AEPD (Spain) - PS/00193/2021

From GDPRhub
Revision as of 10:01, 22 September 2021 by FA (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD (Spain) - PS/00193/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 58(2) GDPR
Article 83 GDPR
Article 65(4) LOPDGDD
Type: Complaint
Outcome: Upheld
Decided: 14.09.2021
Published: 14.09.2021
Fine: 50000 EUR
Parties: Vodafone Spain
National Case Number/Name: PS/00193/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: (in ES)
Initial Contributor: Frederick Antonovics

The Spanish DPA fined Vodafone Spain €50,000 for unlawfully processing a non-customer's data. Another person had fraudulently entered into a contract with Vodafone and the company failed to take sufficient measures to guarantee their identity.

English Summary


The complainant noticed a Vodafone charge on his bank account for the use of two mobile phone line. As he had not entered into any contracts with the company, he complained to the Police in Seville and the Consumers and Users Organisation.

The company investigated the charges once they received the complaint. It found them to be fraudulent and disconnected the lines. It also cancelled the complainant's existing debt in its systems.


The AEPD held that the complainant's personal data were "incorporated into the company's information systems, without him having accredited that he had legitimately contracted, had legitimacy for the collection and subsequent processing of his personal data, or that there was any other cause that would make the processing carried out lawful".

It argued Vodafone Spain failed to perform the required due diligence to verify the contracting party was who they claimed to be, notably because the fraudulent contract that was established was unsigned and contained incorrect information (e.g. address, date of birth).

It then assessed the degree of responsibility that should be attributed to Vodafone Spain for this breach, and found a clear link between the company's business practices and the breach. It nonetheless took into account that the company reacted with the necessary urgency to remedy the incident as a mitigating factor.

Therefore, it fined the company €50,000.


This fine is only a part of multiple decisions issued by the AEPD on closely connected matters. For further information see this case's comment section.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure No.: PS / 00193/2021


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:


FIRST: On July 30, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against Vodafone Spain,
S.A.U. with NIF A80907397 which is transcribed below:
Procedure number: PS / 00193/2021


FIRST: D. A.A.A. on behalf of and on behalf of D. B.B.B. (hereinafter, the part
claimant) on January 4, 2021, he filed a claim with the Agency

Spanish Data Protection.

The claim is directed against Vodafone España, S.A.U. with NIF A80907397 (in
below, the claimed party).

The complaining party states that it observes in the operation of its bank account a

charge of the claimed part, and they inform you that you had been billed for the consumption of
two mobile lines which were contracted in his name in the town of
Avilés, and also a pack had been contracted, possibly of mobile terminals, the
which had not yet been invoiced.

The complaining party filed a complaint with the Seville National Police and a
claim before the Organization of Consumers and Users.

On the other hand, it states that it has not been a client of the claimed party.

And, among other things, it provides the following documentation:

- Complaint filed with the Seville National Police on January 2, 2021, by the
contracting telephony services on your behalf.

SECOND: Prior to the admission for processing of this claim, a

transferred the claimed on February 17, 2021, in accordance with the provisions
in article 65.4 of the Organic Law 3/2018, of December 5, on Data Protection
Personal and guarantee of digital rights (hereinafter, LOPDGDD), in the

C / Jorge Juan, 6
28001 - Madrid 2/10

actions with reference E / 01375/2021. The notification is made electronically,
and figure delivered on February 17, 2021.

THIRD: In accordance with the provisions of article 65.2 of the Organic Law
3/2018, on Data Protection and Guarantee of Digital Rights (LOPDGDD), in
On April 23, 2021, the claim admission agreement is signed.

FOURTH: When transferring the claim to the claimed party, he presented a written document on the 14th
May 2021, stating that it proceeded to investigate the events denounced and

declared the claimed incident as fraudulent, finding all the lines
affected permanently unsubscribed.

Attached as document number 1, the response provided to the complaining party, in
In this sense, they apologize for the events that occurred and inform you about the

actions made.

The claimed party states that, once the claim was received, they proceeded to give
temporarily remove the lines associated with the reported customer ID on January 11
2021 after verifying the signs of fraud, and formally communicated the
steps taken to the claimant on January 11 and February 18, 2021

by letter sent to the OCU and attached as document number 2.

Finally, on March 18, 2021, they proceeded to deactivate
of the services subject to fraudulent registration after confirming that the incident had
due to a hiring of identity theft services of the claimant.

Likewise, once the registrations were declared as fraudulent, they proceeded to cancel the
existing debt in your systems. In this sense, they attach as document number
3 the invoices issued, as well as the corresponding payment to cancel the debt.

On the other hand, they state that they acted as quickly as possible to resolve the
situation, since until that moment the client account associated with the N.I.F. of the
Claimant and the services associated with it appeared to be correct. In this
In this sense, the contracts formalized with the
supposed owner of the line.

On the other hand, the complained party states that the Security Policy has been
progressively updating, having implemented its last modification in
date November 21, 2019.

                            FOUNDATIONS OF LAW


       By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in arts. 47 and 48.1 of the LOPDPGDD, the
Director of the Spanish Data Protection Agency is competent to resolve
this procedure.

C / Jorge Juan, 6
28001 - Madrid 3/10


       The facts presented may suppose on the part of the claimed party, the

commission of an infringement of article 6.1 of the RGPD that establishes the assumptions that
allow the processing of personal data to be considered lawful.

       Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the
cases in which the processing of third party data is considered lawful:

         "1. The treatment will only be lawful if it complies with at least one of the following
      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;
      b) the treatment is necessary for the performance of a contract in which the

      interested is part or for the application at the request of this of measures
      (…) "

      The infringement for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading "General conditions for

the imposition of administrative fines ”, it states:

      "5. Violations of the following provisions will be sanctioned, in accordance with
with section 2, with administrative fines of a maximum of 20,000,000 Eur or,
in the case of a company, an amount equivalent to a maximum of 4% of the

total annual global business volume of the previous financial year, opting for
the highest amount:

      a) The basic principles for the treatment, including the conditions for the
      consent in accordance with articles 5,6,7 and 9. "

       Organic Law 3/2018, on Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:

      "1. Based on what is established in article 83.5 of the Regulation (E.U.)

2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that one and, in
in particular, the following:


        a) The processing of personal data without the concurrence of any of the
           conditions of legality of the treatment established in article 6 of the
           Regulation (EU) 2016/679. "

      The documentation in the file provides evidence that the

claimed, violated article 6.1 of the RGPD, since it processed the
personal data of the complaining party without having any legitimacy to

C / Jorge Juan, 6
28001 - Madrid 4/10

       The personal data of the complaining party were incorporated into the systems
of company information, without having proven that he had contracted
legitimately, had legitimacy for the collection and subsequent treatment of

your personal data, or there is any other cause that would make the treatment lawful

       Based on the foregoing, in the case analyzed, it remains in
questioned the diligence used by the respondent to identify the
person who carried out the contract on behalf of the complaining party.

       Well, it is proven as recognized by the claimed party in its
written reply to this Agency dated May 14, 2021, which was produced
a fraudulent hiring.

       It should be noted that the contracts provided by the claimed party as
document number 4, they appear unsigned and their data (address, date
of birth), do not coincide with the identity card of the claimant.

       Likewise, it appears that the Sepa Order of domiciliation is not signed.

       Thus, the claimed party did not verify the personality of the alleged contractor, not
took the necessary precautions so that these events did not occur.

       In accordance with the evidence available at this time

procedural and without prejudice to what results from the instruction of the procedure, it is estimated
that the conduct of the complained party could violate article 6.1 of the RGPD
being able to be constitutive of the offense typified in article 83.5.a) of the aforementioned
Regulation 2016/679.

        Ultimately, the respondent has not provided a document or evidence
any evidence that the entity, in such a situation, had deployed the
minimum diligence required to verify that indeed your interlocutor was the one
claimed to flaunt.

       Respect for the principle of legality that is at the core of fundamental right

protection of personal data requires that it be proven that the
responsible for the treatment deployed the necessary diligence to prove that
extreme. If this Agency does not act like this - and if this Agency does not demand it, it is incumbent upon
for compliance with the regulations governing the right to data protection of
personal character - the result would be to empty the principle of legality of content.

      In this sense, Recital 40 of the RGPD states:

      "(40) For the treatment to be lawful, personal data must be processed

with the consent of the interested party or on some other legitimate basis established
in accordance with Law, either in this Regulation or by virtue of another Law
of the Union or of the Member States referred to in this Regulation,
including the need to comply with the legal obligation applicable to the person responsible for the

C / Jorge Juan, 6
28001 - Madrid 5/10

treatment or the need to perform a contract to which the interested party or
in order to take measures at the request of the interested party prior to the
conclusion of a contract. "


        The determination of the sanction to be imposed in the present case requires

observe the provisions of articles 83.1 and 2 of the RGPD, precepts that,
respectively, provide the following:
    "1. Each supervisory authority will guarantee that the imposition of fines
administrative regulations pursuant to this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case

effective, proportionate and dissuasive. "
    "2. Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the treatment operation in question, as well as

such as the number of interested parties affected and the level of damages that
have suffered;

     b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to pa-

bundle the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or the person in charge of the treatment,
gives an account of the technical or organizational measures that have been applied by virtue of the
articles 25 and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;

f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular
cular if the person in charge or the person in charge notified the infringement and, if so, in what measure

i) when the measures indicated in article 58, paragraph 2, have been ordered

previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and

C / Jorge Juan, 6
28001 - Madrid 6/10

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as the financial benefits obtained or the losses avoided, directly or indirectly-
mind, through the infraction. "

  Within this section, the LOPDGDD contemplates in its article 76, entitled
"Sanctions and corrective measures":

  "1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria

established in section 2 of the aforementioned article.

  2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:

  a) The continuing nature of the offense.

  b) The linking of the activity of the offender with the performance of treatment of
personal information.

  c) The benefits obtained as a result of the commission of the offense.

  d) The possibility that the affected person's conduct could have led to the

commission of the offense.

  e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.

  f) Affecting the rights of minors.

  g) Have, when not mandatory, a data protection officer.

  h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party.

  3. It will be possible, complementary or alternatively, the adoption, when appropriate,
of the remaining corrective measures referred to in article 83.2 of the
Regulation (EU) 2016/679. "

        In accordance with the transcribed precepts, and without prejudice to what results from the

instruction of the procedure, for the purpose of setting the amount of the fine
impose the claimed entity as responsible for an offense typified in the
Article 83.5.a) of the RGPD and 72.1 b) of the LOPDGDD, in an initial assessment,
consider the following factors to be concurrent in the present case:

As mitigating factors:

- Immediately proceeded to manage the cancellation of the services and the payment of the
    amounts invoiced (article 83.2.c, RGPD).

As aggravating factors:

C / Jorge Juan, 6
28001 - Madrid 7/10

- That the facts that are the subject of the claim are attributable to a lack of diligence
      of the claimed party (article 83.2.b, RGPD).

- The evident link between the business activity of the claimed and the

      treatment of personal data of clients or third parties (article 83.2.k, of the
      RGPD in relation to article 76.2.b, of the LOPDGDD)

      It is appropriate to graduate the sanction to impose on the claimed and set it at the amount of
€ 50,000 for the violation of article 83.5 a) RGPD and 72.1b) of the LOPDGDD.

       Therefore, based on the foregoing, by the Director of the
Spanish Agency for Data Protection.


S.A.U. with NIF A80907397, for the alleged violation of article 6.1) typified in the
Article 83.5.a) of the aforementioned RGPD.

SECOND: APPOINT D. C.C.C. as instructor. and as secretary to Mrs. D.D.D.,
indicating that any of them may be challenged, if applicable, in accordance with the
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Public Sector Legal (LRJSP).

THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and his documentation, the documents
obtained and generated by the General Subdirectorate for Data Inspection.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1

October, of the Common Administrative Procedure of Public Administrations, the
The corresponding sanction would be for the violation of article 6.1 of the RGPD,
typified in article 83.5 a) of the RGPD, the corresponding sanction would be a
fine in the amount of 50,000 euros (fifty thousand euros) without prejudice to what
result of the instruction.

FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with NIF
A80907397 granting a hearing period of ten business days to formulate
the allegations and present the evidence that it deems appropriate. In his writing of
allegations, you must provide your NIF and the procedure number that appears in the
heading of this document.

If within the stipulated period it does not make allegations to this initiation agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the
term granted for the formulation of allegations to the present initiation agreement; it
which will entail a reduction of 20% for the penalty to be imposed

C / Jorge Juan, 6
28001 - Madrid 8/10

in the present procedure, equivalent in this case to ten thousand euros (€ 10,000).
With the application of this reduction, the amount of the sanction would be established in
forty thousand euros (€ 40,000), resolving the procedure with the imposition of

this sanction.

In the same way, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction,
in accordance with the provisions of article 85.2 LPACAP, which will entail a
reduction of 20% of the amount of the same, equivalent in this case to ten thousand
euros (€ 10,000), for the infringement charged. With the application of this reduction, the
The amount of the penalty would be set at forty thousand euros (€ 40,000) and its payment

will imply the termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment

of the responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the preceding paragraph, it may be done at any time prior to the resolution. On
In this case, if both reductions should be applied, the amount of the penalty would be
established at thirty thousand euros (€ 30,000).

In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or remedy in

administrative against the sanction.
In case you choose to proceed to the voluntary payment of any of the amounts
indicated above, 40,000 euros or 30,000 euros, you must make it effective

by entering the account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Agency for Data Protection in Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears
in the heading of this document and the cause of reduction of the amount to which
is welcomed.

Likewise, you must send the proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity

The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,

There is no administrative appeal against this act.

Mar Spain Martí
Director of the Spanish Agency for Data Protection >>

SECOND: It is clear that the Initiation Agreement was notified on August 2, 2021,
proceeded on August 17, 2021 to pay the sanction in the amount of 40,000
euros making use of the reduction provided for in the Initiation Agreement, stating:

C / Jorge Juan, 6
28001 - Madrid 9/10

"That Vodafone has ordered the payment of € 40,000 corresponding to the infraction
initially planned, taking into account the 20% reduction for the payment

voluntary sanction, and in this act desists and renounces any action or remedy
in administrative proceedings in relation to this factual assumption, in accordance with
established in art. 85 of the LPACAP ”.

THIRD: The payment made entails the waiver of any action or recourse in progress.

against the sanction, in relation to the facts referred to in the
Initiation Agreement.

                           FOUNDATIONS OF LAW


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Data Protection Agency is competent to resolve this



       Article 85 of Law 39/2015, of October 1, on the Procedure

Common Administrative of Public Administrations (hereinafter LPACAP), under
The heading "Termination of sanctioning procedures" provides the following:

       "1. Initiated a sanctioning procedure, if the offender acknowledges his
responsibility, the procedure may be resolved with the imposition of the sanction

that proceeds.
       2. When the sanction is solely of a pecuniary nature or it fits
impose a pecuniary and a non-pecuniary sanction but it has been justified
the inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,

except in relation to the replacement of the altered situation or to the determination of the
compensation for damages caused by the commission of the offense.
       3. In both cases, when the penalty is solely of a pecuniary nature,
the competent body to resolve the procedure will apply reductions of, at
less, 20% on the amount of the proposed sanction, these being cumulative

each. The aforementioned reductions must be determined in the notification of
initiation of the procedure and its effectiveness will be conditional on the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
       The percentage of reduction foreseen in this section may be increased
regulations. "

In accordance with the above, the Director of the Spanish Agency for the Protection of

FIRST: DECLARE the termination of procedure PS / 00193/2021, of

in accordance with the provisions of article 85 of the LPACAP.

C / Jorge Juan, 6
28001 - Madrid 10/10

SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U. with
NIF A80907397.

        In accordance with the provisions of article 50 of the LOPDGDD, the

This Resolution will be made public once it has been notified to the interested parties.

        Against this resolution, which puts an end to the administrative procedure as
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Procedure

Common Administrative of Public Administrations, interested parties may
file an administrative contentious appeal before the Contentious Chamber-
administrative authority of the National Court, in accordance with the provisions of article 25 and
in section 5 of the fourth additional provision of Law 29/1998, of July 13,

regulator of the Contentious-Administrative Jurisdiction, within a period of two months to
count from the day following the notification of this act, as provided in the
Article 46.1 of the aforementioned Law.

Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid