AEPD (Spain) - PS/00193/2021
Article 6(1) GDPR
Article 58(2) GDPR
Article 83 GDPR
Article 65(4) LOPDGDD
aepd.es (in ES)
The Spanish DPA fined Vodafone Spain €50,000 for unlawfully processing a non-customer's data. Another person had fraudulently entered into a contract with Vodafone and the company failed to take sufficient measures to guarantee their identity.
English Summary
Facts
The complainant noticed a Vodafone charge on his bank account for the use of two mobile phone lines. As he had never entered into any contract with the company, he filed a complaint with the National Police in Seville and a claim with the Organisation of Consumers and Users (OCU).
The company investigated the charges once it received the claim. It found them to be fraudulent and disconnected the lines. It also cancelled the complainant's outstanding debt in its systems.
Holding
The AEPD held that the complainant's personal data were "incorporated into the company's information systems, without him having accredited that he had legitimately contracted, had legitimacy for the collection and subsequent processing of his personal data, or that there was any other cause that would make the processing carried out lawful".
It argued that Vodafone Spain failed to exercise the due diligence required to verify that the contracting party was who they claimed to be, notably because the fraudulent contract was unsigned and its data (address, date of birth) did not match the complainant's identity card.
It then assessed the degree of responsibility attributable to Vodafone Spain for this breach, treating the evident link between the company's business activity and the processing of personal data as an aggravating factor. As a mitigating factor, it took into account that the company reacted with the necessary urgency to remedy the incident.
Therefore, it fined the company €50,000.
Comment
This fine is only one of several decisions issued by the AEPD on closely connected matters. For further information see this case's comment section.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00193/2021

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Data Protection Agency and on the basis of the following:

BACKGROUND

FIRST: On July 30, 2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against Vodafone España, S.A.U., with NIF A80907397, which is transcribed below:

<< Procedure number: PS/00193/2021

BACKGROUND

FIRST: Mr. A.A.A., acting in the name and on behalf of Mr. B.B.B. (hereinafter, the complaining party), filed a claim with the Spanish Data Protection Agency on January 4, 2021. The claim is directed against Vodafone España, S.A.U., with NIF A80907397 (hereinafter, the claimed party).

The complaining party states that he noticed on his bank account a charge from the claimed party, and that he was informed that he had been billed for the consumption of two mobile lines contracted in his name in the town of Avilés, and that a pack, possibly of mobile handsets, had also been contracted but not yet invoiced. The complaining party filed a complaint with the National Police in Seville and a claim before the Organisation of Consumers and Users. He further states that he has never been a customer of the claimed party. Among other things, he provides the following documentation:

- Complaint filed with the National Police in Seville on January 2, 2021, for the contracting of telephony services in his name.

SECOND: Prior to the admission of this claim for processing, it was forwarded to the claimed party on February 17, 2021, in accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), in the proceedings with reference E/01375/2021. The notification was made electronically and appears as delivered on February 17, 2021.

THIRD: In accordance with article 65.2 of Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), the agreement admitting the claim for processing was signed on April 23, 2021.

FOURTH: Upon being forwarded the claim, the claimed party submitted a written reply on May 14, 2021, stating that it had investigated the reported events and declared the incident fraudulent, and that all the affected lines had been permanently deactivated. It attaches as document number 1 the reply sent to the complaining party, in which it apologises for what occurred and informs him of the steps taken.

The claimed party states that, once the claim was received, it proceeded to temporarily suspend the lines associated with the reported customer ID on January 11, 2021, after verifying the indications of fraud, and formally communicated the steps taken to the complaining party on January 11 and February 18, 2021, by letter sent to the OCU, attached as document number 2. Finally, on March 18, 2021, it deactivated the services that had been the subject of the fraudulent registration, after confirming that the incident was due to services being contracted through identity theft against the complaining party. Likewise, once the registrations were declared fraudulent, it cancelled the existing debt in its systems. In this regard, it attaches as document number 3 the invoices issued, as well as the corresponding payment cancelling the debt.

It further states that it acted as quickly as possible to resolve the situation, since until that moment the customer account associated with the N.I.F. of the complaining party, and the services associated with it, appeared to be correct. In this regard, it provides the contracts formalised with the supposed holder of the line.

The claimed party also states that its Security Policy has been progressively updated, its last modification having been implemented on November 21, 2019.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the GDPR grants to each supervisory authority, and as established in articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

The facts set out may constitute, on the part of the claimed party, an infringement of article 6.1 of the GDPR, which establishes the conditions under which the processing of personal data is considered lawful.

Article 6 of the GDPR, "Lawfulness of processing", details in its section 1 the cases in which the processing of third-party data is considered lawful:

"1. Processing shall be lawful only if at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(…)"

The infringement attributable to the claimed entity is typified in article 83 of the GDPR, which, under the heading "General conditions for imposing administrative fines", states:

"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9."

Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), in its article 72, under the heading "Infringements considered very serious", provides:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, in particular the following:
(…)
a) The processing of personal data without any of the conditions of lawfulness of processing established in article 6 of Regulation (EU) 2016/679 being met."

The documentation in the file provides evidence that the claimed party infringed article 6.1 of the GDPR, since it processed the personal data of the complaining party without any legitimate basis for doing so.

The personal data of the complaining party were incorporated into the company's information systems without it having been proven that he had legitimately contracted, that there was a legitimate basis for the collection and subsequent processing of his personal data, or that any other ground existed that would make the processing carried out lawful.

On the basis of the foregoing, in the case analysed, the diligence used by the claimed party to identify the person who carried out the contracting in the name of the complaining party is called into question. Indeed, it is proven, as acknowledged by the claimed party in its written reply to this Agency dated May 14, 2021, that fraudulent contracting took place. It should be noted that the contracts provided by the claimed party as document number 4 appear unsigned, and their data (address, date of birth) do not match the identity card of the complaining party. Likewise, the SEPA direct debit mandate appears unsigned. Thus, the claimed party did not verify the identity of the alleged contractor, nor did it take the necessary precautions so that these events would not occur.

In accordance with the evidence available at this stage of the procedure, and without prejudice to what results from its instruction, it is considered that the conduct of the claimed party could infringe article 6.1 of the GDPR and could constitute the offence typified in article 83.5.a) of the aforementioned Regulation 2016/679.

Ultimately, the claimed party has not provided any document or evidence showing that the entity, in such a situation, had deployed the minimum diligence required to verify that its interlocutor was indeed the person they claimed to be. Respect for the principle of lawfulness, which lies at the core of the fundamental right to the protection of personal data, requires it to be proven that the controller deployed the necessary diligence to establish that point. If this were not required, and it is incumbent upon this Agency to demand it in order to ensure compliance with the rules governing the right to the protection of personal data, the result would be to empty the principle of lawfulness of content.

In this regard, Recital 40 of the GDPR states:

"(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract."

III

The determination of the sanction to be imposed in the present case requires observance of articles 83.1 and 83.2 of the GDPR, which respectively provide the following:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."

"2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following:
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58, paragraph 2, have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."

Within this section, the LOPDGDD provides in its article 76, entitled "Sanctions and corrective measures":

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article.
2. In accordance with article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the infringement.
b) The link between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the conduct of the affected person could have led to the commission of the infringement.
e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The effect on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in cases where there are disputes between them and any data subject.
3. The remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679 may also be adopted, where appropriate, in addition or as an alternative."

In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, for the purpose of setting the amount of the fine to be imposed on the claimed entity as responsible for an infringement typified in article 83.5.a) of the GDPR and 72.1.b) of the LOPDGDD, in an initial assessment the following factors are considered to concur in the present case:

As mitigating factors:
- It immediately proceeded to arrange the cancellation of the services and the settlement of the amounts invoiced (article 83.2.c, GDPR).

As aggravating factors:
- That the facts that are the subject of the claim are attributable to a lack of diligence on the part of the claimed party (article 83.2.b, GDPR).
- The evident link between the business activity of the claimed party and the processing of personal data of customers or third parties (article 83.2.k of the GDPR, in relation to article 76.2.b of the LOPDGDD).

It is appropriate to grade the sanction to be imposed on the claimed party and set it at €50,000 for the infringement of article 83.5.a) GDPR and 72.1.b) of the LOPDGDD.

Therefore, on the basis of the foregoing, the Director of the Spanish Data Protection Agency

AGREES:

FIRST: TO INITIATE A SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged infringement of article 6.1 of the GDPR, typified in article 83.5.a) of the aforementioned GDPR.

SECOND: TO APPOINT Mr. C.C.C. as instructor and Mrs. D.D.D. as secretary, indicating that either of them may be challenged, if applicable, in accordance with articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, and the documents obtained and generated by the General Subdirectorate of Data Inspection.

FOURTH: THAT, for the purposes provided for in article 64.2.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that would correspond for the infringement of article 6.1 of the GDPR, typified in article 83.5.a) of the GDPR, would be a fine of 50,000 euros (fifty thousand euros), without prejudice to what results from the instruction.

FIFTH: TO NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting it a hearing period of ten working days to submit the allegations and present the evidence it deems appropriate. In its written allegations, it must provide its NIF and the procedure number that appears in the heading of this document.

If no allegations are made to this initiation agreement within the stipulated period, it may be considered a proposed resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with article 85 of the LPACAP, in the event that the sanction to be imposed is a fine, it may acknowledge its responsibility within the period granted for submitting allegations to the present initiation agreement, which will entail a reduction of 20% of the sanction to be imposed in the present procedure, equivalent in this case to ten thousand euros (€10,000). With the application of this reduction, the amount of the sanction would be set at forty thousand euros (€40,000), and the procedure would be resolved with the imposition of this sanction.

Likewise, it may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, in accordance with article 85.2 of the LPACAP, which will entail a reduction of 20% of its amount, equivalent in this case to ten thousand euros (€10,000), for the infringement charged. With the application of this reduction, the amount of the sanction would be set at forty thousand euros (€40,000), and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the sanction is cumulative with the one applicable for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is expressed within the period granted for submitting allegations at the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions were applied, the amount of the sanction would be set at thirty thousand euros (€30,000).

In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

Should it choose to make voluntary payment of either of the amounts indicated above, 40,000 euros or 30,000 euros, it must do so by depositing it into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept field the reference number of the procedure that appears in the heading of this document and the grounds for the reduction of the amount applied. Likewise, it must send proof of the deposit to the General Subdirectorate of Inspection in order to continue the procedure in accordance with the amount deposited.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. After this period, it will lapse and, consequently, the proceedings will be closed, in accordance with article 64 of the LOPDGDD.

Finally, it is pointed out that, in accordance with article 112.1 of the LPACAP, no administrative appeal lies against this act.

Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: It is on record that the Initiation Agreement was notified on August 2, 2021, and that on August 17, 2021 the claimed party proceeded to pay the sanction in the amount of 40,000 euros, making use of the reduction provided for in the Initiation Agreement, stating:

"That Vodafone has ordered the payment of €40,000 corresponding to the infringement initially charged, taking into account the 20% reduction for voluntary payment of the sanction, and hereby withdraws and waives any action or appeal in administrative proceedings in relation to these facts, in accordance with article 85 of the LPACAP."

THIRD: The payment made entails the waiver of any action or appeal in administrative proceedings against the sanction, in relation to the facts referred to in the Initiation Agreement.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the GDPR grants to each supervisory authority, and as established in articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature, or when a pecuniary and a non-pecuniary sanction could be imposed but the inappropriateness of the latter has been justified, voluntary payment by the presumed offender at any time prior to the resolution will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for the damage caused by the commission of the infringement.
3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure shall apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency

RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00193/2021, in accordance with article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U., with NIF A80907397.

In accordance with article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es