AEPD (Spain) - PS/00429/2019

From GDPRhub
AEPD - PS/00429/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Decided: 04.03.2020
Fine: 60.000 EUR
Parties: Vodafone España, S.AU
National Case Number/Name: PS/00429/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish Data Protection Agency (AEPD) decided to impose a fine up to 60,000 € on Vodafone España, S.AU. (the data controller) for the infringement of the lawfulness of processing principle, as per Article 6(1) GDPR.

English Summary


The decision is the consequence of a complaint submitted by a Spanish citizen stating he has contracted the data controller telecommunications services as a new customer, but an employee of the data controller used his information and falsified his signature in order to register into another telecommunications company (Llamaya) as if the claimant had requested his portability right; such complaint included screenshots of the text messages received by the second telecom company, as well as delivery notes by Llamaya.


The data controller did not answer to any AEPD investigation requests, so the AEPD started the corresponding sanction procedure. In such procedure, the data controller alleged that the infringement was due to a illegal use of data by the employee (as the data controller effectively applied the security protocols with the consent of the claimant during the contracting of the services and, as soon as the data controller got news of the problem, it marked the as a fraud and deregister its contracting), so there would be no guilt nor intentionality by the data controller.


Thus, the AEPD understood that not only there is a fraud in the contracting of the services and in using the name of the claimant without his consent, but also the data controller has infringed the lawfulness of processing principle (as it has not proved that it has even obtained the consent by the claimant for the contracting nor it carried out any due diligence in order to prove the identity of the claimant) and, after considering some aggravating circumstances [(i) the nature, severity and duration of the infringement, (ii) there is intentionality and or negligence by the data controller, (iii) personal identification data such as the name or the domicile have been affected, and (iv) the data controller has already committed other infringements], it decided to impose a fine of 60,000 € to the data controller.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

to be completed