AEPD (Spain) - PS/00009/2020

From GDPRhub
AEPD - PS/00009/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 04.08.2020
Fine: 48.000 EUR
Parties: Vodafone España, S.A.U.
National Case Number/Name: PS/00009/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

4 August 2020 - The Spanish Data Protection Agency (AEPD) decided to early finish the sanction procedure against Vodafone España, S.A.U. (the defendant) for the infringement of Article 6(1) of the GDPR, as the defendant agreed to an early voluntary payment of the corresponding part (48,000 €) of the fine suggested by the AEPD (60,000 €).

English Summary

Facts

The decision is the consequence of a sanction procedure started by the AEPD against the defendant due to a complaint submitted by a Spanish citizen stating that the defendant had sent him a message thanking the acquisition of a new phone line he/she did not recognize; after checking this point in the mobile app of the defendant, the claimant discovered that the defendant (acting through an agency) had unlawfully used his personal and banking details in order to produce a contract without his/her consent, as its commercial procedure is the following: the agency buys prepaid cards in the name of its clients in order to authorize portability to Vodafone.

Dispute

The defendant answered to the AEPD investigation requests stating that the whole situation is due to an isolated behaviour of the agency, as the defendant, always following strict procedures, was fully convinced of the veracity of the portability contract (which was not signed, and in which the agency had included the personal data of the claimant without his/her consent), and so it has been “a victim” of the bad practices of the agency; the defendant also stated that there is no intentionality on its side, and that it totally rejects the behaviour of the agency, as such unlawful activity would be punished according to the commercial agreement between both companies. The AEPD started the corresponding sanction procedure.

Holding

Without prejudice to the results of the final investigations corresponding to the sanction procedure, the AEPD understood that the defendant could have breached the lawfulness of processing principle as per article 6(1) GDPR: on the basis of the available evidences, the defendant did not take the due diligences to avoid such situation, and it did not prove the lawfulness of the data processing. Consequently, after considering some aggravating circumstances [(i) there is a negligence/intentionality by the defendant, and (iii) basic personal data have been affected], the AEPD understood that, in case the sanction procedure resulted in a successful decision, this infringement would be fined with 60,000 € to the defendant. In this sense, the AEPD offered the defendant the possibility to settle the issue before the decision takes place by agreeing to a voluntary payment of part of the fine with a possible discount (48,000 €). The defendant agreed, so it paid 48,000 € and the sanction procedure was closed by the AEPD.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

9 Procedure Nº: PS / 00009/2020RESOLUTION R / 00348/2020 OF TERMINATION OF THE PROCEDURE BY PAYMENTVOLUNTARYIn the sanctioning procedure PS / 00009/2020, instructed by the AgencySpanish Data Protection to VODAFONE ESPAÑA, SAU , after theclaim submitted by AAA , and based on the following,BACKGROUNDFIRST: On February 18, 2020, the Director of the Spanish Agency forData Protection agreed to initiate a sanctioning procedure against VODAFONESPAIN, SAU . Notified the initiation agreement and after analyzing the allegationspresented, on June 29, 2020, the resolution proposal was issued thatThe following is transcribed:<<Procedure no .: PS / 00009/2020821-200320Of the procedure instructed by the Spanish Agency for Data Protection andbased on the following:BACKGROUNDFIRST: Ms. AAA (hereinafter, the claimant) dated February 25, 2019filed a claim with the Spanish Agency for Data Protection. TheThe claim is directed against Vodafone España, SAU, with NIF A80907397 (inahead, the claimed one).The reasons on which your claim is based are that you received a message fromVodafone España, SAU (hereinafter, Vodafone) thanking you for a purchasethat he does not recognize, carried out in a physical store of which he was a customer.So, check through the application for mobile devices ofVodafone that a contracted portability was carried out in your name and with your databanking.Well, in the store he requests the contract that he has supposedly signed, butthey deny it and recognize that it is a habitual practice that they carry out: they buyLycamobile prepaid cards and portability to customers of your store. Inwhen they have knowledge of these facts, they cancel the cover line.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/11On the other hand, it indicates that the events took place on February 22, 2019.And, among other things, it provides the following documentation: Vodafone service contract for portability of the number *** PHONE. 1coming from Lycamobile. Copy of the claims sheet filled out by the claimant in whichclaim that (i) your identity has been impersonated, (ii) your data has been processedpersonal and banking services at their convenience and (iii) have entered into a contract at theirname without your consent.SECOND: In view of the facts denounced in the claim and thedocuments provided by the claimant and the facts and documents of which he hasthis Agency, the Subdirectorate General for Data Inspection, had knowledgeproceeded to carry out preliminary investigation actions for theclarification of the facts in question, by virtue of the powers of investigationgranted to the control authorities in article 57.1 of Regulation (EU)2016/679 (General Data Protection Regulation, hereinafter RGPD), andin accordance with the provisions of Title VII, Chapter I, Second Section, of the LawOrganic 3/2018, of December 5, Protection of Personal Data and guarantee ofdigital rights (hereinafter LOPDGDD).As a result of the investigative actions carried out, it is verifiedthat the person responsible for the treatment is the one claimed.Likewise, the following points are found:The antecedents that appear are the following: Made a request for information to Vodafone about the contracting ofportabilities without signing and on the ported telephone number, with the date ofNovember 11, 2019 is received at this Agency, with registration number054686/2019, letter sent by the operator stating that theportabilities are formalized through a contract signed by the client in a mannerthat the contract model includes the necessary signature fields so that theprevious client authorizes the change of owner and the new client authorizes theportability. The contract can be signed digitally or manually:- When the digital signature option is chosen, the contract signed by the clientdumps directly into "Docuweb". The system should not advance if it is missingany of the 2 signatures in the portability and change boxes.- When the manual signature option is chosen, the order advances in any case andthe store is obliged to keep an original copy of the contract signed bythe customer and send this copy to "Docout" for safekeeping. "Docout" checkif the contract reaches your office and informs us otherwise.As for the number carried, they report that he was discharged from the 26from February 2019 to February 28, 2019, the date on which thefinal discharge.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/11THIRD: On February 18, 2020, the Director of the Spanish Agency forData Protection agreed to initiate a sanctioning procedure against the claimed entity,by virtue of the powers established in article 58.2 of the RGPD and in articles47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Data ProtectionPersonal Rights and Guarantee of Digital Rights (LOPDGDD), for the violation of theArticle 6.1 of the RGPD typified in article 83.5.a) of the RGPD.FOURTH: Notified the initiation agreement, the claimed entity, by writing ofdated March 19, 2020, made, in summary, the following allegations:“It should be noted, first of all, that the factual assumption before which weWe find and that affects Vodafone is the portability of the unrecognized line of theclaimant that was managed by the Vodafone agency modality. In thisIn this sense, the signed contract is provided as document number 3, in which theobserve the personal data of the claimant. In this sense, and facing the dumpof data in the Vodafone system the hiring had the appearance of consent,dear and real by having all the updated and truthful information for what it wasimpossible to know the reality of the facts -one non-consensual of the data together withthe illegal action of the commercial - who, if he had known them, would not have managed theportability.Vodafone rejects this type of behavior for which it has tolerancezero. Proof of this is the contract signed between Vodafone and Oliveros Reus onwhich we provide as Document 4.Likewise, breaches of all these behaviors are accompanied by aseries of sanctions to the agent that are included in Clause 4 Penaltiesof Annex I of the contract that is attached as Document 5.It is evident that, in the present case, it has also been a victim of the actionsillicit by this agency, not being able to be blamed any intentionality,nor lack of diligence, because there is a contract between the agency and Vodafonethat regulates the relationship between the parties and establishes the obligations and guidelines to followto carry out the commercial activity that has not been fulfilled.In relation to these facts, he wants to reiterate, therefore, the lack of intentionalityinfringer that governs the acts that are the object of this procedure.Therefore, the appropriate thing is to agree to the dismissal of this file and thearchive of the proceedings, since the events occurred without intentionalityany. In the alternative, the amount of the sanction must be moderated, imposing itself inits minimum amount, taking into account the following circumstances included in theart. 83.2 of the RGPD ”.FIFTH: On June 1, 2020, the test practice period began,remembering: 1. To consider the complaint filed as reproduced for evidentiary purposesby the claimant and its documentation, the documents obtained and generated thatare part of the file and 2. To consider reproduced for evidentiary purposes, theallegations to the agreement to initiate PS / 00009/2020, presented by the entityreported.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/11SIXTH: Of the information and documentation provided by the parties in this proceedingment, are credited with the following facts:PROVEN FACTS1 The claimant states that, on February 25, 2019, it received anotification by SMS of the claimed, in relation to the registration of a line that does notrecognized and that he proceeded to check through the My Vodafone mobile application,where he saw that indeed, a portability had been carried out in his namealso using your bank details.2nd Due to the above, and having the information in the MiVodafone, went to the store where he requested the contract that he supposedly signed,but they deny it and recognize that it is a common practice that they carry out:buy prepaid Lycamobile cards and carry out porting to clients of theirstore. As soon as they have knowledge of these facts, they cancel the cover line.3º Work in the file copy of the Vodafone service contract bynumber portability *** PHONE. 1 from Lycamobile.SIXTH: A list of documents available in theprocess.FOUNDATIONS OF LAWIThe Director of the Agency is competent to resolve this procedureSpanish Data Protection, in accordance with the provisions of art. 58.2 ofRGPD and in arts. 47 and 48.1 of the LOPDGDDIIThe defendant is charged with committing an offense for violation of theArticle 6 of the RGPD, " Legality of the treatment ", which indicates in its section 1 thecases in which the processing of third party data is considered lawful:"one. The treatment will only be lawful if at least one of the following is metterms:a) the interested party gave their consent for the processing of their datapersonal for one or more specific purposes;b) the treatment is necessary for the performance of a contract in which theinterested is part or for the application at the request of this of measurespre-contractual;(…) "The offense is typified in Article 83.5 of the RGPD, which considers as such:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/11"5 . Violations of the following provisions will be sanctioned, in accordance withwith section 2, with administrative fines of a maximum of EUR 20,000,000 or,in the case of a company, an amount equivalent to a maximum of 4% of thetotal annual global business volume of the previous financial year, opting forthe highest amount:a) The basic principles for the treatment, including the conditions for theconsent in accordance with articles 5,6,7 and 9. "Organic Law 3/2018, on Protection of Personal Data and Guarantee ofDigital Rights (LOPDGDD) in its article 72, under the heading " Infractionsconsidered very serious ” provides:"one. Based on what is established in article 83.5 of the Regulation (EU)2016/679 are considered very serious and will prescribe after three years the infractions thatsuppose a substantial violation of the articles mentioned in that and, inin particular, the following:(…)b) The processing of personal data without the concurrence of any of theconditions of legality of the treatment established in article 6 of theRegulation (EU) 2016/679. "IIIThe documentation in the file provides evidence that theclaimed, violated article 6.1 of the RGPD , since it processed thepersonal data of the claimant without having any legitimacy to do so. TheClaimant's personal data were incorporated into the information systemsof the company, without having proven that he had legitimately hired,had your consent for the collection and subsequent treatment of yourpersonal data, or there is any other cause that makes the treatment lawfuleffected.The Administrative Litigation Chamber of the National Court, inassumptions such as the one presented here, it has considered that when the owner of thedata denies the contract, the burden of proof corresponds to whoever affirms theirexistence and the person responsible for the data processing of third parties must collect andkeep the necessary documentation to prove the consent of the owner.We cite, for all, the SAN of 05/31/2006 (Rec. 539/2004), Basis of LawFourth.On the other hand, there is evidence, in the contract provided by the claimant, thatthe portability contract was made in the physical store of the claimed and that thecontract is without signatures.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/11Although the company states that portability does not occur if it is missingany of the signatures, the contract obtained by the claimant through the applicationfor Vodafone mobiles contains all the spaces intended for the signatures of theblank headlines.However, and this is essential, the defendant does not prove the standing tothe treatment of the claimant's data.Respect for the principle of legality that is in the essence of fundamental rightprotection of personal data requires that it be proven that theresponsible for the treatment deployed the necessary diligence to prove thatextreme. If this Agency does not act in this way - and if this Agency does not demand it, it is incumbent uponfor compliance with the regulations governing the data protection right ofpersonal character - the result would be to empty the principle of legality of content.IVIn accordance with the provisions of the RGPD in its art. 83.1 and 83.2, when deciding theimposition of an administrative fine and its amount in each individual case will betake into account the aggravating and mitigating factors that are listed in the articleindicated, as well as any other that may be applicable to the circumstances of thecase."Each supervisory authority will guarantee that the imposition of finesadministrative pursuant to this article for the infractions of thisRegulations indicated in paragraphs 4, 9 and 6 are in each individual caseeffective, proportionate and dissuasive. "" Administrative fines will be imposed, depending on the circumstances ofeach individual case, as an additional or substitute for the measures contemplated in theArticle 58, paragraph 2, letters a) to h) and j). When deciding to impose a fineadministrative and its amount in each individual case will be duly taken into account:a) the nature, gravity and duration of the offense, taking into account thenature, scope or purpose of the processing operation in questionas well as the number of affected stakeholders and the level of damage anddamages they have suffered;b) intentionality or negligence in the infringement;c) any measure taken by the controller or processorto alleviate the damages suffered by the interested parties;d) the degree of responsibility of the person in charge of thetreatment, taking into account the technical or organizational measures that haveapplied by virtue of articles 25 and 32;e) any previous infraction committed by the person in charge or the person in charge of thetreatment;f) the degree of cooperation with the supervisory authority in order toremedy the violation and mitigate the possible adverse effects of the violation;g) the categories of personal data affected by the infringement;C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/11h) the way in which the supervisory authority learned of the infringement,in particular if the person in charge or the person in charge notified the infraction and, in suchcase, to what extent;i) when the measures indicated in article 58 (2) have beenpreviously ordered against the person in charge or the person in chargein relation to the same matter, compliance with said measures;j) adherence to codes of conduct under Article 40 or to mechanismscertification approved in accordance with Article 42, andk) any other aggravating or mitigating factor applicable to the circumstances of thecase, such as financial benefits obtained or losses avoided, director indirectly, through the infringement. "Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76," Sanctions and corrective measures", provides:"two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679The following may also be taken into account:a) The continuing nature of the offense.b) The linking of the offender's activity with the performance of treatment ofpersonal information.c) The benefits obtained as a result of the commission of the offense.d) The possibility that the affected person's conduct could have led to thecommission of the offense.e) The existence of a merger by absorption process after the commission of theinfringement, which cannot be attributed to the absorbing entity.f) Affecting the rights of minors.g) Have, when not mandatory, a data protection officer.h) The submission by the person in charge or manager, on a voluntary basis, toalternative dispute resolution mechanisms, in those cases in whichthere are controversies between those and any interested party. "In accordance with the transcribed precepts, in order to set the amount of the penaltyfine to be imposed in the present case for the offense typified in article 83.5.a)of the RGPD for which the claimed person is responsible, thefollowing factors:As aggravating criteria:The intentionality or negligence in the infringement (article 83.2 b).Basic personal identifiers (name, surname,address) (article 83.2 g).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/11The balance of the circumstances contemplated in article 83.2 of the RGPD, withRegarding the offense committed by violating the provisions of its article 6, it allows settinga penalty of 60,000 euros (sixty thousand euros), classified as "very serious", for the purposesof prescription thereof, in article 72.1.b) of the LOPDGDD.In view of the above, the following is issuedMOTION FOR A RESOLUTIONThat the Director of the Spanish Data Protection Agency sanctionto VODAFONE ESPAÑA, SAU, with NIF A80907397, for a violation of Article 6 of theRGPD, typified in Article 83.5 of the RGPD, a fine of € 60,000.00 (SIXTY THOUSANDeuros).Likewise, in accordance with the provisions of article 85.2 of the LPACAP,informs you that you may, at any time prior to the resolution of thisprocedure, carry out the voluntary payment of the proposed sanction, which will meana reduction of 20% of the amount thereof. With the application of this reduction, theThe penalty would be established at 48,000.00 euros and its payment will imply the termination of theprocess. The effectiveness of this reduction will be conditioned to the withdrawal orwaiver of any action or appeal in administrative proceedings against the sanction.In case you choose to proceed to the voluntary payment of the specified amountabove, in accordance with the provisions of the aforementioned article 85.2, you must do iteffective by entering the restricted account number ES00 0000 0000 0000 0000 0000opened in the name of the Spanish Agency for Data Protection in the BankCAIXABANK, SA, indicating in the concept the reference number of the procedurethat appears in the heading of this document and the cause, by voluntary payment, ofreduction of the amount of the penalty. Likewise, you must send proof of income tothe Subdirectorate General of Inspection to proceed to close the file.By virtue of this, he is notified of the foregoing, and theprocedure so that within TEN DAYS it can allege whatever it deems inhis defense and present the documents and information he considers pertinent, inaccording to article 89.2 in relation to art. 73.1 of the LPACAP).BBBINSPECTOR / INSTRUCTORC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 9
9/11Index of File PS / 00009/202002-25-2019 AAA claim08-19-2019 Admission to AAA09-23-2019 Request for Information to VODAFONE ESPAÑA, SAU11-18-2019 CCC allegations01-16-2020 Report on previous actions.02-19-2020 A. opening to VODAFONE ESPAÑA, SAU02-19-2020 Complainant Information to AAAC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 10
10/1103-19-2020 CCC allegations06-01-2020 Notification of the testing period to VODAFONE ESPAÑA, SAU>>SECOND : On July 16, 2020, VODAFONE ESPAÑA, SAU has proceededto the payment of the sanction in the amount of 48,000 euros making use of the reductionprovided for in the proposed resolution transcribed above.THIRD : The payment made entails the waiver of any action or recourse in progressagainst the sanction, in relation to the facts referred to in themotion for a resolution.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each authority ofcontrol, and as established in art. 47 of Organic Law 3/2018, of 5December, Protection of Personal Data and guarantee of digital rights (inhereinafter LOPDGDD), the Director of the Spanish Agency for Data Protectionis competent to sanction the infractions that are committed against saidRegulation; infractions of article 48 of Law 9/2014, of May 9, Generalof Telecommunications (hereinafter LGT), in accordance with the provisions of thearticle 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of theinformation and electronic commerce (hereinafter LSSI), as provided in article43.1 of said Law.IIArticle 85 of Law 39/2015, of October 1, on the ProcedureCommon Administrative of Public Administrations (hereinafter LPACAP), underthe heading " Termination of sanctioning procedures " provides the following:"one. Initiated a sanctioning procedure, if the offender acknowledges hisresponsibility, the procedure may be resolved with the imposition of the sanctionthat proceeds.2. When the sanction is solely of a pecuniary nature or it fitsimpose a pecuniary sanction and a non-pecuniary sanction but it has been justifiedthe inadmissibility of the second, the voluntary payment by the presumed responsible, inany time prior to the resolution, will imply the termination of the procedure,Except for the replacement of the altered situation or the determination of thecompensation for damages caused by the commission of the offense.3. In both cases, when the penalty is solely of a pecuniary nature,the competent body to resolve the procedure will apply reductions of, atC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 11
11/11less, 20% of the amount of the proposed penalty, these being cumulativeeach. The aforementioned reductions must be determined in the notification ofinitiation of the procedure and its effectiveness will be conditional on the withdrawal orwaiver of any action or appeal in administrative proceedings against the sanction.The percentage of reduction foreseen in this section may be increasedregulations. "In accordance with the above,the Director of the Spanish Agency for Data Protection RESOLVES:FIRST: DECLARE the termination of procedure PS / 00009/2020 , ofin accordance with the provisions of article 85 of the LPACAP.SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, SAU .In accordance with the provisions of article 50 of the LOPDGDD, theThis Resolution will be made public once it has been notified to the interested parties.Against this resolution, which ends the administrative procedure according toprescribed by art. 114.1.c) of Law 39/2015, of October 1, on the ProcedureCommon Administrative of Public Administrations, interested parties mayfile a contentious-administrative appeal before the Contentious Chamber-administrative law of the National Court, in accordance with the provisions of article 25 andin section 5 of the fourth additional provision of Law 29/1998, of July 13,regulator of the Contentious-Administrative Jurisdiction, within a period of two months tocount from the day after the notification of this act, as provided in theArticle 46.1 of the aforementioned Law.
Mar España Martí
Director of the Spanish Agency for Data Protection