AEPD (Spain) - PS/00008/2020

From GDPRhub
Revision as of 08:38, 26 March 2020 by AL (talk | contribs)
AEPD - PS-00008-2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 19.03.2020
Fine: 6,000 EUR
Parties: n/a
National Case Number/Name: PS-00008-2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish data protection authority (AEPD) imposed a fine of 6,000 EUR on Oliveros Ustrell because the company could not prove the existence of consent for data processing activities, including the transfer of data to Vodafone.

English Summary

Facts

The AEPD found different data processing activities related to the claimant. The claimant argued that he had received a message from Vodafone about a purchase made in a physical shop. The complainant denies that this purchase actually happened.

Further, a seller from Oliveros Ustrell forwarded an unsigned number portability contract to Vodafone concerning the claimant. Oliveros Ustrell was unable to provide proof of the order.

In addition, the AEPD could not find a legal basis for the collection and processing of personal data on the information systems of the Oliveros Ustrell.

Dispute

Whether the collection and process of personal data from Oliveros Ustrell was based on consent.

Holding

Since the AEPD did not receive evidence of the existence of consents for the different data processing activities and no other justifications apply, the AEPD considered these activities as unlawful.

The original amount of the fine was set up to EUR 10,000. The AEPD considered the voluntarily payment from Oliveros Ustrell of the fine and therefore deducted the amount to EUR 6,000.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Page 1
1/14
936-031219
Procedure No.: PS / 00008/2020
RESOLUTION R / 00166/2020 OF TERMINATION OF THE PAYMENT PROCEDURE
VOLUNTARY
In the sanctioning procedure PS / 00008/2020, instructed by the Agency
Spanish Data Protection to OLIVEROS USTRELL, SL , given the complaint
presented by AAA , and based on the following,
BACKGROUND
FIRST: On February 13, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against OLIVEROS
USTRELL, SL (hereinafter, the claimed), through the Agreement that is transcribed:
<<
Procedure No.: PS / 00008/2020
935-240719
AGREEMENT TO INITIATE PENALTY PROCEDURE
Of the actions carried out by the Spanish Agency for the Protection of
Data and based on the following:
ACTS
FIRST: Ms. AAA (hereinafter, the claimant) dated February 25, 2019
filed a claim with the Spanish Agency for Data Protection. The
claim is directed against Oliveros Ustrell, SL, with NIF B62884721 (hereinafter, the
claimed).
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 2
2/14
The reasons on which your claim is based are that you received a message from
Vodafone España, SAU (hereinafter Vodafone) thanking you for a purchase
that you do not recognize, made in a physical store of which you were a customer.
Thus, check through the mobile application of
Vodafone that carried out a portability contracted in your name and with your data
banking.
Well, in the store request the contract that you have supposedly signed, but
they deny it and they recognize that it is a habitual practice that they carry out: they buy
Lycamobile prepaid cards and carry portabilities to customers of your store. In
When you are aware of these facts, the cover line is removed.
On the other hand, it indicates that the events took place on *** DATE.1
And, among others, it provides the following documentation:
 Vodafone service contract for number portability *** TELEPHONE.1
from Lycamobile.
 Copy of the claim form completed by the claimant in which
claims that (i) their identity has been supplanted, (ii) their data has been processed
personal and banking at your convenience and (iii) have made a contract at your
name without your consent.
SECOND: In view of the facts denounced in the claim and the
documents provided by the claimant and the facts and documents from which it has
This Agency, the Subdirectorate General for Data Inspection, had knowledge
proceeded to carry out preliminary investigation actions for the
clarification of the facts in question, under the powers of investigation
granted to supervisory authorities in article 57.1 of Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and
pursuant to the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).
As a result of the investigation actions carried out, it is found
that the data controller is the one claimed.
Also, the following points are found:
The background information is as follows:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 3
3/14
On April 10, 2019, within file E / 04042/2019, it was
transfers the claim to the claimed via the Notific @ service requesting (i) the
decision adopted in connection with this claim, (ii) in the event of exercising
the rights regulated in articles 15 to 22 of the RGPD, accreditation of the
response provided to the complainant, (iii) report on the causes that have motivated the
incidence that has originated the claim, (iv) report on the measures adopted
to avoid similar incidents, implementation dates and controls
made to verify its effectiveness and (v) any other that it considers relevant.
The notification is automatically rejected after 10 days have elapsed without
have been accessed.
On April 22, 2019, within file E / 04042/2019, it was
reiterates the transfer of the claim to the claimed through the postal services
which is returned with the result "Returned to Origin by Unknown on 04/24/2019".
On the signing date of August 19, 2019, it was agreed to admit the
claim presented by the claimant against OLIVEROS USTRELL, SL
 Information request has been made to the requested party regarding (i)
consent of the interested party for the processing of personal data and
banks in the realization of the portability contract, (ii) copy of the contract
original made in store, and (iii) report on the causes that have motivated the
incident that caused the claim, dated October 9, 2019
received at this Agency, with registration number 047698/2019, written from
allegations forwarded by the defendant stating that it does not have
any documentation related to the data of the related operation
with the claimant, and that this is because the operations were performed by a
employee who left the company without knowing his current whereabouts and
without being able to recover said operation by any means.
 Information request made to Vodafone about the hiring of
unsigned portabilities and on the ported telephone number, dated
November 11, 2019 is received at this Agency, with registration number
054686/2019, brief sent by the operator stating that the
Portabilities are formalized through a contract signed by the client in a
that the contract model includes the signature fields necessary for the
previous client authorizes the change of owner and the new client authorizes the
portability. The contract can be signed digitally or manually:
- When the digital signature option is chosen, the contract signed by the client
dumps directly into "Docuweb". The system should not move forward if it is missing
any of the 2 signatures in the portability and change boxes.
- When the manual signature option is chosen, the order advances in any case and
the store is required to keep an original copy of the contract signed by
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 4
4/14
the customer and send this copy to "Docout" for custody. Docout reviews
if the contract reaches your office and informs us otherwise.
Regarding the number carried, they report that he was discharged from 26
February 2019 until February 28, 2019, the date on which the
final loss.
FUNDAMENTALS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,
The Director of the Spanish Agency for Data Protection is competent to initiate
and to solve this procedure.
II
Article 58 of the RGPD, " Powers ", says:
"2 Each supervisory authority shall have all the following powers
corrective indicated below:
(…)
b) sanction any person responsible or responsible for the treatment with warning
when the processing operations have violated the provisions of this
Regulation;
(...)
d) order the data controller or processor that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period.
(…)
i) impose an administrative fine pursuant to article 83, in addition to or instead of
measures mentioned in this section, depending on the circumstances of the case
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 5
5/14
particular
(…) ”
III
The RGPD deals in its article 5 with the principles that must govern the
treatment of personal data and mentions among them that of " legality, loyalty and
transparency". The precept provides:
"1 . The personal data will be:
a) Treaties in a lawful, loyal and transparent manner in relation to the
interested (<< legality, loyalty and transparency >>); ”
Article 6 of the RGPD, “ Lawfulness of treatment ”, details in its section 1 the
Assumptions in which the processing of third-party data is considered lawful:
"one. The treatment will only be lawful if at least one of the following is met
terms:
a) the interested party gave their consent for the processing of their data
personal for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the
interested party or for the application at the request of this measures
pre-contractual;
(…) ”
The infraction for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading " General conditions for
the imposition of administrative fines ”, states:
"5 . Violations of the following provisions will be sanctioned, according
with paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
total global annual turnover of the previous financial year, opting for
the largest amount:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 6
6/14
a) The basic principles for treatment, including conditions for
consent pursuant to articles 5,6,7 and 9. "
Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading “ Infractions
considered very serious ” states:
"one. In accordance with the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned therein and, in
In particular, the following:
(…)
b) The processing of personal data without any of the
conditions of lawfulness of the treatment established in article 6 of the
Regulation (EU) 2016/679. ”
IV
The documentation in the file offers evidence that the
claimed, violated article 6.1 of the RGPD , since it carried out the treatment of the
Claimant's personal data without her consent. The personal data of the
claimant were incorporated into the company's information systems, without
has proven that it had its consent for the collection and treatment
later of your personal data.
Based on the above, in the case analyzed, it remains
questioned the diligence used by the defendant to identify the
person who contracted on behalf of the claimant.
The Administrative Litigation Chamber of the National Court, in
assumptions such as the one presented here, has considered that when the owner of the
data denies the hiring the burden of proof corresponds to those who affirm their
existence, and the person responsible for the data processing of third parties must collect and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 7
7/14
keep the necessary documentation to prove the owner's consent.
We cite, for all, the SAN of 05/31/2006 (Rec. 539/2004), Law Foundation
Room.
Well, it follows that the claimant received a message about portability and,
in the contract obtained through the Vodafone client mobile application
contributed by the claimant, all the spaces for the signatures of the
blank customers.
On the other hand, according to Vodafone, it is mandatory that the store
keep these contracts, but the claimed party states that for other reasons,
it has documentation on the portability indicated in the claim. Exists
evidence, in the contract provided by the claimant, that the contract for
portability in the physical store of the claimed and that the contract is unsigned.
Although the company states that portability does not occur if it is missing
any of the signatures, the contract obtained by the claimant through the application
for Vodafone mobile contains all the spaces for the signatures of the
blank headlines.
However, and this is the essential, the defendant does not prove the legitimacy for
the treatment of the claimant's data.
Ultimately, the defendant has not provided a document or evidence
some that shows that the entity, in such a situation, had deployed the
minimum due diligence to verify that indeed your interlocutor was the one
claimed to flaunt.
Respect for the principle of legality that is at the core of the fundamental right
of personal data protection requires that it be proven that the
responsible for the treatment deployed the essential diligence to prove that
extreme. If this Agency does not act in this way - and this Agency does not demand it, it is incumbent on it
for compliance with regulatory regulations of the data protection right of
personal character - the result would be to empty of content the principle of legality.
V
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 8
8/14
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate :
"Each supervisory authority will guarantee that the imposition of fines
administrative under this article for violations of this
Regulations indicated in sections 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "
" Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). In deciding the imposition of a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, seriousness and duration of the infringement, taking into account the
nature, scope or purpose of the treatment operation in question
as well as the number of affected parties and the level of damage and
damages they have suffered;
b) the intent or negligence of the infraction;
c) any action taken by the controller or processor
to mitigate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the
treatment, taking into account the technical or organizational measures that have
applied under articles 25 and 32;
e) any previous infraction committed by the person in charge or the person in charge of the
treatment;
f) the degree of cooperation with the supervisory authority in order to put
remedy the violation and mitigate the possible adverse effects of the violation;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement,
in particular if the person in charge or the person in charge notified the infringement and, in such
case, to what extent;
i) when the measures indicated in Article 58 (2) have been
previously ordered against the person in charge or the person in charge
in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms
of certification approved pursuant to article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 9
9/14
or indirectly, through the infraction. ”
Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
" Sanctions and corrective measures" provides:
"two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
a) The continued nature of the offense.
b) The link of the activity of the offender with the performance of data processing
personal.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected party could have induced the commission of
the offense.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not required, a data protection officer.
h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. ”
In accordance with the precepts transcribed, and without prejudice to what results from the
instruction of the procedure, in order to fix the amount of the fine sanction to impose
in the present case the party claimed is considered responsible for an infringement
typified in article 83.5.a) of the RGPD , in an initial assessment, they are considered concurrent
the following factors.
As aggravating the following:
-
The intent or negligence of the offense (article 83.2 b).
-
Basic personal identifiers (name, data) are affected
banks, the line identifier) ​​(article 83.2 g).
That is why it is considered appropriate to graduate the sanction to be imposed on the claimed and
fix it at the amount of € 10,000 for the violation of article 6.1 of the RGPD.
Therefore, in light of the above,
By the Director of the Spanish Agency for Data Protection,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 10
10/14
HE REMEMBERS:
1. INITIATE SANCTIONING PROCEDURE to Oliveros Ustrell, SL, with
NIF B62884721, for the alleged violation of article 6.1. of the RGPD
typified in article 83.5.a) of the aforementioned RGPD.
2. TO appoint D. BBB as instructor and Dña. CCC as secretary ,
indicating that any of them may be challenged, if applicable,
in accordance with the provisions of articles 23 and 24 of Law 40/2015, of 1
October, Legal Regime of the Public Sector (LRJSP).
3. INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its attached documentation, the
information requirements that the General Inspection Subdirectorate of
Data sent to the entity claimed in the preliminary investigation phase and
their respective acknowledgments of receipt.
4. THAT for the purposes provided in art. 64.2 b) of the law 39/2015, of 1 of
October, of the Common Administrative Procedure of the Administrations
Public, the sanction that could correspond would be 10,000 euros (ten
thousand euros), without prejudice to what results from the instruction.
5. NOTIFY this agreement to Oliveros Ustrell, SL, with NIF
B62884721, granting you a hearing period of ten business days to
to formulate the allegations and present the evidence that it considers
convenient. In your statement of allegations you must provide your NIF and the
procedure number at the top of this
document.
If, within the stipulated period, no allegations are made to this initial agreement, the same
may be considered a resolution proposal, as established in the article
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 11
11/14
64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, in the event that the
sanction to be imposed were a fine, you can recognize your responsibility within the
term granted for the formulation of allegations to this initial agreement; the
which will entail a reduction of 20% of the sanction to be imposed in
the present procedure. With the application of this reduction, the sanction would remain
established at 8,000 euros, resolving the procedure with the imposition of this
sanction.
In the same way, at any time prior to the resolution of the present
procedure, carry out the voluntary payment of the proposed sanction, which
It will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 8,000 euros and its payment will imply the termination of the
process.
The reduction for the voluntary payment of the sanction is cumulative to the one that corresponds
apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the term granted to formulate
allegations to the opening of the procedure. Voluntary payment of the referred amount
in the previous paragraph it may be done at any time prior to the resolution. In
In this case, if both reductions were to apply, the amount of the sanction would be
established at 6,000 euros.
In any case, the effectiveness of any of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or recourse in process
administrative against the sanction.
In the event that you choose to proceed to the voluntary payment of any of the amounts
indicated above, 8,000 euros or 6,000 euros, must be paid by
your deposit in the account number ES00 0000 0000 0000 0000 0000 opened in the name of the
Spanish Agency for Data Protection at Banco CAIXABANK, SA, indicating
in the concept the procedure reference number that appears in the
heading of this document and the reason for reduction of the amount to which
welcomes.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 12
12/14
Likewise, you must send the proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.
The procedure will have a maximum duration of nine months from the
date of the initiation agreement or, if applicable, the draft initiation agreement.
After this period will expire and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is pointed out that pursuant to the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.
Sea Spain Martí
Director of the Spanish Agency for Data Protection
>>
SECOND : On March 9, 2020, the requested party has paid the
sanction in the amount of 6,000 euros making use of the two planned reductions
in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 13
13/14
THIRD : The payment made, within the period granted to make allegations to
the opening of the procedure, implies the waiver of any action or recourse
administrative against the sanction and the recognition of responsibility in relation to
the facts referred to in the Home Agreement.
FUNDAMENTALS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, on Personal Data Protection and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in the article
43.1 of said Law.
II
Article 85 of Law 39/2015, of October 1, of the Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the heading
" Termination in sanctioning procedures " provides as follows:
"one. Initiated a sanctioning procedure, if the offender acknowledges his
responsibility, the procedure may be resolved with the imposition of the sanction
that proceed.
2. When the sanction is solely pecuniary or fits
impose a pecuniary and a non-pecuniary sanction , but it has been justified
the inadmissibility of the second, the voluntary payment by the alleged responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except with regard to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offense.
3. In both cases, when the sanction is solely pecuniary in nature,
the competent body to resolve the procedure will apply reductions of, to
less, 20% on the amount of the proposed sanction, these being cumulative
each. The aforementioned reductions must be determined in the notification of
initiation of the procedure and its effectiveness will be conditioned to the withdrawal or
waiver of any administrative action or recourse against the sanction.
The reduction percentage provided in this section may be increased
by regulation.
In accordance with the above,
the Director of the Spanish Agency for Data Protection RESOLVES :
FIRST: DECLARE the termination of the procedure PS / 00008/2020 , of
in accordance with the provisions of article 85 of the LPACAP.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 14
14/14
SECOND: NOTIFY this resolution to OLIVEROS USTRELL, SL .
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
Against this resolution, which ends the administrative route as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, of the Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within two months from
day after notification of this act, as provided in article 46.1 of the
referred Law.
Sea Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es