AEPD (Spain) - PS/00139/2020

From GDPRhub
AEPD - PS/00139/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(d) GDPR
Article 6(1) GDPR
Article 57(1) GDPR
Article 58(2) GDPR
Article 58(2) GDPR
Article 83(2) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Fine: 9000 EUR
Parties: AAA
National Case Number/Name: PS/00139/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: Silvia López

Spanish DPA holds that a company infringed Article 5 GDPR by keeping its ex-husband as the joint account holder of the client, who could have access to all the client's data.

English Summary


After making a change of address in her telephone company, in the company's systems it still appeared as joint holder the complainant's ex-husband, who could have access to all her data even if he was no longer joint holder of the account.


Does the data processer violate the GDPR if it allows a third party access to the data of the current sole holder?


The Spanish DPA imposed a fine of 15,000 euros on the company, which was reduced to 9,000 euros for voluntary payment and acknowledgement of liability (after waiving a further appeal against the DPA's decision).


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

In sanction procedure PS/00139/2020, conducted by the Agency
Spanish Data Protection Agency to VODAFONE ESPAÑA, S.A.U., in view of the complaint
presented by A.A.A., and based on the following,
FIRST: On June 16, 2020, the Director of the Spanish
Data Protection agreed to initiate sanctioning procedure against VODAFONE
SPAIN, S.A.U. (hereinafter, the claimed), by means of the Agreement which is transcribed:
Product No.: PS/00139/2020
Of the actions carried out by the Spanish Agency for the Protection of
Data and based on the following:
FIRST: Mrs. A.A.A. (hereinafter, the Claimant) dated March 8, 2019
filed a complaint with the Spanish Data Protection Agency.
The complaint is directed against Vodafone España, S.A.U. with NIF A80907397
(hereinafter referred to as the Respondent).
C/ Jorge Juan, 6
28001 - Madrid
The complainant states that he was the holder of a fixed telephony + fibre +
mobile line with Movistar, making the portability with the claimed in various
Later, in February 2018, he moved to a new home, and when he
a consultation, they tell you that in their systems the services discharged
as the title of his ex-spouse.
He adds that the invoices issued by the respondent contain his details, but
addressed to your ex-spouse.
And, among other things, it provides the following documentation:
Certified letter sent to the respondent on February 27, 2018.
Claim presented at the Respondent's commercial establishment on 10
March 2018.
Complaint to the OMIC of the City Council of ***LOCALIDAD.1 on 11
May 2018 and replies from Vodafone on May 17 and July 19
o Invoices dated February 15 and March 1, 2018, showing the
data of the claimant, but addressed to his ex-spouse.
o Invoice dated 1 March 2018, containing your details and addressed to
SECOND: In view of the facts denounced in the complaint and the
documents provided by the complainant, the Subdirectorate General for the Inspection of
Data proceeded to the realization of previous research actions for the
clarification of the facts in question under the powers of investigation
granted to the inspection authorities in Article 57(1) of the Regulation (EU)
2016/679 (General Data Protection Regulations, hereinafter referred to as GPRD), and
in accordance with the provisions of Title VII, Chapter I, Section Two of the Act
Organic 3/2018 of 5 December on the Protection of Personal Data and Guarantee of
digital rights (hereinafter LOPDGDD).
As a result of the investigation carried out, it was found that
that the person responsible for the processing is the one who is being claimed.
The following points are also noted:
C/ Jorge Juan, 6
28001 - Madrid
On 9 October 2019, the respondent states the following:
1. The claimant was the holder of a contract with Movistar of which he made
portability to the claimant and later made a change of address.
2. That the services provided by the claimant were associated, in their
systems, to her ex-spouse, for as she herself states in her
claim, was the former marital home so his ex-spouse
appeared as the holder of the contracted services
3. In addition, they verified that there were two headlines linked to the ID
***Therefore, they made a correction to the data in their
so that in this ID the claimant's contact currently appears as
and the contact your ex-spouse is listed as "Former Holder". In short,
it appears to be offline in their systems which means that it cannot
access any of the data associated with the current owner.
4. They provide a copy of a letter addressed to the complainant on 8 October 2019, in the
which state that they have proceeded to unlink the data of the other holder who
was associated with the contracted services so it currently appears
unlinked so that you can no longer access the information
associated with the services contracted by the claimant.
By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the
authority, and as established in articles 47 and 48.1 of the LOPDPGDD, the
The Director of the Spanish Data Protection Agency is competent to resolve
this procedure.
Article 6.1 of the RGPD, establishes the cases that allow to consider
The processing of personal data is lawful.
C/ Jorge Juan, 6
28001 - Madrid
Article 5 of the RGPD states that personal data shall be:
"(a) processed in a lawful, fair and transparent manner in relation to the data subject
("legality, loyalty and transparency");
(b) collected for specified, explicit and legitimate purposes and not treated
subsequently in a manner incompatible with those purposes; in accordance with Article 89,
paragraph 1, the further processing of personal data for archiving purposes in
public interest, scientific and historical research or statistical purposes are not
shall be deemed to be incompatible with the initial purposes ("purpose limitation");
(c) adequate, relevant and limited to what is necessary in relation to the purposes
for those who are treated ("data minimization");
(d) accurate and, where necessary, kept up to date; all measures
to delete or rectify without delay personal data that
are inaccurate with respect to the purposes for which they are intended ("accuracy");
(e) maintained in such a way as to permit identification of the persons concerned
for no longer than is necessary for the purposes of the processing
personal; personal data may be kept for longer periods
provided that they are processed exclusively for archiving purposes in the public interest, for
scientific or historical research or statistical purposes, in accordance with Article
89(1), without prejudice to the implementation of technical and organisational measures
This Regulation shall be binding in its entirety and directly applicable in all Member States.
freedoms of the data subject ("limitation of the retention period");
(f) processed in such a way as to ensure appropriate security for the
personal data, including protection against unauthorised or unlawful processing and
against their accidental loss, destruction or damage, by the application of measures
appropriate techniques or organisational arrangements ("integrity and confidentiality").
The controller shall be responsible for compliance with the
provided for in paragraph 1 and capable of demonstrating it ("proactive responsibility").
In accordance with the evidence available here
at the time, and without prejudice to the outcome of the investigation, it is considered to be proven that
in the respondent's systems, another person was listed as the holder of the contracted services
It should be noted that the defendant acknowledges this error, stating that
two headlines linked to the ID ***ID.1 appeared.
correction of data in their systems.
Ultimately, a third party could access the claimant's data, i.e.
had access to the information associated with the services contracted by the claimant and
which is in violation of Article 5(1)(d) of the GPRS, in relation to Article 4(1)
of the LOPDGDD, which governs the principle of accuracy of personal data.
Article 72.1.a) of the LOPDGDD states that "in accordance with the provisions
Article 83(5) of Regulation (EU) 2016/679 are considered very serious and
The statute of limitations for offences involving a substantial breach shall be three years
of the articles mentioned in that one and, in particular, the following ones:
a) The processing of personal data in violation of the principles and guarantees
laid down in Article 5 of Regulation (EU) 2016/679
Article 58(2) of the GPRS provides: "Each inspecting authority
shall have all the following corrective powers as set out below:
C/ Jorge Juan, 6
28001 - Madrid
(b) sanction any person responsible for or in charge of the processing with
warning where processing operations have infringed the provisions of
this Regulation;
(d) instruct the controller or processor to ensure that processing operations
treatment are in accordance with the provisions of this Regulation, where applicable,
in a certain way and within a specified time frame;
(i) impose an administrative fine pursuant to Article 83, in addition to or in
place of the measures referred to in this paragraph, depending on the circumstances
of each individual case;
This offence is punishable by a fine of up to EUR 20 000 000
or, in the case of an undertaking, an amount equivalent to a maximum of 4% of
total annual turnover for the previous financial year, opting for the
in accordance with article 83.5 of the RGPD.
Likewise, it is considered that the sanction to be imposed should be graduated according to
with the following criteria established by Article 83.2 of the RGPD:
The following are aggravating factors:
In the present case we are dealing with unintentional but significant negligent action (article 83.2 b)
Basic personal identifiers are affected, according to
C/ Jorge Juan, 6
28001 - Madrid
Therefore, on the basis of the above,
By the Director of the Spanish Data Protection Agency,
with NIF A80907397, for the alleged infringement of Article 5.1.d) of the RGPD
as defined in article 83.5.a) of the aforementioned RGPD.
To appoint Mr. B.B.B. as instructor and Ms. C.C.C. as secretary, indicating that either of them may be challenged, if appropriate, in accordance with the
established in Articles 23 and 24 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector (LRJSP).
2. INCORPORATE into the sanctioning file, for evidential purposes, the claim filed by the claimant and its attached documentation, the requirement
information that the Subdirectorate General for Data Inspection sent to the
entity claimed in the preliminary investigation phase and their respective accusation of
3. THAT for the purposes of Article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations
the sanction that could correspond would be 15,000 euros (fifteen thousand euros),
without prejudice to the outcome of the investigation.
4. NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with NIF
A80907397, giving you a hearing period of ten working days to
make the allegations and submit the evidence he deems appropriate.
In your pleading, you must provide your VAT number and the procedure number in the heading of this document.
C/ Jorge Juan, 6
28001 - Madrid
If you do not make representations to this initiating agreement within the stipulated time, the
may be considered as a motion for resolution, as set out in the
Article 64.2.f) of Law 39/2015 of 1 October on Administrative Procedure
Commonwealth of Independent States (hereinafter LPACAP).
In accordance with Article 85 of the LPACAP, in the case of
that the sanction to be imposed was a fine, may acknowledge its responsibility within
of the time allowed for the submission of claims under this agreement to commence; the
which will be accompanied by a 20% reduction in the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be
12,000, with the procedure being resolved by the imposition of this
Similarly, at any time prior to the resolution of the
The Commission shall, in accordance with this procedure, carry out the voluntary payment of the proposed penalty
which will result in a 20% reduction in its amount. With the application of this
reduction, the penalty would be set at 12,000 euros and its payment would involve the
termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with the one
The same applies to the recognition of liability, provided that this
recognition of responsibility is shown within the time limit
granted to make representations on the opening of the proceedings. The payment
of the amount referred to in the preceding paragraph may be made at any
moment before the resolution. In this case, if it is appropriate to apply both
reductions, the amount of the penalty would be set at
In any case, the effectiveness of either of the two above-mentioned reductions
shall be conditioned upon the waiver or relinquishment of any action or remedy in the
administrative sanction against the sanction.
If you choose to proceed with the voluntary payment of any of the
12,000 or 9,000 euros, you must do so
cash by depositing it in the account nº ES00 0000 0000 0000 0000 opened
on behalf of the Spanish Data Protection Agency at CAIXABANK Bank,
S.A., indicating in the concept the reference number of the procedure in
C/ Jorge Juan, 6
28001 - Madrid
the heading of this document and the reason for the reduction in the amount to which
Likewise, you must send the proof of admission to the Subdirectorate General of
Inspection to continue the procedure in accordance with the quantity
The procedure will last a maximum of nine months from
the date of the agreement to initiate or, where appropriate, the draft agreement to initiate.
After this period, the agreement will expire and, consequently, the
actions; in accordance with the provisions of Article 64 of the LOPDGDD.
Finally, it is noted that in accordance with the provisions of Article 112.1 of the
LPACAP, there is no administrative appeal against this act.
 SECOND: On June 30, 2020, the claimant paid the
9,000 by making use of the two reductions provided
in the above transcribed Inception Agreement, which implies recognition of the
THIRD: The payment made, within the period granted to make allegations to
the opening of the procedure, entails the waiver of any action or appeal in
administrative sanctioning and acknowledgement of responsibility in relation to
the facts referred to in the Agreement to Initiate.
By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the
control, and in accordance with Article 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and Guarantee of Digital Rights (in
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6
28001 - Madrid
is competent to penalise infringements committed against it
Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General
of Telecommunications (hereinafter referred to as LGT), in accordance with the
Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the
information and electronic commerce (hereinafter referred to as the ISESA), as provided for in
43.1 of the said Act.
Article 85 of Law 39/2015 of 1 October on Administrative Procedure
Commonwealth of Independent States (hereinafter LPACAP), under the heading
"Termination in sanctioning proceedings" provides the following:
"1. Penalty proceedings are initiated if the offender acknowledges his
responsibility, the proceedings may be terminated with the imposition of the penalty
as appropriate.
2. Where the penalty is solely pecuniary in nature or where it is
impose a financial penalty and a non-pecuniary penalty but has been justified
the impropriety of the second, voluntary payment by the alleged perpetrator, in
any time before the resolution, will imply the termination of the procedure,
except as regards the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the penalty is solely of a pecuniary nature,
the body competent to decide on the procedure shall apply reductions of, at
at least 20 % of the amount of the proposed penalty, which may be cumulated
with each other. These reductions shall be determined in the notification of
initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased
by regulation.
In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00139/2020, of
in accordance with Article 85 of the LPACAP.
In accordance with the provisions of article 50 of the LOPDGDD, this
The decision will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure
The interested parties may lodge an appeal with the
administrative litigation before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months of
day following notification of this act, as provided for in Article 46(1) of
referred to Law.
C/ Jorge Juan, 6
28001 - Madrid
Mar Spain Marti
Director of the Spanish Data Protection Agency