AEPD (Spain) - PS/00111/2021: Difference between revisions

From GDPRhub
Latest revision as of 10:08, 20 October 2021

AEPD (Spain) - PS/00111/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 13.10.2021
Published: 13.10.2021
Fine: 40000
Parties: Vodafone Spain
National Case Number/Name: PS/00111/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: aepd.es (in ES)
Initial Contributor: FA

The Spanish DPA fined Vodafone Spain €40,000 for violations of Articles 5(1)(f) and 32 GDPR. The complainant received multiple invoices intended for a customer of the company and was not properly helped when they attempted to resolve this.

English Summary

Facts

An individual repeatedly received emails containing Vodafone invoices belonging to a third party. They tried reaching out to the company by email and telephone to resolve this issue, but were never properly helped.

Thus, they filed a complaint to the Spanish DPA (AEPD), which informed Vodafone of the issue. The company assured the DPA it had both dealt with the problem and communicated the resolution to the complainant. The complainant nonetheless kept receiving invoices. The DPA communicated this to the company, which then provided evidence the complainant's email address had been deleted from its systems. It claimed the problem was caused by the customer (that the invoices were actually intended for) entering the complainant's email address instead of their own.

Holding

The Spanish DPA held that Vodafone Spain unlawfully processed the complainant's personal data, as the company had no lawful basis to send them invoices belonging to one of its customers. It found this to constitute a severe and negligent violation (Article 83(2)(a) and (b) GDPR) of Articles 5(1)(f) and 32 GDPR, as the complainant's data was neither processed with integrity and confidentiality nor appropriately safeguarded.

It originally imposed a fine of €30,000 for the violation of Article 5(1)(f) GDPR and €20,000 for the violation of Article 32 GDPR, but this was reduced to a total fine amounting to €40,000 because Vodafone Spain made use of a reduction procedure proposed by the DPA.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: PS/00111/2021

RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure conducted by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: On June 24, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against VODAFONE SPAIN, S.A.U. (hereinafter, the claimed party), through the Agreement that is transcribed below:

<<






Procedure No.: PS/00111/2021

AGREEMENT TO START THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Agency for Data Protection and based on the following

FACTS

FIRST: On June 24, 2020, Mrs. A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency. The claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, the claimed party).





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/18








The claim is based on the claimed entity sending telephone bills belonging to a third party to the claimant's email address. After informing the respondent, she has not received a reply. She states that on 06/17/2019 and 07/16/2019 she sent emails to the addresses soporte@vodafone.es and tufacturavodafone@vodafone.es (the latter being the address from which she receives the invoices). She also claims to have called by phone, without specifying the date, stating: “I called Vodafone a couple of times, but it was impossible for me to have an intelligent conversation with a person, since they were passing me from operator to operator, from department to department, and nobody knew anything, nobody wanted to attend to me, nobody could solve the problem”.

Date on which the claimed events took place: from May 16, 2019 until 01/18/2021.

Relevant documentation provided by the claimant:

Copy of the invoices and copy of the emails sent to the claimed party to bring the problem to its attention.




SECOND: In view of the facts denounced in the claim and the documents provided by the claimant, and in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), which consists of transferring claims to the Data Protection Officers designated by the controllers or processors, or to the latter when none has been appointed, and for the purpose indicated in the aforementioned article, on August 4, 2020 the claim was forwarded to the respondent (reference file E/6010/2020), so that it could analyse it and provide a response within one month.

On 10/13/2020, this Agency received a response to the transfer of the claim, in which the respondent assures that the incident has been solved and that it communicated the resolution to the claimant. However, as reflected in the Resolution of file E/6010/2020, on 12/01/2020 the affected party states that she continues to receive invoices, as evidenced by copies of those received in October and November 2020, issued on October 8 and November 8, 2020 respectively.












THIRD: On 01/22/2021 a resolution was issued admitting the claim for processing, and the General Subdirectorate for Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).

The result of the investigation actions carried out is as follows:

First.- Detailed information is required on the reasons why the claimant has continued to receive invoices, a copy of which is provided, despite the entity having declared to this Agency on 10/13/2020, within the framework of file E/06010/2020, that the incident had been duly resolved.

The representatives of the respondent state that:

"As indicated in the allegations submitted in response to the request for information with reference number E/06010/2020, the sending of invoice availability notices to the claimant's email account occurred because another customer had activated the sending of these notices to the claimant's email *** EMAIL.1.

In August 2020, a fault ticket was opened with Systems to solve the problem detected, since the system did not allow those responsible for the customer service channel to delete the claimant's email.

At the moment when the claimant's email account was no longer visible in the systems as assigned to another client for those responsible for customer service, the incident was considered solved, and this was communicated to this Agency in the response to the request for information indicated. However, it was subsequently found that the changes made to the file of the client in which the claimant's email appeared had not been saved, so the claimant's email was not deleted and she continued to receive the notices.

After receiving this request for information, the case has been reopened with those responsible for systems in order to reach a definitive solution to the incident. After making the appropriate modifications, we can confirm that on February 11, 2021 it was possible to save the applied changes correctly, and the claimant's email account is no longer set as the recipient of the notices of invoice availability of another client."










They provide a screenshot of the systems that shows the solution to the incident.




Second.- Detailed information is required on the error made at the source, as well as on the attempt to correct it in October 2020, which has caused the claimant to continue receiving invoices from the third party in question.


The representatives of the defendant state that:

“As has been stated in the previous section, the original error is that another client had activated the notifications of sending invoices to the claimant's email account; for this reason, she was receiving the notices of availability of invoices in her email.

This case has been studied in detail with those responsible for Systems and it has been possible to establish that this error was not caused by a system failure, but because the third customer had provided the claimant's email account for sending the invoices. The third client has been classified as fraudulent by the Vodafone investigation team (this incident having been resolved); therefore, when accessing the client area via the web, it provided an email address for sending invoices that turned out to be that of the claimant.

An attempt was made to correct this incident between August and September 2020 by deleting the claimant's email account from the third party's file. However, in the processing of the ticket for this fault, the process of erasing this information was not completed, and the changes were not saved definitively. For this reason, the claimant's email account has continued to be recorded in the file of the third client, which did have these invoice availability notices active.”




Third.- Detailed information has also been required on the procedure followed by the entity to send invoices to clients, showing both the procedure for recording email addresses and the procedure for sending invoices to the addresses provided for each customer. It is requested to include a detailed explanation of the reason why the established procedure has allowed the claimant to continue to receive invoices, despite the information shown in the screenshot of the third party's data provided to this Agency on 10/13/2020, in which the email address does not appear.

The representatives of the defendant state that:

“Vodafone customers have the option to activate notifications of invoice availability and the sending of electronic invoices, in which they are informed of the charge date of the amount in advance of the charge to their bank account, only in cases where the billing method is direct debit. In these cases, customers can request to receive these notices via e-mail or SMS.

To activate these options, customers can request it at the time of registering the line or at a later time through Vodafone Customer Service or the MiVodafone AppWeb.

Through the indicated channels, customers have the options to:

Activate the electronic invoice.

Activate and modify the monthly notification of the availability of invoices.

View the last three invoices in different formats.

Download the invoices.

In the case of the third client that turned out to be fraudulent, it is recorded in our systems that they made modifications through the web area in the management of their billing, where the claimant's address could be included for sending the notices of availability of invoices.”




Fourth.- The claimed entity has been required to explain the reasons why the claimant's emails were not answered, nor her requests for rectification of her personal data attended to, in order to avoid continuing to receive invoices from another customer. Evidence of the claimant's messages, sent on 06/17/2019 and 07/16/2019 to the mailboxes soporte@vodafone.es and tufacturavodafone@vodafone.es, is attached to the request. Documentary proof of the replies issued, if any, is requested.

The representatives of the respondent state that:

"The email addresses soporte@vodafone.es and tufacturavodafone@vodafone.es are not email accounts that receive or attend to customer requests. Emails sent to these mailboxes are returned to the senders as not received and, in the case of the soporte@vodafone.es mailbox, an automatic reply is sent in which customers are redirected to the appropriate channels to process their request, indicating the following:

«Dear Customer:

Thank you very much for contacting Vodafone.

In order to respond to your query we need to identify you through My Vodafone, where we can attend to your request safely and you can also see all the information related to your services. In case you are not registered in My Vodafone, click here.

We also have at your disposal our customer service telephone number 22123 and you can resolve your doubts in the Vodafone help section for private customers.

If you are not a client, call us:

Individuals:

1444 - Commercial Information - Information and contracting related to the products that Vodafone sells. Free call.

1704 - Commercial information and exclusive online promotions - Information and contracting related to the products that Vodafone sells. Free call. Hours of operation: Monday to Sunday from 9:00 a.m. to 9:00 p.m.

607 123 000 - Helpline

Thank you very much for your attention and best regards.

Vodafone customer service

* In case the links in this email do not work for you, copy them into your browser and access them directly.

My Vodafone Registration: http://www.vodafone.es/c/mivodafone/es/registro-nueva-
key / # / register »

Therefore, the communications sent to these mailboxes were not received by Vodafone and the claimant was informed of this.

In addition, the appropriate checks have been carried out and it has been possible to confirm that for Mrs. A.A.A. there is no interaction or ticket indicating that a claim has been received for these events. It is also confirmed that there is no evidence that any mail has been received from the claimant's email address, *** EMAIL.1."

They attach screenshots of the customer interactions. The claimant does not indicate the dates of her calls, nor does she provide evidence of them that would allow the information to be checked. It is only verified that there are some interactions dated 07/30/2019 (the date closest to the beginning of receipt of the invoices by the claimant) of the type "information" and code "open question", or "customer inquiry".

They also attach a screen print of the aforementioned generic response from the soporte mailbox.

They attach a screen print of the client's email address, indicating that it also does not record receipt of any claim, and that it has not been possible to give a reply if no claim in this regard has been received from the claimant.




Fifth.- It is required to provide a detailed description of the procedure for attending the mailboxes soporte@vodafone.es and tufacturavodafone@vodafone.es and the reason why requests sent by customers to these two mailboxes may go unanswered or unprocessed, as in the present case; and a description of the controls established on the described procedure to ensure that requests received through these channels are answered and processed, and the reason why they failed in this case on two different dates and in two different mailboxes.

The representatives of the defendant state that:

"As indicated in the fourth allegation of this brief, the mailboxes indicated are not communication channels that Vodafone has enabled for clients, but mailboxes from which communications are issued to customers.

When a customer sends an email to these addresses, the messages are returned and the customer receives timely information on the channels through which they can contact Vodafone to file claims or any type of request.

Therefore, these mailboxes are not enabled as a customer service channel, nor do they receive incoming emails."



Sixth.- Google searches have been carried out for these addresses, verifying that there are multiple occurrences of soporte@vodafone.es on third-party websites, and one on ayudacliente.vodafone.es, where there is a contract "Request for change of owner and Postpaid Mobile Communications Services Contract for Individuals" in pdf format with the following clause:

"7. Customer Service and Claims. Vodafone provides the Customer with a support and information service through www.vodafone.es, points of sale or authorized agents, at Customer Service 123, at the registered office indicated in these conditions or by email to soporte@vodafone.es. If the Client wants to file a claim, they must do so within one (1) month from the time the fact that motivates it becomes known, in writing to the registered office of Vodafone located at Avenida de América, 115, 28042, Madrid, by phone at 123 Customer Service or by email to soporte@vodafone.es. […]."












After searching for the email address tufacturavodafone@vodafone.es, only one result is found, on a third-party website, stating that it is the sender address of the claimed entity's invoices.

The Data Inspection has sent a test email to the address soporte@vodafone.es, verifying that after approximately one minute the aforementioned automatic reply is received.






FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (hereinafter, GDPR) grants to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.



































II

The LOPDGDD, in its article 5.1, "Duty of confidentiality", indicates:

"1. Controllers and processors, as well as all persons who intervene in any phase of the processing, will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679."




III

Article 5.1.f) of the RGPD establishes that personal data will be:

"f) processed in such a way as to guarantee adequate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality")."

And section 2 of the same article 5 states:

"2. The controller will be responsible for compliance with the provisions of section 1 and able to demonstrate it ("proactive responsibility")."



IV

Regarding the security of personal data, article 32 of the RGPD, "Security of processing", establishes that:

"1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor will apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among others, as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for guaranteeing the security of the processing.

2. When assessing the adequacy of the level of security, particular account will be taken of the risks presented by the data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data.

3. Adherence to a code of conduct approved pursuant to Article 40 or a certification mechanism approved pursuant to Article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of this article.

4. The controller and the processor will take measures to ensure that any person who acts under the authority of the controller or the processor and has access to personal data can only process said data following instructions from the controller, unless required to do so under Union or Member State law."




V

In accordance with the evidence available at the present time of the agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the respondent processed the claimant's personal data without having any legitimate basis to do so, which materialized in the claimant continuing to receive telephone bills belonging to a third party at her email address, even though she had previously requested the deletion of her data.













It should be noted that this Agency transferred the claim made by the claimant to the respondent, which stated that the incident was already resolved. However, the claimant continued to receive telephone bills belonging to a third party at her email address. Consequently, the respondent has carried out a processing of personal data without having proven that it has the legal authorization to do so.

On the other hand, there is other significant evidence for grading the infringement:

Continued nature of the facts verified: from 05/16/2019 to 01/18/2021.

Volume of the processing carried out: one affected third party, the owner of the invoices, who was able to enter the claimant's email address as the delivery address, and the claimant who receives the invoices.

The business activity carried out by the entity requires continuous processing of personal data. The entity carries out a high volume of personal data processing in the course of its activity.



VI

The known facts could constitute an infringement, attributable to the respondent, of article 5.1.f) of the RGPD, which governs the principles of integrity and confidentiality in the processing of personal data, as well as the proactive responsibility of the controller to demonstrate compliance, as stated in section 2 of the same article 5 of the RGPD.

On the other hand, there are clear indications that the respondent has violated article 32 of the RGPD, by facilitating access to information containing a client's personal data by a third person outside the entity.

The responsibility of the respondent is determined by the unauthorized access. The entity is responsible for taking decisions aimed at effectively implementing the appropriate technical and organizational measures to ensure a level of security appropriate to the risk and to ensure the confidentiality of the data, including those aimed at restoring availability and preventing access to the data in the event of a physical or technical incident.











Article 83.5 a) of the RGPD considers that the infringement of "the basic principles for processing, including the conditions for consent under Articles 5, 6, 7 and 9" is punishable, in accordance with section 5 of the aforementioned Article 83 of the Regulation, with administrative fines of up to €20,000,000 or, in the case of a company, of an amount equivalent to up to 4% of the total global annual turnover of the previous financial year, whichever is higher.

The LOPDGDD in its article 72.1.a) establishes: "Infractions considered very serious. 1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infractions that entail a substantial violation of the articles mentioned therein are considered very serious and will become time-barred after three years, in particular the following: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679".

The violation of article 32 RGPD is typified in article 83.4.a) of the cited RGPD in the following terms: "4. Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of up to EUR 10 000 000 or, in the case of a company, of an amount equivalent to a maximum of 2% of the total global annual turnover of the previous financial year, whichever is higher: a) the obligations of the controller and the processor in accordance with articles 8, 11, 25 to 39, 42 and 43." (…)

Article 73 of the LOPDGDD, under the heading "Infractions considered serious", establishes the following: "In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infractions that entail a substantial violation of the articles mentioned therein are considered serious and will become time-barred after two years, in particular the following: (…) f) Failure to adopt those technical and organizational measures that are appropriate to ensure a level of security adequate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679."

In the present case, the offending circumstances provided for in articles 83.5 and 83.4 of the RGPD and 72.1 a) and 73 section f) of the LOPDGDD, transcribed above, concur.




Article 58.2 of the RGPD provides: "Each supervisory authority will have all the following corrective powers: b) to issue reprimands to a controller or a processor where processing operations have infringed the provisions of this Regulation; d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this section, depending on the circumstances of each individual case;"

In this sense, the respondent must report within the procedure the actions taken upon learning of the claim notified to it by this AEPD and the measures adopted, and the resolution may adopt those appropriate for adjustment to the regulations.



Likewise, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established in article 83.2 of the RGPD:

As aggravating factors, in the present case, the following:

The duration of the offense (article 83.2.a).


A negligent action (article 83.2.b).

Basic personal identifiers are affected, according to article 83.2.g).




                                           VII



Therefore, in accordance with the foregoing, the Director of the Spanish Agency for Data
Protection AGREES:



FIRST: INITIATE SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with NIF A80907397,
for the alleged violation of article 5.1.f) of the RGPD, punishable in accordance with the
provisions of art. 83.5 of the aforementioned RGPD and classified as very serious in
article 72.1 a) of the LOPDGDD, and for the alleged infringement of Article 32 of the RGPD,
punishable in accordance with the provisions of Article 83.4 of the cited RGPD and
classified as serious in article 73 section f) of the LOPDGDD.




SECOND: ORDER VODAFONE ESPAÑA, S.A.U., with NIF A80907397, in accordance with the
provisions of article 58.2 d) of the RGPD, so that, within ten days, it proceeds to order
the person in charge of the processing that the processing operations comply with the
provisions of the RGPD.




THIRD: APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that either of
them may be challenged, if applicable, in accordance with the provisions of articles 23
and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).




FOURTH: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed
by the claimant and her documentation, the documents obtained and generated by the General
Subdirectorate for Data Inspection during the investigation phase, as well as the report
of previous inspection actions.



FIFTH: THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations, the penalty that may
correspond would be: € 30,000 (thirty thousand euros) for the infringement of article
5.1 f) of the RGPD, regarding the violation of the principle of confidentiality, and
€ 20,000 (twenty thousand euros) for the violation of article 32 of the aforementioned
RGPD, regarding the security of the processing of the personal data of its clients,
without prejudice to what results from the investigation.



SIXTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting it
a hearing period of ten business days to formulate the allegations and present the
evidence that it deems appropriate. In your written allegations, you must provide your
NIF and the procedure number that appears in the heading of this document.



If no allegations to this initiation agreement are made within the stipulated period, the
agreement may be considered a resolution proposal, as established in article 64.2.f) of
Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed is a fine, you may acknowledge your responsibility within the term
granted for the formulation of allegations to the present initiation agreement, which
will entail a reduction of 20% of the penalty to be imposed in the present procedure.
With the application of this reduction, the sanction would be established at € 40,000
(forty thousand euros), resolving the procedure with the imposition of this sanction.




In the same way, you may, at any time prior to the resolution of this procedure, carry
out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of
its amount. With the application of this reduction, the penalty would be set at € 40,000
(forty thousand euros) and its payment will entail the termination of the procedure.




The reduction for the voluntary payment of the penalty is cumulative with the one that
applies for the acknowledgment of responsibility, provided that this acknowledgment of
responsibility is made manifest within the period granted to formulate allegations at the
opening of the procedure. The voluntary payment of the amount referred to in the preceding
paragraph may be made at any time prior to the resolution. In this case, if both
reductions are applied, the amount of the penalty would be set at € 30,000 (thirty
thousand euros).




In any case, the effectiveness of either of the two mentioned reductions will be
conditional on the withdrawal or waiver of any administrative action or appeal against
the sanction.




If you choose to proceed to the voluntary payment of either of the amounts mentioned
above, € 40,000 (forty thousand euros) or € 30,000 (thirty thousand euros), you must make
it effective by paying it into account number ES00 0000 0000 0000 0000 0000, opened in
the name of the Spanish Agency for Data Protection at the banking entity CAIXABANK, S.A.,
indicating in the concept the reference number of the procedure that appears in the
heading of this document and the cause of reduction of the amount that you are relying on.




Likewise, you must send the proof of payment to the Subdirectorate General of Inspection
so that the procedure can continue in accordance with the amount paid.



The procedure will have a maximum duration of nine months from the date of the initiation
agreement or, where appropriate, the draft initiation agreement. After this period, it
will expire and, consequently, the proceedings will be archived, in accordance with the
provisions of article 64 of the LOPDGDD.



Finally, it is pointed out that, in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.



                                                                                   935-200320

Mar España Martí


Director of the Spanish Agency for Data Protection



>>



SECOND: On September 27, 2021, the claimed party proceeded to pay the sanction in the
amount of 40,000 euros, making use of one of the two reductions provided for in the
Initiation Agreement transcribed above. Therefore, the acknowledgment of responsibility
has not been accredited.

THIRD: The payment made entails the waiver of any action or recourse in progress against
the sanction, in relation to the facts referred to in the Initiation Agreement.


                            FOUNDATIONS OF LAW


                                             I

By virtue of the powers that article 58.2 of the RGPD grants to each supervisory
authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the
Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the
Director of the Spanish Agency for Data Protection is competent to sanction the
infractions committed against said Regulation; infractions of article 48 of Law 9/2014,
of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the
provisions of article 84.3 of the LGT; and the offenses typified in articles 38.3 c), d)
and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services
and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.


                                             II





Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter LPACAP), under the heading "Termination of sanctioning
procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his
responsibility, the procedure may be resolved with the imposition of the appropriate
sanction.

2. When the sanction is solely of a pecuniary nature, or when it is possible to impose a
pecuniary sanction and a non-pecuniary sanction but the inadmissibility of the second has
been justified, the voluntary payment by the presumed responsible party, at any time prior
to the resolution, will imply the termination of the procedure, except in relation to the
restoration of the altered situation or the determination of compensation for damages
caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the body competent
to resolve the procedure will apply reductions of at least 20% on the amount of the
proposed sanction, these being cumulative with each other. The aforementioned reductions
must be determined in the notice of initiation of the procedure, and their effectiveness
will be conditional on the withdrawal or waiver of any administrative action or appeal
against the sanction.

The percentage of reduction foreseen in this section may be increased by regulation. "


In accordance with the above, the Director of the Spanish Agency for Data Protection

RESOLVES:

FIRST: DECLARE the termination of procedure PS/00111/2021, in accordance with the
provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed
by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations, interested parties may file a contentious-administrative appeal
before the Contentious-Administrative Chamber of the National High Court, in accordance
with the provisions of article 25 and section 5 of the fourth additional provision of Law
29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a
period of two months from the day following notification of this act, as provided in
article 46.1 of the referred Law.


                                                                                 937-160721

Mar España Martí
Director of the Spanish Agency for Data Protection