Difference between revisions of "AEPD - PS/00014/2020"

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
(No difference)

Latest revision as of 11:42, 1 August 2020

AEPD - PS/00014/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: n/a
Fine: 75.000 EUR
Parties: n/a
National Case Number/Name: PS/00014/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: dataguidance.com (in ES)
Initial Contributor: Pablo Rossi

AEPD has fined Telefónica Móviles España EUR 75,000 for a violation of article 6 GDPR. The claimed company carried out the portability of the claimant's telephone line without his consent.

English Summary[edit | edit source]

Facts[edit | edit source]

The portability of the claimant's phone line was carried out without his consent. The telephone service was being provided by YOIGO , who transferrred the claimant's personal data to Telefonica. After this transfer, Telefonica carried out the change of ownership of the line.

Telefonica claimed that there was a human mistake, but the portability was not effectively carried out until six days after this error, leaving plenty of time for the claimant to contact the them. However, the claimant did not file any claim for cancellation of the portability process until one year after this event. During this time, the line was operating correctly at all times, without any incidents.



Dispute[edit | edit source]

Should the unconsented portability of a telephone line be considered a violation of article 6 of the GDPR?

Holding[edit | edit source]

AEPD considered that despite the existence of a human mistake (the petitioner of the portability and the owner of the line had different names and surnames), this does not prevent the actions of Telefonica from being considered as data processing without appropriate legal basis, in contravention of Article 6(1) GDPR. The unintentional negligent action by Telefónica, and the fact that the personal data affected (name and telephone line identification number) are basic personal identifiers were determining aggravating factors, setting the amount of the fine at EUR 75,000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS / 00014/2020
RESOLUTION OF PENALTY PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: AAA ( hereinafter, the claimant) on October 14, 2019 filed a claim with the Spanish Agency for Data
Protection. The
claim is directed against TELEFONICA MOVILES ESPAÑA, SAU
The reasons on which the claim is based are the portability of the telephone line
SAU without your consent.
Until that day, the telephone service was provided by YOIGO, who, according to the claimant, transfers his
personal data without his authorization to the company. TELEFÓNICA MÓVILES ESPAÑA, SAU and this
executes the action changing the ownership of the line, causing the loss of said line.
* * * TELEPHONE 1 of which he is the owner, to the company TELEFÓNICA MÓVILES ESPAÑA,
SECOND: In view of the facts denounced in the claim and the documents provided by the claimant / the facts
and documents of which this Agency has been informed, the General Sub-Directorate for Data Inspection
proceeded to carry out previous actions on investigation to clarify the facts in question, by virtue of the
investigative powers granted to the supervisory authorities in article 57.1 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), and of In accordance with the provisions of Title VII,
Chapter I, Second Section, of the Organic Law 3/2018, of December 5, on the Protection of Personal Data
and guarantee of digital rights (hereinafter LOPDGDD).
As a result of the investigation actions carried out, the following facts are found:
In case E / 10113/2018, the claim is transferred to
notification date of December 17, 2018 and December 27, 2018, respectively, requesting to submit a report
on the causes that have motivated the incident that caused the claim, and on the measures adopted to
prevent similar incidents from occurring.
TELEFÓNICA MÓVILES ESPAÑA, SAU ( hereinafter the claimed) presents a brief of allegations
stating that the number *** TELEPHONE 1 It was imported to the one claimed from YOIGO on 11/05/2018 at
02:00 a.m.
TELEFÓNICA MÓVILES ESPAÑA, SAU and XFERA MÓVILES, SA (YOIGO) with
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
2/8
It indicates that in the cases of portability of lines, the agent must transfer the call to the entity that
verifies mobile portability prior to the insertion of the portability request that triggers the Technical
Specification approved by the National Market Commission and the Competition (hereinafter CNMC) for the
change of operator, but due to a specific failure of the agent who processed the discharge in the service,
portability was inserted prior to verification by a third party contrary to what was dictated in the norm.
The defendant provides the recordings of the registration request for portability and the call for
verification of verbal consent by a third party.
The defendant adds that the registrant requested that the verification call be made after the request
and that once the verification was made, three SMS were sent to the line owner in order to inform and offer
the possibility of canceling said operation .
The mobile portability operation implemented in said operator contemplates in the general portability
procedure the sending of a series of informative SMS to the telephone number that is going to be carried,
informing of the different steps through which the request made passes, but does not provide accreditation of
shipments made to this line.
The defendant also alleges that she had no record of any claim until September 18, 2019; date on
which the Arbitration Board of
* * * LOCATION. 1 submits to this Company a claim filed in connection with this process at the end of
November 2018, practically one year after the facts claimed took place. The arbitration hearing was held on
October 10, 2019 and the requested party is pending receipt of the notification of the arbitration award issued
in order to comply with its content.
The claimed operator concludes its allegations stating that currently the ownership of the line
belongs to the portability applicant, not the complainant.
And, among others, they attach the following documents.
- Recording of the discharge telephone conversation dated October 31, 2018
- Call recording Verification of verbal consent of portability dated November 1,
2018.
- Copy of the summons at the arbitration hearing
- Transfer of the claim
THIRD: On February 4, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a
sanctioning procedure for the person claimed, in accordance with the provisions of articles 63 and 64 of Law
39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of article 6 of the RGPD, typified in article
83.5 of the RGPD.
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
3/8
FOURTH: Once the aforementioned initial agreement has been notified, the defendant submitted an
allegation brief on February 24, 2020, in which, in synthesis, he stated that despite having made the
portability request insertion on October 31, 2018, this it does not occur effectively until November 5, 2019, the
claimant having had a period of six (6) days to contact the claimant.
However, the claimant does not file any claim or request for cancellation of the portability process,
and no incident reported by the claimant to said operator in relation to this request until September 18, 2019,
that is, almost a year later that the events denounced, object of the present claim, took place and during that
time the line was working correctly at all times and without any type of incident. Additionally, the claimed party
has the recording of the claimant's consent to carry her line dated November 2, 2018.
FIFTH: On March 3, 2020, the procedure instructor agreed to open a test practice period, taking into account
the previous investigation actions, E / 02655/2019.
SIXTH: On March 4, 2020, a motion for a resolution was formulated,
A78923125, for a violation of article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine of € 75,000
(seventy-five thousand euros)
SEVENTH: On June 8, 2020, the defendant sent a written statement expressing the following statements
“We reiterate that we are faced with punctual human error that would not affect the general
procedure established by TME for these cases.
Likewise, we inform the AEPD that despite the fact that the portability process had started, the
CLAIMANT was subsequently contacted to request their consent.
Regarding the presumed absence of consent for contracting, regulated in article 6.1 of Regulation
(EU) 2016/679 General Data Protection (hereinafter, "RGPD"), we must say that the aforementioned precept
of the RGPD does not require that consent be presented in writing or with certain formalities, but it does
require that the consent of those affected be "unequivocal", in this case it corresponds to my representative
to prove that the CLAIMANT has the consent. To this end, we refer to the recording dated November 2, 2018
that is already in the possession of the AEPD as conclusive evidence of the granting of said consent.
For all of the above and taking into account that our agent had committed the punctual human error
of starting the portability process prior to verification, from TME we consider that the CLAIMANT would have
lent his
proposing that the TELEFONICA MOVILES ESPAÑA, SAU with NIF
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
4/8
consent to carry out the portability of your line unequivocally days before the effective portability of the line.
Therefore, we insist that there has been no violation of the article
6.1 of the RGPD for the treatment of data regarding data protection. ”
PROVEN FACTS
FIRST: Portability of the phone line has been carried out
* * * TELEPHONE 1 of which the claimant is the owner, without his consent.
Until that day, the telephony service was provided by YOIGO, who, according to the claimant,
transfers his personal data without his authorization to the claimed company and it executes the action
changing the ownership of the line, causing the loss of said line.
SECOND: The claimed entity alleges that although the portability request is made on October 31, 2018, it is
not produced effectively until November 5, 2019, so the claimant has had six (6) days to contact the
requested party.
However, the claimant does not file any claim, nor request for cancellation of the portability process,
until September 18, 2019, almost a year later, and during all this time the line was working at all times
correctly and without any incidence type.
FUNDAMENTALS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as
established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is
competent to initiate and resolve this process.
II
Article 4.11 of the RGPD defines the “consent of the interested party” as any expression of free will,
specific, informed and unequivocal by which the interested party accepts, whether by means of a declaration
or a clear affirmative action, the processing of personal data that concerns him .
For its part, article 6.1 of the RGPD establishes that " The treatment will only be lawful if at least one
of the following conditions is met:
to) the interested party gave his consent for the processing of his personal data for one or more specific
purposes;
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
5/8
b) the treatment is necessary for the execution of a contract in which the interested party is a party or for
the application at its request of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the controller;
d) the treatment is necessary to protect the vital interests of the interested party or of another natural person;
and) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the
exercise of public powers conferred on the controller;
F) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller or by a
third party, provided that the interests or fundamental rights and freedoms of the interested party that
require the protection of personal data do not prevail over said interests, particularly when the interested be
a child. ”
III
In the present case, the portability of the telephone line is denounced
* * * TELEPHONE 1 without their consent. of which the claimant is the owner, to the operator claimed because it is produced
Said operator recognizes human error in the protocol followed to carry out the portability of the line object of
this claim, since the agent must
transfer the call to the mobile portability verification entity prior to the insertion of the portability request that
triggers the Technical Specification approved by the National Commission of Markets and Competition
(hereinafter CNMC) for the change of operator, but Due to a punctual failure of the agent who processed the
discharge in the service, portability was inserted prior to verification by a third party contrary to the provisions
of the regulation.
From the locutions provided to this Agency by the defendant, it appears that in the recording of the
portability maintained between the holder of the call and the agent of the claimed, it is verified that the
identification data of the interlocutor with the agent of the operator do not match those of the claimant and line
owner.
Note at this point that although the claimed is aware that the applicant's high-portability data is
different from that of the line owner and claimant, it is heard in the recording of the third-party verification that
this verifier asks the agent of the operator claimed, if the applicant corresponds to the name and surname of
the complainant that the verifier provides and to which said agent responds "YES".
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
6/8
From this fact, it can be deduced that the requested one allows the verification to continue despite
knowing that the portability applicant's data does not coincide with the line owner's data provided by the
verifier.
Thus, in accordance with the available evidence, it is considered that the operator claimed has used the data
of the claimant, to carry
out portability, from the phone line *** TELEPHONE 1 of which he is the owner, without his consent to the
contracting, or any other cause that legitimizes the treatment of his data.
The one claimed in response to the transfer of this claim provides recordings from which it appears
that the portability of a line was carried out with the knowledge that the participants, that is, the portability
applicant and the owner of the line, had different names and surnames , which triggered an unsolicited
portability by the owner of the line, that is, the claimant, and the loss of the corresponding telephone line,
thereby contravening the provisions of Circular 1/2009 of the National Commission for Markets and
Competition in its Annex I, section “ Processing of mobile portability requests ”Point 4, which indicates that the
verifier will request the client to provide or confirm the personal data of the owner and the data related to the
line and operators.
Therefore, the known facts are considered to be constitutive of an infraction, attributable to the
respondent, for an alleged violation of article 6 of the RGPD, indicated in reason II.
IV
Article 72.1.b) of the LOPDGDD states that “ Based on what is established in article 83.5 of
Regulation (EU) 2016/679, they are considered very serious and will prescribe after three years the
infractions that suppose a substantial violation of the articles mentioned in that one and, in particular, the
following:
c) The processing of personal data without any of the conditions of lawfulness of the treatment in article
6 of Regulation (EU) 2016/679. ”
V
Article 58.2 of the RGPD provides the following: “Each supervisory authority shall have all the following
corrective powers indicated below:
b) sanction any person responsible or responsible for the treatment with warning
when the processing operations have violated the provisions of these Regulations;
d) order the data controller or processor that the operations of
treatment complies with the provisions of this Regulation, where appropriate, in a certain way and within a specified
period;
i) impose an administrative fine pursuant to article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of each particular case;
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
7/8
SAW
This infringement can be sanctioned with a fine of a maximum of € 20,000,000 or, in the case of a company,
an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for
the largest amount, of in accordance with article 83.5 of the RGPD.
Likewise, it is considered that the sanction to be imposed should be graduated in accordance with the following
criteria established in article 83.2 of the RGPD:
As aggravating the following:
In the present case we are faced with unintentional negligent action, but identified significant (article 83.2 b)
Basic personal identifiers (name, an identification number, the line identifier) are affected, according to article
83.2 g)
•
•
Therefore, in light of the above,
By the Director of the Spanish Agency for Data Protection, IT IS AGREED:
FIRST: IMPOSE TELEFONICA MOVILES ESPAÑA, SAU with NIF
A78923125, for a violation of article 6 of the RGPD, typified in Article 83.5 of the RGPD, a fine of € 75,000
(Seventy-five thousand euros).
SECOND: NOTIFY this resolution to TELEFONICA MOVILES ESPAÑA,
SAU
THIRD: Warn the sanctioned that he must enforce the sanction imposed once this resolution is executive, in
accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations (hereinafter LPACAP), within the period of voluntary payment established
in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to
art. 62 of Law 58/2003, of December 17, by entering, indicating the NIF of the sanctioned and the procedure
number that appears in the heading of this document, in the restricted account no. ES00 0000 0000 0000
0000 0000, open in the name of the Spanish Agency for Data Protection in the bank CAIXABANK, SA.
Otherwise, it will be collected in the executive period.
Once the notification has been received and once it is enforced, if the enforcement date is between the
1st and 15th of each month, inclusive, the deadline for making the voluntary payment will be until the 20th of the
following month or immediately after business month, and if is between the 16th and last day of each month, both
inclusive, the payment term will be until the 5th of the second following month or immediately after business.
C / Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
8/8
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public
once the interested parties have been notified.
Against this resolution, which ends the administrative procedure pursuant to art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, those interested
may optionally file an appeal for reversal with the Director of the Spanish Agency for Data Protection within a
period of one month from day after notification of this resolution or directly administrative contentious appeal
before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of
article 25 and section 5 of the fourth additional provision of Law 29 / 1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of
this act, as provided for in article 46.1 of said Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm
resolution may be provisionally suspended in administrative proceedings if the interested party expresses his
intention to file a contentious-administrative appeal. If this is the case, the interested party must formally
communicate this fact by writing to the Spanish Agency for Data Protection, presenting it
to through of the Registry Electronic of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4
of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation
that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing
of the contentious-administrative appeal within two months from the day following the notification of this
resolution, it would terminate the precautionary suspension.