AEPD (Spain) - PS/00030/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 28 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.05.2021
Published: 25.05.2021
Fine: 100000 EUR
Parties: Vodafone España, S.A.U.
National Case Number/Name: PS/00030/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined Vodafone €100,000 for not ensuring that the processor they contracted with had implemented and continued to implement appropriate technical and organisational measures to ensure compliance with the GDPR.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) against Vodafone after receiving a commercial phone call from the company despite having signed up for the Robinson list.

The AEPD launched an investigation and discovered that the call had been made by Xfera Móviles, which acted on behalf of Vodafone in marketing activities (as a processor, as determined by the DPA). Xfera alleged that there had been an error when filtering the phone numbers against the Robinson list.

Additionally, it was proven that the agreements concluded between Vodafone and Xfera contained no instructions on how to process the data in line with the Robinson list, so that the phone numbers included in it were not used for commercial purposes.

Holding

Firstly, the AEPD concluded that, according to Article 23(4) of the Spanish Data Protection Act, controllers have the obligation to consult exclusion lists, such as the Robinson list, before carrying out any commercial communications, to ensure that they are effective for their purposes.

Secondly, the AEPD concluded that Vodafone is undoubtedly a controller, as they determine the purposes and means of the data processing that Xfera carries out on their behalf.

In this regard, the AEPD remarked that the data controller must have absolute control over the data processing operations carried out by the processor. It must not only check beforehand the organisational and technical means that the processor has implemented, but also carry out the necessary subsequent audits to guarantee that the rights and freedoms of data subjects are respected in the processing operations carried out in the name and on behalf of the controller. Thus, it is a continuous obligation that remains in force for the whole duration of the agreement and the data processing.

Vodafone is therefore, as a controller, responsible for ensuring that the processing activities carried out by Xfera, the processor, comply with the GDPR. In this regard, the AEPD also noted the principle of accountability and proactive responsibility under Article 5(2) GDPR. Such accountability applies to any data processing that is carried out in the interest of the controller, regardless of whether it is materially carried out by the controller or by a processor.

Hence, the DPA concluded that there had been a violation of Article 28 GDPR due to the lack of diligence of Vodafone in ensuring that the processor they contracted with had implemented and continued to implement appropriate technical and organisational measures to ensure compliance with the GDPR.

Because of this, the AEPD fined Vodafone €100,000.

In order to assess the amount of the fine, the DPA took into account:

  • The relation between the controller's business activities and the processing of the data.
  • The size of the company: over 4000 employees and €1600 billion turnover.
  • The lack of adequate measures.
  • The existence of more than 50 previous sanctioning proceedings against the same controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure No.: PS / 00030/2021

               RESOLUTION OF SANCTIONING PROCEDURE


In the procedure conducted by the Spanish Data Protection Agency, and based
on the following

                                  BACKGROUND


FIRST: A.A.A. (hereinafter the claimant) filed a claim with the Spanish Data
Protection Agency (hereinafter AEPD) after receiving, on *** DATE.1 at
11:34 am, a commercial call on behalf of “Vodafone España, S.A.U.”, with CIF
A80907397 (hereinafter the claimed or VDF), on their telephone line
*** TELEPHONE. 1, which is registered in the Robinson advertising exclusion
list, from the line *** PHONE. 2.

Relevant documentation provided by the claimant:

- 34-second audio file containing the recording of the commercial call
complained of.

- Copy of the invoice (issued by XFERA MÓVILES, S.A.U. with CIF A82528548) for
the telephone line *** TELEPHONE.1, which accredits the claimant's ownership.

- Copy of the certificate of registration in the Robinson List issued on
01/31/2020, in which their phone line *** PHONE. 1 appears as registered
against commercial phone calls since 08/03/2018.

SECOND: In view of the facts reported in the claim and the documents provided
by the claimant, and of the facts and documents of which this Agency had
knowledge, the Subdirectorate General for Data Inspection proceeded to carry
out preliminary investigation actions to clarify the facts in question, by
virtue of the powers of investigation granted to the supervisory authorities
in article 57.1 of Regulation (EU) 2016/679 (General Data Protection
Regulation, hereinafter RGPD), and in accordance with the provisions of Title
VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, on the
Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD).

As a result of the investigative actions carried out, it is verified that the
data controller is the claimed party.

BACKGROUND

Claim entry date: *** DATE. 2.


Claimant: A.A.A.
Claimed: VODAFONE ESPAÑA, S.A.U.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/24









On 04/15/2020, under entry record 014582/2020, associated with procedure
E / 02271/2020, the AEPD verified allegations from the claimed party in which
it stated that it had no record in its database of the number
*** TELEPHONE. 2 being associated with its collaborators who make
customer-acquisition calls on its behalf. In that same submission, the claimed
party stated that the claimant had been recorded in the corresponding Robinson
List since 08/03/2018. In addition, the claimed party reports having included
the claimant's telephone line *** PHONE. 1 in its entity's internal Robinson
list as a result of the transfer of the claim, so that it is now recorded as
registered in it. The claimed party stated that it had not contacted the
claimant to notify them of the steps taken because it did not have their
contact data.

INVESTIGATED ENTITIES

As stated in the Diligence, incorporated in the associated Investigation File

(E / 09385/2020) on 11/25/2020, the telephone line with number *** TELEPHONE. 2
was operated by SEWAN COMUNICACIONES, as recorded in the Records of
Numbering and Telecommunications Operators of the National Commission of the
Markets and Competition (hereinafter, CNMC).

Consequently, during these proceedings the following has been investigated

entity:

SEWAN COMUNICACIONES, S.L.U. (hereinafter, the investigated # 1), with CIF
B73619215 and address at *** ADDRESS.1 (MADRID).

Likewise, in the course of the preliminary investigation actions, it was established

the need to proceed to investigate also the following entity:

VAMAVI PHONE, S.L. (hereinafter, the investigated # 2), with CIF B87914446 and address
at *** ADDRESS.2, *** LOCALITY.1 (MADRID).

RESULT OF RESEARCH ACTIONS


     • The claimant's telecommunications operator, XFERA MÓVILES, S.A.U.,
       confirms receipt at the number *** PHONE. 1 (owned by the claimant)
       of the call made from the line *** PHONE. 2, on *** DATE.1 at
       11:34:50. This originating line appears to it as incoming through the
       interconnection platform operated by the investigated # 1.

     • The investigated # 1 claims to be a telecommunications operator that
       provides telephone services to customers, end users and resellers. The
       investigated # 1 provides a copy of the CNMC public registry of
       operators in which it is identified as such.

     • The investigated # 1 identifies the investigated # 2 as its client who
       owned the telephone line *** TELEPHONE.2 on *** DATE.1 at 11:34:50,
       specifically since October 2, 2019. The investigated # 1 alleges that
       it did not make the call and has no contract or any connection with
       the claimed party to advertise its commercial services.

     • The investigated # 1 confirms that the call from the telephone line
       *** PHONE. 2 to line *** PHONE. 1 (owned by the claimant) took place
       on *** DATE.1 at around 11:34 a.m. and lasted 39 seconds. The
       investigated # 1 provides a copy of the invoice for the month of
       January 2020 issued to the investigated # 2, as its client and holder
       of the telephone line *** TELEPHONE. 2, in which said telephone call
       is reflected.

     • The investigated # 2 confirms making a commercial call on *** DATE 1
       at 11:34 a.m. to offer commercial services in the name and on behalf
       of the claimed party, to the claimant's phone line *** TELEPHONE.1
       from line *** TELEPHONE.2 (which it owns).

     • The investigated # 2 states that the acquisition of clients for the
       claimed party through commercial telephone calls took place in the
       segment of individuals, self-employed persons and micro-businesses.

     • The investigated # 2 alleges that it holds no files relating to the
       owners of the telephone lines it called commercially, because it
       generated lists of random numbers from the list of valid numbering
       ranges published by the CNMC, in accordance with the instructions of
       the claimed party under the contract. The investigated # 2 provides a
       copy of the list of telephone numbering ranges allegedly taken from
       the CNMC.

     • The investigated # 2 states that it has access to the Robinson List,
       against which it performs filtering to avoid numbers that have
       objected to commercial calls, and adds that it recognizes the
       claimant's phone line *** PHONE. 1 as included in said list. After
       identifying the claimant's number involved in the commercial call,
       the investigated # 2 alleges that [sic]: “(…) so it seems that it is
       a specific error in our filtering system.”

THIRD: On January 27, 2021, the Director of the Spanish Data Protection
Agency agreed to initiate a sanctioning procedure against the claimed party
(VDF) for the alleged violation of Article 28 of the RGPD, typified in
Article 83.4 of the GDPR.

FOURTH: The person in charge has not requested the practice of tests or the sending of the
documentation in the file.


FIFTH: In relation to the allegations made by the person in charge after the agreement
Initially, they are answered in the Law Foundation II (FDII).

SIXTH: On March 5, 2021, a resolution proposal was formulated, in the
following terms:



 <That the Director of the Spanish Data Protection Agency sanctions
VODAFONE ESPAÑA, S.A.U., with CIF A80907397, for a violation of Article 28
in relation to art. 24 both of the RGPD, typified in Article 83.4 of the RGPD and

according to art. 83.2, with a fine of 100,000 euros (one hundred thousand euros)>.

SEVENTH: It is established that the investigated # 2 (Vamavi) has direct
access to VDF by means of an access code, in order to register contracted
services, in its capacity as a direct VDF distributor, since September 2019.


EIGHTH: On 03/23/2021, VDF presented allegations to the Proposal for
Resolution, in summary, in the following terms:

1. VDF is not responsible for the treatments carried out by its "collaborators ...
   that use their own databases in the development of their own activity ”.


2. The AEPD has investigated the calling numbering and has concluded that it
   is owned by the Vamavi entity, an entity that has acknowledged having carried out
   the call to the claimant to promote VDF services. This entity has
   identified before the Agency as a subagent of Solivesa.


From the actions carried out in this procedure and the documentation in the
file, the following have been established:

                                PROVEN FACTS


FIRST: The claimed party (VDF) is the controller of the personal data
processing carried out by its processor entities, among which is the
investigated # 2, being the one that defines the purposes and means, with the
processors acting in the name and on behalf of VDF.


SECOND: The claimed party (VDF) contracted with the investigated # 2, as
processor, which made a commercial call to the claimant on *** DATE. 1 at
11:34, lasting 39 seconds, to their line number *** TELEPHONE.1 from line
*** TELEPHONE.2, offering VDF services.

THIRD: It is established that VDF had knowledge of the events now analyzed and
of the claimant's data on 03/11/2020 (16:03:36, according to the support of
the electronic notifications and certified email address). The transfer of the
claim contained the complete contact details of the claimant. However, VDF
alleges that it did not communicate with the claimant because it did not have
their data.


FOURTH: The claimant's line *** TELEPHONE 1 had been registered in ADigital's
Robinson advertising exclusion list since 08/03/2018.

FIFTH: In the data processing contract entered into between VDF and the
investigated # 2, dated 09/19/2017, and in the annexes II, III and IV
provided, which are headed with express reference to the investigated # 2 as
"in charge of the treatment", there are no instructions on how to carry out
the mandatory cross-checking of data in order to eliminate the lines
registered in ADigital's Robinson advertising exclusion list. In this regard,
VDF alleges that there is “no instruction to VDF regarding the treatment of
said data” (sic).

SIXTH: Nor is there any record of VDF monitoring and following up the
execution of the processing contract from its inception to the end of the
processing of personal data commissioned for advertising actions, including
the subcontracting to third parties of VDF promotional services. Until the
beginning of this proceeding, the claimed party was not aware that the
claimant's telephone number was included in Adigital's Robinson advertising
exclusion list, and took no action with respect to the investigated # 2 to
prevent the commercial call made on its behalf by the investigated # 2.


SEVENTH: Exhibit VI of the aforementioned contract states that the scope of
this service provision contract is the promotion of services in the name and
on behalf of VDF.


The second clause states: “The purpose of this contract is the commercial
promotion, in person, of the VODAFONE Services in the geographic area
communicated by VODAFONE to the COLLABORATOR (hereinafter, "Sales Area") so
that they are contracted by Clients and consumed on a recurring and
consolidated basis. Exceptionally, the COLLABORATOR may carry out its activity
by making phone calls when VODAFONE expressly authorizes it; this
authorization may be limited in time or scope to specific promotions /
campaigns”.

The fourth clause states: "In the Sales Areas in which the COLLABORATOR
develop their activity for VODAFONE, the COLLABORATOR may not, directly or
indirectly, promote the commercialization of services of other operators,

companies or professionals that intervene in the market in which it operates
VODAFONE, with or without its own network, that concur or compete directly or indirectly
with the Services provided by VODAFONE, regardless of the technology
used by the aforementioned operators, companies or professionals, having to develop
their professional activity in this field exclusively on behalf of and on behalf of
VODAFONE ”.


The fifth clause states:

“5.2 At the beginning of the validity of this contract, the EMPLOYEE has the
third party collaborators listed in Annex II of this contract. (consists
investigated # 2 as in charge of the treatment)


5.3. The COLLABORATOR must expressly communicate to VODAFONE the new
incorporations of third-party collaborators that must be expressly
authorized by VODAFONE in accordance with clause 6.1. Also, the
COLLABORATOR must send VODAFONE quarterly the list of

third-party collaborators with whom it has at that time ”.

EIGHTH: Section 6 of Annex IV of the aforementioned contract states the following:

<USE OF SUB-MANAGER OF TREATMENTS

6.1. The Treatment Manager will not subcontract or outsource any Treatment
of Personal Data to any other person or entity, including the Entities of the

Group of the Person in Charge of Treatment ("Sub-person in charge of Treatment") unless and
until:

6.1.1. The Treatment Manager has notified Vodafone by notification
formal in writing the full name and registered office or main headquarters of the
Deputy in Charge of Treatment by completing Annex 1.


6.1.2. The Data Controller has notified Vodafone of any change that
Annex 1 is required to be made in accordance with this Clause 6.

6.1.3. The Data Controller has provided Vodafone with the details

(including categories) of the Treatment to be carried out by the Assistant Manager of
Treatment in relation to the Services provided;

6.1.4. Treatment Manager has signed an agreement with said Sub-Manager
Treatment that, in no case, may be less demanding than what is contained in
this Agreement;


6.1.5. The Treatment Manager must send Vodafone a certificate or
Responsible statement in which you state that you have signed with your Sub-processors
the corresponding contracts regarding data protection and processing
personal in which all the obligations required by VODAFONE are transferred

in accordance with the provisions of VODAFONE in clause 13 of the contract and in the
clause 6.1.4. of this Annex, reserving the right VODAFONE to request
evidence of compliance at any time;

6.1.6. Vodafone has not substantiated its opposition to outsourcing or

outsourcing within ten (10) business days after receipt of the
written notification of the Treatment Manager established in Clause 6.1.1,
including the information established in Clause 6.1.3; and

6.2. In all cases, the Treatment Manager will be responsible to Vodafone
of any act or omission made by the Sub-Manager of Treatment or any

another third party designated by him as if the acts or omissions had been
carried out by the Person in Charge of Treatment, regardless of whether the
Treatment Manager complied with its obligations specified in Clause
6.1.


6.3. In case of breach of the obligations contained in this Agreement
for the commission of actions carried out by a Deputy in Charge of Treatment, the
Treatment Manager must, if requested by Vodafone, assign the
Vodafone's right to act as it deems necessary for the protection and
safeguards the Personal Data, by virtue of the contract of the Treatment Manager

with the Sub-person in charge of Treatment>.

NINTH: Section 9 of Annex IV of the aforementioned contract states the following:


<9. RIGHT TO AUDIT.

The Treatment Manager will ensure that any Sub-Processor

Treatment allows Vodafone, its clients (including subcontractors, auditors
or other Vodafone agents and their respective customers) and / or the Authorities of
Privacy (each of them an "Audit Party") access their systems
IT and other information systems, records, documents and agreements that
reasonably required by the Audit Party, to verify that the Person in Charge of
Treatment and / or its Deputy Managers of Treatments are complying with their

obligations under this Agreement (or any contract of
subsequent sub-treatment) or any Applicable Privacy Legislation, always
that said review does not imply the review of third party data and that said entity
auditor complies with the confidentiality obligations of the person in charge of
Treatment or with the relevant Sub-Manager of Treatment, respecting the

confidentiality of the commercial interests of the Treatment Manager or
Sub-manager of Treatment and the data and information of third parties of which the
auditing entity can become aware in the course of carrying out the
audit…>

TENTH: It is established that the reference sanctioning procedure PS / 00026/2021

filed against investigated # 2 (Vamavi), was resolved by advance payment and
recognition of the facts (those described in the Second Proven Fact), which
knows the claimed every time it alleges. Also, in the procedure
reference sanctioner PS / 00031/2021 is resolved in the sense of filing the
facts imputed to Solivesa since the twelfth proven fact contains

that Vamavi acted on behalf of and on behalf of VDF as manager of the
treatment in making the now investigated call to the claimant. Consists
that VDF is aware of the foregoing by being credited with the proven fact
twelfth of the resolution of the citato PS / 00031/2021, the following:


<TWELFTH: After the agreement to initiate this sanctioning procedure,
SOLIVESA requested a meeting with the DPD of Vodafone to inform them how
Vamavi had a direct access key from Vodafone to sign up for services
contracted, at which point Vodafone informs SOLIVESA that effectively
Vamavi has a direct key from Vodafone as an authorized distributor since
September 2019.> (underlined is from the AEPD).



                           FOUNDATIONS OF LAW

                                           I

By virtue of the powers that article 58.2 of the RGPD grants to each
supervisory authority, and as established in articles 47 and 48 of the
LOPDGDD, the Director of the Spanish Data Protection Agency is competent to
initiate and to resolve this procedure.


                                           II




In relation to the allegations made by the person in charge after the initiation agreement,
are answered in the following terms:


1R) It should be noted that the object of the claim is not directly the
receipt of an unwanted call, but a call to a line registered in the
advertising exclusion list since 08/03/2018, in violation of the provisions
of art. 23 of the LOPDGDD.

As developed in the Fundamentals of Law, the controller must have absolute
control over the data processing that is the object of the engagement, not
only checking beforehand the organizational and technical means available to
the processor entity, but also carrying out the necessary subsequent audits in
order to guarantee the rights and freedoms of those affected in the processing
carried out in the name and on behalf of the controller.


2R) As indicated in the Fundamentals of Law, the imputation to VDF in the
This sanctioning procedure does not exonerate other entities from liability
involved in the processing of data of responsibility VDF and object of order
to other entities as those in charge, although each one must be responsible for its
conduct contrary to the RGPD, where appropriate, in separate procedures.


3R) In the present case, VDF is the controller of the processing carried out
by its processor entities. The advertising call received by the claimant, who
was included in Adigital's Robinson advertising exclusion list, should have
been avoided by applying effective organizational and technical measures when
contracting the processor(s), and there is no evidence that such measures were
implemented.

4R) VDF alleges that managers must present themselves to potential clients
in her name. Without prejudice to the internal rules of courtesy in the face of a potential
client, it should be noted that the treatment object of analysis is carried out on behalf of and

on behalf of VDF at all times, regardless of the databases that
are used.

5R) Regarding the call routing system through the VDF trunk, it should be
noted that its effectiveness is not established, since in the present case
the correct filtering of calls against Adigital's advertising exclusion list
was neither carried out nor verified.

5, 6 and 7R) In addition, as stated by VDF in other proceedings, said routing
system was supposed to be activated in February 2020, and VDF now claims that
it will not be effective until February 2021, which denotes a serious lack of
diligence regarding the commercial activity carried out by the processors in
the name and on behalf of VDF.

8.1R) As has already been reiterated, regarding the application of the aggravating factor of art 76.1.b)
of the LOPDGDD in relation to art 83.2.k) of the RGPD, its application is evident

since VDF is one of the largest telecommunications operators in the country and
acts as responsible for the data being processed in its campaigns
advertising to attract customers and, in the present case, acting without the diligence
due in the hiring and monitoring of entities in charge.

8.2R) It should be emphasized that VDF is responsible for the treatments object of
analysis in this proceeding, as proven by the proven facts and

It is developed in the Fundamentals of Law.

8.3R) It should be noted that article 83.2.e) of the RGPD indicates as an aggravating factor: “all
infringement… ”, that is, the repetition of conduct contrary to the regulations of
competition the AEPD.


                                            III

In relation to the allegations made by the person in charge after the initiation agreement,
are answered in the following terms:


   1R) VDF is not responsible for the treatments carried out by its "collaborators
   … That use their own databases in the development of their own activity ”.

From the definition of data controller in art. 4.7 of the RGPD, it is
established that VDF is the one that determines the purposes and means of the
processing. In the present case, it is established that Vamavi made the call
to the claimant in the name and on behalf of VDF, as stated in the contract
signed between both entities in September 2019. The following Fundamentals of
Law specify the concepts of controller and processor and the obligations of
each as provided in art. 28 of the GDPR. Consequently, the allegation must be
rejected.


   2R) The AEPD has investigated the calling numbering and has concluded that
   it is owned by the Vamavi entity, an entity that has acknowledged having
   made the call to the claimant to promote VDF services. This entity has
   identified itself before the Agency as a subagent of Solivesa.


As stated in the proven facts of this resolution, the allegation must be
rejected, since it is proven that VDF and Vamavi signed a direct contract (in
September 2019), independent of the one previously signed with Solivesa, for
which reason in the present case Vamavi acted as processor in the name and on
behalf of VDF in making the call to the claimant on January 31, 2020.
Consequently, the making of the commercial call by Vamavi in the name and on
behalf of VDF (controller) on 01/31/2020, when the claimant had been included
in Adigital's Robinson advertising exclusion list since 08/03/2018, is
entirely the responsibility of VDF for not having exercised due diligence in
instructing and ensuring, beforehand and throughout the period of execution of
the contract, that its processor (Vamavi) removed the records included in
Adigital's Robinson advertising exclusion list, as provided by art. 28 of the
RGPD and art. 23 of the LOPDGDD.

                                            IV
Article 24 of the RGPD establishes the following:


<Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of the
processing as well as the risks of varying likelihood and severity for the
rights and freedoms of natural persons, the controller shall implement
appropriate technical and organizational measures in order to guarantee and be
able to demonstrate that the processing is in accordance with this Regulation.
These measures shall be reviewed and updated when necessary.

2. Where proportionate in relation to the processing activities, the measures
mentioned in section 1 shall include the application, by the controller, of
the appropriate data protection policies.

3. Adherence to codes of conduct approved pursuant to article 40 or to a
certification mechanism approved under article 42 may be used as elements to
demonstrate compliance with the obligations by the controller.>

Report 0064/2020 of the Legal Office of the AEPD has emphatically expressed
that “The RGPD has meant a paradigm shift when addressing the regulation of the
right to the protection of personal data, which is based on the
principle of "accountability" or "proactive responsibility" as stated

repeatedly the AEPD (Report 17/2019, among many others) and is included in the
Statement of reasons for Organic Law 3/2018, of December 5, on the Protection of
Personal Data and guarantee of digital rights (LOPDGDD) ”.

The aforementioned report continues that “… the criteria on how to attribute the different

roles remain the same (section 11), reiterates that these are concepts
functional, which aim to assign responsibilities according to the roles
of the parties (section 12), which implies that in most cases
should be addressed to the circumstances of the specific case (case by case) according to
their actual activities rather than the formal designation of an actor as

"responsible" or "manager" (for example, in a contract), as well as concepts
self-employed, whose interpretation must be carried out under the protection of European regulations
on the protection of personal data (section 13), and taking into account (section
24) that the need for a factual assessment also means that the role of a
responsible for the treatment does not derive from the nature of an entity that is
processing data but of their specific activities in a specific context… ”.


The concepts of controller and processor are not formal, but
functional and must attend to the specific case. The designation by VDF of
"Responsible for the treatment" to its collaborators, does not automatically grant them
such condition.


The controller is such from the moment it decides the purposes and means of
the processing, and does not lose this status by leaving a certain margin of
action to the processor or by not having access to the processor's databases.

This is unequivocally expressed in the Guidelines 07/2020 of the European
Committee on Data Protection (CEPD) on the concepts of data controller and
processor in the RGPD -the translation is ours-, “A data controller is the one
who determines the purposes and means of the processing, that is, the why and
the how of the processing. The controller must decide on both purposes and
means. However, some more practical aspects of the implementation
("non-essential means") can be left to the processor. It is not necessary for
the controller to actually have access to the data that is being processed to
qualify as controller”.

In the present case, it is established that VDF is the controller of the processing
now analysed (the call to the claimant on *** DATE.1, made by Vamavi in its capacity
as processor in the name and on behalf of VDF), since, as defined in Article 4.7
GDPR, it is the entity that determines the purpose and means of the processing
carried out in the processor's direct marketing actions. Therefore, in its capacity
as controller, it is obliged to comply with the provisions of Article 24 GDPR,
transcribed above, and especially as regards the effective and continuous control
of the “appropriate technical and organisational measures to ensure and to be able
to demonstrate that processing is performed in accordance with this Regulation”,
among which are those provided for in Article 28 GDPR in relation to the processors
that act in the name and on behalf of VDF.

In this regard, and in relation to VDF's allegation in its written submissions that
the entities which carry out processing on behalf of VDF and which, therefore, have
their own files act not as processors but as controllers of that processing, it
should be noted that Guidelines 07/2020 of the European Data Protection Board (EDPB)
on the concepts of controller and processor in the GDPR (the translation is ours)
state: “42. It is not necessary for the controller to actually have access to the
data being processed. Whoever outsources a processing activity and, in doing so, has
a determining influence on the purpose and (essential) means of the processing (for
example, by adjusting the parameters of a service in such a way that it influences
whose personal data will be processed) should be considered a controller even though
it will never have actual access to the data”. It should be recalled that VDF
determines who can be called, since calls cannot be made to those who are already
customers of the company, as well as the filtering against advertising exclusion
lists (Robinson ADigital) or whatever applies with respect to the exercise of the
right to object (internal Robinson).


Likewise, following the legal report of the AEPD dated 11/20/2019, with internal
reference 0007/2019, and STS 1562/2020 (for all), we must point out that the legal
figure of the controller is analysed from the perspective of the GDPR, which
regulates it exclusively.


                                          V
Article 28 of the RGPD establishes the following:

Processor

<1. Where processing is to be carried out on behalf of a controller, the controller
shall choose only a processor that offers sufficient guarantees to apply appropriate
technical and organisational measures, so that the processing complies with the
requirements of this Regulation and guarantees the protection of the rights of the
data subject.


2. The processor shall not engage another processor without the prior written
authorisation, specific or general, of the controller. In the latter case, the
processor shall inform the controller of any intended change concerning the addition
or replacement of other processors, thus giving the controller the opportunity to
object to such changes.


3. Processing by the processor shall be governed by a contract or other legal act
under Union or Member State law that binds the processor with regard to the
controller and sets out the subject-matter, duration, nature and purpose of the
processing, the type of personal data and categories of data subjects, and the
obligations and rights of the controller. That contract or legal act shall
stipulate, in particular, that the processor:

a) shall process personal data only on documented instructions from the controller,
including with regard to transfers of personal data to a third country or an
international organisation, unless it is required to do so by Union or Member State
law that applies to the processor; in such a case, the processor shall inform the
controller of that legal requirement before processing, unless that law prohibits it
on important grounds of public interest;

b) shall ensure that the persons authorised to process personal data have committed
themselves to confidentiality or are subject to a statutory obligation of
confidentiality;

c) shall take all measures required pursuant to Article 32;

d) shall respect the conditions referred to in paragraphs 2 and 4 for engaging
another processor;

e) shall assist the controller, taking into account the nature of the processing,
through appropriate technical and organisational measures, whenever possible, so
that the controller can fulfil its obligation to respond to requests for the
exercise of the data subjects' rights laid down in Chapter III;

f) shall help the controller to ensure compliance with the obligations laid down in
Articles 32 to 36, taking into account the nature of the processing and the
information available to the processor;

g) at the choice of the controller, shall delete or return all personal data once
the provision of the processing services ends, and shall delete existing copies
unless storage of the personal data is required under Union or Member State law;

h) shall make available to the controller all the information necessary to
demonstrate compliance with the obligations laid down in this Article, and shall
allow for and contribute to audits, including inspections, conducted by the
controller or another auditor authorised by the controller.

In relation to letter h) of the first subparagraph, the processor shall immediately
inform the controller if, in its opinion, an instruction infringes this Regulation
or other Union or Member State data protection provisions.

4. Where a processor engages another processor to carry out specific processing
activities on behalf of the controller, the same data protection obligations as
those stipulated in the contract or other legal act between the controller and the
processor referred to in paragraph 3 shall be imposed on that other processor, by
means of a contract or other legal act under Union or Member State law, in
particular the provision of sufficient guarantees to apply appropriate technical and
organisational measures so that the processing complies with the provisions of this
Regulation. If that other processor fails to fulfil its data protection obligations,
the initial processor shall remain fully liable to the controller for the
performance of the other processor's obligations.


5. Adherence of the processor to a code of conduct approved pursuant to Article 40
or to a certification mechanism approved pursuant to Article 42 may be used as an
element to demonstrate the existence of the sufficient guarantees referred to in
paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the
processor, the contract or other legal act referred to in paragraphs 3 and 4 of this
Article may be based, in whole or in part, on the standard contractual clauses
referred to in paragraphs 7 and 8 of this Article, including when they are part of a
certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred
to in paragraphs 3 and 4 of this Article, in accordance with the examination
procedure referred to in Article 93, paragraph 2.

8. A supervisory authority may adopt standard contractual clauses for the matters
referred to in paragraphs 3 and 4 of this Article, in accordance with the
consistency mechanism referred to in Article 63.

9. The contract or other legal act referred to in paragraphs 3 and 4 shall be in
writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this
Regulation by determining the purposes and means of the processing, it shall be
considered a controller in respect of that processing>



The definition of 'processor' includes a wide range of actors, whether natural or
legal persons, public authorities, agencies or other bodies.

The existence of a processor depends on a decision taken by the controller (VDF),
which may decide to carry out certain processing operations itself or to contract
out all or part of the processing to a processor.

The essence of the role of "processor" is that personal data are processed in the
name and on behalf of the controller. In practice, it is the controller who
determines the purpose and the means, at least the essential ones, while the
processor has the function of providing services to the controller. In other words,
"acting in the name and on behalf of the controller" means that the processor serves
the controller's interest in carrying out a specific task and, therefore, follows
the instructions established by the controller, at least with regard to the purpose
and the essential means of the processing entrusted.

Article 28, paragraph 1, of the GDPR establishes that “Where processing is to be
carried out on behalf of a controller, the controller shall choose only a processor
that offers sufficient guarantees to apply appropriate technical and organisational
measures, so that the processing complies with the requirements of this Regulation
and guarantees the protection of the rights of the data subject".

The obligation provided for in Article 28.1 GDPR (to select a processor that offers
sufficient guarantees to ensure the application of the Regulation and the rights and
freedoms of the data subject) is not exhausted in the action prior to the selection
and hiring of the processor. It obliges the controller to assess at all times,
throughout the performance of the contract, whether the guarantees (technical or
organisational) offered by the processor are sufficient to guarantee the rights and
freedoms of data subjects.

Guidelines 07/2020 of the European Data Protection Board (EDPB) on the concepts of
controller and processor in the GDPR (the translation is ours) state unequivocally
that “97. The obligation to use only processors "providing sufficient guarantees"
contained in Article 28(1) of the GDPR is a continuous obligation. It does not end
at the moment the controller and the processor conclude a contract or other legal
act. Rather, the controller should, at appropriate intervals, verify the processor's
guarantees, including through audits and inspections where appropriate”.

And this is because it is the controller who has the obligation to guarantee the
application of data protection legislation and the protection of the rights of data
subjects, as well as to be able to demonstrate it (Articles 5.2, 24, 28 and 32 of
the GDPR). Control of compliance with the law extends throughout the processing,
from start to finish. The controller must act, in any case, diligently, consciously,
with commitment and actively.

This mandate of the legislator applies regardless of whether the processing is
carried out directly by the controller or through a processor. Where the law does
not distinguish, neither may we.

In addition, processing carried out materially by a processor on behalf of the
controller belongs to the sphere of action of the latter, in the same way as if the
controller carried it out directly. The processor, in the case examined, is an
extension of the controller.

The controller has the obligation to integrate and deploy data protection
throughout its organisation, in all its areas. It must be borne in mind that,
ultimately, the determining purpose is to guarantee the protection of the data
subject.

To interpret it in the opposite sense (that the obligations which Article 28 GDPR
imposes on the controller are limited to verifying the processor's capabilities ab
initio and to signing the processor contract) would not only contravene the
legislation in force, constituting a clearly fraudulent action, but would also
violate the spirit and purpose of the GDPR.

In light of the principle of accountability (Article 5.2 GDPR), the controller must
be able to demonstrate that it has taken into account all the elements provided for
in the GDPR. In the present case, VDF has disregarded the contracting carried out by
the processor in respect of the processing initially entrusted.

The controller must take into account whether the processor provides adequate
documentation demonstrating such compliance: privacy protection, file management
policies, information security policies, external audit reports, certifications,
management of the exercise of rights, etc.

The controller must also take into account the processor's specialised technical
knowledge, reliability and resources. Only if the controller can demonstrate
(principle of accountability of Article 5.2 GDPR) that the processor is suitable
throughout the entire processing phase (at all times) to carry out the task
entrusted may it enter into a binding agreement that meets the requirements of
Article 28 GDPR, without prejudice to the fact that the controller must continue to
comply with the principle of accountability and periodically check the processor's
compliance and the measures in use. Before outsourcing processing, and in order to
avoid possible violations of the rights and freedoms of those affected, the
controller must conclude a contract, other legal act or binding agreement with the
other entity that establishes clear and precise data protection obligations (in this
case there is a contract of September 2019 with Vamavi).

The processor may only carry out processing on documented instructions from the
controller, unless it is required to do so by Union or Member State law, which is
not the case here. The processor also has the obligation to cooperate with the
controller in guaranteeing the rights of data subjects and in complying with the
controller's obligations in accordance with the aforementioned Article 28 GDPR (and
related provisions).

Therefore, it is stressed that the controller must establish clear arrangements for
such assistance and give the processor precise instructions on how to comply with
them properly, document this beforehand through a contract or other (binding)
agreement, and check at every moment during the performance of the contract that it
is being complied with in the manner established in it.

However, despite the obligations of the processor, Article 28 GDPR seems to suggest
that the processor's liability remains limited compared with that of the controller.
In other words, although controllers may, in principle, be liable for damage arising
from any infringement related to the processing of personal data (including those
committed by the processor) or from breach of the contract or other (binding)
agreement, processors may be held liable when they have acted outside the mandate
granted by the controller, or have not complied with their own obligations under the
contract or the GDPR. In these cases, the processor may be held fully or partially
liable for the "part" of the processing operation in which it participates. The
processor will only be fully liable when it is fully responsible for the damage
caused to the rights and freedoms of those affected; all of this without excluding
the liability incurred by the controller in order to avoid them.

In the present case, and in accordance with the content of the signed contract,
investigated party #2 acts as a processor since, according to the definition, it
acts fully in the name and on behalf of the controller (VDF) for all data protection
purposes. Suffice it to cite the content of the already mentioned STS 1562/2020 (for
all), which states the following:

<< In this regard, the Judgment of the Supreme Court of June 5, 2004, which confirms,
on appeal for Unification of Doctrine, that of this AN of October 16, 2003, echoing
what was argued by this Chamber, refers to the differentiation between two
controllers depending on whether the decision-making power is directed at the file or
at the data processing. Thus, the controller of the file is whoever decides on the
creation of the file and its application, and also its purpose, content and use,
that is, whoever has decision-making capacity over all the data registered in that
file.

The controller of the processing, however, is the subject to whom decisions about
the specific activities of a given data processing operation, that is, about a
specific application, are attributable. This would cover all those cases in which
the power of decision must be differentiated from the material performance of the
activity that makes up the processing.



With this, as the STS of April 26, 2005 also argues (appeal for unification of
doctrine 217/2004), the Spanish legislator intends to adapt to the requirements of
Directive 95/46/EC, which aims to provide a legal response to the increasingly
frequent phenomenon of the so-called outsourcing of IT services, in which multiple
operators are involved, many of them insolvent, created with the aim of securing
impunity or non-liability for those that follow in the next links of the chain.

Currently, the new Regulation (EU) 2016/679 of the European Parliament and of the
Council of April 27, 2016, on the protection of natural persons with regard to the
processing of personal data (repealing Directive 95/46/EC, and directly applicable
as of May 25, 2018) also distinguishes between the figures of the controller and the
processor. The first is defined in paragraph 7) of Article 4 as the "natural or
legal person (...) that determines the purposes and means of the processing", and
the processor in paragraph 8) of the same Article 4 as the one that "processes
personal data on behalf of the controller".

This in relation to Articles 24 and 28 of the same European Data Protection
Regulation. Controller and processor who, without any doubt, are also liable for
data protection infringements in this new regulatory framework, in accordance with
Article 82.2 of the repeatedly cited Regulation (EU) 2016/679, which provides: «Any
controller involved in the processing operation shall be liable for the damage
caused where that operation does not comply with the provisions of this Regulation.
A processor shall be liable for the damage caused by the processing only where it
has not complied with the obligations of this Regulation specifically directed to
processors or where it has acted outside or contrary to the lawful instructions of
the controller».


It follows from all the above that the involvement, in the present case, of a
processor, ZZZZ, in no way exempts the entity XXXX, now the appellant, from
liability, and this despite the forcefulness of the clauses that appear in the
contract and its annex signed by both companies (proven facts 9 and 10), insofar as
the personal data were processed for the purpose of carrying out an advertising
campaign for the car and motorcycle insurance marketed by (XXXX), ultimately for the
benefit of XXXX, that plaintiff being the one that ultimately determines the
purposes and means of the data processing in question, so that it cannot be
exonerated from liability. >>
The STS continues, in relation to the possible exoneration from liability alleged on
the basis of what was agreed in the "processor" contract, as follows:


<< The sanctioned conduct, XXXX's obstruction or impediment of its customer's
exercise of the right to object to the processing of his data, is manifested in the
fact that the company did not adopt any kind of measure or precaution to prevent
advertising being sent to its customer's email addresses by the companies to which
it entrusted the advertising campaigns.

The adoption of the measures or precautions necessary to ensure the effectiveness of
the right to object to the processing of his data by XXXX, as controller of the
file, remains required even if the advertising campaigns are not carried out using
the data in its own files but with databases of other companies hired by XXXX, and
in this case it was proven that the appellant did not communicate to the companies
with which it contracted the advertising the complainant's opposition to receiving
advertising from the Mutual, nor, in short, did it take any step to ensure the
exclusion of its customer from the advertising mailings contracted with third
parties >> and, as in the present case, the line called turned out to be included in
the advertising exclusion lists from 08/03/2018.


Consequently, it must be concluded that, for the processing analysed in the
background facts, in its various forms, the controller is Vodafone España, S.A.U.
(VDF), with the other entity that acts in the name and on behalf of and for the
benefit of VDF (Vamavi) acting as processor.

From the documentation in the file mentioned in this resolution, from the
information collected by the Inspection of this AEPD and from VDF's own acts and
statements, it is established that VDF, as controller of the processing entrusted,
failed to exercise effective and continuous control over the measures provided for
in Article 28 GDPR, transcribed above.

In this regard, it should be added that the obligation provided for in Article
28.3.h) GDPR, by using at its beginning the imperative term "will make available"
with reference to the processor, obliges the controller to "demand" from the
processor "compliance with the obligations established in this article, as well as
to allow and contribute to the conduct of audits, including inspections, by the
controller or another auditor authorised by that controller."

Thus, it is established that the processors (and, where applicable, successive
sub-processors) acting in the name and on behalf of VDF do not offer sufficient
guarantees to apply appropriate technical and organisational measures to the
processing commissioned by VDF. Nor has VDF duly documented the tasks entrusted to
those who carry out the processing in the name and on behalf of the controller
(VDF).

VDF, as controller, does not know under what conditions it hires a processor to act
on its behalf and under its specific instructions (which do not exist as regards
cross-checking and excluding called lines previously included in Robinson ADigital),
and accepts this conduct under those conditions and without qualms, even though it
is aware of this anomaly.

Nothing appears in the relationship between VDF and the processors regarding the
requirements listed in the aforementioned Article 28.3 which, in summary, consist of
the controller (VDF) defining in advance the subject-matter, duration, nature,
purpose, types of data, categories, obligations and rights of the interested
parties, and mandatory powers of continuous control, etc. Only on specific occasions
does it cite having informally communicated one or other specific guidelines for
action, without this implying any effective control by VDF over the processing
entrusted on its behalf and in its name.

Therefore, non-compliance with data protection legislation must also be imputed, and
in the first place, to the controller (VDF) for not acting clearly, actively and
effectively in stipulating and enforcing the specifications needed for the
processing entrusted in its name to be carried out properly over time.

The foregoing is without prejudice to the liabilities incurred by the processor and
sub-processor entities, which must be settled in other proceedings, which to date
have already been resolved.

Consequently, there is no evidence that VDF carried out continuous monitoring
throughout the entire cycle of execution of the processing ordered, despite the
numerous known complaints and ongoing investigations carried out by the AEPD, of
which VDF has full knowledge.

                                           VI
Art 23 LOPDGDD.

Article 23. Advertising exclusion systems.


<< 1. The processing of personal data that is intended to prevent the sending of
commercial communications to those who have expressed their refusal or opposition to
receiving them shall be lawful. For this purpose, information systems, general or
sectoral, may be created, in which only the data essential to identify those
affected will be included. These systems may also include preference services, by
which those affected limit the reception of commercial communications to those from
certain companies.

2. The entities responsible for the advertising exclusion systems shall notify the
competent supervisory authority of their creation, their general or sectoral nature,
and the way in which those affected can join them and, where appropriate, assert
their preferences. The competent supervisory authority shall publish on its
electronic office a list of the systems of this nature that have been communicated
to it, incorporating the information mentioned in the previous paragraph. To that
end, the competent supervisory authority to which the creation of the system has
been communicated shall inform the other supervisory authorities so that all of them
can publish it.

3. When an affected party informs a controller that he or she does not wish his or
her data to be processed for sending commercial communications, the controller must
inform him or her of the existing advertising exclusion systems, and may refer to
the information published by the competent supervisory authority.

4. Those who intend to make direct marketing communications must first consult the
advertising exclusion systems that could affect their action, excluding from the
processing the data of those affected who have expressed their opposition or refusal
to it. For these purposes, to consider the above obligation fulfilled, it will
suffice to consult the exclusion systems included in the list published by the
competent supervisory authority.

It will not be necessary to carry out the consultation referred to in the previous
paragraph when the affected party has given, in accordance with the provisions of
this organic law, his or her consent to receive the communication to whoever intends
to make it. >>

                                           VII
In the event of an infringement of the provisions of the GDPR, among the corrective
powers available to the Spanish Data Protection Agency as supervisory authority,
Article 58.2 of that Regulation provides for the following:

“2. Each supervisory authority shall have all of the following corrective powers:
(…)

b) to sanction any controller or processor with a warning where processing
operations have infringed the provisions of this Regulation;

i) to impose an administrative fine pursuant to Article 83, in addition to or
instead of the measures mentioned in this paragraph, depending on the circumstances
of each particular case;”.

                                           VIII
Therefore, with VDF being the controller of the processing carried out in its name
and on its behalf, and in accordance with the evidence available at the present
time, it is considered that the facts set out fail to comply with the provisions of
Article 28, with the scope expressed in the preceding Legal Grounds, and constitute
an infringement classified in Article 83.4.a) GDPR, which under the heading "General
conditions for imposing administrative fines" provides the following:

Article 83.4.a) GDPR establishes the following:

<4. Infringements of the following provisions shall be sanctioned, in accordance
with paragraph 2, with administrative fines of up to EUR 10 000 000 or, in the case
of a company, an amount equivalent to a maximum of 2% of the total worldwide annual
turnover of the previous financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to Articles 8, 11,
25 to 39, 42 and 43; …>.

Article 71 of the LOPDGDD. Infringements.

The acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of
Regulation (EU) 2016/679, as well as those contrary to this organic law, constitute
infringements.

Article 73 section p) of the LOPDGDD, establishes the following:

<Infringements considered serious. Based on the provisions of Article 83.4 of
Regulation (EU) 2016/679, infringements that involve a substantial violation of the
articles mentioned therein are considered serious and shall be time-barred after two
years, in particular the following:

p) The processing of personal data without carrying out a prior assessment of the
elements mentioned in article 28 of this organic law.>

In accordance with the evidence available, the facts constitute an infringement of
Article 28 in relation to Article 24 GDPR, an infringement classified in Article
83.4.a) of that Regulation and considered serious for limitation purposes under
Article 73, section p), of the LOPDGDD.


                                           IX
In the present case, the respondent, as the controller of the personal data
processing now at issue, has not shown that it fulfilled its obligations or
exercised the due diligence required of it under Articles 28 and 24 GDPR in the
continuous and permanent monitoring and control, throughout the entire processing
cycle, of the services commissioned from the processor (Vamavi), which has led to
the violation of the rights and freedoms of the claimant.

                                           X
In order to determine the administrative fine to be imposed, the provisions of
articles 83.1 and 83.2 of the RGPD must be observed, provisions that state:

"1. Each supervisory authority will guarantee that the imposition of
administrative fines under this article for the infractions of this
Regulation indicated in paragraphs 4, 9 and 6 is in each individual case
effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an
administrative fine and its amount in each individual case, the following will be
duly taken into account:

a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
as the number of interested parties affected and the level of damages that
they have suffered;


b) intentionality or negligence in the infringement;

h) the way in which the supervisory authority learned of the infringement, in
particular if the controller or the processor notified the infringement and, if so,
to what extent;




k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.


For its part, in relation to article 83.2.k) RGPD, article 76 "Sanctions and
corrective measures" of the LOPDGDD provides:

<1. The penalties provided for in sections 4, 5 and 6 of article 83 of Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:


a) The continuing nature of the offense.
b) The link between the activity of the offender and the processing of
personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have induced the commission
of the offense.
e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The submission by the controller or processor, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between them and any interested party.

3. The adoption, when appropriate, of the remaining corrective measures referred
to in article 83.2 of Regulation (EU) 2016/679 will be possible, on a
complementary or alternative basis.

4. The information that
identifies the offender, the offense committed and the amount of the penalty imposed
when the competent authority is the Spanish Data Protection Agency, the
penalty exceeds one million euros and the offender is a legal person.

When the competent authority to impose the sanction is an autonomous-community
data protection authority, its applicable regulations will apply>.

In accordance with the transcribed precepts, and as derived from the investigation
of the procedure, for the purpose of setting the amount of the penalty for
infringement of article 28 of the RGPD to be imposed on VDF as responsible for the
aforementioned offense typified in article 83.4.a) of the RGPD, the fine to be
imposed must be graduated as follows:

Infringement for breach of the provisions of article 28 in relation to article 24
of the RGPD, typified in article 83.4.a) and classified as serious for the purposes
of prescription in article 73, section p) of the LOPDGDD:

The following graduation criteria are considered concurrent aggravating factors,
according to Article 83.2 of the RGPD and 76 of the LOPDGDD:

Art. 76.1.b) LOPDGDD. The high link between the offender's activity and the
processing of personal data. It is known that VDF is an
entity with more than fifteen million customers whose personal data is processed
systematically in the exercise of its powers as one of the main
telecommunications operators.

Art. 83.1 and 83.2.k) RGPD. The status of the responsible entity as a large company
and its business volume (according to the audited annual accounts report
corresponding to the period from March 2018 to March 2019, more than 1,600 million
euros of business and more than 4,000 employees).

Art. 83.2.b) RGPD. The claimed entity does not have adequate procedures in place
for contracting processors and for continuous, permanent and effective monitoring
of them during the entire term of the contract, so that the infringement is not the
consequence of a specific anomaly in the functioning of these procedures but a
persistent and continuous defect of the personal data management system designed
by the controller with regard to the processing delegated to processors, which
denotes gross negligence.

Art. 83.2.e) Any previous infraction: this AEPD records more than fifty
disciplinary proceedings completed in the last two years.

Considering the factors set out, and taking into account the range of the possible
sanction of up to 10 million euros, the amount of the fine for the infringement
charged is assessed at € 100,000 (one hundred thousand euros), which in the present
case is adequate to be proportional, effective and dissuasive (art. 83.1 RGPD).

Therefore, in accordance with the applicable legislation and having assessed the
criteria for graduation of the sanctions whose existence has been accredited, the
Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE on VODAFONE ESPAÑA, S.A.U., with CIF A80907397, for a
violation of Article 28 of the RGPD, typified in Article 83.4 of the RGPD, a fine
of 100,000 euros (one hundred thousand euros).


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

THIRD: Warn the sanctioned party that the sanction imposed must be paid
once this resolution is enforceable, in accordance with the provisions of
art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by depositing it, indicating the NIF of the sanctioned party and
the procedure number that appears in the heading of this document, in the
restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the
Spanish Agency for Data Protection at the banking entity CAIXABANK, S.A.
Otherwise, it will be collected in the executive period.

Once the notification has been received and the resolution is enforceable, if the
enforceability date falls between the 1st and the 15th of each month, both
inclusive, the deadline for making the voluntary payment will be the 20th of the
following month or the immediately subsequent business day, and if it falls
between the 16th and the last day of each month, both inclusive, the payment term
will be until the 5th of the second following month or the immediately subsequent
business day.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with
art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of
the LPACAP, the interested parties may optionally file an appeal for
reconsideration before the Director of the Spanish Agency for Data Protection
within one month counting from the day after the notification of this resolution,
or directly file a contentious-administrative appeal before the
Contentious-Administrative Chamber of the National High Court, in accordance with
the provisions of article 25 and section 5 of the fourth additional provision of
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,
within two months from the day following notification of this act, as provided in
article 46.1 of the referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of
the LPACAP, the final resolution may be provisionally suspended through
administrative channels if the interested party expresses his intention to file a
contentious-administrative appeal. If this is the case, the interested party must
formally communicate this fact in writing addressed to the Spanish Agency for Data
Protection, presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other
registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. The
interested party must also provide the Agency with the documentation that proves
the effective filing of the contentious-administrative appeal. If the Agency is
not made aware of the filing of the contentious-administrative appeal within a
period of two months from the day following the notification of this resolution,
it will terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Agency for Data Protection
















