AEPD (Spain) - PS/00188/2021: Difference between revisions

From GDPRhub
Revision as of 09:24, 9 August 2021

AEPD (Spain) - PS/00188/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 17(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 03.08.2021
Fine: 120000 EUR
Parties: Vodafone España, S.A.U.
National Case Number/Name: PS/00188/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined Vodafone €120,000 (reduced to €96,000) for processing personal data without a legal basis, since they did not prevent a third party from fraudulently using someone's personal data to contract a service.

English Summary

Facts

A data subject lodged a complaint with the Spanish DPA (AEPD) stating that they had received an invoice with a debt on behalf of Vodafone (a telecommunications company) without having contracted any services. The data subject also reported it to the police and tried to contact Vodafone in order to exercise their right to erasure, but obtained no answer from them.

Holding

The Spanish DPA concluded during the investigation that Vodafone had processed the personal data of the data subject without any legal basis. Vodafone also recognized such facts, although they remarked that they had later classified the processing of data as fraudulent and cancelled the debt. They additionally alleged that they were trying to improve their security policies to prevent that from happening.

However, the DPA considered that the controller had not acted with due diligence and had failed to implement the necessary measures to avoid processing data without a legal basis, in accordance with the accountability principle. The DPA also considered that the controller had no reason to ignore the data subject's erasure request, and that it should have answered and complied with it.

Therefore, the AEPD fined the controller a total of €120,000 (reduced to €96,000 because of early payment) for:

  • processing personal data without a legal basis, in breach of Article 6(1) GDPR: €70,000 and;
  • not complying with their obligation to erase the data subject's personal data after they had exercised their right to erasure, in breach of Article 17(1) GDPR: €50,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure No.: PS / 00188/2021


       RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following:

                                  BACKGROUND


FIRST: On July 12, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against Vodafone España, S.A.U. with CIF A80907397, which is transcribed below:
<<
Procedure number: PS / 00188/2021


                                  BACKGROUND


FIRST: Mrs. A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency on December 22, 2020. The claim is directed against Vodafone España, S.A.U. with CIF A80907397 (hereinafter, the claimed party).

The claimant states that on September 10, 2019, she received calls from the company ISGF claiming, on behalf of the claimed party, a debt amounting to XXX euros that had been contracted by a third party for an ADSL line for a house located on the street *** ADDRESS.1.

Thus, on September 12, 2019, she reported this impersonation to the Mossos d'Esquadra, since a third party, using her surnames and ID, had fraudulently contracted a service. The day after the complaint, she sent an email to ISGF asking that the fraudulently contracted services and the debt be cancelled, and that she be notified in writing of the resolution.

On September 8, 2020, she sent a burofax to the respondent requesting that her personal data be deleted, but they have not replied.

She provides the following documentation:
 - Claim made before the claimed party for the impersonation of her identity in the contracting of services.
 - Police complaint made for the same facts.
 - Burofax reporting the identity theft and exercising the right to deletion, dated September 8, 2020, with admission time 10:17:53.
 - Proof of delivery of the burofax sent to the claimed party, delivered on September 9, 2020 at 8:45 a.m.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12









SECOND: Prior to the admission for processing of this claim, it was transferred to the claimed party on January 28, 2021, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), in the actions with reference E / 00611/2021. The notification was made electronically, and is recorded as delivered on February 1, 2021.

THIRD: In accordance with the provisions of article 65.2 of Organic Law 3/2018, on Data Protection and Guarantee of Digital Rights (LOPDGDD), on April 23, 2021, the claim admission agreement was signed.


FOURTH: It is established that outside the deadline granted on July 6, 2020, the respondent responds to the transfer of the claim, stating the following:

       On the one hand, it indicates that it has taken the appropriate steps to verify the receipt of the request for the exercise of the right of deletion that, according to what was stated in the claim, the claimant sent by burofax on September 9, 2020. As it has been possible to check, the systems of the claimed party contain no record of the submission of the aforementioned request.

       In turn, it indicates that it attaches as document number 1 a copy of the letter sent to the claimant in compliance with the right to erasure she exercised, informing her that the data relating to her that appeared in the systems of the claimed party associated with her NIF have been duly eliminated.

       Likewise, the claimant is informed that the unrecognized steps that were carried out using her personal data, specifically her surnames and ID, were classified as fraudulent. In this way, the associated debt has been correctly cancelled, excluding the personal data of the claimant from any negative financial solvency file in which, if applicable, she had been registered by the claimed party.

       On the other hand, it includes information on the security procedures available to the claimed party for the contracting of services. In particular, it reports on the mandatory Security Policy that it has in place to prevent fraudulent steps from being carried out.

       Likewise, it points out that, in order to prevent similar incidents from occurring, the claimed party works continuously to improve the Security Policies implemented in the contracting of services and in any other process that entails possible risks of fraud or irregular actions for its clients.



                            FOUNDATIONS OF LAW





                                             I


        By virtue of the powers that article 58.2 of the RGPD grants to each control authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

                                             II


        In the first place, the facts presented may constitute, on the part of the claimed party, an infringement of article 6.1 of the RGPD, which establishes the cases in which the processing of personal data is considered lawful.

        Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the cases in which the processing of third party data is considered lawful:

         "1. The treatment will only be lawful if it complies with at least one of the following conditions:
      a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;
      b) the treatment is necessary for the performance of a contract to which the interested party is a party or for the application, at their request, of pre-contractual measures;
      (…) "


      The infringement for which the claimed entity is held responsible is typified in article 83 of the RGPD which, under the heading "General conditions for the imposition of administrative fines", states:

      "5. Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the highest amount:

      a) The basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9. "

       Organic Law 3/2018, on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), in its article 72, under the heading "Infractions considered very serious", provides:

      "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infractions that entail a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following:

        (…)
        a) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679. "


        On the one hand, it is proven that the respondent processed the personal data of the claimant (name, surname and NIF). Thus, the claimed party, when contracting, did not take the necessary precautions to verify the legitimacy of the contractor.

        The respondent acknowledges the facts in its letter to this Agency dated June 6 May 2021, in which it states: "the claimant is informed that the unrecognized steps that were carried out using her personal data, specifically her surnames and ID card, were classified as fraudulent. In this way, the associated debt has been correctly cancelled, excluding the personal data of the claimant from any negative financial solvency file in which, if applicable, she had been registered by the claimed party".

        Hence, the absence of legitimation for the treatment is confirmed, inasmuch as they show that there was no contract between the two.

        It must be taken into account that the documentation in the file offers evidence that the claimed party violated article 6.1 of the RGPD, since it processed the personal data of the claimant without legitimacy.

        The lack of diligence displayed by the entity in complying with the obligations imposed by the personal data protection regulations is thus obvious. Diligent compliance with the principle of legality in the treatment of third-party data requires that the person responsible for the treatment be in a position to prove it (principle of proactive responsibility).

      In accordance with the evidence available at this procedural stage, for the first offense, and without prejudice to what results from the instruction of the procedure, it is considered that the conduct of the claimed party could violate article 6.1 of the RGPD and may constitute the offense typified in article 83.5.a) of the aforementioned Regulation 2016/679.

      In this sense, Recital 40 of the RGPD states:

       "(40) For the treatment to be lawful, personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance with Law, either in this Regulation or by virtue of another Law of the Union or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the person responsible for the treatment or the need to perform a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract. "

                                               III



        Second, the facts presented may imply the commission of an infringement of article 17 of the RGPD.

        The right of erasure is contained in article 17 of the RGPD as a right of the interested party, the person whose data is concerned, and at the same time implies an obligation of the person responsible for the treatment, indicating:

        1. The interested party shall have the right to obtain without undue delay from the person responsible for the treatment the deletion of the personal data that concerns them, and the latter shall be obliged to delete the personal data without undue delay when any of the following circumstances applies:

        a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise treated;
        b) the interested party withdraws the consent on which the treatment is based in accordance with Article 6 (1) (a) or Article 9 (2) (a), and it is not based on another legal basis;
        c) the interested party objects to the processing in accordance with article 21, paragraph 1, and no other legitimate reasons for the treatment prevail, or the interested party objects to the processing pursuant to Article 21 (2);
        d) the personal data has been unlawfully processed;
        e) the personal data must be deleted to comply with a legal obligation established in the law of the Union or the Member States that applies to the person responsible for the treatment;
        f) the personal data has been obtained in relation to the offer of services of the information society mentioned in article 8, paragraph 1.

        3. Sections 1 and 2 will not apply when the treatment is necessary:
        a) to exercise the right to freedom of expression and information;
        b) for the fulfillment of a legal obligation that requires the treatment of data imposed by the law of the Union or of the Member States that applies to the person responsible for the treatment, or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible;
        c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3;
        d) for archival purposes in the public interest, scientific research purposes or historical or statistical purposes, in accordance with article 89, paragraph 1, insofar as the right indicated in paragraph 1 could make it impossible or seriously impede the achievement of the objectives of such treatment, or
        e) for the formulation, exercise or defense of claims.



                                             IV

        It has been proven that the claimant exercised the right of deletion before the claimed entity and that her request did not obtain the legally required response.

        The respondent states in its allegations that it has no record in its systems of the submission of the burofax on September 9, 2020.

       It should be noted that the burofax is a reliable communication with probative value: the content of the text is accredited, as well as the sender, the recipient and the date of sending.

       In this sense, in the text of the burofax sent to the claimed entity in September 2020, the claimant states "I exercise the right to erasure of my personal data".

       The postal service certifies that the burofax was delivered to the address of the claimed party on September 9, 2020 at 08:45 hours, that it was signed for by its representative, and that the name, surname and ID of the person who took charge of it are recorded.



                                            V


       Article 83.5 b) of the RGPD considers that the infringement of "the rights of the interested parties according to articles 12 to 22" is punishable "with administrative fines of € 20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the one with the highest amount."

       Article 58.2 of the RGPD provides: "Each control authority will have all of the following corrective powers listed below:

       d) order the person responsible for the treatment or the processor to bring the treatment operations into compliance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame;

       i) impose an administrative fine in accordance with article 83, in addition to or in place of the measures mentioned in this section, depending on the circumstances of each particular case;

       The offense is typified in article 74 c) of the LOPDGDD, which indicates:

       "The remaining infractions of a merely formal nature of the articles mentioned in sections 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and will prescribe after one year and, in particular, the following:

       a) Failure to respond to requests to exercise the rights established in Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law apply. "

                                           VI

       Determination of the sanctions to be imposed in the present case requires observing the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively, provide the following:

    "1. Each supervisory authority will guarantee that the imposition of administrative fines pursuant to this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive. "

    "2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:

a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the treatment operation in question, as well as the number of interested parties affected and the level of damages that they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties;

d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;

i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the controller or processor in relation to the same issue, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infraction. "

 Within this section, the LOPDGDD contemplates in its article 76, entitled "Sanctions and corrective measures":

  "1. The penalties provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article.

  2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

  a) The continuing nature of the offense.

  b) The linking of the activity of the offender with the performance of treatment of personal data.

  c) The benefits obtained as a result of the commission of the offense.

  d) The possibility that the affected person's conduct could have led to the commission of the offense.

  e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.

  f) Affecting the rights of minors.

  g) Having, when not mandatory, a data protection officer.

  h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.

  3. It will be possible, complementarily or alternatively, to adopt, when appropriate, the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679. "


        In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the fines to be imposed on the claimed entity as responsible for two offenses, typified in article 83.5.a) of the RGPD and 72.1 b) of the LOPDGDD, and in article 83.5 b) of the RGPD and 74 c) of the LOPDGDD, in an initial assessment the following factors are considered to concur in the present case:

As aggravating factors:

- That the facts that are the subject of the claim are attributable to a lack of diligence of the claimed party (article 83.2.b, RGPD).

- Basic personal identifiers are affected (personal data) (art. 83.2.g) of the RGPD).

- The evident link between the business activity of the claimed party and the treatment of personal data of clients or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b, of the LOPDGDD).

        It is appropriate to graduate the sanctions to be imposed on the claimed party and set them in the amount of € 70,000 for the violation of article 83.5 a) RGPD and 72.1 b) of the LOPDGDD and € 50,000 for the violation of article 83.5 b) and 74 c) of the LOPDGDD.


       Therefore, based on the foregoing, the Director of the Spanish Agency for Data Protection

AGREES:

FIRST: INITIATE SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U. with CIF A80907397, for the alleged infractions of articles 6.1) and 17.1 of the RGPD typified in article 83.5.a) and 83.5b) of the aforementioned RGPD.

SECOND: APPOINT D. B.B.B. as instructor and Ms. C.C.C. as secretary, indicating that either of them may be challenged, as the case may be, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and her documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, as well as the report of previous Inspection actions.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the penalties that may correspond would be the following:

- for the violation of article 6.1 of the RGPD, typified in article 83.5 a) of the RGPD, the corresponding sanction would be a fine of 70,000 euros (seventy thousand euros), without prejudice to what results from the instruction.

- for the violation of article 17.1 of the RGPD, typified in article 83.5 b) of the RGPD, the corresponding sanction would be a fine of 50,000 euros (fifty thousand euros), without prejudice to what results from the instruction.

FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with CIF A80907397, granting it a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In its written allegations, it must provide its NIF and the procedure number that appears in the heading of this document.

If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed is a fine, it may acknowledge its responsibility within the term granted for the formulation of allegations to the present initiation agreement, which will entail a reduction of 20% for each of the sanctions that it is appropriate to impose in the present procedure, equivalent in this case to fourteen thousand euros (€ 14,000) for the first offense charged and ten thousand euros (€ 10,000) for the second offense charged, that is, a total reduction for this reason of twenty-four thousand euros (€ 24,000). With the application of this reduction, the total amount of both penalties would be established at ninety-six thousand euros (€ 96,000), resolving the procedure with the imposition of this sanction.


In the same way, you may, at any time prior to the resolution of this procedure, make
the voluntary payment of the proposed sanction, in accordance with the provisions of
article 85.2 LPACAP, which will entail a reduction of 20% of its amount, equivalent in
this case to fourteen thousand euros (€ 14,000) for the first offense charged and ten
thousand euros (€ 10,000), that is, a total reduction on this ground of twenty-four
thousand euros (€ 24,000). With the application of this reduction, the total amount of
both penalties would be set at ninety-six thousand euros (€ 96,000) and its payment will
imply the termination of the procedure.

The reduction for voluntary payment of the penalty is cumulative with the one that
applies for the acknowledgment of responsibility, provided that this acknowledgment of
responsibility is made manifest within the period granted to formulate allegations at the
opening of the procedure. The voluntary payment of the amount referred to in the
preceding paragraph may be made at any time prior to the resolution. In this case, if
both reductions were applied, the amount of the penalty would be set at seventy-two
thousand euros (€ 72,000).

In any case, the effectiveness of either of the two reductions mentioned will be
conditional on the withdrawal or waiver of any action or appeal in administrative
proceedings against the sanction.

If you choose to make the voluntary payment of either of the amounts indicated above,
96,000 euros or 72,000 euros, you must do so by depositing it into account number
ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data
Protection at Banco CAIXABANK, S.A., indicating in the payment concept the reference
number of the procedure that appears in the heading of this document and the ground for
reduction of the amount that you are relying on.


Likewise, you must send proof of payment to the Subdirectorate General of Inspection so
that the procedure can continue in accordance with the amount paid.


The procedure will have a maximum duration of nine months from the date of the
initiation agreement or, where appropriate, the draft initiation agreement. After this
period it will expire and, consequently, the proceedings will be closed, in accordance
with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that, in accordance with the provisions of article 112.1 of
the LPACAP, there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Agency for Data Protection >>



SECOND: The record shows that, the Initiation Agreement having been notified on July 13,
2021, the respondent proceeded on July 28, 2021 to pay the penalties in the amount of
96,000 euros, making use of the reduction provided for in the Initiation Agreement,
stating:
"That Vodafone has ordered the payment of € 96,000 corresponding to the infraction
initially planned, including the 20% reduction for making the voluntary payment of the
proposed sanction, and in this act desists from and renounces any action or remedy in
administrative proceedings in relation to this factual assumption, in accordance with
what is established in art. 85 of the LPACAP."

THIRD: The payment made entails the waiver of any action or recourse in progress
against the sanction, in relation to the facts referred to in the Initiation Agreement.

                           FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the GDPR grants to each supervisory
authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the
Spanish Data Protection Agency is competent to resolve this procedure.


                                            II

       Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter LPACAP), under the heading "Termination of
sanctioning procedures", provides the following:


       "1. Once a sanctioning procedure has been initiated, if the offender acknowledges
his responsibility, the procedure may be resolved with the imposition of the
appropriate sanction.
       2. When the sanction is solely of a pecuniary nature, or when a pecuniary and a
non-pecuniary sanction may be imposed but the inadmissibility of the second has been
justified, voluntary payment by the presumed responsible party, at any time prior to
the resolution, will imply the termination of the procedure, except in relation to the
restoration of the altered situation or the determination of compensation for damages
caused by the commission of the offense.
       3. In both cases, when the penalty is solely of a pecuniary nature, the competent
body to resolve the procedure will apply reductions of at least 20% on the amount of
the proposed sanction, these being cumulative with each other. The aforementioned
reductions must be determined in the notification of initiation of the procedure and
their effectiveness will be conditional on the withdrawal or waiver of any action or
appeal in administrative proceedings against the sanction.

       The percentage of reduction foreseen in this section may be increased by
regulation."

In accordance with the above, the Director of the Spanish Agency for Data Protection
RESOLVES:


FIRST: DECLARE the termination of procedure PS/00188/2021, in accordance with the
provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U. with CIF A80907397.

        In accordance with the provisions of article 50 of the LOPDGDD, this Resolution
will be made public once it has been notified to the interested parties.

        Against this resolution, which puts an end to the administrative procedure as
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations, interested parties may file a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of the
fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months counting from the
day following the notification of this act, as provided in Article 46.1 of the
aforementioned Law.


Mar España Martí
Director of the Spanish Agency for Data Protection