AEPD (Spain) - PS/00413/2021: Difference between revisions

From GDPRhub
No edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 61: Line 61:
}}
}}


AEPD fined Orange €‎100.000 for violating the data minimisation principle by obtaining a photo of the front and back of the customer's identity when delivering a phone that was purchased online.
AEPD fined Orange Espagne €‎100.000 for violating the data minimisation principle by requiring a photo of the front and back of the customer's identity document in order to deliver a phone previously purchased online.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject filed a complaint with the AEPD against the telephone company Orange alleging that an employee of General Logistics Systems Spain took a photo of the front and back of their ID upon delivery of a mobile phone. In response, Orange claimed that the photo was necessary for the performance of a contract subscribed by the data subject and provided an e-mail in which it informed them that the photo of the document would be requested for security reasons.
The data subject purchased a mobile phone from the telephone company Orange over the internet. For its part, Orange (the controller) outsourced the delivery of the product to the company General Logistics Systems Spain (the processor), determining by contract that a photo of the front and back of the consumer's identity document be taken for verification purposes. After receiving the product and having the photo of their document taken by the employee of General Logistics, the data subject filed a complaint with the AEPD against the controller. In response, Orange claimed that the photo was necessary for the performance of the contract subscribed by the data subject and provided an e-mail in which it informed them that the photo of the document would be requested at the time of the delivery for security reasons.


=== Holding ===
=== Holding ===
The Spanish DPA considered General Logistics to be the data processor and Orange to be the controller, as the latter contracted the former to deliver mobile phones and take photos of its customers' IDs. It recognized the need to guarantee that the recipient of the product is the same person who bought it. It also stated that the fight against fraud is a legitimate interest, particularly with regard to online transactions. However, the DPA recalled that the GDPR requires that any interference with the fundamental right to data protection be adequate, necessary, relevant and limited to what is necessary for the achievement of the purpose for which personal data were collected.  
The Spanish DPA considered General Logistics to be the data processor and Orange to be the controller, as the latter contracted the former to deliver mobile phones and take photos of its customers' IDs, determining the purposes for which and the means by which personal data was processed. It recognized the need to guarantee that the recipient of the product is the same person who bought it. It also stated that the fight against fraud is a legitimate interest, particularly with regard to online transactions. However, the DPA recalled that the GDPR requires that any interference with the fundamental right to data protection be adequate, necessary, relevant and limited to what is necessary for the achievement of the purpose for which personal data were collected.  


In the case at hand, taking a photo of the front and back of the ID reveals not only the name and surname of the recipient, but also their signature, address, place and date of birth, photograph, the document's date of issue and validity and its alphanumeric code. According to the DPA, these data are neither adequate nor relevant to the purpose of the delivery of the goods. Furthermore, there are less invasive means to ensure that the product is being delivered to the right person. The DPA distinguished the moment of the delivery of the product from the moment of the conclusion of the contract where the controller must be able to accredit the identity of the person who is contracting. From their point of view, if the transaction is correctly done, there should be no difficulty in proving that the recipient of the product is the same that concluded the contract.
In the case at hand, taking a photo of the front and back of the ID reveals not only the name and surname of the recipient, but also their signature, address, place and date of birth, photograph, the document's date of issue and validity and its alphanumeric code. According to the DPA, these data are neither adequate nor relevant to the purpose of the delivery of the goods. Furthermore, there are less invasive means to ensure that the product is being delivered to the right person. The DPA distinguished the moment of the delivery of the product from the moment of the conclusion of the contract where the controller must be able to accredit the identity of the person who is contracting. From their point of view, if the transaction is correctly done, there should be no difficulty in proving that the recipient of the product is the same that concluded the contract.

Latest revision as of 10:49, 23 March 2023

AEPD - PS/00413/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 18.06.2020
Decided:
Published:
Fine: 100.000 EUR
Parties: Orange Espagne
National Case Number/Name: PS/00413/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

AEPD fined Orange Espagne €‎100.000 for violating the data minimisation principle by requiring a photo of the front and back of the customer's identity document in order to deliver a phone previously purchased online.

English Summary

Facts

The data subject purchased a mobile phone from the telephone company Orange over the internet. For its part, Orange (the controller) outsourced the delivery of the product to the company General Logistics Systems Spain (the processor), determining by contract that a photo of the front and back of the consumer's identity document be taken for verification purposes. After receiving the product and having the photo of their document taken by the employee of General Logistics, the data subject filed a complaint with the AEPD against the controller. In response, Orange claimed that the photo was necessary for the performance of the contract subscribed by the data subject and provided an e-mail in which it informed them that the photo of the document would be requested at the time of the delivery for security reasons.

Holding

The Spanish DPA considered General Logistics to be the data processor and Orange to be the controller, as the latter contracted the former to deliver mobile phones and take photos of its customers' IDs, determining the purposes for which and the means by which personal data was processed. It recognized the need to guarantee that the recipient of the product is the same person who bought it. It also stated that the fight against fraud is a legitimate interest, particularly with regard to online transactions. However, the DPA recalled that the GDPR requires that any interference with the fundamental right to data protection be adequate, necessary, relevant and limited to what is necessary for the achievement of the purpose for which personal data were collected.

In the case at hand, taking a photo of the front and back of the ID reveals not only the name and surname of the recipient, but also their signature, address, place and date of birth, photograph, the document's date of issue and validity and its alphanumeric code. According to the DPA, these data are neither adequate nor relevant to the purpose of the delivery of the goods. Furthermore, there are less invasive means to ensure that the product is being delivered to the right person. The DPA distinguished the moment of the delivery of the product from the moment of the conclusion of the contract where the controller must be able to accredit the identity of the person who is contracting. From their point of view, if the transaction is correctly done, there should be no difficulty in proving that the recipient of the product is the same that concluded the contract.

Therefore, the DPA held that the method of photographing the front and back of the ID at the time of delivery is inappropriate and intrusive to the privacy of individuals, violating the data minimization principle. On this basis, it fined the company 100.000 euros for infringing Article 5(1)(c) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/21








     File No.: PS/00413/2021

                - RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                  BACKGROUND


FIRST: The CIVIL GUARD - POST OF TOTANA sends, on date
06/18/2020, Minutes-Complaint-Inspection and Request for procedure for infringement of the
regulations on data protection, noting that on 04/22/2020 they appear in person at the

dependencies of the body D. A.A.A. (hereinafter the complaining party) together with a
third, delivery person for the company General Logistics Systems Spain, S.A. (in
successive GLS) The reasons on which the claim is based are the following: that the

employee of the company intended to give him a mobile phone sent by the
company ORANGE ESPAGNE S.A.U. (hereinafter the defendant), and that the company

mentioned to deliver the packages to their recipients, is imposing
as a necessary condition to take a photograph of the front and back of your ID. He
company employee takes it with his mobile terminal at the time of delivery.

Subsequently, the image obtained is transferred to the company that sent the package.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in

hereafter LOPDGDD), with reference number E/05859/2020, transfer of
said claim to the defendant and to other entities with which the claim was related.
delivery of the package, so that they proceed to its analysis and inform this Agency

within a month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.

GLS, whose delivery person was to deliver the mobile phone, alleges the following:


Despite not having the essential data to identify the shipments, they believe
have identified the reported delivery service, which they go on to explain. HE
called IdentService, and has its origin in the requirement of its clients so that

the identity documents of the recipients are photographed, thus providing a
greater security that the package has actually been delivered to the addressee and
not to any person who could live in the same address as this.


The procedure was implemented in September 2018 to comply with the
requirements of your ICP client. In addition to the corresponding manager contract,
signs a special addendum in which GLS assumes the role of representative under the

orders of the principal for the collection of the photographs of the documents of
identity. The contract is provided as the addendum, signed with ICP.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/21








Customers who decide to require this photograph record it in the system that
provides GLS in the form of a special attribute associated with the delivery of the shipment that

wish. The necessary information travels to the device of the delivery person who performs the
delivery (full name of the recipient and ID. At the time of delivery, if
name or ID do not match what is indicated, the delivery cannot be made. Yeah

match, the delivery application allows you to take a photo of the front and back of the
DNI, so that it can be delivered. The collected data is transmitted by channel
encryption to the GLS system (they are not saved on the driver's delivery device,

with which he cannot consult the images) and they remain stored on a server
internal property of GLS, separated from the rest of the images (signatures and stamp photos).

Only a maintenance technician has access to that server. through the
ERP module of the computer system, customers can access the photos
of the shipment that they have marked to carry out of this signature, through a link (not

can consult photographs of DNIs indiscriminately). the images are
stored and processed for customer consultation or to respond to possible
claims about shipping incidents, for 1 year (for the purposes of

extrajudicial claims) and 4 years (since it is considered a commercial document - art.
66 LGT 58/2003). The photographs also cannot be seen by the delivery person from
your device.


They also have another service, "Online DNI validation service" (consumed
only by this client, ICP), in which in real time it is transmitted to the
ICP the data of full name, DNI and images of the front and back of the DNI, and

They wait for a response from him. If the system returns a KO (negative response), the
prevent delivery; otherwise allowing (positive response or lack of

answer).

The procedure established for the delivery of the package provides that it must be
request the interested party to allow them to photograph the DNI, as it is a mandatory requirement

imposed by the customer for delivery. The recipient is free to do so, but it is
informed of the consequences of not being able to verify the
identity. The basis of legitimacy is not the consent but the execution of the

contract with your client. It will be this, the supplier of the product, who informs the
recipient of the procedure and request their consent, if this is the basis
legitimizer used”.


THIRD: On 11/04/2020, the Director of the AEPD agrees the admission to
claim processing.

FOURTH: In view of the facts denounced in the claim and the

documents provided by the claimant, the Sub-directorate General of Inspection of
Data proceeded to carry out previous investigation actions for the
clarification of the facts in question, by virtue of the investigative powers

granted to control authorities in article 58.1 of Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/21








in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter LOPDGDD).

On 09/02/2020, this Agency received a written statement stating
the following relevant aspects:


- The defendant makes shipments by itself or through subcontracted companies.
you give.

- The claimed has a delivery method called Identservice (DNI + photo)
which has its origin in the requirement of the ICP client to provide greater security.

that the package has been delivered to the addressee.

- If a client requests the Identservice service, once the shipment reaches the company
collaborator in charge of its delivery at the destination, the delivery person asks the recipient
the full name and the DNI and if these coincide with the data in the term-

delivery man, take a photo of both sides of the DNI. In case the data
full name or ID do not match those that appear in the deliveryman's terminal,
delivery and photo is not done. They add that the data collected is transmitted from

encrypted form to their systems, not saving the recipient's data or the photos received.
recently taken at the dealer's terminal, so he cannot consult them. Is-
All data is stored on a specific server for this function owned by the

claimed company and to which only one person has access for maintenance tasks.
I lie. In addition, the images must be taken with the application of the claimed that

is in charge of sending them to the mentioned server without storing them in the terminal of the re-
splitter, not admitting this application that can be taken with the mobile camera and
pass them to the application for transmission. It should be noted that in the event that the

client is ICP, the photograph of the DNI is sent through the claim servers.
gives to ICP systems.

- However, the data can be accessed from the ERP system (Project Planner).
Business Resources that allows the exchange of data between different areas)

of the claimed The person responsible for the shipment, the person responsible for
of delivery, and the customer responsible for shipping. The images are treated only
by its clients or to respond to possible claims of incidents of

shipment and only those data that correspond to the shipment of each client.

- The data is kept for one year for the purposes of extrajudicial claims and
for the purposes of proof of delivery, for four years as it is considered a mercantile document.
cantil.

- They indicate that their responsibility is that of the person in charge of the treatment, being the person responsible

saber of this, the client who requested this type of verification in the delivery. Therefore,
the basis of legitimation is not the consent of the sender, but the execution of the
contract with your client, being the latter the one who reports this treatment and collects the

sentiment of the recipient for the treatment.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/21








 And attach the following documents:

 - Service contract with ICP in which the claimed entity appears as manager
 of treatment, being the person in charge of this treatment, ICP.

 - Addendum service contract with ICP (DNI + photo) in which the claimed appears
 as agent

 - Descriptive poster of the three types of sender identification

Requested by this Agency, the contracts with the clients corresponding to the
Routes sent to claimants, dated 10/28/2020, are received at this Agency
three writings, stating:

 1.- Regarding the shipment made to the claimant of an ORANGE product through

 of the ICP entity, it had requested the validation modality with a photo of DNI.
 They provide document of expedition nº ***EXPEDIENTE.1. It shows the requirement
 compliance with this type of validation requested by ICP.

 On 11/04/2020, in procedure E/05859/2020, the Spanish Agency for

 Data Protection agreed to carry out these investigative actions
 in relation to the claims submitted by the claimants.

 - Regarding the claim presented by the claimant (through the Guardia Ci-
 vile) the defendant is asked for the basis of legitimacy to obtain a photograph.

 ID card, the recipient's consent and the information provided to this envelope
 the treatment.

 On 02/19/2021, this Agency received a written response manifesting
 tando:

 - That they understand that the basis of legitimation resides in the need to execute the
 contract to which both the claimant and the respondent are parties.

 - That prior to the delivery of the product sent by the claimant with validation

 tion by taking a photograph of the claimant's DNI, the claimant sent a co-
 email to the claimant informing him that for security reasons the document
 identification document with which the product was contracted could be digitized at the same time.

 delivery time. Likewise, the conditions of the deliveries of the orders that
 makes the claim to its clients, details can be found on the official website, at

 through the following link:
 https://ayuda.orange.es/particulares/movil/mi-movil/mi-pedido/1101-donde-recojo-mi-

 order-and-what-documentation-do I need?
 utm_source=orange&utm_medium=SMS&utm_term=smsAltaPedido

 And attach the following documents:

 - Contract signed by the claimant and claimed dated 01/18/2020 and "Annex
 of Privacy" dated 12/30/2018 signed by the claimant

 - Content of the email sent to the claimant.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/21








 It has been verified that the web link they provide contains the requirement that
 the identification document with which the product was contracted will be typed

 ized at the time of delivery.

 FIFTH: On 09/17/2021, the Director of the Spanish Protection Agency
 of Data agreed to initiate a sanctioning procedure against the defendant, for the alleged in-
 fraction of 5.1.c), typified in article 83.5.a) of the GDPR.

 SIXTH: Notified of the initiation agreement, the claimant on 09/23/2021 requested

 extension of the term to present allegations; period that was granted by means of
 you written from the instructor of 09/24/2021.

 The defendant by writing of 10/11/2021 presented a written statement of manifest
 summarizing the following: that a treatment of the image of the DNI is carried out

 lawful, as long as it pursues a legitimate interest; previously the AEPD has come
 penalizing the defendant for the absence of said treatment, considering it a
 lack of diligence in compliance with the obligations derived from the regulations

 data protection; that the National Court, in its Judgments of March 8
 of 2018 and May 5, 2021, which indicates that the person responsible for the treatment must
 keep documentary evidence of compliance with their obligations in protection of

 data, such as verification of the identity of the interested party to whom a
 product contracted at a distance; that the defendant is faced with a clear contradiction
 and legal uncertainty; that secondarily, in the event that it is not taken into account

 taking into account the grounds supported by the defendant, it is requested that the
 account the extenuating circumstances and, consequently, complete the procedure

 through a warning and, ultimately, if he considers that the impo-
 sanction, moderate or modulate its proposal included in the Initiation Agreement
 cio of Procedure. .

 SEVENTH: On 12/20/2021 a test practice period began, according to

 giving the following
       Deem reproduced for evidentiary purposes the claim filed by the re-

       claimant and his documentation, the documents obtained and generated by the
       Inspection services that are part of file E/05859/2020.

       Consider reproduced for evidentiary purposes, the allegations to the start agreement
       submitted by the defendant.

       Request both the claimant and the company Information Control and Planning

       tion that provide a copy of the collaboration contract signed between them, to
       the provision of services.


       On 12/29/2021, the defendant responded to the test carried out whose

content works in the file.

EIGHTH: On 04/07/2022, a Resolution Proposal was issued in the sense of
that the Director of the Spanish Data Protection Agency sanction the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/21








claimed for violation of article 5.1.c), typified in article 83.5.a) of the
GDPR, of the aforementioned Regulation a fine of €100,000 (one hundred thousand euros). is accompanied

Annex with the documents that make up the administrative file.

The defendant entity, after requesting an extension of the term to present allegations to the
proposal, presents, on 05/05/2022, a brief of allegations in which it reiterates the
already raised previously. Indicates that reference is made to other claims that

They are not related to the facts that are the subject of this proceeding.

They point out that the account of the facts included in the First Background is not accurate.
of the Resolution Proposal: the ID photo is not taken with the terminal camera
end of delivery, but with a specific application within the terminal, which does not allow

access the image and not store it on the device.

At the time the photograph is taken, it is verified that the name and ID
that is contained in the delivery terminal corresponds to the ID and identifying name
fallen by the application. The application only allows photography if the

data correspond, so that, if there are data different from those provided,
ron at the time of contracting the product by the interested party, the photo is not taken.
graph. The ultimate goal is to guarantee that the terminal is delivered to the person who has it.

hired. That is, after the identification of the contracting party, carried out at the time of
remote contracting, the identification of the receiver of the terminal is carried out, which has
to be the same person.

Only in the event that the data does correspond, the distribution application

Allows you to take a photo of the front and back of the ID. The collected data is transmitted
sent by encrypted channel to the GLS system and are stored on an internal server.
suit, separated from the rest of the images. Only a maintenance technician has

access to that server. Through the ERP module of the computer system, Orange
You can access (only) the photograph of the shipment, through a link, to the me-

For the purposes of being able to verify that the process has been carried out correctly.
The purpose of the treatment of the images of the DNI of the interested party is none other than

certify, subsequently and if necessary, having deployed the diligence
required by verifying the identity of the person to whom the product is delivered

hired.
The data processing now questioned in the present sanctioning procedure

was implemented by Orange as a reinforcing security measure against ca-
fraud attempts and identity theft that were taking place

in the year 2020 in connection with the receipt of home deliveries.
Now, it is intended to penalize this party for displaying an excessive level of diligence.

vo in the identification of its clients, despite the fact that there is no legal precept, resolution or
jurisprudence that supports such an accusation, nor does it regulate how to identify

a data controller to their clients in contexts such as those analysed.
The AEPD considers that there are clear indications that article 5 of the

RGPD when imposing as a condition in the delivery to take a photograph of the front and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/21








back of ID. I would like this part to recall that it is precisely this article 5 of the
RGPD which indicates, in its section 2: "The controller will be responsible for

able to demonstrate compliance with the provisions of paragraph 1 ('responsibility').
proactive responsibility»)”.

If Orange does not have supporting evidence that it has delivered to the
contracting person, what could he do in the event that he claimed not to have received

did you buy the product? And in the event that the product, a mobile terminal, had data?
expenses of a personal nature, for example, because it is a terminal from the
repair or technician? Would the Agency consider that in such a case it would also be

excessive to take a picture of the ID? What if the delivery package contained a card?
ta sim? Note at this point that the delivery men and courier companies do not know
They do not know the contents of the packages.

                                 PROVEN FACTS

 FIRST. On 06/18/2020 it has entry in the AEPD, Record-Complaint-Inspection and Pe-

 revocation of proceedings for infringement of the regulations on data protection re-
 submitted by the defendant stating that on 04/22/2020 they appeared at the
 dences of the body D. A.A.A. together with a third party, a delivery man from the company General

 Logistics Systems Spain, S.A. (hereinafter GLS) stating that the employee
 of the company intended to deliver a mobile phone sent by the claimant
 and that the aforementioned company, to deliver the packages to their desti-

 natarios, is imposing as a necessary condition to take a photograph of the an-
 front and back of your ID that the company employee takes with his terminal

 mobile at the time of delivery. Subsequently, the image obtained is transferred to
 the company that sent the package.

 SECOND. The defendant in writing of 02/19/2021 has stated that "the legitimate
 tion of this company for the treatment of personal data of Mr. A.A.A. resi-

 of the need to execute the contract of which both the subscriber and Orange
 are part, and which was signed on 01/20/2020, in accordance with the provisions of
 article 6.1.b) of the GDPR”


 THIRD. Contributed Contract for Private Clients mobile communications
 signed between the claimant and the defendant on 01/20/2020.

 ROOM. There is an email provided in which the claimant was informed

 that, at the time of collecting the order, you should have your
 Valid national identity document with which you contracted the services with the ci-
 mercantile tada. Likewise, it was reported that, for security reasons, said document

 This documentation could be required by the delivery person who delivered the order to your address.
 cilium.

 FIFTH. The defendant states that on his website, through the link

 https://ayuda.orange.es/particulares/movil/mi-movil/mi-pedido/1101-donde-recojo-mi-
 request-and-what-documentationdo I need?

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/21








 utm_source=orange&utm_medium=SMS&utm_term=smsAltaPedido, are also listed
 the conditions for the delivery of the orders made by the defendant to his clients.

 tes: Where do I pick up my order and what documentation do I need? Where can I pick up
 did you get my order?

 SIXTH. There is a document provided called "Privacy Annex", through

 of which express consent is requested to carry out personal data processing.
 personnel that are excluded from the purpose of executing the signed contract and are informed
 of the purposes of the processing of personal data, as well as the categories

 gories of data processed, in compliance with article 13 of the GDPR. The document is
 is signed by the claimant.

 SEVENTH. The defendant and ICP entered into a contract in Pozuelo de Alarcón (Madrid)

 of provision of services whose purpose is the provision of mercantile deposit services.
 cantil (storage of material of your business, commercial, promotional, technical

 and network), logistics services (handling, assembly of the Goods, loading and
 unloading of the same, transport of divided merchandise and its distribution, as well as
 as the computer support of the operations carried out) all in accordance with

 the agreed scope, prices and terms.

 By virtue of this contract, ICP has the status of Treatment Manager;
 It also contains a data protection clause, establishing that the person in charge

 will carry out the processing of personal data necessary for the correct provision of
 tion of the services object of the contract. The types of personal data that it will process in
 under this contract are identifying data (name and surname, NIF/DNI).


 EIGHTH. Confidentiality agreement and access to personal data is provided.
 on behalf of third parties for service providers held in Madrid on
 01/14/2018 between ICP, responsible for the treatment, and GLS, in charge of the treatment.

 to, whose purpose is the processing of personal data necessary for the provision of the
 messaging service (storage and custody of data).

 NINETH. The Annex provides the contracting of the IdentService service (DNI +

 foto) for clients of the latter, a complementary service to that of transport consisting
 in the Identification of the Holder of the receipt of shipments of merchandise re-
 wanted by the sending company. Its clauses state the following:


 FIRST. The purpose of this Annex is the statement of the requirement of the
 provision of the delivery service called IdentService (DNI + photo) whose con-
 concept is expressed below.


 SECOND. The IdentService (DNI + photo) consists in that, once the en-
 charge for the provision of parcel delivery service, at the time
 that delivery is made to the final recipient; the delivery man or messenger

 asks him for his DNI to carry out the comparison and coincidence of the identity between the subject
 subject to whom the package will be delivered and the subject indicated by the Client

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/21








 of GLS to whom it must be carried out, having to reliably accredit said
 identity to the company that sends the package.


 THIRD. The DNI that the recipient must show must be the original document,
 without a photocopy of it being valid, except in cases in which it is accredited
 the original complaint before the Police stating the theft or loss of the same.


 ROOM. The messenger or delivery man, at the time of delivery of the merchandise
 will take a photograph of the DNI, in order to provide it together with the POD (Test
 delivery basis) to the Client and certify that there is a correct correlation between

 identity of the addressee and the person indicated by the Client of the subject to carry out the
 delivery, having to send both documents to the Client that requires said service.

 FIFTH. The Client, manifests with the signature of this Annex I, his agreement

 regarding the request that the delivery man or messenger take the Photo of the DNI to the
 recipient of the package, which, in case of refusing to show it, will not
 the goods will be delivered.


 SIXTH. The Client, who requires the IdentService service (DNI + photo) from GLS or its Network
 Agency, assumes responsibility for as many claims as may be raised by the
 recipients in this regard or as derived from this requirement, when acting

 GLS as a mere representative of the Client, being the latter the one who requires and demands said
 identity check action.

 The Client is responsible for the treatment given to the photograph of the DNI of the

 recipient and exempting GLS from any liability that may arise from the
 practice of the service requested IdentService (DNI + photo), committing the latter

 to the adequacy of its protocols to what is established by the General Regulation of
 Data Protection 2016/679 of April 27, 2016 and other regulations in force in
 The matter.


                            FUNDAMENTALS OF LAW

                                            Yo
       In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each au-

control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.

       Likewise, article 63.2 of the LOPDGDD determines that: “The procedures

Data processed by the Spanish Data Protection Agency will be governed by the dis-
set out in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, as long as they do not contradict them, with

subsidiary character, by the general rules on administrative procedures
you."
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/21








                                            II
       The facts denounced are specified in that the company claimed, when making
delivery of packages to their recipients through courier companies,

imposes as a necessary condition for the reception the taking of a photograph to the
front and back of your ID. The company employee takes it with his terminal
mobile at the time of delivery. Subsequently, the image obtained is transferred to the
company that sent the package.



       Article 58 of the GDPR, Powers, states:

       "2. Each supervisory authority will have all the following powers:
corrections indicated below:


       (…)
       i) impose an administrative fine in accordance with article 83, in addition to or instead of
       from the measures mentioned in this paragraph, depending on the circumstances.
       stances of each particular case;
       (…)”



       Article 5, Principles relating to processing, of the GDPR establishes that:

       "1. Personal data will be:

       (…)

       c) adequate, pertinent and limited to what is necessary in relation to the purposes
       for those who are processed ("data minimization");
       (…)


                                            II

       1. The documentation in the file offers clear indications that
the defendant violated article 5 of the GDPR, principles related to treatment, by im-
put as a condition in the delivery of the product to take a photograph of the front and
back of the DNI; photograph that is obtained through the application included in the ter-
Mobile terminal of the delivery person of the company that makes the delivery and whose image is post-

subsequently transferred and consulted by the company sending the package.
       Article 5 of the GDPR refers to the general principles for the treatment
of data. In its section c) reference is made to the principle of data minimization,

indicating that the data must be “adequate, pertinent and limited to what is necessary
in relation to the purposes for which they are processed”.

       From the norm we can deduce that only personal data can be collected
that are going to be treated, that is, those that are strictly necessary
for the treatment; that they can only be collected when they are going to be treated and that
They may only be used for the purpose for which they were collected, but not with
no other goal.

       In this same sense, Recital 39 states that:

       (39) All processing of personal data must be lawful and fair. For the per-
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/21








physical persons it must be completely clear that they are collecting, using, con-
accessing or otherwise processing personal data that concerns them, as well as the
extent to which said data is or will be processed. The principle of transparency requires
that all information and communication related to the processing of said data is easy-
mind accessible and easy to understand, and that simple and clear language is used. Saying

principle refers in particular to the information of data subjects on the identity
of the person responsible for the treatment and the purposes thereof and the information added to
guarantee a fair and transparent treatment with respect to the natural persons affected
and your right to obtain confirmation and communication of personal data
that concern them that are subject to treatment. Natural persons must have
knowledge of the risks, standards, safeguards and rights related to the

processing of personal data as well as how to enforce your rights in
relation to treatment. In particular, the specific purposes of the treatment of the
personal data must be explicit and legitimate, and must be determined at the moment
of your collection. Personal data must be adequate, relevant and limited
what is necessary for the purposes for which they are processed. This requires, in particular,

ensure that their retention period is limited to a strict minimum. The personal data
personal data should only be treated if the purpose of the treatment cannot be reasonably achieved
probably by other means. To ensure that personal data is not retained
longer than necessary, the data controller must set deadlines for
their deletion or periodic review. All reasonable steps must be taken to
ensure that inaccurate personal data is rectified or deleted. The

Personal data must be processed in a way that guarantees security and confidentiality.
appropriate characterization of personal data, including to prevent unauthorized access or use
authorities of said data and the equipment used in the treatment (underlining is
of the AEPD).

       Examining the documentation, it can be deduced that there are other procedures
delivery of products through which the identity of its destination can be verified.
notary, verifying that it is the person to whom it is addressed, without it being necessary to photograph
graph your ID through the application contained in the mobile of the company's delivery man
distribution company and accredit its delivery to the person in charge. The treatment of the images

ID card is excessive for the purpose of verifying and determining that the destination
The party to whom the goods are delivered is the same person as the person who entered into the
contract.

       Article 5.1.c) enshrines the principle of data minimization and assumes that
The processing of personal data must be adjusted and proportional to the purpose for which
which it is addressed, clearly determining the purposes for which the data is collected and processed
the data, and the treatment of those that are excessive or
proceed to their deletion.

       Likewise, the relevance in the treatment of the data must be produced both
in the field of collection as well as in the subsequent treatment carried out on the same
mos.

       Regarding whether the procedure adopted by the defendant is necessary
to meet that need or if it is essential to meet that need,

It should be noted that its purpose, as repeatedly stated by the re-
claimed is due to the fact that it provides greater security that the product is effective.
delivered to the addressee, who is the same person who signed the contract, making
do proof that delivery is made to the person you actually hired; although to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/21








To this we must add the fight against fraud in this type of product and its appearance
economical since it must not be forgotten that these deliveries in the so-called retail sale
has had and has a direct relationship with fraudulent activities, which requires

reasonable diligence on the part of this type of company at the time of the
treatment by implementing appropriate measures, verifying through documentation
the identity of the person providing the data is pertinent, in order to avoid these behaviours.

       In this sense, Recital 47 pronounces itself when it states that "The treatment
storage of personal data strictly necessary for the prevention of
Fraud also constitutes a legitimate interest of the data controller that
in question”.

       However, the procedure used by the respondent is relevant to
when assessing the interference in the fundamental right of data protection and the
need to achieve the desired goal. It should be noted that the GDPR limits the use
o treatment of data due to necessity and not due to excess thereof; that is to say,

Personal data must be adequate, necessary, pertinent and limited.
two to the need for which they were collected.

       Previously, the Constitutional Court jurisprudence has established
that, if the objective can be achieved without carrying out data processing, the same
they should not be treated.

       On the other hand, said limitation to what is necessary must be evaluated both from a
quantitative point of view (volume of data processed) and qualitative (category of
processed data). In this same sense, Recital 39 points out when it states
that “…This requires, in particular, guaranteeing that their plan is limited to a strict minimum.
conservation zone. Personal data should only be processed if the purpose of the processing

performance could not reasonably be accomplished by other means..."
       2. The defendant alleges that the data that was collected at the time of the

contracting the product were the DNI and the name of the interested party, which are the same
We provide data that is subsequently subject to verification at the time of delivery,
that are necessary to fulfill the pursued purpose.

       However, such an allegation cannot be accepted, since access to the image
gene of the DNI, photographing both the back and the front of it, and its treatment
for the purpose of delivering a product through the mobile terminal of the re-
from the distribution company, is considered excessive and not limited to what is necessary
in relation to the purposes for which they are processed.

       It should be noted that the DNI contains not only the name and surname, its number
and the recipient's photograph, but also incorporates many other data: signature, address,

place and date of birth, access code to the information contained therein,
issue date, validity date, alphanumeric code, issuing team and official
na, etc., completely additional data that is neither adequate nor pertinent nor
limited for the purpose of delivering the merchandise and that to prove that the
The person who collects the product is the owner who provided the data at the time of purchase.

contracting, other means that are less harmful and aggressive must be used
for people's privacy.
       The foregoing, regardless of whether the image of the DNI, as stated by the

claimed cannot be kept by the dealer and be transmitted through
encrypted file to the logistics company system, being stored on its internal server.
external, where only a technician assigned to its maintenance has access to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/21








said server and through the ERP query module of the computer system, the claimant
mado can access the collected photo.

       Therefore, the treatment does not correspond to what is indicated in the Consideration
recital 39, nor in article 5.1.c) that state that the data must be “adequate,
pertinent and limited to what is necessary" for the purpose pursued.

       That diligence that the defendant preaches must be deployed at the moment
contracting, adopting the necessary precautions and guarantees to identify
unequivocally certify the contracting party.

       Therefore, if the recruitment is done correctly there can be no difficulty
any to provide proof that the recipient of the product is really the one who
entered into the contract and to whom the product is delivered.

        3. The defendant alleges that the AEPD intends to qualify as constituting in-
fraction a treatment whose absence has been previously sanctioned by the AEPD.

       However, such a statement is neither acceptable nor admissible; the claimed
must require at the time of contracting the product, the identification of the user,

As on the other hand, it has been established by the sentences and in the procedure
disciplinary measure to which he alludes in his writing.
       Of course, it has nothing to do with the matter that the reference to the

Recital 64 of the GDPR to which the defendant refers, like those other
subsequent references to the right of access of the interested party regulated in article 15
of the legal text.

       It is at the time of signing the contract that the treatment of the document
The identification of the interested party is considered necessary so that the defendant can
certify that the person with whom they contract is who they really say they are and, therefore,
therefore, which would accredit an adequate level of diligence.

       And this moment should not be confused with the delivery of the product to your
addressee transferring that required diligence to prove that the personality
of the contracting party was who they claimed to be by providing the documentation

opportunely to a later moment, that of the delivery of the product to its addressee.
       This has been indicated by the AEPD itself, in its resolution of 06/23/2020, in the PS /

00452/2019, where the affected party claims the processing of their data in contracting
of telephone lines without any reason that legitimizes their treatment (article 6.1 of the
GDPR), stating: "The defendant has not provided any document or evidence
any evidence that the entity, in such a situation, would have deployed the diligence
minimum requirement required to verify that indeed your interlocutor was the one who affirmed

I'm going to show off."
       And that subsequently the National Court, in a Judgment of 05/05/2021, Rec.
437/2020 established that: "Regarding the face-to-face contracting of the XXXXX-

XXXX It should be reiterated that although a contract is provided, the complainant has not recognized
certifying as his the signature attached thereto, stating the Y that lacks coincidence-
with the one that appears in your DNI, considering the Chamber that the required diligence obligates
was to contrast through the pertinent documentation, the identity of the person facilitating
data, by showing the original identification document and attaching

a copy of the same to the declaration of intent that you want to enforce, as
has been reiterating in similar cases”; stating in the following paragraph:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/21








       Therefore, in view of the circumstances set forth, it cannot be appreciated that the
recurring operator to perform due diligence to verify the identity of
the person who associated the controversial telephone lines in their records, therefore

that the subjective element of guilt concurs. On the other hand, regarding the fact
I am aware that we are dealing with a third party fraud, as we said in the SAN of
October 3, 2013 (Rec. 54/2012) -: "Precisely for this reason, it is necessary to ensure
ensure that the person you hire is who they really say they are, and appropriate
appropriate preventive measures to verify the identity of a person whose
personal data will be processed...".

       And, in the same sense, in its Judgment of 03/08/2018, Rec 926/2016: “Considering
For this reason, this Chamber, as the Administration understands, that the minimum diligence

required, required TME to verify, through the pertinent documentation
the identity of the person providing the data, by showing the original document
identification document and attaching a copy of it to the declaration of will
that he wants to assert."

       The AEPD itself has also ruled, likewise, in its resolution,
06/23/2020, in PS/00452/2019, where the affected party claims the treatment of their data.
in the contracting of telephone lines without any cause that legitimizes their treatment.
(Article 6.1 of the GDPR): "The defendant has not provided a document or element

any evidence that shows that the entity, in such a situation, would have displayed
the minimum required diligence to verify that indeed your interlocutor was the
which he claimed to hold.

       However, the aforementioned cases do not bear any similarity with
which we are examining, no matter how much the defendant is interested in proposing it, since it
it deals with fraudulent contracts, due to infringement of the principle of legitimation (article
6.1 of the GDPR) in the first case and the principle of consent (article 6.1 of the
LOPD) in the second and that the defendant should be well aware of the position in the procedure.

The sanctioning party was sanctioned by the AEPD and was a recurring party in the dispute
which gave rise to the first of the sentences, dismissing the appeal filed and
sanctioned with 80,000 euros.

       Therefore, the treatment of the image of the DNI at the time of delivery of a
product contracted at a distance not only is it not considered lawful but it is considered
inappropriate not relevant or limited to what is necessary in relation to the purposes for which
that are processed, since it must not be forgotten that the DNI contains data that exceeds and

It has nothing to do with the purpose pursued.
       The AEPD in the current case not only is not in contradiction with the resolutions
dictated, but it is consistent and consistent with the interpretation that has been making

the National Court itself in its sentences.
       That is why the allegation of the defendant reiterating that the AEPD sanctioned her

Naba for his lack of diligence in not keeping proof of identity verification
of the interested party and in the opening of the current procedure in which he is blamed for
quite the contrary, keeping proof of identity verification of the interested party is not
true nor can it be accepted as it does not deal with contradictory administrative resolutions.
conflicts between themselves or affect legal certainty, nor generate uncertainty and defenselessness.

       Therefore, it is considered that there is a violation of the principle of minimization of
the data being the defendant responsible for the violation of article 5.1.c) of the
GDPR, infringement typified in article 83.5.a).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/21








       4. Finally, the defendant invoked the violation of the principle of proportionality
purpose by requesting a reduction in the amount of the penalty by reducing it.

       In this regard, it should be noted that taking into account that it is a
offense classified as very serious and that in accordance with article 83 of the
GDPR can be sanctioned, "with administrative fines of €20,000,000 maximum
or, in the case of a company, an amount equivalent to a maximum of 4% of the

total annual global business volume of the previous financial year, opting for
the one with the highest value”. an important reduction of the same is already applied, in addition to
take into account the circumstances and evaluation criteria concurrent in it.
The STS, Chamber 3, of December 16, 2003 (Rec. 4996/98) already indicated that the main
principle of proportionality of the sanctions requires that "the discretion granted

to the Administration for the application of the sanction is developed weighing in all
case the concurrent circumstances, in order to achieve due proportionality
between the facts charged and the responsibility demanded". Principle of proportionality
that it has not been violated, considering the sanction proposed to the entity
based on the proven facts and once the circumstances and criteria that
concur.

       For the rest, the specific circumstances that have been taken into account for the
graduation of the amount of the sanction are detailed in Fundament VII of this resolution.

lution.
                                                V

       The defendant has alleged his disagreement with the content of the fundamentals
expressed in the Proposal for the procedure ratifying what has already been stated in this
previous crits.

       It alleges that it is intended to penalize for displaying an excessive level of diligence
in the identification of its clients by requiring a copy of the DNI, the only document that

in accordance with Organic Law 4/2015, of March 30, Protection of Security
Citizenship that allows to prove the identity and personal data of its owner.

       It is true that article 8.1 of the LOPSC establishes that the DNI "is the only document
document with sufficient value on its own for the accreditation, for all purposes, of the
identity and personal data of its owner" and that verification by the re-
claimed the identity of the interested party at the time of delivery of the product to your
domicile is considered lawful both to execute the object of the contract and can be
the delivery of the contracted product and to prevent the commission of fraud. However,

what is in doubt is that the method, protocol, procedure or system carried out
carried out for this is not appropriate, photographing the front and back of the DNI at the same time
time of delivery, for being excessively inappropriate and intrusive in the privacy of the
people, unless it is due to other reasons, such as hiring
tion had not been exercised with reasonable diligence and the

corresponding documents, what need does the defendant have to photograph said
document if it is already in your possession?

       It has also alleged that the treatment of the images of the DNI of the interested party
It is not only considered necessary to prove that the product has been delivered to the
person who appears as contracting party, but this criterion has been collected by the
Agency not only in specific resolutions and is also described by the Agency in the
'Officio Inspection Plan on Distance Contracting in Telecom Operators
Communications and Energy Marketers of the AEPD', where the same identifi-

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/21








enforces compliance with regulations in the sector and proposes improvements to make effective
that duty of care.

       In relation to the Ex officio Inspection Plan on Distance Contracting
in Telecommunications Operators and Energy Marketers of the AEPD',
specifically established in the section 'Accreditation of the identity of the Contractor
te' that prior to the contracting and therefore in a matter that is not similar

jable to what is the object of this procedure as already indicated, figure
that "In the stores of some telephone operators the terminal can be delivered
mobile phone purchased from customers who have contracted by telephone or telematics
cos, in which case the presentation of an official identity document is requested
(DNI, NIE, passport) and a bank document proving that the account on the

that charges are going to be made is owned by the contracting party.
       Deliveries are also made using the Post Office service that checks
the client's ID using a scanning system to collect the copy.

       Telephone contracts are usually recorded and in cases of portability
ity, a third party performs the verification by third parties”.

       It is true that the treatment of the images of the DNI in contracting at dis-
tance of a product such as a mobile terminal is not only being considered

considered lawful by the Agency itself, but it is considered that said treatment is co-
Respond with the required diligence.
       Therefore, said treatment is necessary so that the defendant can accredit

verify the contracting carried out and that it has been carried out with the due diligence
supporting documentation of the same.

       However, in the present case we are not dealing with a case of treatment
unlawful lying; the question to be clarified as to whether the data collected at the time of
the delivery of the mobile terminal have been excessive or not for the purpose pursued,

       In the aforementioned Plan it was already indicated (page 8), in relation to the hiring of
distance in the Alerts section that: “Some companies in the sector have identified different
different circumstances that may be susceptible to fraud in contracting (high
concentration of orders in certain areas, same IP addresses...) and have im-
procedures have been established that allow warning of these anomalies and determine the pro-

probability of fraud, in which case, contracts by specialists are usually verified.
lists and additional documentation may be required from the client.

        And on page 19, in relation to the identity of the contracting party that:
        "Telematic contracts require contract signing and copy of documentation

identification (DNI and bank generally) although it has been detected that it is not always do-
Documentation is recorded in the companies.
       • A growing concern has been detected by all companies

to guarantee the identity of the contracting party and for this reason they are studying and implementing
different solutions in order to avoid identity theft as much as possible.
including facial recognition and the electronic handwritten signature.

       In this sense, he recommended a series of measures:

       - Maximize the guarantees of identification of the contracting party prior to the
execution of the contract,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/21








       - The use in systems with additional guarantees of the style of what is defined
in the PSD2 regulations,

       -Biometric data.

       Well, none of these recommendations included or referred to
to the system or procedure implemented by the claimant for the delivery of products
hired, consisting of photographing the ID using the apps that the delivery man has
installed in your mobile terminal.

       However, the Agency itself has considered that this is a question
complex, having to attend to the specific case, to the techniques used in the treatment
ment, interference in the right to data protection, and must, as long as
as long as the European Committee for Data Protection does not pronounce on it or

courts, adopt in case of doubt, the interpretation that is most
favorable for the protection of the rights of those affected.

       On the other hand, if the contracting carried out by the defendant of which
has provided a copy of the document signed by the contracting party was correctly identifying
(copy of the DNI and bank document where the account number appears), com-
proving that the identity of the addressee and the contracting party coincide should be done without
need to request again the copy of the DNI (photograph of its front and back)

SW).
                                            SAW
       The infringement attributed to the defendant is typified in the

Article 83.5 a) of the GDPR, which considers that the infringement of "the basic principles
for treatment, including the conditions for consent under art.
Articles 5, 6, 7 and 9" is punishable, in accordance with section 5 of the aforementioned article.
Article 83 of the aforementioned Regulation, "with administrative fines of €20,000,000 as
maximum or, in the case of a company, of an amount equivalent to a maximum of 4%.

of the total annual global turnover of the previous financial year, opting-
I know for the largest amount.”
       The LOPDGDD in its article 71, Violations, states that: "They constitute infringements
tions the acts and conduct referred to in sections 4, 5 and 6 of article 83

of Regulation (EU) 2016/679, as well as those that are contrary to this law
organic”.

       And in its article 72, it considers for the purposes of prescription, which are: "Infractions
considered very serious:


       1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and the infractions that
suppose a substantial violation of the articles mentioned therein and, in part

particular, the following:

       (…)
       a) The processing of personal data in violation of the principles and guarantees
       established in article 5 of Regulation (EU) 2016/679.

       (…)
                                           VII
       In order to establish the administrative fine that should be imposed, they must observe

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/21








See the provisions contained in articles 83.1 and 83.2 of the GDPR, which state:

       "1. Each control authority will guarantee that the imposition of fines admissible
pursuant to this article for breaches of this Regulation.
indicated in sections 4, 5 and 6 are effective in each individual case, provided
constrained and dissuasive.

       2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an addition to or substitute for the measures contemplated

in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case shall be duly taken into account:

       a) the nature, seriousness and duration of the offence, taking into account the

       nature, scope or purpose of the processing operation in question
       as well as the number of interested parties affected and the level of damages.
       cios who have suffered;
       b) intentionality or negligence in the infraction;
       c) any measure taken by the controller or processor

       to alleviate the damages and losses suffered by the interested parties;
       d) the degree of responsibility of the data controller or processor
       to, taking into account the technical or organizational measures that have been applied
       under articles 25 and 32;
       e) any prior infringement committed by the controller or processor
       I lie;

       f) the degree of cooperation with the supervisory authority in order to remedy the
       gave to the breach and mitigate the potential adverse effects of the breach;
       g) the categories of personal data affected by the infringement;
       h) the way in which the supervisory authority became aware of the infringement, in
       particularly if the person in charge or the person in charge notified the infringement and, in such a case,

       what extent;
       i) when the measures indicated in article 58, paragraph 2, have been ordered
       previously filed against the person in charge or in charge in question in relation to
       relation to the same matter, compliance with said measures;
       j) adherence to codes of conduct under article 40 or to mechanisms
       of certification approved in accordance with article 42, and

       k) any other aggravating or mitigating factor applicable to the circumstances of the
       case, such as the financial benefits obtained or the losses avoided, direct
       or indirectly, through the infringement”.

       In relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its article
Article 76, "Sanctions and corrective measures", establishes that:

       "2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account:

       a) The continuing nature of the offence.

       b) Linking the activity of the offender with the performance of processing
       of personal data.
       c) The benefits obtained as a consequence of the commission of the infraction.
       d) The possibility that the conduct of the affected party could have led to the
       commission of the offence.

       e) The existence of a merger process by absorption after the commission
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/21








       of the infringement, which cannot be attributed to the absorbing entity.
       f) The affectation of the rights of minors.
       g) Have, when it is not mandatory, a data protection delegate.

cough.
       h) Submission by the person in charge or person in charge, voluntarily
       party, to alternative dispute resolution mechanisms, in those su-
       positions in which there are controversies between those and any interested party.”

       In accordance with the precepts transcribed, for the purpose of setting the amount of the sanction
tion of a fine to be imposed in the present case for the offense typified in article
83.5 of the GDPR for which the defendant is held responsible, in an initial assessment,
The following factors are estimated to be concurrent:

       As aggravating circumstances:

       - The nature, seriousness and duration of the infringement: the facts considered

proven seriously affect a basic principle relating to data processing
of a personal nature, such as data minimization; management is questioned

developed by the claimed result of the procedure called Identservice, a
modality of delivery of products implemented for the treatment of data and its
adaptation to the RGPD, being considered inadequate from the moment of collection

of the copy of the DNI both on the front and on the back at the time of delivery
of the package to its recipients. The scope or purpose of the processing operations
since a procedure such as the one implemented and the importance of the entity

ity is not established to operate in a reduced or local scope (article 83.2, a) of the
GDPR).

       The number of people potentially affected because, even if it is a

sole claimant, it seems clear that a considerable number may have been affected.
of the entity's customers since in accordance with the loan contract
tion of services held was implemented in January 2019; we must not forget either

that on 06/18/2020 another claim for identical facts was entered in the AEPD
chos (article 83.2, a) of the GDPR).

       In this same sense, the conditions of the deliveries of the products that

makes the claim to its clients are detailed on its official website,
through the following link: https://ayuda.orange.es/particulares/movil/mi-movil/mi-

order/1101-where-do-I-pick-up-my-order-and-what-documentation-do I need?
utm_source=orange&utm_medium=SMS&utm_term=smsAltaPedido

       - The activity of the allegedly infringing entity is linked to the tra-

Treatment of data of both clients and third parties. In the activity of the re-
clamada is essential to process the personal data of its clients
Therefore, given the volume of business of the same, the importance of the conduct

object of this claim is undeniable (article 76.2.b) of the LOPDGDD in
relation to article 83.2.k).

       - The intent or negligence in the infringement since the defendant was

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/21








fully aware of the procedure implemented for the delivery of products to
their final recipients. Also connected to the degree of diligence that the respondent

saber of the treatment is obliged to deploy in compliance with the obligations
imposed by the data protection regulations, the SAN of
10/17/2007. Although it was issued before the RGPD entered into force, its pronouncement is

perfectly extrapolated to the assumption that we analyse. The sentence, after
refer to the fact that the entities in which the development of their activity entails a continuous
processing of customer data and third parties must observe an adequate level of diligence

gency, specified that “(...). the Supreme Court has been understanding that there is imprudence
responsibility whenever a legal duty of care is neglected, that is, when the in-

fractor does not behave with the required diligence. And in the assessment of the degree of diligence
The professionalism or otherwise of the subject must be especially considered, and it is not possible to
doubt that, in the case now examined, when the appellant's activity is

constant and abundant handling of personal data must be insisted on the ri-
gor and the exquisite care to adjust to the legal precautions in this regard” (article
83.2, b) of the GDPR).


       - The continuous nature of the infringement, since it must not be forgotten that the procedure
performance in accordance with the contract for the provision of services concluded already carries
long implanted. The infringing conduct participates in the nature of

the so-called permanent infractions, in which the consummation is projected in
the time beyond the initial event and extends, violating the protection regulations
data, during the entire period of time in which the data is processed.

I lie. In this sense, the judgments of the National Court of
09/16/2008 (rec.488/2006) and the Supreme Court of 04/17/2002 (rec. 466/2000) (ar-

article 76.2.a) of the LOPDGDD in relation to article 83.2.k).

       In the present case, having valued the criteria that concur in it for the
graduation of the sanction, a sanction of 100,000 euros is imposed for violation

of article 5.1.f) of the GDPR, for which the defendant must respond.

       Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,

       The Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE ORANGE ESPAGNE, S.A.U., with NIF A82009812, for a
infringement of Article 5.1.c) of the GDPR, typified in Article 83.5 of the GDPR, a
fine of €100,000 (one hundred thousand euros).


SECOND: NOTIFY this resolution to ORANGE ESPAGNE, S.A.U.

THIRD: Warn the penalized person that they must make the imposed sanction effective
Once this resolution is enforceable, in accordance with the provisions of Article
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment term

voluntary established in art. 68 of the General Collection Regulations, approved
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/21








by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of its income, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account

restricted number ES00 0000 0000 0000 0000 0000, open in the name of the Agency
Spanish Data Protection Agency at the bank CAIXABANK, S.A.. In the event
Otherwise, it will proceed to its collection in the executive period.

       Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the deadline for making the

voluntary payment will be until the 20th day of the following or immediately following business month, and if
is between the 16th and the last day of each month, both inclusive, the term of the
Payment will be until the 5th of the second following or immediate business month.

       Against this resolution, which puts an end to the administrative process in accordance with art.

48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, interested parties may optionally file an appeal for reversal
before the Director of the Spanish Data Protection Agency within a period of one
month from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


       Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the firm resolution may be temporarily suspended in administrative proceedings
If the interested party expresses his intention to file a contentious appeal-
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Agency for Data Protection,

presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Also
must transfer to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency were not aware of the
filing of the contentious-administrative appeal within a period of two months from the

day following the notification of this resolution, would terminate the
injunction suspension


                                                                      Mar Spain Marti
                              Director of the Spanish Data Protection Agency











C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es