AEPD - PS/00010/2020
|AEPD - PS/00010/2020|
|Relevant Law:||Article 6(1)(a) GDPR|
Article 6(1)(b) GDPR
Article 83(2)(b) GDPR
Article 83(2)(g) GDPR
Article 83(5) GDPR
|Parties:||Telefónica Móviles España|
|National Case Number/Name:||PS/00010/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Agencia Espñola Protección de Datos (AEPD) fined telecoms company Telefonica Mobiles España €70,000 for erroneously processing a customer's data to issue invoices for services associated with another person.
Telefonica Mobiles España (the respondents) charged the complainant's current account on a recurring basis from 2 January - 2 November 2018, for the use of two telephone lines that she did not contract to or authorise. It was then discovered that the holder of one of these lines, for whose usage the complainant had been charged for ten months, was a third party; the respondents later acknowledged that this was the result of a transcription error.
Did the respondents have a lawful basis for recording the claimant's personal data in their files and then processing it to issue invoices for services associated with another person?
The AEPD held that the telecoms company 's actions were a breach of Article 6(1) GDPR. Article 6(1) does not apply here because they failed to prove that they had a lawful basis for processing the complainant's data in such a case.
In its decision the AEPD referred to the lawful bases of Article 6(1)(a) and 6(1)(b) in particular, stating that the actions of the respondents were in breach of Article 6(1) GDPR because the complainant's personal data had been incorporated into the company's information systems without proving that the complainant had legitimately contracted to do so, or that the complainant had given her consent for the collection or subsequent processing in this case, or that there was any other factor that would have made the processing lawful.
Aggravating and mitigating factors for the fine: In determining the size of the fine pursuant to Article 83(5), the AEPD stated that Articles 83(2)(b) (the "unintentional but signficant negligent" character of the infringement) and 83(2)(g) (the categories of personal data affected by the infringement - in this case "basic personal identifiers") both applied as aggravating factors.
Under Spanish law, Telefonica Mobiles España has a little over a month to pay the fine, unless they decide to appeal the decision, in which they have a one or two months from the day of the notification of the decision to do so, depending on the avenue they pursue.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Style ID: PS/00010/2020 938-300320 DECISION ON DISCIPLINARY PROCEEDINGS From the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: Mrs. A.A.A. (hereinafter, the complainant) on 22 May 2019 filed a complaint with the Spanish Data Protection Agency. The complaint is directed against Telefónica Móviles España, S.A.U. with NIF A78923125 (hereinafter, the claimant). The reasons on which your complaint is based are that there have been recurrent charges on your current account corresponding to the telephone lines ***TELÉFONO.1 and ***TELÉFONO.2 which you did not contract, nor did you authorize them. It adds that the holder of the line ***TELÉFONO.2 is a third party due to a credit made to his bank account by the latter. It also points out that the events took place between 2 January and 2 November 2018. And, among other things, it provides the following documentation: • Bank debit documents for January, May, July, August, September, October and November 2018 • Bank document from Telefónica, with the third party as the beneficiary and the claimant's bank account number. SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, the Subdirectorate General of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD). As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been requested. The following points are also noted: • The documentation provided by the claimant includes Telefónica's debits to its bank account corresponding to the mobile telephone lines ***TELÉFONO.1 and ***TELÉFONO.2. • It appears from the documentation provided by the claimant that her current account was credited by Telefónica and a third party as beneficiary. On May 22, 2019, this Agency received a letter of allegations from Telefónica stating that these lines were active from November 22, 2017 until they were cancelled at the request of the claimant on August 30, 2018, and that on this date they cancelled the only invoice generated on January 1, 2018 for an amount of 0.33 euros in relation to the line ***TELÉFONO.1. They indicate that the claimant's data were never reported to credit and equity files. And they provide the following documentation: - Copy of the cancellation invoice of 1 January 2018 for the telephone line ***PHONE.1. - Screenshots of your phone line bill cancellation systems ***PHONE.2. - Copy of the Merger + contract that includes both lines, as well as a copy of the contracts of lines ***TELÉFONO.1 and ***TELÉFONO.3. THIRD: On January 24, 2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the defendant, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, 2011, on the Common Administrative Procedure of Public Administrations (hereinafter referred to as LPACAP), for the alleged infringement of Article 6.1 of the RGPD, as defined in Article 83.5 of the RGPD. FOURTH: Having been notified of the above-mentioned agreement, the defendant requested an extension of the period initially granted to make representations and subsequently submitted a written statement of allegations in which, in summary, it states: "that a transcription error occurred since, as the Agency itself indicates, it is accredited by the screen provided and invoices that the correct address is C/ ***DIRECCIÓN.1, ***LOCALIDAD.1However, all the invoices and the debt associated to the name of the claimant were cancelled as soon as the facts were known, and it is not possible at present to locate the contract of the line ***TELÉFONO.2, proceeding as soon as the facts are known to cancel all the invoices generated, and at no time are the data included in the files of patrimonial solvency and credit. It is agreed to reduce the sanction initially imposed in this sanctioning procedure". FIFTH: On February 19, 2020, the period for the practice of evidence began, and it was agreed: 1. To consider the claim filed by the claimant and its documentation, the documents obtained and generated that form part of the file, as reproduced for evidential purposes, and 2. SIXTH: The Motion for Resolution was notified on June 8, 2020, for the alleged infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, proposing a fine of 70,000 euros. The Respondent presented allegations to the Motion for Resolution on June 22, 2020, affirming and ratifying in its brief of allegations dated February 14, 2020, presented to the Agreement of initiation of the File PS/00010/2020, requesting to reduce the sanction proposed in the present sanctioning procedure, considering it disproportionate. PROVEN FACTS 1.- It is recorded that there have been recurrent charges on the claimant's current account corresponding to the telephone lines ***TELÉFONO.1 and ***TELÉFONO.2 which she did not contract, nor did she authorize them. 2.- The holder of the line ***TELÉFONO.2 is a third party due to a credit made to the claimant's bank account by the claimed. 3.- The events took place between January 2 and November 2, 2018. 4.- Bank documents of the claimant corresponding to January, May, July, August, September, October and November 2018. 5.- It consists of a bank document of credit from Telefónica, with the third party as the beneficiary and the claimant's bank account number. 6.- The entity complained of acknowledges this error and states that it is a transcription error and that it has not been able to locate the contract for the line ***TELÉFONO.2. LEGAL FOUNDATIONS I The Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of Article 58.2 of the RGPD and Articles 47 and 48.1 of the LOPDGDD. II The defendant is accused of committing an infringement for breach of Article 6 of the RGPD, "Legality of processing", which indicates in its paragraph 1 the cases in which the processing of third party data is considered lawful: "1. Treatment shall be lawful only if at least one of the following conditions is met: a) the data subject has given his or her consent to the processing of his or her personal data for one or more specified purposes; b) the processing is necessary for the execution of a contract to which the party concerned is a party or for the application at his request of pre-contractual measures; (...)". The infringement is defined in Article 83.5 of the RGPD, which considers it as such: "“5. Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, of up to 4% of its total annual turnover in the preceding business year, whichever is the greater a) The basic principles for treatment, including conditions for consent under Articles 5, 6, 7 and 9. Article 72 of the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), under the heading "Infringements considered very serious" provides: "In accordance with the provisions of Article 83(5) of Regulation (EEC) No 2016/679, infringements that substantially violate the articles mentioned therein, and in particular the following, are considered very serious and shall be subject to a three-year limitation period: (…) b) The processing of personal data without meeting any of the conditions for the lawfulness of processing laid down in Article 6 of Regulation (EU)2016/679. III The documentation in the file provides evidence that the defendant violated Article 6.1 of the RGPD since it processed the personal data of the complainant without having any legitimacy to do so. The claimant's personal data were incorporated into the company's information systems, without her proving that she had legitimately contracted, had her consent to the collection and subsequent processing of her personal data, or that there was any other cause that made the processing carried out lawful. It can be deduced that the contracts provided (Movistar Fusión) where the claimant appears as the holder, refer to the numbers ***TELÉFONO.3 as the first line and ***TELÉFONO.1 as the second line. There is no indication of the type of contract or place of contracting of the line ***TELÉFONO.2. That the mobile telephone lines were contracted in the physical store of Movistar in ***LOCALIDAD.2 located in the street ***DIRECCIÓN.2. These contracts correspond to the lines ***TELÉFONO.1 and ***TELÉFONO.3, not to the line ***TELÉFONO.2 indicated by the claimant. The respondent states that the invoices were sent to the claimant's address listed in their systems in the town of Lugo, while it has been possible to verify that the address listed in the contracts, and in the screen prints of their systems, is the one indicated by the claimant at the time of filing the complaint with this Agency, in the town of ***LOCALITY.1. In the screen printout of the cancellation of debts on line ***TELÉFONO.2, it is verified that it has a different NIF identifier from that of the claimant. It should be noted that the defendant acknowledges this error and states that it is a transcription error and that it has not been able to locate the contract for the line ***TELÉFONO.2. The claimant's personal data was recorded in the files of the claimed person and was processed for the issuance of invoices for services associated with the claimant. As a result, the personal data has been processed without having accredited the legal authorization to do so. However, and this is the essential point, the claimed does not prove the legitimacy of the processing of the claimant's data. In short, the respondent has not provided any document or evidence to show that the entity, in such a situation, would have shown the minimum diligence required to verify that its interlocutor was in fact the one it claimed to have. Respect for the principle of lawfulness, which is at the heart of the fundamental right to protection of personal data, requires evidence that the controller has taken the necessary steps to prove this. If this is not done - and if this Agency, which is responsible for ensuring compliance with the regulations governing the right to protection of personal data, does not demand it - the result would be to empty the principle of lawfulness of its content. IV In accordance with the provisions of Article 83.1 and 83.2 of the RGPD, in deciding whether to impose an administrative fine and the amount thereof in each individual case, account shall be taken of the aggravating and mitigating factors listed in the aforementioned article, as well as of any other factor that may be applicable to the circumstances of the case. "Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive. "Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. In deciding whether to impose an administrative fine and the amount of the fine in each individual case, due account shall be taken of the circumstances of the case: a) the nature, seriousness and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damages they have suffered b) the intentionality or negligence of the infringement; c) any measure taken by the controller or processor to mitigate the damages suffered by the data subjects; d) the degree of responsibility of the person responsible or the processor, taking into account the technical or organisational measures they have implemented under Articles 25 and 32; e) any previous offence committed by the person responsible for or in charge of the processing; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and to mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the person responsible for or in charge of the infringement notified it; i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible for or in charge of the same case, compliance with those measures; j) adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement. With regard to article 83.2 (k) of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides: "2. In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, they may also be taken into account: a) The continuing nature of the infringement. b) The link between the activity of the offender and the processing of personal data. c) The benefits obtained as a result of the commission of the infringement. d) The possibility that the conduct of the person concerned could have led to the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) To have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested party". Consequently, they have been taken into account as aggravating factors: - In the present case we are dealing with an unintentional but significant negligent action identified (section 83.2b). - Basic personal identifiers (name, an identification number, the line identifier) are affected (section g). The balance of the circumstances referred to in Article 83.2 of the RGPD, with respect to the infringement committed by violating the provisions of Article 6 thereof, allows for a penalty of 70,000 euros (seventy thousand euros), classified as "very serious", for the purposes of prescription, in Article 72.1.b) of the LOPDGDD. Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of the penalties whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE TELEFONICA MOVILES ESPAÑA, S.A.U. with NIF A78923125, for an infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 70,000 Euros (seventy thousand Euros). SECOND: NOTICE this resolution to TELEFONICA MOBILES ESPAÑA, S.A.U. THIRD: To warn the sanctioned party that he/she must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in article. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to art. 62 of Law 58/2003, of 17 December, by means of its payment, indicating the tax identification number of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account nº ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency in the banking institution CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period. Once the notification has been received and once it has been executed, if the date of execution is between the 1st and 15th of each month, inclusive, the period for making the voluntary payment will be up to the 20th of the following month or the immediately following working month, and if it is between the 16th and last day of each month, inclusive, the period for payment will be up to the 5th of the second following month or the immediately following working month. In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, data subjects may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly lodge an administrative appeal with the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send the Agency the documentation that accredits the effective filing of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it will terminate the precautionary suspension. Mar España Marti Director of the Spanish Data Protection Agency