AEPD - PS/00008/2020
|AEPD - PS-00008-2020|
|Relevant Law:||Article 6(1) GDPR|
|National Case Number/Name:||PS-00008-2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The spanish data protection authority (AEPD) imposed a fine in the amount of 6,000 EUR on Oliveros Ustrell because the company could not proof the existence of consent for data processing activities, including the transfer of data to Vodafone.
The AEPD found different data processing activities related to the claimant. The claimant argued that he had received a message from Vodafone about a purchase made in a physical shop. The complainant denies that this purchase actually happened.
Further, a seller from Oliveros Ustrell forwarded an unsigned number portability contract to Vodafone concerning the claimant. Oliveros Ustrell was unable to provide proof of the order.
In addition, the AEPD could not find a legal basis for the collection and processing of personal data on the information systems of the Oliveros Ustrell.
Whether the collection and process of personal data from Oliveros Ustrell was based on consent.
Since the AEPD did not receive evidence of the existence of consents for the different data processing activities and no other justifications apply, the AEPD considered these activities as unlawful.
The original amount of the fine was set up to 10,000 Euro. The AEOD considered the voluntarily payment from Oliveros Ustrell of the fine and therefore deducted the amount to 6,000 Euro.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/14 936-031219 Procedure No.: PS / 00008/2020 RESOLUTION R / 00166/2020 OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTARY In the sanctioning procedure PS / 00008/2020, instructed by the Agency Spanish Data Protection to OLIVEROS USTRELL, SL , given the complaint presented by AAA , and based on the following, BACKGROUND FIRST: On February 13, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against OLIVEROS USTRELL, SL (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure No.: PS / 00008/2020 935-240719 AGREEMENT TO INITIATE PENALTY PROCEDURE Of the actions carried out by the Spanish Agency for the Protection of Data and based on the following: ACTS FIRST: Ms. AAA (hereinafter, the claimant) dated February 25, 2019 filed a claim with the Spanish Agency for Data Protection. The claim is directed against Oliveros Ustrell, SL, with NIF B62884721 (hereinafter, the claimed). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 2 2/14 The reasons on which your claim is based are that you received a message from Vodafone España, SAU (hereinafter Vodafone) thanking you for a purchase that you do not recognize, made in a physical store of which you were a customer. Thus, check through the mobile application of Vodafone that carried out a portability contracted in your name and with your data banking. Well, in the store request the contract that you have supposedly signed, but they deny it and they recognize that it is a habitual practice that they carry out: they buy Lycamobile prepaid cards and carry portabilities to customers of your store. In When you are aware of these facts, the cover line is removed. On the other hand, it indicates that the events took place on *** DATE.1 And, among others, it provides the following documentation: Vodafone service contract for number portability *** TELEPHONE.1 from Lycamobile. Copy of the claim form completed by the claimant in which claims that (i) their identity has been supplanted, (ii) their data has been processed personal and banking at your convenience and (iii) have made a contract at your name without your consent. SECOND: In view of the facts denounced in the claim and the documents provided by the claimant and the facts and documents from which it has This Agency, the Subdirectorate General for Data Inspection, had knowledge proceeded to carry out preliminary investigation actions for the clarification of the facts in question, under the powers of investigation granted to supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and pursuant to the provisions of Title VII, Chapter I, Second Section, of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigation actions carried out, it is found that the data controller is the one claimed. Also, the following points are found: The background information is as follows: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 3 3/14 On April 10, 2019, within file E / 04042/2019, it was transfers the claim to the claimed via the Notific @ service requesting (i) the decision adopted in connection with this claim, (ii) in the event of exercising the rights regulated in articles 15 to 22 of the RGPD, accreditation of the response provided to the complainant, (iii) report on the causes that have motivated the incidence that has originated the claim, (iv) report on the measures adopted to avoid similar incidents, implementation dates and controls made to verify its effectiveness and (v) any other that it considers relevant. The notification is automatically rejected after 10 days have elapsed without have been accessed. On April 22, 2019, within file E / 04042/2019, it was reiterates the transfer of the claim to the claimed through the postal services which is returned with the result "Returned to Origin by Unknown on 04/24/2019". On the signing date of August 19, 2019, it was agreed to admit the claim presented by the claimant against OLIVEROS USTRELL, SL Information request has been made to the requested party regarding (i) consent of the interested party for the processing of personal data and banks in the realization of the portability contract, (ii) copy of the contract original made in store, and (iii) report on the causes that have motivated the incident that caused the claim, dated October 9, 2019 received at this Agency, with registration number 047698/2019, written from allegations forwarded by the defendant stating that it does not have any documentation related to the data of the related operation with the claimant, and that this is because the operations were performed by a employee who left the company without knowing his current whereabouts and without being able to recover said operation by any means. Information request made to Vodafone about the hiring of unsigned portabilities and on the ported telephone number, dated November 11, 2019 is received at this Agency, with registration number 054686/2019, brief sent by the operator stating that the Portabilities are formalized through a contract signed by the client in a that the contract model includes the signature fields necessary for the previous client authorizes the change of owner and the new client authorizes the portability. The contract can be signed digitally or manually: - When the digital signature option is chosen, the contract signed by the client dumps directly into "Docuweb". The system should not move forward if it is missing any of the 2 signatures in the portability and change boxes. - When the manual signature option is chosen, the order advances in any case and the store is required to keep an original copy of the contract signed by C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 4 4/14 the customer and send this copy to "Docout" for custody. Docout reviews if the contract reaches your office and informs us otherwise. Regarding the number carried, they report that he was discharged from 26 February 2019 until February 28, 2019, the date on which the final loss. FUNDAMENTALS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, The Director of the Spanish Agency for Data Protection is competent to initiate and to solve this procedure. II Article 58 of the RGPD, " Powers ", says: "2 Each supervisory authority shall have all the following powers corrective indicated below: (…) b) sanction any person responsible or responsible for the treatment with warning when the processing operations have violated the provisions of this Regulation; (...) d) order the data controller or processor that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period. (…) i) impose an administrative fine pursuant to article 83, in addition to or instead of measures mentioned in this section, depending on the circumstances of the case C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 5 5/14 particular (…) ” III The RGPD deals in its article 5 with the principles that must govern the treatment of personal data and mentions among them that of " legality, loyalty and transparency". The precept provides: "1 . The personal data will be: a) Treaties in a lawful, loyal and transparent manner in relation to the interested (<< legality, loyalty and transparency >>); ” Article 6 of the RGPD, “ Lawfulness of treatment ”, details in its section 1 the Assumptions in which the processing of third-party data is considered lawful: "one. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party or for the application at the request of this measures pre-contractual; (…) ” The infraction for which the claimed entity is responsible is found typified in article 83 of the RGPD that, under the heading " General conditions for the imposition of administrative fines ”, states: "5 . Violations of the following provisions will be sanctioned, according with paragraph 2, with administrative fines of maximum EUR 20,000,000 or, In the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the largest amount: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 6 6/14 a) The basic principles for treatment, including conditions for consent pursuant to articles 5,6,7 and 9. " Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) in its article 72, under the heading “ Infractions considered very serious ” states: "one. In accordance with the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in In particular, the following: (…) b) The processing of personal data without any of the conditions of lawfulness of the treatment established in article 6 of the Regulation (EU) 2016/679. ” IV The documentation in the file offers evidence that the claimed, violated article 6.1 of the RGPD , since it carried out the treatment of the Claimant's personal data without her consent. The personal data of the claimant were incorporated into the company's information systems, without has proven that it had its consent for the collection and treatment later of your personal data. Based on the above, in the case analyzed, it remains questioned the diligence used by the defendant to identify the person who contracted on behalf of the claimant. The Administrative Litigation Chamber of the National Court, in assumptions such as the one presented here, has considered that when the owner of the data denies the hiring the burden of proof corresponds to those who affirm their existence, and the person responsible for the data processing of third parties must collect and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 7 7/14 keep the necessary documentation to prove the owner's consent. We cite, for all, the SAN of 05/31/2006 (Rec. 539/2004), Law Foundation Room. Well, it follows that the claimant received a message about portability and, in the contract obtained through the Vodafone client mobile application contributed by the claimant, all the spaces for the signatures of the blank customers. On the other hand, according to Vodafone, it is mandatory that the store keep these contracts, but the claimed party states that for other reasons, it has documentation on the portability indicated in the claim. Exists evidence, in the contract provided by the claimant, that the contract for portability in the physical store of the claimed and that the contract is unsigned. Although the company states that portability does not occur if it is missing any of the signatures, the contract obtained by the claimant through the application for Vodafone mobile contains all the spaces for the signatures of the blank headlines. However, and this is the essential, the defendant does not prove the legitimacy for the treatment of the claimant's data. Ultimately, the defendant has not provided a document or evidence some that shows that the entity, in such a situation, had deployed the minimum due diligence to verify that indeed your interlocutor was the one claimed to flaunt. Respect for the principle of legality that is at the core of the fundamental right of personal data protection requires that it be proven that the responsible for the treatment deployed the essential diligence to prove that extreme. If this Agency does not act in this way - and this Agency does not demand it, it is incumbent on it for compliance with regulatory regulations of the data protection right of personal character - the result would be to empty of content the principle of legality. V C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 8 8/14 In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate : "Each supervisory authority will guarantee that the imposition of fines administrative under this article for violations of this Regulations indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. " " Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). In deciding the imposition of a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the treatment operation in question as well as the number of affected parties and the level of damage and damages they have suffered; b) the intent or negligence of the infraction; c) any action taken by the controller or processor to mitigate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the technical or organizational measures that have applied under articles 25 and 32; e) any previous infraction committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to put remedy the violation and mitigate the possible adverse effects of the violation; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the person in charge or the person in charge notified the infringement and, in such case, to what extent; i) when the measures indicated in Article 58 (2) have been previously ordered against the person in charge or the person in charge in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms of certification approved pursuant to article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 9 9/14 or indirectly, through the infraction. ” Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, " Sanctions and corrective measures" provides: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 The following may also be taken into account: a) The continued nature of the offense. b) The link of the activity of the offender with the performance of data processing personal. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected party could have induced the commission of the offense. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not required, a data protection officer. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested party. ” In accordance with the precepts transcribed, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the fine sanction to impose in the present case the party claimed is considered responsible for an infringement typified in article 83.5.a) of the RGPD , in an initial assessment, they are considered concurrent the following factors. As aggravating the following: - The intent or negligence of the offense (article 83.2 b). - Basic personal identifiers (name, data) are affected banks, the line identifier) (article 83.2 g). That is why it is considered appropriate to graduate the sanction to be imposed on the claimed and fix it at the amount of € 10,000 for the violation of article 6.1 of the RGPD. Therefore, in light of the above, By the Director of the Spanish Agency for Data Protection, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 10 10/14 HE REMEMBERS: 1. INITIATE SANCTIONING PROCEDURE to Oliveros Ustrell, SL, with NIF B62884721, for the alleged violation of article 6.1. of the RGPD typified in article 83.5.a) of the aforementioned RGPD. 2. TO appoint D. BBB as instructor and Dña. CCC as secretary , indicating that any of them may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of 1 October, Legal Regime of the Public Sector (LRJSP). 3. INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its attached documentation, the information requirements that the General Inspection Subdirectorate of Data sent to the entity claimed in the preliminary investigation phase and their respective acknowledgments of receipt. 4. THAT for the purposes provided in art. 64.2 b) of the law 39/2015, of 1 of October, of the Common Administrative Procedure of the Administrations Public, the sanction that could correspond would be 10,000 euros (ten thousand euros), without prejudice to what results from the instruction. 5. NOTIFY this agreement to Oliveros Ustrell, SL, with NIF B62884721, granting you a hearing period of ten business days to to formulate the allegations and present the evidence that it considers convenient. In your statement of allegations you must provide your NIF and the procedure number at the top of this document. If, within the stipulated period, no allegations are made to this initial agreement, the same may be considered a resolution proposal, as established in the article C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 11 11/14 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed were a fine, you can recognize your responsibility within the term granted for the formulation of allegations to this initial agreement; the which will entail a reduction of 20% of the sanction to be imposed in the present procedure. With the application of this reduction, the sanction would remain established at 8,000 euros, resolving the procedure with the imposition of this sanction. In the same way, at any time prior to the resolution of the present procedure, carry out the voluntary payment of the proposed sanction, which It will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 8,000 euros and its payment will imply the termination of the process. The reduction for the voluntary payment of the sanction is cumulative to the one that corresponds apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the term granted to formulate allegations to the opening of the procedure. Voluntary payment of the referred amount in the previous paragraph it may be done at any time prior to the resolution. In In this case, if both reductions were to apply, the amount of the sanction would be established at 6,000 euros. In any case, the effectiveness of any of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or recourse in process administrative against the sanction. In the event that you choose to proceed to the voluntary payment of any of the amounts indicated above, 8,000 euros or 6,000 euros, must be paid by your deposit in the account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection at Banco CAIXABANK, SA, indicating in the concept the procedure reference number that appears in the heading of this document and the reason for reduction of the amount to which welcomes. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 12 12/14 Likewise, you must send the proof of income to the General Subdirectorate of Inspection to continue the procedure in accordance with the quantity entered. The procedure will have a maximum duration of nine months from the date of the initiation agreement or, if applicable, the draft initiation agreement. After this period will expire and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that pursuant to the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. Sea Spain Martí Director of the Spanish Agency for Data Protection >> SECOND : On March 9, 2020, the requested party has paid the sanction in the amount of 6,000 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 13 13/14 THIRD : The payment made, within the period granted to make allegations to the opening of the procedure, implies the waiver of any action or recourse administrative against the sanction and the recognition of responsibility in relation to the facts referred to in the Home Agreement. FUNDAMENTALS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, on Personal Data Protection and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in the article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, of the Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the heading " Termination in sanctioning procedures " provides as follows: "one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the sanction that proceed. 2. When the sanction is solely pecuniary or fits impose a pecuniary and a non-pecuniary sanction , but it has been justified the inadmissibility of the second, the voluntary payment by the alleged responsible, in any time prior to the resolution, will imply the termination of the procedure, except with regard to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, to less, 20% on the amount of the proposed sanction, these being cumulative each. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or waiver of any administrative action or recourse against the sanction. The reduction percentage provided in this section may be increased by regulation. In accordance with the above, the Director of the Spanish Agency for Data Protection RESOLVES : FIRST: DECLARE the termination of the procedure PS / 00008/2020 , of in accordance with the provisions of article 85 of the LPACAP. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 14 14/14 SECOND: NOTIFY this resolution to OLIVEROS USTRELL, SL . In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which ends the administrative route as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, of the Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from day after notification of this act, as provided in article 46.1 of the referred Law. Sea Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es