AEPD (Spain) - PS/00303/2020

From GDPRhub
AEPD - PS/00303/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 27.10.2020
Fine: 36000 EUR
Parties: Vodafone España, S.A.U.
National Case Number/Name: PS/00303/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish DPA (AEPD) concluded the sanction procedure against Vodafone España, S.A.U. for infringing Article 6(1) GDPR, as the defendant agreed to a voluntary payment of the corresponding part (€36000) of the fine suggested by the AEPD (€60000).

English Summary

Facts

The decision is the consequence of a sanction procedure started by the AEPD against the defendant due to a complaint submitted by a Spanish citizen stating that the defendant had sent him a message thanking the successful acquisition of a new phone line he did not recognize (as he is a client of another telecommunications company) and that such message also specified that the new phone had a period of stay. Additionally, the claimant specified that he later received a document by the defendant requesting him to pay a debt he did not recognize.

Dispute

The defendant answered to the AEPD investigation requests stating that it requested the payment of the phone services contracted online by the claimant, but it did not attach any evidence of his acceptance; afterwards, the defendant attached a copy of the alleged contract containing the personal data of the claimant, but with no evidence at all that he has signed nor accepted it in any manner. The AEPD started the corresponding sanction procedure.

Holding

Without prejudice to the results of the final investigations corresponding to the sanction procedure, the AEPD understood that the defendant could have breached the lawfulness of processing principle as per article 6(1) GDPR: on the basis of the available evidences, the defendant did not take the due diligences to ensure the lawfulness of the data processing activity, and it neither proved the lawfulness of such when required by the AEPD. Consequently, after considering some aggravating circumstances [(i) there is a negligence/intentionality by the defendant, and (iii) basic personal data have been affected], the AEPD understood that, in case the sanction procedure resulted in a successful decision, this infringement would be fined with 60,000 € to the defendant. In this sense, the AEPD offered the defendant the possibility to settle the issue before the decision takes place by agreeing to a voluntary payment of part of the fine, with two possible discounts based on earliness (48,000 €) and acknowledging of guiltiness (36,000€). The defendant agreed to both, so it paid 36,000 € and the sanction procedure was closed by the AEPD.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/13











     Procedure No.: PS / 00303/2020

RESOLUTION R / 00521/2020 OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTARY


In the sanctioning procedure PS / 00303/2020, instructed by the Spanish Agency for
Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed
by A.A.A., and based on the following,


                                 BACKGROUND

FIRST: On September 29, 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure against VODAFONE

SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed:

<<





Procedure Nº: PS / 00303/2020

935-200320




           AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE



       Of the actions carried out by the Spanish Agency for the Protection of

Data and based on the following:




                                     ACTS



FIRST: D. A.A.A. (hereinafter, the claimant) dated September 18,

2019 filed a complaint with the Spanish Agency for Data Protection. The
claim is directed against Vodafone España, S.A.U. with NIF A80907397 (in
ahead, the claimed one).




       The claimant states that he received an email from the claimed in which he

indicate that the purchase of a mobile terminal that includes
permanence, purchase that you do not recognize, being a customer of another operator.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/13








       That, according to the claimant, the events took place on August 21, 2019.

       And attach the following documentation:


     Invoice from Orange, the current operator with which you have contracted the service
        telephony.



       On July 4, 2020, this Agency received another letter from the

complainant stating that, on July 3, 2020, he received a coercive email
claiming a debt of XXX euros.



SECOND: In view of the facts reported in the claim and the
documents provided by the claimant / of the facts and documents of which he has
this Agency, the Subdirectorate General for Data Inspection

proceeded to carry out preliminary investigation actions for the
clarification of the facts in question, by virtue of the powers of investigation

granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).




       As a result of the investigation actions carried out, it is verified
that the person responsible for the treatment is the one claimed.




       Likewise, the following points are found:



       On November 6, 2019, the claim was transferred to the

claimed party requesting information on the facts claimed.

       On December 19, 2019, the respondent states:


   There are four contracts: three of them are not concluded since the contract is not finalized.
portability, and the one dated 08/21/2019 (line *** PHONE. 1) is the one they claim
for non-payment of invoices.


   1. Contract dated 06/26/2019: Mobile Rate + Fiber Vodafone bit (portability from
   Orange: *** PHONE. 2)



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/13








   2.- Contract dated 07/03/2019 Vodafone Fibra 100Mb (portability from Telefónica
   *** PHONE. 3)


   3.- Contract dated 08/21/2019 Voice plus data *** PHONE. 1 Device
   delivered Samsung A10 Black

   4.- Contract dated 09/24/2019 Vodafone One limited line (100mb fiber)

   (portability from Orange *** PHONE. 3)


   The contracts are electronic and Vodafone does not provide proof that proves the
hiring the line *** TELEPHONE. 1 which is the one for which you are required to pay

debt.

   In addition, following the transfer of the claim, they send a letter to the claimant

informing you that your data has not been communicated to solvency files
patrimonial and credit, but requesting the payment of the amount owed.

   On June 1, 2019, it is agreed to open the present proceedings of

investigation in relation to the claim submitted by the claimant. Is notified
dated June 10, 2020

     Required from VODAFONE documents for the contracting of the
       number *** TELEPHONE 1 and its corresponding signature, dated July 29
       of 2020 is received in this Agency, with registration number 026866/2020,

       brief of allegations stating that the contracting was carried out online for
       that does not have a signature. That examined the contract where all the
       personal data of the claimant, this has the appearance of loyal, truthful and lawful

       for Vodafone.

       And they attach the following document:

           o Contract corresponding to the number *** PHONE. 1


     Once the contract is examined, it is verified that the personal data of the
       claimant, their bank details, and the email "*** EMAIL.1", which according to

       claims the claimant belongs to his daughter, but the claimed does not provide
       evidence or any indication of the origin of the hiring (session IP)
       nor confirmation or electronic signature of the contract (SMS confirmation or

       one-time password email, confirmation call, etc.). By
       Therefore, the origin of the claimant's data cannot be established, nor the
       acceptance of the treatment of these.








C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/13








FOUNDATIONS OF LAW




I



        By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate

and to solve this procedure.



II




      Article 58 of the RGPD, "Powers", says:



           “2 Each supervisory authority shall have all the following powers
corrective measures listed below:

(…)

b) sanction any person responsible or in charge of the treatment with warning

when the treatment operations have infringed the provisions of this
Regulation;

(...)

d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time frame.


(…)

i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, depending on the circumstances of the case
particular

(…) "



III




      The RGPD deals in its article 5 with the principles that must govern the
treatment of personal data and mentions among them that of "legality, loyalty and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/13








transparency". The precept provides:



      "1. The personal data will be:


         a) Treaties in a lawful, loyal and transparent manner in relation to the
             interested (<< legality, loyalty and transparency >>); "



        Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the
cases in which the processing of third party data is considered lawful:




        "1. The treatment will only be lawful if at least one of the following is met
terms:

      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;

      b) the treatment is necessary for the performance of a contract in which the
      interested is part or for the application at the request of this of measures

      pre-contractual;

      (…) "



      The infringement for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading "General conditions for

the imposition of administrative fines ”, it states:



      "5. Violations of the following provisions will be sanctioned, in accordance
with paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for

the highest amount:



      a) The basic principles for the treatment, including the conditions for the
      consent in accordance with articles 5,6,7 and 9. "



       Organic Law 3/2018, on the Protection of Personal Data and Guarantee of

Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/13








      "1. In accordance with the provisions of article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that

suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:




        (…)

       b) The processing of personal data without the concurrence of any of the
       conditions of legality of the treatment established in article 6 of the
       Regulation (EU) 2016/679. "






IV




      The documentation in the file provides evidence that the
claimed, violated article 6.1 of the RGPD, since it processed the
Claimant's personal data without having any legitimacy to do so. The
The claimant's personal data were incorporated into the information systems of

the company, without proving that it had legitimately hired,
had your consent for the collection and subsequent treatment of your
personal data, or there is any other cause that makes the treatment lawful
effected.



       Based on the foregoing, in the case analyzed, it remains in

questioned the diligence used by the respondent to identify the
person who made the contract on behalf of the claimant.




       Well, it follows that the claimant received an email from the claimed in the
which indicate that you have successfully purchased a mobile terminal that you do not recognize.



       In this regard, we must point out that the contracting is electronic and the
claimed does not provide proof that proves the hiring of the line *** TELEPHONE. 1.

       On the other hand, as a result of the transfer of the claim, they send a letter to the

claimant informing him that his data has not been communicated to files of
patrimonial solvency and credit, but requesting the payment of the amount owed.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/13








       Precisely, required to the claimed documents of completion of the
contracting the number *** TELEPHONE 1 and its corresponding signature, states that the

hiring was carried out online so it does not have a signature.

       Although the company states that the contract where all the data appears
claims of the claimant, this has the appearance of loyal, truthful and lawful to

Vodafone.

       It is important to highlight that, after examining the contract, it is verified that
the personal data of the claimant, their bank details, and the email "*** EMAIL.1",

which, according to the claimant, belongs to his daughter, but the defendant does not provide
evidence or any indication of the origin of the hiring (session IP) or
confirmation or electronic signature of the contract (SMS confirmation or email

one-time password, confirmation call, etc.). For that reason, not
the origin of the claimant's data can be established, nor the acceptance of the

treatment of these.

      However, and this is the essential thing, the defendant does not accredit the legitimacy to

the treatment of the claimant's data.


      Ultimately, the respondent has not provided a document or evidence
any evidence that the entity, in such a situation, had deployed the
minimum diligence required to verify that indeed your interlocutor was the one

claimed to flaunt.



      Respect for the principle of legality that is in the essence of fundamental right
protection of personal data requires that it be proven that the
responsible for the treatment displayed the essential diligence to prove that
extreme. If this Agency does not act in this way - and if this Agency does not demand it, it is incumbent upon

for compliance with the regulations governing the data protection right of
personal character - the result would be to empty the content of the principle of legality.



                                            V



        In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:




           "Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/13










        "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the

Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question
        as well as the number of affected stakeholders and the level of damage and

        damages they have suffered;

        b) intentionality or negligence in the infringement;

        c) any measure taken by the controller or processor
        to mitigate the damages suffered by the interested parties;

        d) the degree of responsibility of the person in charge of the
        treatment, taking into account the technical or organizational measures that have

        applied by virtue of articles 25 and 32;

        e) any previous infringement committed by the person in charge or the person in charge of the
        treatment;

         f) the degree of cooperation with the supervisory authority in order to
        remedy the violation and mitigate the possible adverse effects of the violation;


        g) the categories of personal data affected by the infringement;

        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infraction and, in such
        case, to what extent;

        i) when the measures indicated in Article 58 (2) have been
        previously ordered against the person in charge or the person in charge

        in relation to the same matter, compliance with said measures;

        j) adherence to codes of conduct under Article 40 or to mechanisms
        certification approved in accordance with Article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct

        or indirectly, through the infringement. "




      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

         "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:


  a) The continuing nature of the offense.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/13








  b) The linking of the activity of the offender with the performance of data processing
personal.


  c) The benefits obtained as a result of the commission of the offense.

  d) The possibility that the conduct of the affected party could have induced the commission of
the offense.


  e) The existence of a process of merger by absorption after the commission of the
infringement, which cannot be attributed to the absorbing entity.

  f) Affecting the rights of minors.

  g) Have, when not mandatory, a data protection officer.


  h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "


      In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to fix the amount of the fine to impose
in the present case, the claimed party is considered responsible for an infringement
typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent
the following factors.


      As aggravating factors the following:

- The intentionality or negligence in the offense (article 83.2 b).

- Basic personal identifiers are affected (name, data

bank, the line identifier) (article 83.2 g).

     That is why it is considered appropriate to graduate the sanction to impose on the claimed and
set it at the amount of € 60,000 for the violation of article 6.1 of the RGPD.

        Therefore, based on the foregoing,



        By the Director of the Spanish Agency for Data Protection,




        HE REMEMBERS:






        1. INITIATE SANCTIONING PROCEDURE for Vodafone España, S.A.U.,
            with NIF A80907397, for the alleged violation of article 6.1. of the RGPD

            typified in article 83.5.a) of the aforementioned RGPD.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/13










       2. APPOINT D. B.B.B. as instructor. and as secretary to Dña. C.C.C.,

           indicating that any of them may be challenged, if applicable,
           in accordance with the provisions of articles 23 and 24 of Law 40/2015, of 1

           October, of the Legal Regime of the Public Sector (LRJSP).



       3. INCORPORATE to the sanctioning file, for evidentiary purposes, the

           claim filed by the claimant and its attached documentation, the
           informative requirements that the Subdirectorate General for Inspection of
           Data sent to the claimed entity in the preliminary investigation phase and

           their respective acknowledgments of receipt.



       4. THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1

           October, of the Common Administrative Procedure of the Administrations
           Public, the penalty that may correspond would be 60,000 euros

           (sixty thousand euros), without prejudice to what results from the instruction.



       5. NOTIFY this agreement to Vodafone España, S.A.U., with NIF

           A80907397, granting a hearing period of ten business days to
           to make the allegations and present the evidence that it considers
           convenient. In your statement of allegations you must provide your NIF and the

           procedure number in the heading of this
           document.




If within the stipulated period it does not make allegations to this initiation agreement, the same
It may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of

the Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the
term granted for the formulation of allegations to the present initiation agreement; the

which will entail a reduction of 20% of the sanction to be imposed in
this procedure. With the application of this reduction, the sanction would be
established at 48,000 euros, resolving the procedure with the imposition of this

sanction.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/13










In the same way, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,

the penalty would be established at 48,000 euros and its payment will imply the termination of the
process.




The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the recognition of responsibility, provided that this recognition
of responsibility is made manifest within the period granted to formulate

allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph it may be done at any time prior to the resolution. In
In this case, if both reductions should be applied, the amount of the penalty would be

set at 36,000 euros.




In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or remedy in
administrative against the sanction.




In case you choose to proceed to the voluntary payment of any of the amounts

indicated above, 48,000 euros or 36,000 euros, you must make it effective

by entering the account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Data Protection Agency in Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears in

the heading of this document and the cause of reduction of the amount to which
welcomes.




Likewise, you must send proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity

entered.



The procedure will have a maximum duration of nine months from the date of

date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/13










Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,

There is no administrative appeal against this act.



Mar Spain Martí

Director of the Spanish Agency for Data Protection


>>

SECOND: On October 21, 2020, the defendant has proceeded to pay the
sanction in the amount of 36,000 euros making use of the two planned reductions

in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to

the facts to which the Initiation Agreement refers.

                            FOUNDATIONS OF LAW

                                             I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection

is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article

43.1 of said Law.

                                             II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/13








except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offense.


3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative among themselves.

The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased

regulations.

In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:


FIRST: DECLARE the termination of procedure PS / 00303/2020, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by

the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


                                                                                  936-031219

Mar España Martí
Director of the Spanish Agency for Data Protection
















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es