AEPD (Spain) - PS/00026/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
 
(4 intermediate revisions by 2 users not shown)
Line 54: Line 54:
}}
}}


The Spanish DPA (AEPD) found that the data processor, Vamavi Phone SL, was in violation of Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR by making a commercial call to a data subject registered on the Robinson List. Vamavi paid a fine of €24,000 (reduced from €40,000).
The Spanish DPA (AEPD) found that the data processor, Vamavi Phone SL, had violated Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR by making a commercial call on behalf of Vodafone España, SAU to a data subject registered on the Robinson List. Vamavi paid a fine of €24,000 (reduced from €40,000).


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The complainant filed a complaint as they received a commercial call on behalf of "Vodafone España, SAU" despite being listed on the Robinson List (advertising exclusion list).
The complainant filed a complaint as they received a commercial call on behalf of "Vodafone España, SAU" despite being listed on the Robinson List (advertising exclusion list).


The Spanish DPA (AEPD) therefore began an investigation to clarify the facts at stake. This revealed that Vamavi Phone SL was responsible for the data processing. Vamavi had made the commercial call to the Claimant on behalf of Vodafone España, SAU.
The Spanish DPA (AEPD) therefore began an investigation to clarify the facts at stake. This revealed that Vamavi Phone SL was responsible for the data processing. Vamavi had made the commercial call to the Claimant on behalf of Vodafone España, SAU.


=== Dispute ===
===Dispute===
Does a commercial call made by a processor to a claimant on the Robinson List entail a breach of Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR ?
Does a commercial call made by a processor to a claimant on the Robinson List entail a breach of Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR?


=== Holding ===
===Holding===
The Spanish DPA (AEPD) held that the facts in question indicated a breach of Article 48(1)(b) of the Spanish Law on General Telecommunications (LGT) by Vamavi. This provision outlines that individuals have the right to oppose receiving unwanted calls for commercial communication purposes. The DPA went on to outline that this must be read in light of Article 21 GDPR (right to object) and Article 23 of the Spanish Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
The Spanish DPA (AEPD) held that the facts in question indicated a breach of Article 48(1)(b) of the Spanish Law on General Telecommunications (LGT) by Vamavi. This provision outlines that individuals have the right to oppose receiving unwanted calls for commercial communication purposes. The DPA went on to outline that this must be read in light of Article 21 GDPR (right to object) and Article 23 of the Spanish Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).


Line 73: Line 73:
As Vamavi made a voluntary, early and guilty payment, the fine paid was reduced to €24,000 (rather than the original fine of €40,000).
As Vamavi made a voluntary, early and guilty payment, the fine paid was reduced to €24,000 (rather than the original fine of €40,000).


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Latest revision as of 13:48, 13 December 2023

AEPD - PS/00026/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 21 GDPR
Article 28 GDPR
Article 23 of the Law on the Protection of Personal Data and Guarantee of Digital Rights
Article 48(1)(b) of the Law on General Telecommunications
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.02.2021
Published: 10.02.2021
Fine: 24000 EUR
Parties: Vamavi Phone SL
National Case Number/Name: PS/00026/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) found that the data processor, Vamavi Phone SL, had violated Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR by making a commercial call on behalf of Vodafone España, SAU to a data subject registered on the Robinson List. Vamavi paid a fine of €24,000 (reduced from €40,000).

English Summary

Facts

The complainant filed a complaint as they received a commercial call on behalf of "Vodafone España, SAU" despite being listed on the Robinson List (advertising exclusion list).

The Spanish DPA (AEPD) therefore began an investigation to clarify the facts at stake. This revealed that Vamavi Phone SL was responsible for the data processing. Vamavi had made the commercial call to the Claimant on behalf of Vodafone España, SAU.

Dispute

Does a commercial call made by a processor to a claimant on the Robinson List entail a breach of Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR?

Holding

The Spanish DPA (AEPD) held that the facts in question indicated a breach of Article 48(1)(b) of the Spanish Law on General Telecommunications (LGT) by Vamavi. This provision outlines that individuals have the right to oppose receiving unwanted calls for commercial communication purposes. The DPA went on to outline that this must be read in light of Article 21 GDPR (right to object) and Article 23 of the Spanish Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

The DPA held that by acting on behalf of Vodafone, Vamavi acted as a data processor within the meaning of Article 28 GDPR. Vamavi was nonetheless the one found responsible for the data processing in question.

As Vamavi made a voluntary, early and guilty payment, the fine paid was reduced to €24,000 (rather than the original fine of €40,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/16











     Procedure No.: PS / 00026/2021

RESOLUTION R / 00087/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTARY


In the sanctioning procedure PS / 00026/2021, instructed by the Spanish Agency for
Data Protection to VAMAVI PHONE, S.L., considering the complaint filed by A.A.A.,
and based on the following,

                                 BACKGROUND


FIRST: On January 27, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure to VAMAVI PHONE, S.L.
(hereinafter, the claimed), through the Agreement that is transcribed:


<<
Procedure No.: PS / 00026/2021



           AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE




Of the actions carried out by the Spanish Agency for Data Protection and in

based on the following



                                     ACTS




FIRST: A.A.A. (hereinafter the claimant) filed a claim with the Agency
Spanish Data Protection Agency (hereinafter AEPD) for receipt on January 31

2020, at 11:34 am, from a commercial call on behalf of “Vodafone
España, S.A.U. ”, with NIF A80907397 (hereinafter VDF), to its telephone line
*** PHONE. 1 that is registered on the advertising exclusion list

Robinson, from the line *** PHONE. 2.



Relevant documentation provided by the claimant:




- 34-second audio file corresponding to the call recording
commercial on behalf of VDF.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/16








- Copy of the invoice (issued by XFERA MÓVILES, S.A.U. with NIF A82528548) of the

telephone line *** TELEPHONE. 1 in which the ownership of this by part
of the claimant.

- Copy of the certificate of the Robinson List registration issued on 01/31/2020, in which

your phone line *** PHONE. 1 is registered against phone calls
commercials since 08/03/2018.




SECOND: In view of the facts reported in the claim and the
documents provided by the claimant / of the facts and documents of which he has

this Agency, the Subdirectorate General for Data Inspection
proceeded to carry out preliminary investigation actions for the
clarification of the facts in question, by virtue of the powers of investigation

granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and

in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).




As a result of the investigative actions carried out, it is verified that the

responsible for the treatment is the entity VAMAVI PHONE, S.L.



BACKGROUND




Claim entry date: February 3, 2020.




Claimant: A.A.A ..











Dated 04/15/2020 in check-in 014582/2020, associated with
procedure E / 02271/2020, the AEPD found allegations of the VDF in which it
established that he had no record in his database of the number *** PHONE. 2

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/16








associated with your collaborators who make recruitment calls on your behalf. VDF
in that same registry, he stated that the claimant was recorded in the List

Robinson corresponding from 08/03/2018. In addition, VDF reports having included
in the internal Robinson list of your entity to the telephone line *** TELEPHONE 1 of the

claimant as a result of the transfer of the claim, becoming recorded as registered in
she. VDF stated that it had not contacted the claimant to notify him of the procedures
made by not having your contact information




INVESTIGATED ENTITIES




As stated in the Diligence, incorporated in the associated Investigation File
(E / 09385/2020) on 11/25/2020, the telephone line with number *** TELEPHONE. 2
was operated by SEWAN COMUNICACIONES, as recorded in the Records of

Numbering and Telecommunications Operators of the National Commission of
Markets and Competition (hereinafter, CNMC).




Consequently, during these proceedings, the following has been investigated
entity:




SEWAN COMUNICACIONES, S.L.U. (hereinafter, the investigated # 1), with NIF
B73619215 and address *** ADDRESS. 1.




Likewise, by the very course of these previous actions of
investigation, the need to proceed to investigate also the

following entity:



VAMAVI PHONE, S.L. (hereinafter, the VAMAVI), with NIF B87914446 and address

*** ADDRESS. 2.



RESULT OF INVESTIGATION ACTIONS




     The claimant's telecommunications operator, XFERA MÓVILES, S.A.U.
       manifests confirmation of receipt at the number *** PHONE. 1

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/16








        (ownership of the claimant) of the call made by the line
        *** PHONE. 2, on January 31, 2020 at 11:34:50 am. This line of
        origin of the call is recorded as incoming in the interconnection platform

        operated by investigated # 1.



     The investigated # 1 claims to be a telecommunications operator that

        provides telephone services to customers, end users and resellers. The
        investigated # 1 provides a copy of the CNMC public registry of operators in
        that is thus identified.



     The investigated # 1 identifies VAMAVI as its client owner of the line
        telephone *** TELEPHONE. 2 on January 31, 2020 at 11:34:50 a.m., and

        specifically in its ownership since October 2, 2019. The investigated
        # 1 alleges that he did not make the call or have a contract or
        any connection with VDF to advertise its commercial services.



     The investigated # 1 confirms that the call from the telephone line
        *** PHONE. 2 to line *** PHONE. 1 (owned by the claimant)

        produced on January 31, 2020 at around 11:34 a.m. and had a
        duration of 39 seconds. The investigated # 1 provides a copy of the invoice
        corresponding to the month of January 2020 issued to VAMAVI, as its client

        owner of the telephone line *** TELEPHONE. 2, in which said
        phone call.


     VAMAVI confirms the realization of a commercial call on January 31,

        2020 at 11:34 a.m. to offer commercial services from the VDF, to the line
        Claimant's telephone number *** TELEPHONE.1 from line *** TELEPHONE.2

        (under your ownership).


     VAMAVI identifies itself as a subagent of the entity SOLIVESA MASTER
        FRANCHISE, S.L. (hereinafter SOLIVESA), with NIF B97154488, who acts

        as an authorized commercial distributor of the VDF. VAMAVI provides a contract
        between you and SOLIVESA dated 03/21/2019, for the activity of
        intermediation in client registrations through commercial telephone calls

        in favor of VDF and with a duration of 12 months.


     VAMAVI states that customer acquisition for VDF through calls

        commercial telephony occurred in the private segment, self-employed and
        of micro-enterprises.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/16









     VAMAVI claims that it does not have files related to the owners of the lines

        telephone numbers to which he called commercially due to the fact that lists were generated
        of random numbers from the list of valid published numberings

        by the CNMC. VAMAVI provides a copy of the list of telephone numbers
        allegedly taken from the CNMC.


     VAMAVI states that it has a Robinson list in which to carry out the filtering

        to avoid numbers that oppose business calls and add
        recognize the claimant's telephone line *** TELEPHONE.1 included in said

        list. VAMAVI alleges, after identifying the claimant's number
        involved in the commercial call produced, which [sic]: “(…) so
        it seems that this is a specific error in our filtering system. "




FOUNDATIONS OF LAW




I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director

of the Spanish Agency for Data Protection is competent to initiate and to
solve this procedure.




In accordance with the provisions of article 84.3) of the LGT, the competence to
initiate and resolve this Penalty Procedure corresponds to the Director of

the Spanish Agency for Data Protection.



II


The known facts could constitute an infraction, attributable to
VAMAVI, for violation of article 48.1.b) of Law 9/2014, of May 9, General
of Telecommunications (hereinafter, LGT), included in its Title III, which states:




<< Article 48. Right to the protection of personal data and privacy in relation
with unsolicited communications, with traffic and location data and with

subscriber guides.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/16










1. Regarding the protection of personal data and privacy in relation to

unsolicited communications end users of communications services
electronic will have the following rights:


(…)

b) To oppose receiving unwanted calls for commercial communication purposes
that are carried out through systems other than those established in the previous letter and to

be informed of this right. >>



Although, the aforementioned article does not configure such a right, so we must go to the

data protection rules that regulate the right of opposition: article
21 of the RGPD, (Regulation (EU) 2016/679, of the European Parliament and of the Council,
04/27/2016, regarding the Protection of Natural Persons with regard to the

Processing of Personal Data and Free Circulation of this Data) and article 23
of the LOPDGDD (Organic Law 3/2018, of December 5, on Data Protection

Personal Rights and Guarantee of Digital Rights).



The offense is classified as minor in article 78.11 of said rule, which considers

as such: “The breach of public service obligations, of the
public obligations and the violation of consumer rights
and end users, as established in Title III of the Law and its regulations on

developing".



This offense can be sanctioned with a fine of up to 50,000 euros, according to

with article 79.1.d) of the aforementioned LGT.



In accordance with the evidence available at the present time of

agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered that the sanction to be imposed should be graduated in accordance with

the following criteria established in article 80 of the LGT:



As aggravating factors:




Art 80.1 of the LGT.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/16








a) The seriousness of the offenses previously committed by the subject to whom the
sanctions. This AEPD consists of numerous previous antecedents known to

VDF.

c) The benefit that the offending event has provided to the offender. The
promotional actions are aimed at obtaining profits

business.

d) The damage caused and its repair. The claimant has had to take action
before this AEPD. There are no remedial actions by VDF.


g) The cessation of the infringing activity, previously or during the processing of the
sanctioning file. There is no evidence of the cessation of the infringing activity.




Considering the exposed factors, the initial assessment that reaches the amount of the
The fine for the violation of art 48.1.b) of the LGT imputed is € 20,000 (twenty thousand
euros).




III

Article 28 of the RGPD establishes the following:




In charge of the treatment



<1. When a treatment is to be carried out on behalf of a person responsible for the

treatment, it will only choose a manager who offers sufficient guarantees
to apply appropriate technical and organizational measures, so that the
treatment is in accordance with the requirements of this Regulation and guarantees the

protection of the rights of the interested party.



2. The person in charge of the treatment will not resort to another person in charge without prior authorization

in writing, specific or general, of the person in charge. In the latter case, the manager
will inform the person in charge of any change foreseen in the incorporation or

replacement of other managers, thus giving the person in charge the opportunity to oppose
to such changes.





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/16








3. The treatment by the person in charge will be governed by a contract or other legal act with
under Union or Member State law, which binds the person in charge

with respect to the person in charge and establish the object, duration, nature and
purpose of the treatment, the type of personal data and categories of interested parties, and the
obligations and rights of the person in charge. Said contract or legal act shall stipulate, in

particular, that the person in charge:

a) will process personal data only following documented instructions from the
responsible, including with respect to transfers of personal data to a

third country or an international organization, unless it is obliged to do so under
of the law of the Union or the Member States that applies to the processor; in
In this case, the person in charge will inform the person in charge of this legal requirement prior to

treatment, unless such Law prohibits it for important reasons of interest
public;


b) will guarantee that the persons authorized to process personal data have
committed to respecting confidentiality or subject to an obligation of
confidentiality of a statutory nature;


c) take all necessary measures in accordance with Article 32;

d) will respect the conditions indicated in sections 2 and 4 to resort to another
in charge of the treatment;

e) will assist the controller, taking into account the nature of the treatment, through

appropriate technical and organizational measures, whenever possible, so that this
can fulfill its obligation to respond to requests that have as their object

the exercise of the rights of the interested parties established in chapter III;

f) will help the controller to ensure compliance with the obligations
established in articles 32 to 36, taking into account the nature of the treatment

and the information available to the person in charge;

g) at the choice of the controller, delete or return all personal data once
once the provision of treatment services ends, and will delete the copies

existing unless the conservation of personal data is required under
of the Law of the Union or of the Member States;

h) will make available to the controller all the information necessary to demonstrate

compliance with the obligations established in this article, as well as
to enable and contribute to the performance of audits, including inspections, by
part of the person in charge or another auditor authorized by said person in charge.


In relation to the provisions of letter h) of the first paragraph, the person in charge will inform
immediately to the person responsible if, in their opinion, an instruction violates this
Regulation or other provisions on data protection of the Union or of

Member States.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/16










4. When a processor uses another processor to carry out

certain processing activities on behalf of the controller, will be imposed on
this other person in charge, through a contract or other legal act established in accordance with

Union or Member State law, the same obligations to
data protection than those stipulated in the contract or other legal act between the
responsible and the person in charge referred to in section 3, in particular the provision

sufficient guarantees for the application of appropriate technical and organizational measures
so that the treatment is in accordance with the provisions of this
Regulation. If that other manager breaches their data protection obligations,

The initial manager will remain fully accountable to the person responsible for the
treatment with regard to the fulfillment of the obligations of the other

in charge.



5. Adherence of the data controller to a code of conduct approved by

pursuant to article 40 or to a certification mechanism approved pursuant to article
42 may be used as an element to demonstrate the existence of guarantees
sufficient referred to in sections 1 and 4 of this article.




6. Without prejudice to the person in charge and the person in charge of the treatment holding a
individual contract, the contract or other legal act referred to in sections 3 and 4

of this article may be based, totally or partially, on the clauses
contractual type referred to in sections 7 and 8 of this article, inclusive

when they form part of a certification granted to the person in charge of
in accordance with articles 42 and 43.




7. The Commission may establish standard contractual clauses for the matters to which
refer to sections 3 and 4 of this article, in accordance with the procedure for
examination referred to in article 93, paragraph 2.




8. A supervisory authority may adopt standard contractual clauses for the
matters referred to in sections 3 and 4 of this article, in accordance with the

coherence mechanism referred to in article 63.



9. The contract or other legal act referred to in sections 3 and 4 shall consist of

written, including in electronic format.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/16










10. Without prejudice to the provisions of articles 82, 83 and 84, if a person in charge of the

treatment violates these Regulations by determining the purposes and means of the
treatment, you will be considered responsible for the treatment with respect to said

treatment>



Article 83.4.a) of the RGPD establishes the following:




<4. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 10,000,000 or,

in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a
39, 42 and 43; …>.




Article 74.k) of the LOPDGDD, establishes the following:



<Infringements considered minor. They are considered mild and will prescribe the

remaining infringements of a merely formal nature of the articles mentioned in
paragraphs 4 and 5 of Article 83 of Regulation (EU) 2016/679 and, in particular, the

following:



k) Failure by the person in charge of the stipulations imposed in the contract or

legal act that regulates the treatment or instructions of the person responsible for the
treatment, unless legally obliged to do so in accordance with Regulation (EU)
2016/679 and the present organic law or in the cases in which it is necessary to

avoid the infringement of data protection legislation and have
notified the person in charge or the person in charge of the treatment.>




IV

In the present case, there are reasonable and sufficient indications to consider that the
VAMAVI entity, as sub-manager of the treatment now imputed

consisting of making commercial calls on behalf of and on behalf of Vodafone
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/16








Spain, S.A.U. to numbers included in the advertising exclusion lists
Robinson and without having had the due diligence to which it is obliged by the

hiring because of its content, and that has led to the violation of
Claimant's rights.




V

In accordance with the evidence available at the present time of

agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, the known facts could constitute an infraction,
attributable to the defendant, for violation of art. 28, offense typified in art.

83.4.a) of said rule considered mild for the purposes of prescription in article 74.k)
of the LOPDGDD.




SAW

In an initial assessment, concurrent aggravating criteria are estimated
following graduation:




. The high link between the activity of the offender and the performance of treatment of

personal information. It is established that VAMAVI is an entity specialized in treatments
of personnel in a systematic way.




. VAMAVI does not have adequate technical and organizational procedures in place for
action in order to comply with the treatment subject to sub-commission in the
terms of art 28 of the RGPD, so that the infringement is not the consequence of a

punctual anomaly in the operation of these procedures but a defect
persistent and continuous of the personal data management system.




Considering the exposed factors, the initial assessment that reaches the amount of the
The fine for the infringement of art 28 of the RGPD is € 20,000 (twenty thousand euros).




Therefore, based on the foregoing, by the Director of the Agency
Spanish Data Protection,




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/16








HE REMEMBERS:




FIRST:



INITIATE SANCTIONING PROCEDURE to VAMAVI PHONE S.L., with NIF

B87914446, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations

(hereinafter, LPACAP), for the alleged infringement of art. 48.1.b) in relation to the
art. 21 of the RGPD and 23 of the LOPDGDD, classified as mild in article 78.11 of the
mentioned LGT, without prejudice to what results from the instruction.




INITIATE SANCTIONING PROCEDURE to VAMAVI PHONE S.L., with NIF
B87914446, for the alleged violation of article 28 of the RGPD typified in accordance with

Article 83.4.a) of the RGPD.



SECOND: APPOINT B.B.B. as instructor. and, as secretary, to C.C.C.,

indicating that any of them may be challenged, if applicable, in accordance with the
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime

Public Sector Legal (LRJSP).



THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the

claim filed by the claimant and its documentation; documents
obtained and generated by the General Subdirectorate for Data Inspection during the
investigations phase; as well as the report of previous Inspection actions;

all of them are part of the file.



FOURTH: THAT for the purposes provided for in art. 64.2 b) of the LPACAP, the sanction that

could correspond would be 40,000 euros, without prejudice to what results from the
instruction.




FIFTH: NOTIFY this agreement VAMAVI PHONE S.L., with NIF B87914446,
granting him a hearing period of ten business days to formulate the
allegations and present the evidence that you consider appropriate. In his writing of



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/16








allegations, you must provide your NIF and the procedure number that appears in the
heading of this document.




If within the stipulated period it does not make allegations to this initiation agreement, the same

It may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the

term granted for the formulation of allegations to the present initiation agreement; the
which will entail a reduction of 20% of the sanction to be imposed in
this procedure. With the application of this reduction, the sanction would be

established at 32,000 euros, resolving the procedure with the imposition of this
sanction.




In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which

will mean a reduction of 20% of its amount. With the application of this reduction,
the penalty would be established at 32,000 euros and its payment will imply the termination of the
process.




The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the recognition of responsibility, provided that this recognition

of responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount

in the previous paragraph it may be done at any time prior to the resolution. In
In this case, if both reductions should be applied, the amount of the penalty would be
set at 24,000 euros.




In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or remedy in

administrative against the sanction.



In case you choose to proceed to the voluntary payment of any of the amounts


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/16








mentioned above, you must make it effective by entering account no.

ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for
Data Protection in the banking entity CAIXABANK, S.A., indicating in the
concept the reference number of the procedure that appears in the heading

of this document and the cause for the reduction of the amount to which it applies.




Likewise, you must send proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity
entered.




The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.

After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.




Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.






167-200320

Mar Spain Martí


Director of the Spanish Agency for Data Protection

>>

SECOND: On February 5, 2021, the defendant has proceeded to pay the

sanction in the amount of 24,000 euros making use of the two planned reductions
in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to
the facts to which the Initiation Agreement refers.







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/16








FOUNDATIONS OF LAW

I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said

Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article

43.1 of said Law.

II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric

"Termination of sanctioning procedures" provides the following:
"one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature or it is possible to impose a

pecuniary sanction and other non-pecuniary sanction, but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offense.


3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of

any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased
regulations.


In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00026/2021, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VAMAVI PHONE, S.L ..



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/16









In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.



936-031219
Mar Spain Martí
Director of the Spanish Agency for Data Protection












































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es