AEPD (Spain) - PS/00182/2020

From GDPRhub
AEPD - PS/00182/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Published: 05.11.2020
Fine: 75000 EUR
Parties: Telefónica Móviles España, S.A.U.
National Case Number/Name: PS/00182/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish DPA (AEPD) imposed a fine of € 75000 on Telefónica Móviles España, S.A.U. for infringing the principle of lawful processing (Article 6 GDPR) by charging a data subject five times that was not its client and not resolving the issue.

English Summary


The decision is the consequence of a complaint submitted by a Spanish citizen (the claimant) stating that the defendant has charged him five invoices of a third person, and that, despite the fact that he is not a client of the defendant and he has contacted the defendant to solve this situation, it did not offer any kind of solution.


The defendant answered the first requirements of the AEPD stating that (i) the claimant had been informed on the steps to follow in order to solve the situation, (ii) in the end, the invoices were not paid by the claimant, and (iii) that the banking information on the invoices was provided by a bank, so there was no breach of the lawfulness principle. The AEPD started the corresponding sanction procedure.


Thus, the AEPD understood that the defendant has infringed the lawfulness principle included at Article 6 GDPR, as it did not have the corresponding legal basis to process the personal data of the claimant when it charged him five invoices. Consequently, after considering some circumstances [(i) there is a wilful misconduct by the defendant, (ii) basic personal data have been affected, (iii) the duration of the infraction by the defendant, and (iv) the evident connection between the main activity of the defendant ant the processing of personal data], the AEPD decided to impose a fine of € 75000 to the defendant.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure nº: PS / 00182/2020

       Of the procedure instructed by the Spanish Agency for Data Protection and
based on the following:


FIRST: D. A.A.A. (hereinafter, the claimant) dated January 13, 2020
filed a claim with the Spanish Agency for Data Protection. The
The claim is directed against Telefónica Móviles España, S.A.U. with NIF A78923125
(hereinafter, the claimed).

       The claimant states in his claim that since May
2019, the defendant has collected five invoices from a third party that have been
paid through his bank account, which he has subsequently returned.

       On the other hand, he points out that he is not a client of said operator, and that he has

filed various claims with said company and they have ignored it.

       The claimant, submits with his claim writing the following

       1.- Proof of the five charges made by the claimed in your account
bank, linked to a mobile phone number of a third party that you do not know.

       2.- SMS of the claimed informing that they are analyzing the claim
1341890, dated October 21, 2019.

SECOND: In accordance with article 65.4 of the LOPGDD, which has provided a
mechanism prior to the admission for processing of claims made before
the AEPD, consisting of transferring them to the Data Protection Delegates
designated by those responsible or in charge of the treatment, for the intended purposes

in article 37 of the aforementioned rule, or to these when it has not designated them,
transfer of the claim to the claimed entity to proceed with its analysis and
respond to the complaining party and this Agency within one month.

       As a result of this process, on April 8, 2020, the claimed


       That they have sent an email in response to the claim of the
claimant. They attach a copy of the aforementioned email.

THIRD: The result of the transfer process initiated in the previous Event does not
allowed to understand satisfied the claims of the claimant. Consequently, with
dated June 3, 2020, for the purposes set forth in article 64.2 of the LOPDGDD,
The Director of the Spanish Agency for Data Protection agreed to admit for processing the
claim filed.

C / Jorge Juan, 6
28001 - Madrid 2/7

FOURTH: On July 20, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the claimed party, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the

Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in Article
83.5 of the RGPD.

FIFTH: Once the aforementioned commencement agreement was notified, the respondent submitted a written
allegations in which, in summary, it stated that the defendant informed the

claimant on the procedures to follow, according to art. 43.1 of the Royal Decree Law
19/2018, of November 23, of payment services and other urgent measures in
financial matter

       Likewise, they highlight that the receipts to which the claim refers

are not finally paid by the claimant at the time of making the
timely procedures with the bank.

       On the other hand, it states that the data contained in the bank receipts
mentioned has been carried out by a bank, which results in the absence
of infringement of the principle of legality of treatment contained in article 6.

       In conclusion, the facts that are the subject of the procedure, as well as the absence of
liability exclude the commission of the offense contained in article 72.1b) of
the LOPDGDD, for which it requests that the procedure file be proposed.

SIXTH: On August 28, 2020, the instructor of the procedure agreed to the
opening of a period of practical tests, taking as incorporated the
previous actions, E / 01519/2020, as well as the documents provided by the

SEVENTH: The Proposal for Resolution was notified on September 28, 2020, by
alleged violation of article 6.1 of the RGPD, typified in article 83.5 of the RGPD,
proposing a fine of 75,000 euros.

       The respondent requested an extension of the deadline, on October 5, 2020, to
formulate allegations and subsequently presented the same in which, in summary,
stated that it is affirmed and ratified in its brief of allegations, presented to the

Agreement to initiate this file, requesting the filing of the procedure.

       Of the actions carried out in this procedure and of the
documentation in the file, the following have been accredited:

                                PROVEN FACTS

       1.- It is clear that the defendant has collected five invoices from a third party

that have been paid through his bank account, which he has subsequently
       2.- The claimant is not a client of the claimed.

C / Jorge Juan, 6
28001 - Madrid 3/7

       3.- The events took place since May 2019.

       4.- The vouchers include the charges made by the claimed in the

claimant's account.

       5.- There is an SMS from the claimed informing that they are analyzing the
    claim 1341890, dated October 21, 2019.

                            FOUNDATIONS OF LAW


       By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the
Director of the Spanish Data Protection Agency is competent to resolve
this procedure.


       The defendant is accused of committing an offense for violation of the
Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the
cases in which the processing of third party data is considered lawful:

        "1. The treatment will only be lawful if at least one of the following is met

      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;

      b) the treatment is necessary for the performance of a contract in which the
      interested is part or for the application at the request of this of measures

      (…) "

       The offense is typified in Article 83.5 of the RGPD, which considers as such:

      "5. Violations of the following provisions will be sanctioned, in accordance

with paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:

      a) The basic principles for the treatment, including the conditions for the
      consent in accordance with articles 5,6,7 and 9. "

       Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:

C / Jorge Juan, 6
28001 - Madrid 4/7

      "1. In accordance with the provisions of article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in

in particular, the following:

       b) The processing of personal data without the concurrence of any of the
       conditions of legality of the treatment established in article 6 of the
       Regulation (EU) 2016/679. "


      The documentation in the file provides evidence that the
claimed, violated article 6.1 of the RGPD, since it processed personal data

of the claimant without standing.

    Well, with respect to the facts that are the subject of this claim,
We must emphasize that the claimed has answered but the content of the same has not
it follows that they had responded to the claimant with a reliable explanation
of the reasons why invoices were charged to your account that you do not recognize. From

here that does not provide any evidence that would allow estimating that the treatment of
Claimant's data had been legitimate.

       The lack of diligence displayed by the entity in complying with the
Obligations imposed by the regulations for the protection of personal data

It is thus obvious. A diligent compliance with the principle of legality in the treatment
of third-party data requires that the person responsible for the treatment is in conditions
to prove it (principle of proactive responsibility).


       In accordance with the provisions of the RGPD in its art. 83.1 and 83.2, when deciding the
imposition of an administrative fine and its amount in each individual case will be
take into account the aggravating and mitigating factors that are listed in the article
indicated, as well as any other that may be applicable to the circumstances of the

           "Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "

       "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question
        as well as the number of affected stakeholders and the level of damage and

        damages they have suffered;
C / Jorge Juan, 6
28001 - Madrid 5/7

        b) intentionality or negligence in the infringement;

        c) any measure taken by the controller or processor
        to mitigate the damages suffered by the interested parties;
        d) the degree of responsibility of the person in charge of the

        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;
        e) any previous infringement committed by the person in charge or the person in charge of

         f) the degree of cooperation with the supervisory authority in order to

        remedy the violation and mitigate the possible adverse effects of the violation;
        g) the categories of personal data affected by the infringement;

        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infraction and, in such
        case, to what extent;

        i) when the measures indicated in Article 58 (2) have been
        previously ordered against the person in charge or the person in charge
        in relation to the same matter, compliance with said measures;

        j) adherence to codes of conduct under Article 40 or to mechanisms
        certification approved in accordance with Article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct
        or indirectly, through the infringement. "

        Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
        "Sanctions and corrective measures", provides:

        "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
        The following may also be taken into account:

        a) The continuing nature of the offense.

        b) The linking of the offender's activity with the performance of treatments

        of personal data.

        c) The benefits obtained as a result of the commission of the offense.

        d) The possibility that the affected person's conduct could have led to the
        commission of the offense.

        e) The existence of a process of merger by absorption subsequent to the commission of
        the infringement, which cannot be attributed to the absorbing entity.

        f) Affecting the rights of minors.

        g) Have, when not mandatory, a data protection officer.

        h) The submission by the person in charge or in charge, with character
        voluntary, to alternative dispute resolution mechanisms, in those
C / Jorge Juan, 6
28001 - Madrid 6/7

       cases in which there are controversies between those and any

      In accordance with the transcribed precepts, in order to set the amount of the

      sanction of a fine to be imposed in the present case for the offense typified in the
      Article 83.5.a) of the RGPD for which the claimed person is responsible, they are considered
      concurrent the following factors:

       As aggravating criteria:

      - The duration of the illegitimate treatment of the data of the affected party carried out by the
       claimed (article 83.2. a) of the RGPD).

     - The intentionality or negligence of the infringement (article 83.2. B) of the RGPD).

     - Basic personal identifiers are affected (personal data

       and banking (art.83.2. g) of the RGPD).

     - The obvious link between the business activity of the claimed and the
      processing of personal data of clients or third parties (article 83.2.k, of the
      RGPD in relation to article 76.2.b, of the LOPDGDD).

       The balance of the circumstances contemplated in article 83.2 of the RGPD, with
Regarding the offense committed by violating the provisions of its article 6, it allows setting
a penalty of 75,000 euros (seventy-five thousand euros), classified as "very serious", to
prescription effects of the same, in article 72.1.b) of the LOPDGDD.

       Therefore, in accordance with the applicable legislation and the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:


A78923125, for a violation of Article 6 of the RGPD, typified in Article 83.5
of the RGPD, a fine of € 75,000 (seventy-five thousand euros).


THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved

by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned and the
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A .. In case

Otherwise, it will be collected in the executive period.

       Once the notification has been received and once it is executed, if the date of execution is
finds between the 1st and 15th of each month, both inclusive, the deadline to carry out the

C / Jorge Juan, 6
28001 - Madrid 7/7

voluntary payment will be until the 20th of the following or immediately subsequent business month, and if
is between the 16th and last days of each month, both inclusive, the term of the
Payment will be up to the 5th of the second following or immediate business month.

       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.

       Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the

LPACAP, the interested parties may optionally file an appeal for reversal
before the Director of the Spanish Agency for Data Protection within a period of
month from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

       Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the

LPACAP, the final resolution may be suspended in an administrative way
If the interested party expresses his intention to file a contentious appeal-
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Agency for Data Protection,
Presenting it through the Electronic Registry of the Agency

[], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too
must forward to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the

day after the notification of this resolution, would terminate the
precautionary suspension.

Mar España Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid