AEPD (Spain) - PS/00180/2021

From GDPRhub
AEPD (Spain) - PS/00180/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.07.2021
Published: 13.07.2021
Fine: 75000 EUR
Parties: TELEFÓNICA MÓVILES ESPAÑA, S.A.U.
National Case Number/Name: PS/00180/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined Telefonica €75,000 (reduced to €45,000) for processing personal data without a legal basis. Telefonica had continued to call a data subject for direct marketing purposes after they had exercised their right to object.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject filed a complaint with the Spanish DPA (AEPD) stating that Telefonica – a telecommunications company – was still using their phone number and accessing their records to do trials in their call centres and shops. The data subject claimed that the controller had called them 247 calls in a span of two days, even after the controller had assured in previous proceedings that it had implemented adequate measures to prevent this from happening. The data subject continued to receive such calls after filing the complaint from a different number.

The data subject had exercised their right to object in 2017, what was confirmed by the controller in a letter that stated that they had taken adequate measures to prevent it.

Holding[edit | edit source]

The Spanish DPA concluded that the controller had violated Article 6 GDPR, as it had processed the personal data of the data subject without their consent, after they objected to such processing.

The controller acknowledged the facts and stated that they were implementing measures to prevent it from happening in the future.

The AEPD noted, however, that the controller had still made calls to the data subject after they filed the complaint. The DPA took into account the recidivism, as well as the continuous nature of the infringement, the basic categories of personal data affected, and the link between the infringement and its business core activity as aggravating factors.

Following this, the DPA fined Telefonica €75,000, that were reduced to €45,000 for acknowledgement of responsibility and early payment.

Comment[edit | edit source]

This case is similar to AEPD (Spain) - PS/00474/2020, in which the data subject also received around 250 unsolicited calls after having exercised their right to object – what was confirmed by the controller – in 2017.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                           1/12











    File No.: PS / 00180/2021


       RESOLUTION OF TERMINATION OF THE PROCEDURE BY PAYMENT

                                  VOLUNTARY

Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following

                                BACKGROUND

FIRST: On June 7, 2021, the Director of the Spanish Agency for

Data Protection agreed to initiate a sanctioning procedure against TELEFÓNICA
MÓVILES ESPAÑA, S.A.U. (hereinafter, the claimed party), through the Agreement
which is transcribed:

<<






Procedure No.: PS / 00180/2021




           AGREEMENT TO START THE SANCTIONING PROCEDURE




Of the actions carried out by the Spanish Agency for Data Protection and in
based on the following:




                                     FACTS




FIRST: D. A.A.A. (hereinafter, the claimant) dated December 11, 2020
filed a claim with the Spanish Data Protection Agency. The

The claim is directed against TELEFÓNICA MÓVILES ESPAÑA, S.A.U. with NIF
A78923125 (hereinafter, the claimed one).




       The claimant states that the claimant continues to use her number
phone *** PHONE. 1, your employees accessing your customer profile, without your

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12








consent, to carry out tests in their Call Centers and stores. In fact,
states that, in two days, he has received a total of 247 calls from number 1004, to

despite the fact that in the previous claims the defendant claimed to have implemented
new security measures so that it does not happen again.




       On April 10, 2021, the claimant expands his claim by stating
that he continues to receive calls from the defendant, but in this case from number 1002

(to move).



       Provides proof of your claim, the SMS received and the calls from the

1002 and 1004.



SECOND: In accordance with article 65.4 of the LOPGDD, which has provided for a

mechanism prior to the admission for processing of claims made before
the AEPD, consisting of transferring them to the Data Protection Delegates
designated by those responsible or in charge of the treatment, for the intended purposes

in article 37 of the aforementioned norm, or to these when it has not designated them, it was
transfer of the claim to the claimed entity to proceed with its analysis and

respond to the complaining party and this Agency within one month.



       As a result of this process, on March 30, 2021, the claimed

has stated that a written reply has been sent to the claimant, in which it is
shows that "new control measures have been implemented,
maintaining in force and reinforcing the measures that had already been adopted

above regarding the use of the numbering *** TELEPHONE.1 ".



       They attach a copy of the letter sent to the claimant.




       On the other hand, it indicates that the claimant exercised his right of access which
was responded by letter on April 10, 2017.




       Next, they state: “who has analyzed the call log
provided by the claimant in this file, and notes that, after confirming

receipt of these, it has been detected that by mistake the claimant and his / her

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/3








numbering in a campaign organized by our company in order to
check the existence of technical failures that customers may suffer.




       Although security and control measures have been taken over the use of

this numbering since 2014, they have been strengthened and implemented
two new measures:




       On the one hand, and when verifying that these calls were made by a campaign
resolution of technical incidents, our team has proceeded to exclude the
numbering of the aforementioned campaigns.




       Additionally, the direct blocking measure has been taken in the
the aforementioned numbering so that, when a new one is programmed

campaign with similar characteristics, the numbering is identified and
automatically excluded.




       On the other hand, a fortnightly control of all our
customer databases to confirm that all measures applied since the

year 2014, they are applied correctly.



       Finally, despite the fact that the claimant in his writing when referring to “the

black list ”in which you have entered the telephone numbers of Telefónica, in the
moment when one of our agents tries to contact the
numbering *** PHONE. 1, and even though it is blocked by the client, to

our agent does not appear any warning, alarm or similar that indicates this
situation, therefore, calls continue to be issued.




       After receiving the last claim from the client, the operation has been strengthened at the
time to establish and prepare communication campaigns to clients, inhibiting
this number automatically so that it cannot be included as a recipient in

no case in those communications; and controls will be carried out periodically
in order to check that our agents comply with all the measures established by

the company".




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/12










THIRD: The result of the transfer process initiated in the previous event does not

allowed to understand satisfied the claims of the claimant. Consequently, with
dated April 21, 2021, for the purposes provided for in article 64.2 of the LOPDGDD,

The Director of the Spanish Data Protection Agency agreed to admit for processing the
claim filed.




                            FOUNDATIONS OF LAW



                                              I




        By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,

the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.




                                             II



        The defendant is charged with committing an offense for violation of the
Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the
cases in which the processing of third party data is considered lawful:




        "1. The treatment will only be lawful if at least one of the following is met
terms:


      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;
      b) the treatment is necessary for the performance of a contract in which the

      interested is part or for the application at the request of this of measures
      pre-contractual;

      (…) "

       The offense is classified in Article 83.5 of the RGPD, which considers as such:




      "5. Violations of the following provisions will be sanctioned, in accordance with
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/12








with section 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the

total annual global business volume of the previous financial year, opting for
the highest amount:



      a) The basic principles for the treatment, including the conditions for the

      consent in accordance with articles 5,6,7 and 9. "


       Organic Law 3/2018, on Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:



      "1. Based on what is established in article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that

suppose a substantial violation of the articles mentioned in that one and, in
in particular, the following:



        (…)

        a) The processing of personal data without the concurrence of any of the

           conditions of legality of the treatment established in article 6 of the
           Regulation (EU) 2016/679. "



                                            III



      The documentation in the file provides evidence that the

claimed, violated article 6.1 of the RGPD, since it processed the
Claimant's personal data without having any legitimacy to do so.



      The respondent has recognized this error and indicated that it has analyzed the
record of calls made by the claimant in this file, and

note that, after confirming the receipt of these, it has been detected that by mistake
included the claimant and their number in a campaign organized by the defendant

in order to verify the existence of technical failures that the
customers.




       Likewise, it states that after receiving the last claim from the client, it has
Strengthened operations when establishing and preparing campaigns for
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/12








communications to clients, inhibiting this number automatically so that no
can be included as a recipient in any case in these communications; So what

will carry out controls periodically in order to check that their agents
they comply with all the measures established by the company.




        Now, despite stating the claimed in previous claims
have implemented new security measures so that it does not happen again. This

of course, that the calls of 1002 and 1004, continue to occur. Therefore, it is
is producing the treatment of the claimant's personal data without basis
legitimizing.









                                            IV



      The determination of the sanction to be imposed in the present case requires

observe the provisions of articles 83.1 and 83.2 of the RGPD, precepts that,
respectively, provide the following:




           "Each control authority will guarantee that the imposition of fines
administrative regulations pursuant to this article for the infractions of this

Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "




        "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

administrative and its amount in each individual case will be duly taken into account:

        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question
        as well as the number of affected stakeholders and the level of damage and

        damages they have suffered;

        b) intentionality or negligence in the infringement;



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/12








         c) any measure taken by the person in charge or in charge of the treatment
         to alleviate the damages suffered by the interested parties;

         d) the degree of responsibility of the person in charge or the person in charge of the

         treatment, taking into account the technical or organizational measures that have
         applied by virtue of articles 25 and 32;

         e) any previous infraction committed by the person in charge or the person in charge of the
         treatment;

          f) the degree of cooperation with the supervisory authority in order to establish

         remedy the violation and mitigate the possible adverse effects of the violation;

         g) the categories of personal data affected by the infringement;

         h) the way in which the supervisory authority learned of the infringement,
         in particular if the person in charge or the person in charge notified the infringement and,
         case, to what extent;

         i) when the measures indicated in article 58, paragraph 2, have been

         previously ordered against the person in charge or the person in charge
         in relation to the same matter, compliance with said measures;

         j) adherence to codes of conduct under article 40 or to mechanisms
         certification approved in accordance with article 42, and

         k) any other aggravating or mitigating factor applicable to the circumstances of the

         case, such as financial benefits obtained or losses avoided, direct
         or indirectly, through the infringement. " (The underlining is from the AEPD)



        In order to specify the amount of the penalty to be imposed on the one claimed by

  violation of article 83.5.a) of the RGPD, it is essential to examine and assess whether
  the circumstances described in article 83.2 of the RGPD concur and if they intervene
  mitigating or aggravating the responsibility of the responsible entity.





        In accordance with the transcribed precepts, and without prejudice to what results from the
  instruction of the procedure, in order to set the amount of the fine to impose
  in the present case, the claimed party is considered responsible for an infringement
  typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent

  the following factors.

        As aggravating factors the following:

- In the present case we are facing a negligent action on significant data that
  allow the identification of a person (article 83.2 b).


- Basic personal identifiers are affected (name, a number of
  identification, the line identifier) (article 83.2 g).
  C / Jorge Juan, 6 www.aepd.es
  28001 - Madrid sedeagpd.gob.es 12/8








       - Section k), in relation to article 76.2 of Organic Law 3/2018, which
         frames as aggravating the continuing nature of the offense attributed to the

         claimed.

       - The evident link between the business activity of the claimed and the

         treatment of personal data of clients or third parties (article 83.2 K, of the
         RGPD in relation to article 76.2 b, of the LOPDGDD).


     That is why it is considered appropriate to graduate the sanction to impose on the claimed and
set it at the amount of € 75,000 for the violation of article 6 of the RGPD.


       Therefore, based on the foregoing,


       By the Director of the Spanish Data Protection Agency,




       HE REMEMBERS:






    1. START SANCTIONING PROCEDURE for TELEFÓNICA MÓVILES

       ESPAÑA, S.A.U., with NIF A78923125, for the alleged violation of article 6
       of the RGPD typified in article 83.5.a) of the aforementioned RGPD.




    2. APPOINT D. B.B.B. as instructor. and as secretary to Ms. C.C.C.,
       indicating that any of them may be challenged, where appropriate, in accordance with
       what is established in articles 23 and 24 of Law 40/2015, of October 1, of

       Legal Regime of the Public Sector (LRJSP).



    3. INCORPORATE to the sanctioning file, for evidentiary purposes, the

       claim filed by the claimant and its attached documentation, the
       informative requirements that the Subdirectorate General for Inspection of
       Data sent to the claimed entity in the preliminary investigation phase and its

       respective acknowledgments of receipt.



    4. THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1,

       bre, of the Common Administrative Procedure of Public Administrations,


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/12








        the corresponding penalty would be 75,000 euros (seventy-five thousand
        euros), without prejudice to what results from the instruction.




    5. NOTIFY this agreement to TELEFÓNICA MÓVILES ESPAÑA, S.A.U.,

        with NIF A78923125, granting a hearing period of ten business days
        to formulate the allegations and present the evidence that it deems appropriate.
        nientes. In your statement of allegations you must provide your NIF and the number of

        procedure at the top of this document.



If within the stipulated period it does not make allegations to this initiation agreement, the same

may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the

term granted for the formulation of allegations to the present initiation agreement; it
which will entail a reduction of 20% of the penalty to be imposed in

the present procedure. With the application of this reduction, the sanction would be
established at 60,000 euros, resolving the procedure with the imposition of this
sanction.




In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which

will mean a reduction of 20% of its amount. With the application of this reduction,
the penalty would be set at 60,000 euros and its payment will imply the termination of the

process.



The reduction for the voluntary payment of the penalty is cumulative to the corresponding

apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount

in the preceding paragraph, it may be done at any time prior to the resolution. On
In this case, if both reductions should be applied, the amount of the penalty would be
set at 45,000 euros.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/12








In any case, the effectiveness of either of the two mentioned reductions will be

conditioned to the withdrawal or resignation of any action or remedy in
administrative against the sanction.




In case you choose to proceed to the voluntary payment of any of the amounts

indicated above, 60,000 euros or 45,000 euros, you must make it effective

by entering the account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Agency for Data Protection in Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears in

the heading of this document and the cause of reduction of the amount to which
welcomes.




Likewise, you must send the proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity

entered.



The procedure will have a maximum duration of nine months from the date of

date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of

performances; in accordance with the provisions of article 64 of the LOPDGDD.



Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,

There is no administrative appeal against this act.



Mar Spain Martí


Director of the Spanish Agency for Data Protection








>>



SECOND: On July 7, 2021, the claimed party has proceeded to pay
the sanction in the amount of 45,000 euros making use of the two reductions
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/12








provided for in the Initiation Agreement transcribed above, which implies the
acknowledgment of responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to
the facts to which the Initiation Agreement refers.



                            FOUNDATIONS OF LAW

FIRST: By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in art. 47 of Organic Law 3/2018, of
December 5, Protection of Personal Data and guarantee of rights

digital (hereinafter LOPDGDD), the Director of the Spanish Agency for
Data Protection is competent to sanction the infractions that are committed
against said Regulation; the infractions of article 48 of Law 9/2014, of 9 of
May, General de Telecomunicaciones (hereinafter LGT), in accordance with the
provided in article 84.3 of the LGT, and the offenses typified in articles
38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the

information society and electronic commerce (hereinafter LSSI), according to
Article 43.1 of said Law provides.

SECOND: Article 85 of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations (hereinafter, LPACAP),

under the heading "Termination of sanctioning procedures" provides the
following:

"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or to the determination of the

compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% on the amount of the proposed sanction, these being cumulative among themselves.

The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditional on the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased

regulations. "




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/12








In accordance with the above, the Director of the Spanish Agency for the Protection of

Data
RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00180/2021, of

in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to TELEFÓNICA MÓVILES ESPAÑA,
S.A.U ..


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by

the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.



                                                                                  936-280621
Mar Spain Martí
Director of the Spanish Agency for Data Protection






























C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es