AEPD - PS/00448/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 17 GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 05.03.2021 |
Published: | 09.03.2021 |
Fine: | 150000 EUR |
Parties: | Xfera Móviles S.A. |
National Case Number/Name: | PS/00448/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Paola L. |
The Spanish DPA (AEPD) imposed a fine of €150,000 on Xfera Móviles S.A. (defendant) for infringing Article 17, 32, 5(1)(f) GDPR and Article 21 LSSI. The fine was imposed after investigating two complaints received from the same data subject who indicated that the defendant had not stopped sending marketing messages and that the data subject was able to access third party's personal data through the 'Mi Yoigo' platform.
English Summary
Facts
First, a data subject filed a complaint in which indicated that they have exercised their right to object to the use of their personal data for direct marketing purposes but the defendant continued to send SMS to their mobile number. The complainant provided proof of having received more than 60 SMS within 30 days which suggests that the defendant did not fulfil the complainant’s request.
Second, the same complainant indicated that they reported to the defendant that they were receiving a large number of SMS to their mobile number with confidential information about third parties. The defendant told the complainant that it had noted the incident and that it would not reoccur. However, the defendant continued to send information related to third parties to the complainant, in particular, a security code to access the platform "Mi Yoigo", to which the complainant accessed and was able to view personal data from a third party. The access given allowed the complainant to view someone else’s bills, phone number, address, bank account, account number and the possibility to make any changes in the third party’s profile. The complainant also provided proof to this effect.
Dispute
Were the actions of the defendant a violation of the principles relating to processing of personal data contained in article 5(f) and 32 the GDPR?
Holding
The AEPD held that this offense is considered as ‘grave’ in accordance with Article 72(1)(k) LOPDGDD and falls under the criteria defined in article 83(5)(a) GDPR where a company can be fined up to €20000000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The AEPD imposed a fine of €150000 for infringing the following provisions:
-Article 17 GDPR – Right to Erasure - €50000 fine
-Article 32 GDPR – Failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk – €30000 fine
-Article 5(1)(f) GDPR - For breaching of the principle of integrity and confidentiality in the processing of personal data of customers - €50000 fine
- Article 21 of the LSSI (Spanish Law on Information Society Services and Electronic Commerce) regarding the sending of commercial SMS or advertising without the express consent of the recipient - €20000 fine
The AEPD, indicated that the fine may be reduced to €90000 for voluntary payment and admission of responsibility.
Comment
When imposing the fine, the AEPD considered:
- The duration of the violation, taking into account the scope or purpose of the data processing operation, as well as the damages caused to the interested party and third parties – Article 83(2)(a) GDPR
- Negligence in the infringement, when verifying the lack of due diligence of the claimed entity in the fulfilment of its obligations with respect to the management of users' personal data - Article 83(2)(b) GDPR
- The way in which the supervisory authority learned of the infringement, since this occurred through several complaints filed by the complainant, Article 83(2)(h) GDPR
- The existence of a prior complaint.
Aggravating factors in accordance with Article 72(2)(a) & (b) LOPDGDD and Article 83(2)(k) GDPR:
- The continuing nature of the infringement even though the defendant informed that it had been corrected
- The nature of the defendant’s activities with respect to the processing of personal data.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/19 Procedure No.: PS / 00448/2020 - RESOLUTION R / 00180/2021 TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT In the sanctioning procedure PS / 00448/2020, instructed by the Spanish Agency for Data Protection to XFERA MÓVILES, S.A., considering the complaint filed by A.A.A., and based on the following, BACKGROUND FIRST: On February 12, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against XFERA MÓVILES, S.A. (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure Nº: PS / 00448/2020 935-240719 AGREEMENT TO START THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection before the entity, XFERA MÓVILES, S.A., with CIF .: A82528548, (hereinafter, “the entity claimed ”), by virtue of a complaint filed by D.A.A.A., (hereinafter,“ the claimant ”), and based on the following: ACTS FIRST: On 10/16/20, you have an entry in this Agency, a complaint filed by the claimant in which it indicated, among others, the following: “Start a claim with you dated 07/19/20, Nº: E / 06604/2020; where I indicated that the company had complied with the right of objection and was not admitted to procedure, (to understand that they had taken the appropriate measures). To this day, this operator continues to send SMS to my telephone line, (attached screenshots in attached file), of more than 60 SMS in the last 30 days, so it is understood that this operator has not taken the measures indicated ". C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/19 The complaint letter was accompanied by the following documents: - Screenshots of 26 SMS from 09/22/20 to 10/15/20, sent from the Yoigo company with advertising messages, inviting the user to access to certain web pages such as, http // shorturi.kairos365.com / MjkxNDM2 and http //: yoigo.kairos365.com/coronavirus; or to call the numbers of telephone, *** TELEPHONE.1 or *** TELEPHONE.2 to contract the promotions offered by the company. SECOND: On 10/31/20, a second letter from complaint filed by the claimant in which he indicated, among others, the following: “ON 09/24/20 I sent an email to Yoigo (Más-Móvil), informing that I was receiving a large number of SMS on my mobile line with information confidential information from third parties, who told me that they had taken note and it would not happen again. Well, this company, to this day, has sent me phone line, an SMS with my phone number and a security code to access your platform ("Mi Yoigo"), which I have accessed, since it has my number phone number and I have been able to verify that I have accessed personal data from a third party someone else, with whom I have nothing to do, I have seen their bills and the possibility and to carry out any procedure in your profile ”. The complaint letter was accompanied by the following documents: - Email sent from the address *** EMAIL.1, dated 09/24/20 to the address ***EMAIL.2@masmovil.com denounced the receipt of shipments mass of advertising SMS and others with personal data of third parties persons. - Reply email to the claimant, from the address ***EMAIL.2@masmovil.com, dated 09/24/20, indicating, among others, that, have responded to your request for opposition, dated 08/13/20 and that, regarding of the commercial communications that you have received after said date, they inform you that they have been made by a MASMOVIL agent, who performs operations with their own database, committing to give the order to said agent to delete your personal data from their databases and stop advertising. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/19 - Provide a screenshot: "My Yoigo Account - Manage your information personal and access data ”from the web address: https://miyoigo.yoigo.com/datos-personales ”, dated 10/31/20, where you can see that, with the claimant's phone number, entered in In the "user" box, the personal data, address and number of bank account of a third person unrelated to the claimant. Also I know Attached invoice for the month of October 2020, of the services provided by the company to said third person, where data such as: the name, the address, checking account number, and contact phone numbers. THIRD: On 11/10/20, a third letter from complaint filed by the claimant in which he indicated, among others, the following: “The complaint filed with that Agency, dated October 31, 2020, against the operator of Yoigo (MásMóvil), for the use of data in a fraudulent and repeated, even after having been notified of these facts ”. The complaint letter was accompanied by the following documents: - Screenshots of 16 SMS, sent from 10/18/20 to 11/09/20, from the Yoigo company, informing the user of the existence of problems technicians for the management of your requests and the subsequent correction of the themselves. FOURTH: On 11/30/20, by the Director of the Spanish Agency for Data Protection an agreement is issued for the admission of processing of complaints submitted by the claimant, in accordance with article 65 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LPDGDD). FOUNDATIONS OF LAW I- Competition. a) .- Regarding the processing of personal data: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/19 It is competent to initiate and resolve this Penalty Procedure, the Director of the Spanish Data Protection Agency, by virtue of the powers that art 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, Relating to the Protection of Natural Persons with regard to the Treatment of Personal Data and the Free Circulation of this Data (RGPD) recognizes each Control Authority and, as established in arts. 47, 64.2 and 68.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). Sections 1) and 2), of article 58 of the RGPD, list, respectively, the investigative and corrective powers that the supervisory authority may provide to the effect, mentioning in point 1.d), that of: “notify the person in charge or commission of the treatment of alleged infringements of this Regulation ”and in 2.i), that of: “Impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case.". b) .- Regarding the sending of advertising SMS without the consent of the interested party: It is competent to initiate and resolve this Penalty Procedure, the Director of the Spanish Agency for Data Protection, in accordance with the provisions of the art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI), is competent to initiate and resolve this Penalty Procedure, the Director of the Spanish Agency for Data Protection. II From file No.: E / 06604/2020, followed by this Agency as a result of the first complaint filed by the claimant against the claimed entity, it must be keep in mind the following points: On 07/17/20, the claimant filed a complaint with this Agency, indicating in it that: “he was receiving advertising messages on his phone mobile, from the company denounced, which he had not authorized ”. Dated 09/14/20, in response to the request made from this Agency on the occasion of the denounced events, the company indicated that: “we confirm that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/19 We have managed the claimant's right of opposition in relation to all the databases for which we are responsible for the treatment dated 13 of August 2020 (…) ”. On 09/25/20, the claimed entity, in response to the request for additional information made from this Agency, reported that: “In relation to the extension made by the claimant, as can be seen in the messages provided by this, point to a "url" with domain hazmeclic.es, which is not ownership of my client, as accredited through red.es., not being the database of this company under the responsibility of Xfera Móviles ”. Vector Software Factory, S.L. is a MASMOVIL distributor, with whom you have a Agency contract, which carries out commercial campaigns on its own initiative and on its own database, which, as we have indicated, is not under responsibility, nor have we provided from MASMOVIL. However, the foregoing, We will proceed to contact this agent in order to transfer the opposition of Mr. A.A.A. in order to meet the right of the interested party. By mail dated September 24, 2020, at 3:25 p.m., we have proceeded to inform the interested party of the following: “We write to your email, to which we have had access within the framework of the procedure followed by the Spanish Agency of Data Protection E / 06604/2020. in order to inform you of how we have proceeded in the attention of your right of opposition. We hereby inform you that we proceeded to manage your right of opposition regarding the numbering XXX XXX XXX, by Xfera Móviles, S.L. (More Mobile) dated August 13 2020. In relation to the communications that the Spanish Protection Agency indicates to us of Data has received after that date, we inform you that we have verified that they have been sent by an agent of the brand MASMOVIL, who carries out commercial actions on its own databases. In In this sense, we inform you that we will transmit your request to exercise your rights of opposition to this agent, after which we hope you will stop receiving our advertising. Well, dated 10/01/20, once the reasons given by the claimed entity, and consider that the person responsible had attended the claim C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/19 presented, this Agency agreed not to admit the claim for processing submitted, notifying the interested parties. However, dated 10/16/20, a second entry has been entered into this Agency complaint filed by the claimant indicating that the operator was still sending SMS to his telephone line, and attached the screenshots of more than 60 SMS received until that day, for which he considered that the operator had not attended satisfactorily the first claim, and that the AEPD had rejected the processing of the consider otherwise. A few days later, on 10/31/20, the claimant resubmits a written statement of complaint to this Agency, indicating that he had contacted the claimed entity, on 09/24/20, to inform them that, although he had exercised before them the right to object continued to receive a huge amount of advertising SMS, receiving as a response from the entity that had responded to his request for opposition dated 08/13/20 and that it would not happen again, but the claimant again justifies that you continue to receive SMS from the company after that date, providing a copy of all of them. On 11/10/20, he once again submits a new letter to this Agency providing advertising SMS of the claimed entity, up to 16 SMS, from the 10/18/20 to 11/09/20. Apart from all the above, the claimant also reports that he has received an SMS from the company, to your phone number with a security code to access the platform, (“Mi Yoigo”), in which, once accessed, you have been able to verify that the profile belongs to another user, but has access to the personal data of this person, to their invoices, and even has the possibility and to carry out any procedure with the data of this person. III- On the breach of the right to delete personal data. This section examines the presumed non-compliance, on the part of the claimed entity, of the deletion of all personal data from its databases data, which was requested by the claimant. Article 17.1.c) of the RGPD, establishes the right to delete data personal data of the interested party, ("the right to be forgotten"), that: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/19 "The interested party shall have the right to obtain without undue delay from the person responsible for the treatment the deletion of personal data that concerns you, which will be obliged to delete without undue delay the personal data when there is any of the following circumstances: (…) c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and does not other legitimate reasons for the treatment prevail, or the interested party opposes the treatment in accordance with article 21, paragraph 2; ”. From the existing documentation in the file followed in this Agency, by the same facts denounced (E / 06604/2020), of the documentation presented by the claimant in the present sanctioning procedure (PS / 00448/2020) and of the Answers made by the claimed entity, to the requirements made by this Agency, set forth in point II, it is verified that the facts known could be constitutive of an infringement, attributable to the defendant, for violation of the Article 17.1.c) of the RGPD, for breach of the right to delete data personal data of the interested party, when he had exercised the right of opposition before the entity and he had even confirmed that he had correctly managed said right. Article 72.1.k) of the LOPDGDD, considers very serious, for the purposes of prescription, “The impediment or the obstruction or the repeated lack of attention to the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679. ”. This offense may be punished with a fine of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of a higher amount, in accordance with article 83.5.b) of the RGPD. In accordance with the indicated precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the sanction to be imposed in In this case, it is considered that the sanction to be imposed should be adjusted according to with the following aggravating criteria established in article 83.2 of the RGPD: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/19 - The duration of the offense, taking into account the scope or purpose of the data processing operation, as well as the damages caused to the interested party, as the entity stated that it had proceeded to erase the data of the complainant from their databases on 08/13/20 and continued to send SMS advertising until 11/09/20, (section a). - Negligence in the infringement, when verifying the lack of due diligence of the claimed entity in the fulfillment of its obligations with respect to the management of users' personal data, (section b). - The way in which the supervisory authority learned of the infringement, since this was produced through several complaints filed by the claimant, (section h). - The existence of a previous complaint, which was not admitted for processing by this Agency, by affirming the claimed entity that it had proceeded satisfactorily to address the right to delete personal data of the interested party, (section k). For its part, article 76.2 of the LOPDGDD, establishes that, in accordance with the provisions in article 83.2.k) of the RGPD, it will be taken into account, as aggravating factors of the sanction, the following: - The continuing nature of the infringement, therefore, although the claimed entity affirms that it has proceeded to the erasure of the claimant's personal data from your databases on 08/13/20, continues to send advertising SMS on your mobile, even after 11/08/20, (section a). - The linking of the activity of the offender with the performance of treatment of personal data, (section b). The balance of the circumstances contemplated in article 83.2 of the RGPD, with Regarding the offense committed by violating the provisions of article 17 of the RGPD, allows setting an initial penalty of 50,000 euros, (fifty thousand euros). IV- On the lack of security measures in the company's systems. This section examines the presumed non-compliance, on the part of the claimed entity, of the security in the treatment of the personal data of its clients, since the claimant reports having received an SMS from the company, with his telephone number and a security code to access the platform (“My Yoigo ”), in which, he has been able to verify that the profile belongs to another user, that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/19 has access to the personal data of this person, to their invoices, and there is even the possibility of carrying out any procedure with your personal data. The security of personal data is regulated in article 32 of the RGPD, where it is stated that: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for people's rights and freedoms physical, the person in charge and the person in charge of the treatment will apply technical measures and appropriate organizational arrangements to ensure a level of security appropriate to the risk, (…) " The GDPR defines personal data security breaches as “all those security violations that cause destruction, loss or accidental or illegal alteration of personal data transmitted, stored or processed otherwise, or unauthorized communication or access to said data ”. From the documentation in the file there are evident indications that the claimed has violated article 32 of the RGPD, due to a breach of security in their systems by sending an SMS to the claimant with the access codes to the “Mi Yoigo” platform, belonging to another client of the company. It should be noted that the RGPD in the aforementioned precept does not establish a list of the security measures that are applicable according to the data that are the object of treatment, but establishes that the person in charge and the person in charge of the treatment apply technical and organizational measures that are appropriate to the risk involved the treatment, taking into account the state of the art, the application costs, the nature, scope, context and purposes of the treatment, the risks of probability and seriousness for the rights and freedoms of the interested persons. Article 73.g) of the LOPDGDD, considers serious, for the purposes of prescription, "The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented as required by article 32.1 of Regulation (EU) 2016/679 ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/19 This offense can be sanctioned with administrative fines of 10,000,000 EUR at most or, in the case of a company, of an amount equivalent to 2% as maximum total annual global business volume of the previous financial year, opting for the highest amount in accordance with article 83.4.a) of the RGPD. In accordance with the indicated precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the sanction to be imposed in In this case, it is considered that the sanction to be imposed should be adjusted according to with the following aggravating criteria established in article 83.2 of the RGPD: - The duration of the offense, taking into account the scope or purpose of the treatment operation in question, (section a). - Negligence in the infringement, when verifying the lack of due diligence of the claimed entity in the fulfillment of its obligations with respect to the management of the security of the personal data of its clients, (section b). - The way in which the supervisory authority learned of the infringement, as it has been through the complaint filed by the claimant, (section h). For its part, article 76.2 of the LOPDGDD, establishes that, in accordance with the provisions in article 83.2.k) of the RGPD, it will be taken into account, as aggravating factors of the sanction, the following: - The linking of the activity of the offender with the performance of treatment of personal data, (section b). The balance of the circumstances contemplated in article 83.2 of the RGPD, with Regarding the offense committed by violating the provisions of Article 32 of the RGPD, allows setting an initial penalty of 30,000 euros, (thirty thousand euros). V- On the consequences of the lack of adequate security measures. This section examines the presumed non-compliance, on the part of the claimed entity, of the security in the treatment of the personal data of its clients, since the claimant reports that he has received an SMS from the company, with C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/19 your phone number and a security code to access the platform (“My Yoigo ”), in which, he has been able to verify that the profile belongs to another user, that has access to the personal data of this person, to their invoices, and there is even the possibility and to carry out any procedure with your these personnel who are not the his. The RGPD establishes, in article 5, the principles that must govern the treatment of the personal data and mentions among them that of "integrity and confidentiality". The article states, in point 1.f) that: "Personal data will be treated in such a way in a way that ensures adequate security of personal data, including the protection against unauthorized or illegal processing and against its loss, destruction or accidental damage, through the application of technical or organizational measures appropriate ('integrity and confidentiality') ”. Well, in accordance with the evidence available at present moment, the fact that the claimed entity made it possible to view data personal data of a third person outside the claimant, allow verifying that the complained has not been able to guarantee the security in the processing of the data personal data of its clients, thereby showing a serious lack of due diligence and incurring, therefore, in the violation of article 5.1 f) of the RGPD, which establishes the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the controller to demonstrate its compliance. Article 72.1.a) of the LOPDGDD considers very serious, for the purposes of prescription: "The processing of personal data violating the principles and guarantees established in Article 5 of Regulation (EU) 2016/679 " This offense may be punished with a fine of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of a higher amount, in accordance with article 83.5.b) of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/19 In accordance with the indicated precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the sanction to be imposed in In this case, it is considered that the sanction to be imposed should be adjusted according to with the following aggravating criteria established in article 83.2 of the RGPD: - The duration of the offense, taking into account the scope or purpose of the data processing operation, as well as the damages caused to the interested party and third parties, (section a). - Negligence in the infringement, when verifying the lack of due diligence of the claimed entity in the fulfillment of its obligations with respect to the management of users' personal data, (section b). - The way in which the supervisory authority learned of the infringement, since this was produced through several complaints filed by the claimant, (section h). - The existence of a previous complaint, which was not admitted for processing by this Agency, by affirming the claimed entity that it had proceeded satisfactorily the problem posed, (section k). For its part, article 76.2 of the LOPDGDD, establishes that, in accordance with the provisions in article 83.2.k) of the RGPD, it will be taken into account, as aggravating factors of the sanction, the following: - The continuing nature of the infringement, therefore, although the claimed entity states that it proceeded to solve the problems caused on 08/13/20, continues there is sending SMS with data belonging to other outsiders to the interested party, (section a). - The linking of the activity of the offender with the performance of treatment of personal data, (section b). The balance of the circumstances contemplated in article 83.2 of the RGPD, with regarding the offense committed by violating the provisions of its article 5.1.f) of the RGPD, allows setting an initial penalty of 50,000 euros, (fifty thousand euros). VI- On the sending of advertising SMS without the consent of the interested party. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/19 This section examines the presumed non-compliance, on the part of the claimed entity, of article 21 of the LSSI, which establishes the prohibition of send advertising or promotional communications, by means of communication electronic, which had not previously been requested or expressly authorized. Article 21 of the LSSI, on non-consensual commercial communications, states that: "1. The sending of advertising or promotional communications by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by the recipients of the same. 2. The provisions of the preceding section shall not be application when there is a prior contractual relationship, provided that the provider had obtained the recipient's contact details lawfully and used them for sending commercial communications regarding products or services of your own company that are similar to those that were initially the subject of contracting with the client. In any case, the provider must offer the recipient the possibility of opposing the processing of your data for promotional purposes through a simple and free procedure, both at the time of data collection as in each of the commercial communications that I address. When the communications had been sent by email, said medium must necessarily consist of the inclusion of an email address or another valid email address where this right can be exercised, being prohibited sending communications that do not include said address. " From the existing documentation in the file followed in this Agency, by the same facts denounced (E / 06604/2020), of the documentation presented by the claimant in the present sanctioning procedure (PS / 00448/2020) and of the Answers made by the claimed entity, to the requirements made by this Agency, set forth in point II, it is verified that the facts known could be constitutive of an infringement, attributable to the defendant, for violation of the Article 21 of the LSSI, for sending a large number of advertising SMS or without the authorization of the interested party and after the claimed entity affirm that they had responded to the request of the interested party not to send him again SMS. The aforementioned offense is classified as minor in art. 38.4.d) of bliss standard, which qualifies as such, “Sending commercial communications by mail C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/19 electronic or other equivalent electronic means of communication when in said shipments do not meet the requirements established in article 21 and do not constitute Serious offense". In accordance with the provisions of article 39.1.c) of the LSSI, minor offenses may be sanctioned with a fine of up to € 30,000, establishing the criteria for its graduation in article 40 of the same rule. After the evidence obtained, and without prejudice to what results from the instruction, considers that the sanction to be imposed should be adjusted in accordance with the following aggravating criteria, established in art. 40 of the LSSI: - The existence of intentionality, an expression that must be interpreted as equivalent to degree of guilt according to the Judgment of the National Court of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the entity denounced the determination of a system of obtaining the informed consent that conforms to the mandate of the LSSI. - Period of time during which the offense has been committed, since the entity stated that it had agreed not to send any more SMS to the interested party, the 08/13/20 and continued to send SMS until 11/09/20 (last SMS that this Agency knows) (section b). Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 20,000 euros (twenty thousand euros), for the violation of article 21 of the LSSI, regarding the sending of commercial communications through SMS without the consent of the affected party. Therefore, in accordance with the foregoing, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: START: SANCTIONING PROCEDURE to the entity XFERA MÓVILES, S.A., with CIF .: A82528548, for the following infractions: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/19 - Infringement of article 17 of the RGPD, punishable in accordance with provided in art. 58.2 of the aforementioned RGPD, for breach, of the deletion of the personal data of its databases, requested by the claimant. - Infringement of article 32 of the RGPD, punishable in accordance with provided in art. 58.2 of the aforementioned RGPD, for breach of security in the treatment of the personal data of its clients. - Infringement of article 5.1.f) of the RGPD, punishable in accordance with provided in art. 58.2 of the aforementioned RGPD, for breach of the principle of integrity and confidentiality in the processing of personal data of its customers. - Infringement of article 21 of the LSSI, regarding the sending of commercial SMS or advertising without the express consent of the recipient. APPOINT: as Instructor to D. R.R.R., and Secretary, where appropriate, to Ms. S.S.S., indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). INCORPORATE: to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and his documentation, all of them part of this Administrative file. WHAT: for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on Common Administrative Procedure of Public Administrations, the sanction that could correspond would be: - 50,000 euros (fifty thousand euros) for the violation of article 17 of the RGPD, without prejudice to what results from the instruction of this sanctioning procedure. - 30,000 euros (thirty thousand euros) for the violation of article 32 of the RGPD, without prejudice to what results from the instruction of this sanctioning procedure. - 50,000 euros (fifty thousand euros) for the violation of the article of article 5.1.f) of the RGPD, without prejudice to what results from the instruction of this sanctioning procedure C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/19 - 20,000 euros (twenty thousand euros) for the violation of article 21 of the LSSI, without detriment to what results from the instruction of this procedure sanctioner. Therefore, for the purposes provided for in art. 64.2 b) quoted, the total sanction that could correspond would be 150,000 euros (one hundred and fifty thousand euros) NOTIFY: this agreement to initiate the sanctioning file to the entity XFERA MÓVILES, S.A., granting a hearing period of ten business days to to formulate the allegations and present the evidence it deems appropriate. If within the stipulated period it does not make allegations to this initiation agreement, the same It may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; it which will entail a reduction of 20% of the penalty to be imposed in the present procedure, equivalent in this case to 30,000 euros. With the app of this reduction, the penalty would be set at 120,000 euros, resolving the procedure with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of the amount thereof, equivalent in this case to 30,000 euros. With the application of this reduction, the sanction would be established in 120,000 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the preceding paragraph, it may be done at any time prior to the resolution. In In this case, if both reductions should be applied, the amount of the penalty would be set at 90,000 euros (ninety thousand euros). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/19 In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction. If you choose to proceed to the voluntary payment of any of the amounts indicated previously, you must make it effective by entering account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of Data in Banco CAIXABANK, S.A., indicating in the concept the number of reference to the procedure in the heading of this document and the cause of reduction of the amount to which it is accepted. You must also send the Proof of admission to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount entered. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. Mar Spain Martí Director of the Spanish Agency for Data Protection. >> SECOND: On March 3, 2021, the defendant has proceeded to pay the sanction in the amount of 90,000 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/19 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or to the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% on the amount of the proposed sanction, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditional on the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00448/2020, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to XFERA MÓVILES, S.A .. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 19/19 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 936-031219 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es