AEPD (Spain) - PS/00262/2020

From GDPRhub
AEPD - PS/00262/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Published: 09.12.2020
Fine: 40000 EUR
National Case Number/Name: PS/00262/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: CSO

The Spanish DPA (AEPD) fined XFERA MÓVILES, S.A. €40000 for violating Article 6(1) GDPR by illegally processing personal data of the claimants in a fraudulent hiring. The defendant was not sufficiently diligent in verifying the identity of the persons hiring two telephone lines.

English Summary


The personal data of the claimants were used illegitimately to contract two telephone lines with the company XFERA MÓVILES, S.A. The decision does not provide a clear description of the facts. However, on the basis of the available information it seems that when the complainants learned what had happened, they reported it to the Guardia Civil (Spanish military police) and the AEPD.


The key to this case was to determine whether or not the defendant applied adequate measures to verify the identity of the clients. The company claimed that when they learned that it was a fraudulent contract, they suspended the services and cancelled the debt generated. Likewise, they blocked the data of the data subjects and classified the contract as fraudulent.


The Spanish DPA concludes that the defendant has not been able to demonstrate that it adopted sufficient diligence measures to verify the identity of the clients before signing the contracts. Therefore, it breached Article 6(1) GDPR by processing personal data without a legitimate basis.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure No.: PS / 00262/2020


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:


FIRST: The General Directorate of the Civil Guard (Company of Manzanares,

Bolaños Post) transferred to the Spanish Agency for Data Protection, dated
May 13, 2019, the actions followed in relation to a usurpation of
identity in the contracting of telecommunications services, which took place on
February 26, 2019.

       The claim filed by D. A.A.A. and Ms. B.B.B. (hereinafter the

       The claim is directed against XFERA MÓVILES, S.A. with NIF A82528548
(hereinafter, the claimed).

       Providing the following documentation:
     Certificate number 2019-000593-00000110 dated February 26, 2019 in which

       the claimants state that according to company information they have been
       two telephone lines and internet with numbers *** TELEPHONE 1 and
       *** TELEPHONE. 2 and with a charge account that is not owned. The
       Tomorrow of February 25, 2019 the telephone company is in contact
       with one of his daughters informing her that, if they do not pay the amounts

       owed to said numbers, the service would be interrupted.
     Summary of the actions carried out by the Bolaños Civil Guard
       de Calatrava (Ciudad Real).
     MASMOVIL (XFERA MÓVILES, S.A.) contracts for the telephone lines

SECOND: In view of the facts denounced, the General Subdirectorate of
Data Inspection proceeded to carry out preliminary investigation actions
for the clarification of the facts in question, by virtue of the powers of
investigation granted to the control authorities in article 57.1 of the Regulation

(EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD).

       As a result of the investigation actions carried out, it is verified
that the person responsible for the treatment is the one claimed.

        Likewise, the following points are found:
        Examining the information provided by the Civil Guard, it is found that the
Reported lines have been hired by people outside the claimants. No

C / Jorge Juan, 6
28001 - Madrid 2/7

 outstanding debts were incurred by the claimants, since in the
 contracts contained the bank account of the people who had impersonated the
 identity of the claimants. These people, who used the ID of the claimants

 for both contracts, they lived in the same address of this and have been identified
 by the Civil Guard from the bank accounts provided in the hiring.

         Information requested from the respondent about the measures adopted after the
receipt of the complaint before the Civil Guard of Bolaños of a possible impersonation
of identity when contracting lines *** TELEPHONE.1 and *** TELEPHONE.2 and on

the guarantees required for the accreditation of identity in the contracting of the
referred phone lines.

         On January 16, 2020, the defendant states that according to his
inquiries, the lines denounced have been classified as contracting

fraudulent, and the debts associated with them have been forgiven.

         They provide a screenshot of the data that works in their systems of the
reported lines.

 THIRD: On September 8, 2020, the Director of the Spanish Agency

 of Data Protection agreed to initiate a sanctioning procedure for the claimed party, with
 in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
 Common Administrative Procedure of Public Administrations (hereinafter,
 LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in Article
 83.5 a) of the RGPD.

 FOURTH: Once the aforementioned commencement agreement was notified, the defendant submitted a written
 allegations in which, in summary, he stated that he had knowledge of the
 usurpation of the claimant's identity on February 25, 2019, providing
 subsequently denounced on February 26, 2019 and dated March 4, 2019,

 proceeded to the suspension of services and the cancellation of the debt generated
 to date for fraudulent contracts. This led to data blocking
 of the interested parties and the cataloging of the registration as fraudulent.

         They add that the lack of diligence in the custody of the DNI cannot be transferred to

         On the other hand, they manifest the inexistence of the elements of the right
 sanctioner, do not appreciate the concrete existence of the principle of responsibility, since
 that no fraudulent or culpable action is revealed from which the
 herself. Therefore, by not appreciating fraud or guilt on the part of the defendant, nor so

 even as a mere non-observance, in relation to the facts that give rise to the
 sanctioning procedure, it can only lead to the file.

 FIFTH: On October 13, 2020, the instructor of the procedure agreed to the
 opening of a period of practical tests, taking as incorporated the
 preliminary investigation actions, E / 08518/2019, as well as the documents

 provided by the claimed.

 C / Jorge Juan, 6
 28001 - Madrid 3/7

Of the actions carried out in this procedure and of the documentation
Obrante in the file, the following have been accredited:

                                 PROVEN FACTS

FIRST: Two telephone lines and internet are registered in the name of the
claimants. The usurpation of identity in the contracting of services
telecommunications, took place on February 26, 2019.

SECOND: The defendant acknowledges said error and thus in his allegations he manifests
that the reported lines have been classified as fraudulent hires, and
the debts associated with them have been forgiven.

                           FOUNDATIONS OF LAW


       By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,

the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.

       The defendant is accused of committing an offense for violation of the

Article 6.1 of the RGPD.

       Article 6, Legality of treatment, of the RGPD establishes that:
       "1. The treatment will only be lawful if at least one of the following is met

       a) the interested party gave their consent for the processing of their data
personal for one or more specific purposes;
       b) the treatment is necessary for the performance of a contract in which the
interested is part or for the application at the request of this of measures
       (…) "

       Article 4 of the RGPD, Definitions, in section 11, states that:
       "11)" consent of the interested party ": any manifestation of free will,
specific, informed and unequivocal by which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
they concern him ”.

       Also article 6, Treatment based on the consent of the affected,
of the new Organic Law 3/2018, of December 5, on Data Protection
Personal and guarantee of digital rights (hereinafter LOPDGDD), states

       "1. In accordance with the provisions of article 4.11 of the Regulation (EU)
2016/679, the consent of the affected party is understood to be any manifestation of will
free, specific, informed and unequivocal for which it accepts, either through a

C / Jorge Juan, 6
28001 - Madrid 4/7

declaration or a clear affirmative action, the processing of personal data that
       2. When the data processing is intended to be based on consent

of the affected party for a plurality of purposes, it will be necessary to record in a
specific and unequivocal that said consent is granted for all of them.
       3. The execution of the contract may not be subject to the consent of the affected party
processing of personal data for purposes that are not related to the
maintenance, development or control of the contractual relationship ”.
       Article 83.5 a) of the RGPD, considers that the infringement of “the principles

basic for the treatment, including the conditions for consent in accordance with
of articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the
mentioned Article 83 of the aforementioned Regulation, “with administrative fines of
€ 20,000,000 maximum or, in the case of a company, of an equivalent amount
at a maximum of 4% of the total global annual turnover of the financial year

above, opting for the highest amount ”.
       On the other hand, the LOPDGDD in its article 72 indicates for the purposes of prescription:
“Violations considered very serious:
       1. In accordance with the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in

in particular, the following:
       b) The processing of personal data without the concurrence of any of the
conditions of legality of the treatment established in article 6 of the Regulation
(EU) 2016/679.

       (…) "

       The documentation in the file provides evidence that the
claimed, violated article 6.1 of the RGPD, since he processed the personal data

without having any legitimacy for it. The personal data were
incorporated into the company's information systems, without having accredited
that he had legitimately hired, had his consent for the
collection and subsequent processing of your personal data, or there is any other
causes the treatment carried out to be legal.

       Well, with respect to the facts that are the subject of this claim,
we must emphasize that the defendant has recognized this error and thus both in his writing
dated January 16, 2019, as in the allegations to the Agreement to initiate the
This sanctioning procedure has stated that the lines denounced have
been classified as fraudulent contracts, and the debts associated with them have

been forgiven.

       The lack of diligence displayed by the entity in complying with the
Obligations imposed by the regulations for the protection of personal data
It is thus obvious. A diligent compliance with the principle of legality in the treatment

of third-party data requires that the person responsible for the treatment is in conditions
to prove it (principle of proactive responsibility).


C / Jorge Juan, 6
28001 - Madrid 5/7

        In order to establish the administrative fine to be imposed, they must
observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which

point out:

        "1. Each supervisory authority shall ensure that the imposition of fines
administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.

        2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute for the measures contemplated
in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
        a) the nature, severity and duration of the offense, taking into account the

        nature, scope or purpose of the processing operation in question
        yes, as well as the number of interested parties affected and the level of damages
        who have suffered;
        b) intentionality or negligence in the infringement;
        c) any measure taken by the controller or processor
        to mitigate the damages suffered by the interested parties;

        d) the degree of responsibility of the person in charge of the
        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;
        e) any previous infringement committed by the person in charge or the person in charge of the

        f) the degree of cooperation with the supervisory authority in order to
        remedy the violation and mitigate the possible adverse effects of the violation;
        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority learned of the infringement, in
        particular if the person in charge or the person in charge notified the infringement and, in such case,

        what extent;
        i) when the measures indicated in Article 58 (2) have been
        previously ordered against the person in charge or the person in charge
        in relation to the same matter, compliance with said measures;
        j) adherence to codes of conduct under Article 40 or to mechanisms
        certification approved in accordance with Article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct
        or indirectly, through infringement.
        In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its
        Article 76, “Sanctions and corrective measures”, establishes that: “2. According to

        the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also
        be taken into account:
        a) The continuing nature of the offense.
        b) The linking of the offender's activity with the performance of treatments
        of personal data.

        c) The benefits obtained as a result of the commission of the offense.
        d) The possibility that the affected person's conduct could have led to the
        commission of the offense.
        e) The existence of a merger process by absorption after the commission

C / Jorge Juan, 6
28001 - Madrid 6/7

       of the infringement, which cannot be attributed to the absorbing entity.
       f) Affecting the rights of minors.
       g) To have, when not mandatory, a delegate for the protection of

       h) The submission by the person in charge or in charge, with character
       voluntary, to alternative dispute resolution mechanisms, in those
       cases in which there are controversies between those and any

       In accordance with the provisions transcribed in order to fix the amount of the
sanction of a fine to be imposed in the present case for the offense typified in the
Article 83.5 of the RGPD for which the claimed person is responsible are estimated
concurrent the following factors:


     - Any measure taken by the person in charge or in charge of the treatment to
       palliate the damages suffered by the interested parties (art.83.2. c) of the RGPD).

      Aggravating factors:

     - The intentionality or negligence of the infringement (article 83.2. B) of the RGPD).

     - Basic personal identifiers are affected (personal data
       (art.83.2. g) of the RGPD).

     - The evident link between the business activity of the claimed and the
      processing of personal data of clients or third parties (article 83.2.k, of the

      RGPD in relation to article 76.2.b, of the LOPDGDD)

     Therefore, in accordance with the applicable legislation and the criteria of

graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE XFERA MÓVILES, S.A., with NIF A82528548, for a
violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine
of 40,000 euros.

SECOND: NOTIFY this resolution to XFERA MÓVILES, S.A ..

THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the

art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number

of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency

C / Jorge Juan, 6
28001 - Madrid 7/7

Spanish Data Protection in the bank CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.

Notification received and once executive, if the execution date is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term

It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly

contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the

referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid