AEPD (Spain) - PS/00501/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 18.01.2022
Fine: 56,000 EUR
Parties: Vodafone España S.A.U.
National Case Number/Name: PS/00501/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Cesar Manso-Sayao

The Spanish DPA fined Vodafone €56,000 for unlawfully processing personal data, as they did not have proper documentation for the contracting of phone lines which the data subject alleges were contracted fraudulently through identity theft.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) against Vodafone España S.A.U. (Vodafone) claiming that someone had contracted two prepaid phone numbers fraudulently in their name through one of Vodafone's distributors.

The data subject had originally filed a police report for the identity theft used to contract these phone lines, and also made an access request to Vodafone to obtain further information on the contracting of these phone lines.

Vodafone responded to this request stating that they only had partial information on file for the contracting of one of the two phone lines in the data subject's name. The data on file included the data subject's ID number and postal address, but no signature.

Holding

The AEPD held that according to the evidence in the case, Vodafone had violated Article 6(1) GDPR for unlawful processing of the data without a proven justification to do so.

Additionally, the AEPD held that Vodafone had acted with a lack of diligence to comply with the principle of accountability under Article 5(2) GDPR, as it did not possess adequate documentation of the contracting of the phone lines to prove the processing was lawful.

The AEPD set the fine at €70,000. The payment was reduced to €56,000, as Vodafone made use of the provision that establishes a 20% reduction for voluntary payment, although without explicitly accepting responsibility for the infringement.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: PS/00501/2021


       RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

From the procedure conducted by the Spanish Data Protection Agency, and based on the following


                                 BACKGROUND

FIRST: On November 15, 2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against VODAFONE ESPAÑA, S.A.U. (hereinafter, the claimed party), through the Agreement transcribed below:

<<

File No.: PS/00501/2021

           AGREEMENT TO START A SANCTION PROCEDURE




From the actions carried out by the Spanish Data Protection Agency, and based on the following:



                                     FACTS




FIRST: Mr. A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on January 15, 2021. The claim is directed against Vodafone España, S.A.U., with NIF A80907397 (hereinafter, the claimed party or Vodafone). The grounds on which the claim is based are the following.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/12








The complaining party states that a third party contracted two prepaid telephone numbers with Vodafone in the complaining party's name, through a distributor of the claimed party.

The complaining party attaches the following documentation:

       1. Complaint filed with the National Police Force in Fuengirola (Málaga), report number XXXXX/YY, of September 9, 2020, for alleged usurpation of civil identity.

       2. Complaint against Vodafone filed at the Mijas consumer office, dated XX September 2020.

       3. Response received by the Mijas consumer office, stating that the lines have been active since February 17, 2020.

       4. Burofax to Disashop, of October 16, 2020, in which the complaining party asks Disashop, as the distribution company of both Vodafone prepaid telephones, to grant the right of access to their data.

       5. Response from Disashop, stating that responsibility for the situation lies with Vodafone.

       6. Burofax to Vodafone's DPO, of October 28, 2020, requesting from Vodafone the right of access to the data relating to the contracting of both prepaid numbers.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the claim was transferred to the claimed party so that it could analyse it and inform this Agency, within one month, of the actions carried out to comply with the requirements set out in the data protection regulations.

THIRD: On May 19, 2021, the claim filed by the claimant was admitted for processing.

FOURTH: The General Subdirectorate for Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, and became aware of the following:



Vodafone representatives state on June 2, 2021 that they attach, as document number 1, a copy of the letter sent to the complaining party in compliance with the right of access exercised, by which the complaining party is given all the personal documents found in Vodafone systems.

Subsequently, on July 4, 2021, the respondent states that, after carrying out the appropriate investigations, it has been able to verify that the complete list of the prepaid lines that the claimant has had with Vodafone is the following:

(i) ***TELEPHONE.1

(ii) ***TELEPHONE.2

Regarding the line ***TELEPHONE.1, they have been able to verify that it was registered on December 16, 2019 and cancelled on July 22, 2020. The disconnection was made by the distributor Disashop Consulting, S.L.

According to the entity's representatives, as of June 22, 2021 the line ***TELEPHONE.1 is with another operator, specifically Movistar.

On the other hand, the line ***TELEPHONE.2 was registered on February 17, 2020 and cancelled on September 23, 2020. The disconnection was carried out by the distributor Disashop Consulting, S.L.

In the Vodafone systems there is no documentation that currently allows the contracting of the lines in prepaid mode to be proven; however, they provide a copy of an “information document for natural and legal persons who acquire a prepaid card” relating to the line ***TELEPHONE.2, which contains the claimant's details, DNI and postal address, but does not contain any signature.

Vodafone does not have documentation proving the contracting of the prepaid lines ***TELEPHONE.1 and ***TELEPHONE.2 in the name of the claimant.



                            FOUNDATIONS OF LAW




                                              I



By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and to resolve this procedure.



                                              II




The General Data Protection Regulation deals in article 5 with the principles that must govern the processing of personal data and mentions among them that of "legality, loyalty and transparency". The provision provides:

"1. The personal data will be:

a) Treated in a lawful, loyal and transparent manner with the interested party;”

Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the cases in which the processing of third party data is considered lawful:

"1. The treatment will only be lawful if it meets at least one of the following conditions:

a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application, at the request of the latter, of pre-contractual measures;

(…)”




The violation of article 6.1 of the RGPD is typified in article 83 of the RGPD which, under the heading “General conditions for the imposition of administrative fines”, says:

"5. Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the largest amount:

a) The basic principles for the treatment, including the conditions for consent under articles 5, 6, 7 and 9.”



      The Organic Law 3/2018, on the Protection of Personal Data and Guarantee of the
Digital Rights (LOPDGDD) in its article 72.1.b) qualifies this infraction, for the purposes
of prescription, as a very serious infraction.




The documentation in the file offers evidence that the claimed party violated article 6.1 of the RGPD, since it processed the personal data of the claimant (name, surnames and D.N.I.) without having legitimacy for the treatment of the claimant's data.

It should be remembered that article 5 of the RGPD, after alluding in its section 1 to the principles relating to the processing of personal data (among them, as has been pointed out in the preceding Basis, that of "legality"), says in its section 2:

“The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and able to demonstrate it (<<proactive responsibility>>)”

With respect to the facts that are the subject of this claim, we must point out that Vodafone does not have documentation proving the contracting of the prepaid lines ***TELEPHONE.1 and ***TELEPHONE.2 in the name of the claimant.

The lack of diligence displayed by the entity in complying with the obligations imposed by the personal data protection regulations is therefore evident. Diligent compliance with the principle of legality in the treatment of third-party data requires that the data controller be in a position to prove it (principle of proactive responsibility).

In short, there is evidence in the file that the respondent processed the personal data of the claimant without legitimacy to do so. The behavior described violates article 6.1 of the RGPD and is subsumable in the sanctioning type of article 83.5.a) of the RGPD.



                                                III



In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, precepts that indicate:

“Each control authority will guarantee that the imposition of administrative fines under this article for violations of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.”

“Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, due account will be taken of:

a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties;

d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have applied under articles 25 and 32;

e) any previous infraction committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;

i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the controller or processor in question in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or certification mechanisms approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”


Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the offence.

b) The link between the activity of the offender and the performance of personal data processing.

c) The profits obtained as a result of committing the offence.

d) The possibility that the conduct of the affected party could have induced the commission of the offence.

e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.

f) Affectation of the rights of minors.

g) Having, when it is not mandatory, a data protection delegate.

h) The submission by the controller or processor, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party.”

In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the fine to be imposed on the claimed entity as responsible for an infraction typified in article 83.5.a) of the RGPD, in an initial assessment the following factors are considered to concur in the present case:

As aggravating factors:

- The intentionality or negligence of the infringement (article 83.2.b, RGPD), given that the respondent party does not have documentation proving the contracting of the prepaid lines ***TELEPHONE.1 and ***TELEPHONE.2 in the claimant's name.

- The evident link between the business activity of the defendant and the processing of personal data of clients or third parties (article 83.2.k of the RGPD in relation to article 76.2.b of the LOPDGDD).

It is appropriate to graduate the sanction to be imposed on the claimed party and set it in the amount of €70,000 for the infringement of article 83.5 a) RGPD and 72.1 b) of the LOPDGDD.



Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency

AGREES:




FIRST: INITIATE a sanctioning procedure against Vodafone España, S.A.U., with NIF A80907397, for the alleged infringement of article 6.1 of the RGPD, typified in article 83.5.a) of the aforementioned RGPD.

SECOND: APPOINT Mr. B.B.B. as instructor and Ms. C.C.C. as secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, and the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase.

FOURTH: THAT, for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be 70,000 euros (seventy thousand euros), without prejudice to what results from the instruction.

FIFTH: NOTIFY this agreement to Vodafone España, S.A.U., with NIF A80907397, granting it a hearing period of ten business days to formulate allegations and present the evidence it deems appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the header of this document.

If within the stipulated period it does not make allegations to this initial agreement, the agreement may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, if the sanction to be imposed is a fine, the claimed party may acknowledge its responsibility within the term granted for the formulation of allegations to this initial agreement, which will entail a reduction of 20% of the sanction to be imposed in the present procedure. With the application of this reduction, the sanction would be established at 56,000 euros, resolving the procedure with the imposition of this sanction.

Similarly, it may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 56,000 euros and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the sanction is cumulative with the one applicable for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made known within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions apply, the amount of the sanction would be established at 42,000 euros.

In any case, the effectiveness of either of the two reductions mentioned will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.

In the event that it chooses to proceed with the voluntary payment of either of the amounts indicated above, 56,000 euros or 42,000 euros, it must make the payment by depositing it in account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount that it is availing itself of.






Likewise, it must send proof of payment to the General Subdirectorate for Inspection so that the procedure can continue in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the start agreement or, where appropriate, of the draft start agreement. Once this period has elapsed, it will expire and, consequently, the proceedings will be closed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.





Mar España Martí

Director of the Spanish Agency for Data Protection.

>>



SECOND: On December 23, 2021, the claimed party proceeded to pay the sanction in the amount of 56,000 euros, making use of one of the two reductions provided for in the Start Agreement transcribed above. Therefore, no acknowledgment of responsibility has been recorded.

THIRD: The payment made entails the waiver of any administrative action or appeal against the sanction, in relation to the facts referred to in the Start Agreement.



                            FOUNDATIONS OF LAW


                                            I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions committed against said Regulation; the infractions of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT; and the infractions typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.


                                            II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and a non-pecuniary one could be imposed but the inadmissibility of the second has been justified, voluntary payment by the alleged perpetrator at any time prior to the resolution will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased by regulation."



In accordance with the above, the Director of the Spanish Data Protection Agency
RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00501/2021, in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.



Mar España Martí

Director of the Spanish Data Protection Agency