refers to the “degree of cooperation with the authority of
control in order to remedy the violation and mitigate the possible effects

adverse of the infringement;”. The response of the defendant to the information request
of the Inspection Subdirectorate did not fulfill these purposes, so it is not
fit into that mitigating circumstance.

(IV) On the application of article 76.2.c) of the LOPDGDD, in connection with the

article 83.2.k), lack of benefits obtained, it should be noted that such
circumstance can only operate as an aggravating circumstance and in no case as a mitigating circumstance.

Article 83.2.k) of the GDPR refers to “any other aggravating or mitigating factor
applicable to the circumstances of the case, such as the financial benefits obtained or the

losses avoided, directly or indirectly, through the infringement.” and the article
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/16








76.2c) of the LOPDGDD says that “2. In accordance with the provisions of article 83.2.k) of the
Regulation (EU) 2016/679 may also be taken into account: [..] c) The benefits
obtained as a consequence of the commission of the infraction.” Both provisions

mentioned as a factor that can be taken into account in the graduation of the sanction
the “benefits” obtained, but not the “absence” of these, which is what DIGI alleges.

Furthermore, in accordance with article 83.1 of the RGPD, the imposition of fine sanctions
is governed by the following principles: they must be individualized for each
particular case, be effective, proportionate and dissuasive. The admission that it operates

as a mitigating factor, the absence of benefits is contrary to the spirit of article 83.1
of the GDPR and the principles governing the determination of the amount of the
fine sanction. If, as a result of the commission of a violation of the RGPD, it is classified as
mitigating factor that there have been no benefits, the deterrent purpose that
It is fulfilled through sanction. Accept DIGI's thesis in a case like the one

we are dealing with would mean introducing an artificial reduction in the sanction that truly
it is necessary to impose itself; which results from considering the circumstances of article 83.2
RGPD that must be valued.

The Administrative Litigation Chamber of the National Court has warned that, the
fact that in a specific case not all the elements that

integrate a circumstance modifying responsibility that, by its nature,
has an aggravating nature, it cannot lead to the conclusion that such circumstance is applicable
as a mitigating factor. The pronouncement made by the National Court in its
SAN of May 5, 2021 (Rec. 1437/2020) - even though that resolution is seen
on the circumstance of section e) of article 83.2. of the GDPR, the commission

previous infractions - can be extrapolated to the question raised, the claim of the
demand that the “absence” of benefits be accepted as a mitigating factor, being thus
that both the RGPD and the LOPDGDD refer only to “the benefits obtained”:

      "Considers, on the other hand, that the non-commission of

      of a previous violation. Well, article 83.2 of the GDPR establishes that
      must be taken into account for the imposition of the administrative fine, among
      others, the circumstance "e) any previous infraction committed by the person responsible or
      the person in charge of treatment". This is an aggravating circumstance, the fact
      The fact that the budget for its application does not exist means that it cannot be
      taken into consideration, but it does not imply or allow, as the plaintiff claims,

      its application as a mitigating factor”;

In accordance with the transcribed precepts, the amount of the fine to be imposed on
the entity claimed as responsible for an infraction classified in article 83.5.a)
of the RGPD and 72.1 b) of the LOPDGDD, the
following factors:

As aggravating factors:


- The evident link between the business activity of the defendant and the
      processing of personal data of clients or third parties (article 83.2.k, of the
      RGPD in relation to article 76.2.b, of the LOPDGDD).

       The Judgment of the National Court of 10/17/2007 (rec. 63/2006), in which,
      with respect to entities whose activity involves continuous processing of
      client data, indicates that “…the Supreme Court has been understanding that
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/16








      Imprudence exists whenever a legal duty of care is neglected, that is
      That is, when the offender does not behave with the required diligence. And in the
      assessment of the degree of diligence, special consideration must be given to

      professionalism or not of the subject, and there is no doubt that, in the case now
      examined, when the appellant's activity is constant and abundant
      handling of personal data must insist on rigor and exquisite
      “Be careful to comply with the legal provisions in this regard.”

As mitigating factors:

The claimed party proceeded to resolve the incident that was the subject of the claim in a manner

effective (art. 83.2 c).

The balance of the circumstances contemplated in article 83.2 of the RGPD, with
regarding the infraction committed by violating the provisions of article 6.1 of the
GDPR allows a fine of 70,000 euros (seventy thousand euros) to be set.

Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the

Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE DIGI SPAIN TELECOM, S.L., with NIF B84919760, for a
violation of Article 6.1 of the GDPR, typified by Article 83.5 of the GDPR, a fine
of 70,000 euros (seventy thousand euros).


SECOND: NOTIFY this resolution to DIGI SPAIN TELECOM, S.L.

THIRD: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the

art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account

restricted IBAN number: ES00 0000 0000 0000 0000 0000, open in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected during the executive period.

Once the notification is received and once enforceable, if the enforceable date is

between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/16








Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly

contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the

day following the notification of this act, as provided for in article 46.1 of the
referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the

interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-

web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative procedure within a period of two months from the day following the

notification of this resolution would terminate the precautionary suspension.

Sea Spain Martí
Director of the Spanish Data Protection Agency

































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es