AEPD (Spain) - PS/00059/2020: Difference between revisions

From GDPRhub
mNo edit summary
(7 intermediate revisions by the same user not shown)
Line 31: Line 31:
|National_Law_Name_1=§ 21 LSSI
|National_Law_Name_1=§ 21 LSSI
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758
|National_Law_Name_3=§ 48(1)(b) LGT
|National_Law_Name_3=§ 48(1) LGT
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950


Line 54: Line 54:
}}
}}


The Spanish Data Protection Authority (AEPD) imposed a record fine of € 8.125.000 on Vodafone España due to the continuous and numerous violations of several provisions, including Articles 28 and 44 GDPR, the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Information Society Services Act] implementing the e-Privacy Directive and the [https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950 Spanish Telecommunications Act].
The Spanish Data Protection Authority (AEPD) imposed a record fine of €8,125,000 on Vodafone España due to the continuous and numerous violations of several provisions, including Articles 28 and 44 GDPR, the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Information Society Services Act] implementing the e-Privacy Directive and the [https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950 Spanish Telecommunications Act].


==English Summary==
==English Summary==


===Facts===
===Facts===
The AEPD launched an investigation on Vodafone  
The AEPD launched an investigation on Vodafone due to the high number of complaints received regarding unsolicited commercial communications. The AEPD found that 191 claimants held these complaints because Vodafone had sent the communications without previous consent or after they had exercised their right to object (mainly by soliciting to be included in the internal or general Robinson list), which would be an infringement of Article 21 LSSI (the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Information Society Services Act]). Additionally, the fact that Vodafone did not facilitate or gave an option to the claimants to exercise the right to object, and the unsolicited communications ''per se'', supposed a breach of Article 48(1) LGT (the [https://www.boe.es/buscar/act.php?id=BOE-A-2014-4950 Spanish Telecommunications Act]). 
 
The AEPD also notes that Vodafone has already been sanctioned several times in a short period of time (2 years) for the same reasons, and that they however have not been able to rectify the infringing behaviour. The AEPD has continued to receive claims based on the same facts by a high number of data subjects. 
 
The AEPD also discovered that there was lack of real, continuous, permanent and audited control of the processing operations carried out by the processors in which they relied to carry out part of their commercial actions. Many of the contracts or agreements performed between them were merely a checklist, and there was no further control or verification by Vodafone on whether they provided the adequate level of protection, measures and safeguards for the processing. 
 
Additionally, it was also found that Vodafone contracted with a processor that would carry processing of data in Peru, therefore transferring data to a third country, without ensuring an adequate level of protection in any way, as the contract did not make any reference to any kind of mechanism related to international transfers of data. 


===Dispute===
===Dispute===
Ongoing
Does the continuous sending of unsolicited communications to different data subjects, some of which have already opposed, constitute a violation of the LSSI and the LGT? Does the lack of control and verification of Vodafone on the obligations of the processors they contract with suppose a violation of Article 28 GDPR? Does the contracting with a Peruvian processor without ensuring the adequate level of protection constitute a violation of Article 44 GDPR?


===Holding===
===Holding===
The AEPD imposed Vodafone the following sanctions, resulting in a record fine of € 8125000:
The AEPD imposed on Vodafone the following sanctions, resulting in a record fine of € 8 125 000:


- A € 4.000.000 fine for the infringement of Article 28 GDPR: due to the hiring of processors who do not comply with adequate safeguards;
- A € 4 000 000 fine for the infringement of Article 28 GDPR: due to the hiring of processors who do not comply with adequate safeguards, and the lack of control by Vodafone on that;


- A € 2.000.000 fine for the infringement of Article 44 GDPR: due to the carrying out of international transfers without implementing adequate safeguards (first significant sanction for this reason);
- A € 2 000 000 fine for the infringement of Article 44 GDPR: due to the carrying out of international transfers without implementing adequate safeguards ''(first significant sanction by the AEPD for this reason under GDPR)'';


- A € 150.000 fine for the infringement of Article 21 LSSI: due to the sending of unsolicited electronic commercial communications;
- A € 150 000 fine for the infringement of Article 21 LSSI: due to the sending of unsolicited electronic commercial communications;


- A € 2.000.000 fine for the infringement of Article 48(1)(b) LGT + Article 21 LSSI: due to the making of unsolicited commercial calls, after several claimants having expressed their opposition or after being included in the Robinson list. Vodafone did not guarantee the effective exercise of the right to object.
- A € 2 000 000 fine for the infringement of Article 48(1) LGT + Article 21 LSSI: due to the making of unsolicited commercial calls, after several claimants having expressed their opposition or after being included in the general or internal Robinson list. Vodafone did not guarantee the effective exercise of the right to object.


The aggravating factors used to modulate the sanction are of special relevance in this case, taking especially into account the high number of complaints in a quite short period of time. Among the aggravating factors used by the AEPD to graduate the sanctions, the following stand out:
The aggravating factors used to modulate the sanction are of special relevance in this case, taking especially into account the high number of complaints in a quite short period of time. Among the aggravating factors used by the AEPD to graduate the sanctions, the following stand out:
Line 79: Line 85:
a) The fact that the company had already been sanctioned with a fine or warning, from January 2018 to February 2020, in more than 50 occasions;
a) The fact that the company had already been sanctioned with a fine or warning, from January 2018 to February 2020, in more than 50 occasions;


b) The fact that there were 162 complaints in a period of just two years;
b) The fact that there were 161 complaints in a period of just two years;


c) The large number of marketing actions via telephone calls (around 200,000,000).
c) The large number of marketing actions via telephone calls (around 200 000 000).


==Comment==
==Comment==

Revision as of 11:35, 17 March 2021

AEPD - PS/00059/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 28 GDPR
Article 44 GDPR
§ 21 LSSI
§ 48(1) LGT
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 10.03.2021
Fine: 8125000 EUR
Parties: Vodafone España, S.A.U.
National Case Number/Name: PS/00059/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish Data Protection Authority (AEPD) imposed a record fine of €8,125,000 on Vodafone España due to the continuous and numerous violations of several provisions, including Articles 28 and 44 GDPR, the Spanish Information Society Services Act implementing the e-Privacy Directive and the Spanish Telecommunications Act.

English Summary

Facts

The AEPD launched an investigation on Vodafone due to the high number of complaints received regarding unsolicited commercial communications. The AEPD found that 191 claimants held these complaints because Vodafone had sent the communications without previous consent or after they had exercised their right to object (mainly by soliciting to be included in the internal or general Robinson list), which would be an infringement of Article 21 LSSI (the Spanish Information Society Services Act). Additionally, the fact that Vodafone did not facilitate or gave an option to the claimants to exercise the right to object, and the unsolicited communications per se, supposed a breach of Article 48(1) LGT (the Spanish Telecommunications Act).

The AEPD also notes that Vodafone has already been sanctioned several times in a short period of time (2 years) for the same reasons, and that they however have not been able to rectify the infringing behaviour. The AEPD has continued to receive claims based on the same facts by a high number of data subjects.

The AEPD also discovered that there was lack of real, continuous, permanent and audited control of the processing operations carried out by the processors in which they relied to carry out part of their commercial actions. Many of the contracts or agreements performed between them were merely a checklist, and there was no further control or verification by Vodafone on whether they provided the adequate level of protection, measures and safeguards for the processing.

Additionally, it was also found that Vodafone contracted with a processor that would carry processing of data in Peru, therefore transferring data to a third country, without ensuring an adequate level of protection in any way, as the contract did not make any reference to any kind of mechanism related to international transfers of data.

Dispute

Does the continuous sending of unsolicited communications to different data subjects, some of which have already opposed, constitute a violation of the LSSI and the LGT? Does the lack of control and verification of Vodafone on the obligations of the processors they contract with suppose a violation of Article 28 GDPR? Does the contracting with a Peruvian processor without ensuring the adequate level of protection constitute a violation of Article 44 GDPR?

Holding

The AEPD imposed on Vodafone the following sanctions, resulting in a record fine of € 8 125 000:

- A € 4 000 000 fine for the infringement of Article 28 GDPR: due to the hiring of processors who do not comply with adequate safeguards, and the lack of control by Vodafone on that;

- A € 2 000 000 fine for the infringement of Article 44 GDPR: due to the carrying out of international transfers without implementing adequate safeguards (first significant sanction by the AEPD for this reason under GDPR);

- A € 150 000 fine for the infringement of Article 21 LSSI: due to the sending of unsolicited electronic commercial communications;

- A € 2 000 000 fine for the infringement of Article 48(1) LGT + Article 21 LSSI: due to the making of unsolicited commercial calls, after several claimants having expressed their opposition or after being included in the general or internal Robinson list. Vodafone did not guarantee the effective exercise of the right to object.

The aggravating factors used to modulate the sanction are of special relevance in this case, taking especially into account the high number of complaints in a quite short period of time. Among the aggravating factors used by the AEPD to graduate the sanctions, the following stand out:

a) The fact that the company had already been sanctioned with a fine or warning, from January 2018 to February 2020, in more than 50 occasions;

b) The fact that there were 161 complaints in a period of just two years;

c) The large number of marketing actions via telephone calls (around 200 000 000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


Page 1
1/97
 Procedure No.: PS / 00059/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and with
based on the following
BACKGROUND
FIRST. Since the second quarter of 2018 they have been received in this Agency
191 claims as of the date of the commencement agreement 02/26/2020 (23 of which between
on October 1, 2019 and February 2020) against the entity VODAFONE ESPAÑA,
SAU (hereinafter VODAFONE or VDF), with NIF A80907397, in which
denounces the carrying out of marketing and commercial prospecting actions in
name and on behalf of VDF through telephone calls and by sending
electronic commercial communications (SMS messages and emails).
Such actions could violate both the regulations Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), Law 34/2002, of July 11, on services
of the information society and electronic commerce (hereinafter LSSICE),
such as Organic Law 3/2018, of December 5, on the Protection of Personal Data and
Guarantees of Digital Rights (hereinafter LOPDGD).
The above, because these denounced electronic communications are produced, for
one side and with regard to the LSSICE, without having been requested or
expressly authorized and / or without attending to the exercise of the right to oppose the shipment
of new notifications; on the other, regarding the LGT, without facilitating the possibility of
exercise the right of opposition or, once the affected party has exercised
previously your right of opposition through its inclusion in the file of
internal advertising exclusion of the indicated entities (hereinafter Robinson List
Internal -LRI-), or through the common general advertising exclusion system
named Robinson Adigital Listing -LRAD-; and, finally, as regards the
LOPDGDD without adapting the procedures and guarantees established for the execution
of marketing actions in the content of the contracts with those in charge of
the treatments that act in the name and on behalf of the person in charge (VDF) and without
offer the interested party the necessary, sufficient and appropriate means that guarantee
the protection of your rights and freedoms.
Likewise, it should be made clear that the analysis of the answers to the
information requirements of this Agency evacuated by the claimed entity are
In summary, it follows the following:

They do not explain the reason why the events happen and continue to happen
object of claim.

The origin of the data relating to the telephone line number or
e-mail address of the recipients.

The reason why there are claimants who have exercised the
right to object to receive marketing actions and / or appear in your LRI or
LRAD and, nevertheless, commercial actions have been carried out again.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 2
2/97

They do not explain the reasons why the rights exercised by
the complainants nor do they propose effective actions aimed at avoiding this
type of behavior.

Marketing actions continue after AEPD resolutions in
protection of the rights exercised and previous procedural resolutions
sanctioners urging the cancellation of commercial actions and sanctioning the
same facts now analyzed.

Regarding the process for the admission of claims provided for in article 65 of the
LOPDGDD it appears that although a satisfactory answer has been obtained for
the claimant in certain claims having stated the entity
claimed that the claimant's data were incorporated into the exclusion files of
publicity actions of the entities (LRI) (despite already being incorporated
in the LRAD), it becomes clear that the procedure carried out is not
decisive. Marketing actions continue, and may involve conduct
regular and permanent violation of the rights and freedoms of the
interested in the field of direct marketing actions, customer service
rights recognized in the aforementioned regulations (LGT, LSSICE and LOPDGDD) and absence
of appropriate technical and organizational measures for the effective implementation
of the principles and guarantees of the interested parties as indicated by current regulations
above.

To which must be added, for the purposes of lack of collaboration, that the last
claims before this Agency during the process of admission for processing have not been
attended by the entity, or they have been after the expiration of the period of 3
months, which has given rise to its admission for processing by imperative of article 65.5 of the
LOPDGDD.
It consists of the documentation received from VDF on 04/26/2019 (in pendrive given
the large volume of information, with entry registration number 021640/2019) that
the volume of commercial actions carried out in the name and on behalf of VDF
from May 2018 to March 2019 it is 200,000,000 (two hundred million).
It also consists of the balance of annual accounts (March 2018-March 2019) presented
by VDF that the net amount of the turnover exceeds 1,600 million euros
and has 4,000 employees.
Consequently, it was deemed necessary to initiate investigation actions by the
Subdirectorate General for Data Inspection aimed at clarifying the
responsibilities regarding data protection (RGPD and LOPDGDD)
the person responsible for the treatment object of the claims may have incurred
in their marketing actions and attention to the exercise of rights
established in Regulation (EU) 2016/679 of the European Parliament and of the Council
of April 27, 2016 on the protection of natural persons in what
regarding the processing of personal data and the free circulation of these data and by
which repeals Directive 95/46 / CE (hereinafter RGPD).
It was also deemed necessary to investigate the facts denounced in order to resolve the
responsibilities that may have been incurred by the person responsible for the actions of
marketing in relation to the provisions of article 48 of Law 9/2014, of 9 of
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 3
3/97
May, General Telecommunications (LGT) and article 21 of Law 34/2002, of 11
July, services of the information society and electronic commerce (LSSICE).
SECOND: In view of the above, the Director of the Spanish Protection Agency
of Data urged the Subdirectorate General for Data Inspection to proceed to
carry out investigative actions necessary to clarify the facts
in denounced, by virtue of the powers of investigation granted to the authorities
of control in article 57.1 of the RGPD, and in accordance with the provisions of the
Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the
following extremes:
On 02/26/2019, it was agreed to initiate investigative actions in order to
prove the possible existence of a regular and continued conduct of violation of
the data protection regulations (RGPD and LOPDGDD), LGT and LSSICE in the field
of direct marketing actions by the entity now investigated
(VDF).
The object of the research actions to be carried out is framed in the analysis of
the internally designed procedures for the data processing carried out
in the field of direct marketing in the name and on behalf of VDF, since
the data is incorporated into the information systems for which it is responsible until
which is no longer used for these purposes.
This implies that the origin of the processed data is clarified, the subsequent treatment
of these and the relationship with those in charge of the treatments, the prior verification
of inclusion in the internal or general advertising exclusion system of those affected
(internal Robinson and General Adigital listings), the management of the rights of
opposition and deletion, as well as the technical and organizational measures implemented and
their degree of compliance for the protection of the rights and freedoms of
interested.
INVESTIGATED ENTITIES
During these proceedings, investigations have been carried out into the following
entities:

VODAFONE ONO, SAU

VODAFONE ESPAÑA, SAU

VODAFONE ENABLER ESPAÑA, SL

TELEFONICA DE ESPAÑA, SAU

TELEFONICA MOVILES ESPAÑA, SAU

LYCA MOBILE, SL

XTRA TELECOM

INTERACTIVE SERVICES DIALOGUE

FLASH MEDIA EUROPE,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 4
4/97

ORANGE ESPAÑA, SAU

GLOBALIA CALL CENTER, SA

MARKTEL GLOBAL SERVICES, SA

ENGINYERIA INFORMATICA OLOT, SL

CASMAR TELECOM, SL (hereinafter Casmar)

THREE-QUARTERS FULL, SL (hereinafter TQF)
RESULT OF RESEARCH ACTIONS
1.
From the beginning of the investigative actions that are in the file
reference E / 01615/2019, 191 claims have been incorporated through the
reference file E / 09541/2018, of which 23 received since October
2019 to February 2020.
On the dates of 02/27/2019, 03/08/2019, 03/18/2019, 06/07/2019
information requirements to VODAFONE ESPAÑA, SAU and on dates of
09/18/2019 and 09/30/2019 a face-to-face inspection is carried out (whose Minutes and documentation
is incorporated into the file) at the VDF headquarters in order to be able to contrast with the
current regulations the general procedure of management of the relative data processing
to direct marketing actions through phone calls, SMS and
emails, having knowledge of the following:
1.1 In general, marketing actions can be classified
attending to several criteria.
1.1.1. Campaigns managed directly by VDF and Campaigns managed by others
entities by account and name of VDF.
The difference between campaigns managed directly by VDF from those that are
managed by other entities on behalf of and on behalf of VDF is the following:
That in the first (VDF), the databases of the recipients of the actions
commercial actions are provided by VDF and commercial actions are carried out, or
the internal Marketing Department or the internal Telesales Department
(Hereinafter TVTA), the latter through entities contracted by VDF that
make up what they call the TVTA Platform.
And the second (entities that act on behalf and on behalf of VDF) are carried out in
in its entirety by the so-called Distributors / Collaborators / Agents (who sometimes,
In turn, they subcontract the management and data processing of affected persons for the
effective performance of marketing actions in the name and on behalf of
VDF) being able, in this case, to use the databases provided by the
VDF or its own databases being in charge, according to VDF, said
distributors / collaborators / agents of the filtered data with both lists
Robinson (internal, LRI and Adigital, LRAD).
Regarding the "campaigns managed by other entities on behalf of VDF" , no
It is clear that VDF has the technical and organizational control over the treatments and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 5
5/97
databases used by these entities, since not even when the
"Distributor / collaborator / agent" uses its own databases or when it uses
those provided by the VDF itself, VDF does not have implanted methods or technical means
and organizational that verify the legality, the origin of these or their effective prior filtering
with LRIs or LRADs, nor for how long they are used.
There is also no evidence that VDF has real control over the commercial actions themselves.
themselves (calls, SMS and emails), but only has a formal control based on the
contractual obligations that distributors / collaborators / agents acquire with
VDF and referred only to internal informative communications, not of
prior authorizations to carry out marketing actions, in the case
that they use their own databases of distributors / collaborators / agents and
therefore unrelated to VDF. In this sense, it should be noted that from the documentation required to
VDF and to these entities it is inferred that control over marketing actions
It is a posteriori, that is, once the deficiency has been detected or a claim has been filed
Before the AEPD, the acting entities are informed and indicate, where appropriate,
corrective actions.
The internal VDF department that contracts with the entities
distributors / collaborators / agents that make up this second set of is the
called "Distribution / agents" that is divided into several sales channels, between
others: << Door to Door channel >> (hereinafter D2D), << online channel >>, << corners
physical in shopping centers and establishments >>.
1.1.2. Classification according to who materially performs the commercial actions:
These may be those carried out by:
(A) VDF's internal Marketing Department through VDF's own means.
(B) Internal Telesales Department of VDF through the entities that make up
the TVTA Platform.
(C) Department of Distributors / Collaborators / Agents through its network of
distributors / agents / collaborators .
A.- VDF's internal Marketing Department carries out its own actions of
advertising from their own databases, without prejudice to having competencies and
functions that are projected onto the TVTA department.
B.- The VDF TVTA Department is made up of the following platforms
outsourced:
For LOWI the telesales platforms are:
Global Sales Solutions Line, SL (GSS)
Emergia Contact Center, SL (Emergia)
Konecta Bto, SL (Konecta)
For VDF and ONO, the teleshopping platforms are:
Global Sales Solutions Line, SL (GSS)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 6
6/97
Emergia Contact Center, SL (Emergia)
Konecta Bto, SL (Konecta)
Telecyl, SA (Madison)
Atento Teleservicios Spain Branch in Morocco / Atento Teleservicios
Spain, SL (Attentive)
Marktel Servicios de Marketing Telefónico, SA (Marktel)
Unísono Soluciones de Negocios, SA (Unísono)
VDF states that for each of the platforms that make up the Department
internal TVTA, there is << a data protection framework agreement >> adapted to the
RGPD and, as a minimum, a contract for the provision of services which regulates the
rights and obligations, although only from the commercial sphere.
All these contracts are negotiated by the Vodafone Group purchasing center
which is located in Luxembourg (Vodafone Procurement, Sarl).
For their part, all the aforementioned entities that make up the platform of the
TVTA Department, prior to being hired, must pass a process of
<< supplier approval >> which is managed by the Vodafone Group located
in Budapest, Hungary. For this, they are sent a checklist where they are asked for a certain
information in order to validate whether it is possible to contract with said provider. The quoted
checklist is limited to answering certain questions with a "YES" or "NO", without
accreditation or content of the responses and procedures management is specified
to follow. The content of the form / checklist is as follows:
<< GOVERNMENT POLICIES
A.1 Where is your headquarters located?
A.2 Do you have a person responsible for the privacy of personal data? BUT
A.3 If yes, what is your address?
A.4 Do you have a person responsible for GDPR? BUT
A.5 If yes, what is your address?
A.6 Do they have defined and documented policies and procedures for the management of personal data? YES
DO NOT
A.7 Do the policies and procedures include a statement of commitment to the protection of
data and privacy? BUT
A.8 Do the policies and procedures have transversal rules, established profiles and responsibilities
defined on data protection and privacy? BUT
A.9 Do the policies and procedures contemplate disciplinary processes in the event of gaps in
security including appropriate escalation to report to management? BUT
A.10 Are any changes to the data protection policy informed to the management? BUT
A.11 Is the management informed of the privacy policy and the data protection procedures
on a regular basis, eg annually? BUT
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 7
7/97
A.12 If you are asked to have a record of the personal data process, would it be valid and would it be
updated? BUT
EVALUATION AND MODIFICATIONS OF THE PROCESSING OF PERSONAL DATA
B.1 Is there a procedure to assess whether a requirement or instruction from Vodafone regarding the
Vodafone's personal data processing is legitimate? BUT
B.2 Are you prepared to notify Vodafone if your assessment of the instruction or requirement on
the processing of personal data received from Vodafone is illegitimate or could lead to a
regulatory breach of the law on data protection and privacy? BUT
B.3 Have you defined a process to ensure that if there are significant changes in the way it is
process Vodafone's personal data, contact Vodafone to obtain preliminary approval
when appropriate? BUT
B.4 Would you be willing to obtain Vodafone's prior written consent before dealing with the
Vodafone personal data with an outsourced third party? BUT
B.5 Would you be willing to help Vodafone carry out the impact assessment on the
privacy of personal data for those processes that Vodafone has classified as High
Risk as stated in the GDPR regulations? BUT
B.6.1 Will it allow Vodafone to carry out audits of its Policies and procedures for the protection of
data, security and privacy? BUT
B.6.2 Will it allow Vodafone to carry out audits of the systems used to process the data
Vodafone personal? BUT
B.6.3 Will it allow Vodafone to carry out audits of the physical locations in which they are processed
said Vodafone personal data? BUT
B.7 Do you have defined processes to document the processing of personal data that you carry out
on behalf of Vodafone? BUT
B.8 Do you have defined procedures for the erasure of Vodafone's personal data in
concordance with the information retention policy or instructions provided by Vodafone?
BUT
B.9 In the absence of data retention guidelines established by Vodafone, is there a policy
data retention and erasure standard? BUT
B.10 Are there processes in place to ensure that once the contract with Vodafone has expired,
all Vodafone personal data is retrieved from all systems and returned to Vodafone and
removed from all systems? BUT
B.11 Has a procedure been established by which to identify and communicate to Vodafone any
regulation or regulatory obligation to which you are subject and that requires you to retain personal data
after the end of the contract with Vodafone? BUT
KNOWLEDGE ABOUT DATA PROTECTION OR PRIVACY AND PREPARATION OF THE
DIRECTORS INVOLVED IN THE PROCESSING OF PERSONAL DATA
C.1 Do the contracts signed by their management oblige them to protect and properly manage the
personal information? BUT
C.2 Do the contracts signed by your management oblige you to extend the responsibilities over the data
personal activities beyond the working day and after terminating the employment relationship with your company? BUT
C.3 Do the contracts signed by your employees contemplate disciplinary measures as a result of a
failed in its responsibilities with respect to personal data? BUT
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 8
8/97
C.4 Have you communicated to your management and information systems personnel that you are handling data
personal data (through the appropriate channel) the data protection policy and procedures and
Privacy? BUT
C.5 Is the privacy and data protection policy communicated to all those new workers and
to the management when there is a change in professional profile that would in turn produce new
responsibilities regarding the processing of personal data? BUT
C.6 Is defined and implemented training and training available on data protection and data protection
privacy for all personnel involved in the processing of Vodafone personal data with
in order to ensure that all personnel and management have adequate knowledge of the
requirements for the processing of personal data? BUT
C.7 Can you demonstrate that training has been provided to all new employees and to management
existing when there are changes in the responsibilities regarding the handling of personal data? YES
DO NOT
C.8 Is the training and awareness program developed on a regular basis, eg annually? BUT
RIGHTS OF INDIVIDUALS
D.1 In the event of a request for access from an individual, or any other requirement on
personal data (including any Supervisory Entity), do you have a procedure to give
coverage to Vodafone or, if required by Vodafone, meet the request directly? BUT
D.2 Is there a procedure in place to assist Vodafone in correcting personal data
processed in the systems for which you are responsible? BUT
D.3 Does the procedure have escalation processes in the communication of information to those responsible
with time limits and local rectification mechanisms? BUT
D.4 Do you have defined procedures that allow Vodafone to extract personal data from Vodafone
of the systems for which you are responsible so that Vodafone can comply with the
obligations on the portability of information of a client or an employee? BUT
D.5 Do you have a procedure that would allow Vodafone to block an individual's access to its
personal information? BUT
D.6 Could Vodafone permanently block a subject's access to personal data
individual? BUT
D.7 Could Vodafone be able to block access to an individual's personal data in a way that
temporary? BUT
D.8 Would you be in a position to meet the requirements that Vodafone may have regarding
pseudo-anonymization and anonymization of personal data? BUT
DATA SECURITY GAP-INCIDENT AND NOTIFICATION MANAGEMENT
E.1 Do you have defined processes for monitoring logs (activity) and reporting to Vodafone of
security incidents in relation to Vodafone's personal data? BUT
E.2 Are the processes for reporting security incidents and tracking logs on personal data
of Vodafone communicate in your organization? BUT
E.3 Are reports of security incidents and breaches investigated internally on a regular basis?
security of personal data, including reviewing lessons learned and identifying how many
incidents have occurred in the last 12 months? BUT
E.4 If there has been a security incident in the last 12 months that has impacted on the
Vodafone personal data Has Vodafone been notified? BUT
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 9
9/97
E.5 Is anyone in your organization responsible for managing incidents and reporting
the same to Vodafone? BUT
E.6 Does the process include the obligation to notify affected customers within 24 hours, such as
Vodafone to allow customers to investigate and make the corresponding notifications to the
regulators before the 72 hours established by GDPR? BUT
SUBPROCESSES
F.1 Is there evidence of due diligence processes for the selection of subcontractors that include
a review of the technical, physical administrative controls concerning data protection
personal? BUT
F.2 Do you ensure that you have the agreements and contracts with your subcontractors with the same or equivalent
obligations, as required in the contract with Vodafone, in relation to the processing of
personal information? BUT
F.3 Would you provide Vodafone with the list of threads involved or who would be involved?
in the processing of Vodafone's personal data? BUT
F.4 Is there a procedure to inform clients when there is a change in a used thread
by the main process in the processing of personal data? BUT
F.5 Is there a return strategy with all subcontracts to return personal data
used by the thread? BUT
LOCATION OF THE PROCESSED PERSONAL DATA
G.1 Are the employees who process Vodafone's personal data in the Economic Union
European? BUT
G.2 Are the employees who process Vodafone's personal data outside the Economic Union
European? BUT
G.3 Are the employees who process Vodafone's personal data both in the Economic Union
European as outside the European Economic Union? BUT
G.4 Do you process Vodafone's personal data in your own data centers located in Europe? BUT
G.5 Do you process Vodafone's personal data in your own data centers located outside of Europe?
BUT
G.6 Do you process Vodafone personal data in third party data centers located in Europe? YES
DO NOT
G.7 Do you process Vodafone's personal data in third-party data centers located outside of
Europe? BUT
G.8 Do you process Vodafone's personal data in Amazon AWS-type public cloud data centers?
BUT
G.9 Do you know the location of all Vodafone personal data and how / when it is used in all
the jurisdictions where it operates? BUT
G.10 ​​Do you ensure that all standards and procedures in the locations / jurisdictions where you
or its subcontractors operate are appropriate and in any case are at least comparable to the
standards and procedures that you agreed with Vodafone? BUT
G.11 Do you transfer Vodafone personal data to a country outside the European Union? BUT
G.12 If personal data from Vodafone is transferred to a location such as: Non-belonging countries
to the European Union or countries that are not included in the list of "Safe Countries" by the European Union,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 10
10/97
Are you ready to sign a data transfer agreement with Vodafone based on the clauses
of the European Union Model for export and import? BUT
DISCLOSURE TO THIRD PARTIES
H.1 Is there a defined procedure to evaluate the legitimacy or legality of the requirements for
disclosure of personal data received from third parties including bodies in charge of
ensure compliance with the Law? BUT
H.2 Are the employees who receive and process such requests aware of that process? YES
DO NOT
H.3 Does the process have all the guarantees to be safely registered? BUT
H.4 Does the process require an assessment to be performed to allow notification to the client of the
Requirement of third parties on the request for access or on the disclosure of the personal data of the
client? BUT
H.5 Does the process establish who could notify the client of the third party's requirement to access or
disclose the customer's personal data? BUT
CONTRACTS AND RESOURCES
I.1 Would your company be willing to sign a data treatment agreement with Vodafone in the
terms established by Vodafone to regulate the process? BUT
I.2 Would your company formalize an agreement with unlimited liability for the breaking of obligations
contractual in the processing of personal data? YES NO >>
Therefore, any entity that requests to join the TVTA platform has to
carry out this homologation before contracting with VDF and joining the platform
by TVTA. This homologation process consists of filling in a form
where you get an " OK" (valid) or " KO" (invalid) response . In the event that the
The result of the form is "OK", VDF generates a code called "SAP" which is the
which is attributed as an identifier to the new entity and allows it to carry out contracts in
VDF name.
VDF has the services of a third company that performs quality audits
(not specifically in terms of data protection) to verify the correct
proceed from the contracted entities and compliance with the processes defined in
the contracts.
C.- The Department of Distributors / Collaborators / Agents is divided into several
sales channels: “Door to Door” channel (hereinafter D2D), “online channel”, “corneres
physical in shopping centers and establishments ”, among others.
There are exclusive agents who sign with VDF << Agency contracts >> , in
where a general content annex is always included regarding compliance with the
data protection regulations, delegating responsibilities over the
compliance with legal obligations to agents. There are also entities
that do not sign an agency contract.
Regarding the D2D channel , two scenarios must be distinguished when analyzing its
performance, one referred to before the acquisition by VDF of ONO (on the date
01/10/2018), and another later.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 11
11/97
In the first scenario, VDF agents carry out recruitment actions “at the door
cold ” to potential clients in whose homes there is the possibility of installing
VDF fiber optic technology. Upon acceptance of the offer by the
potential client, the agent shows on his tablet the contractual conditions of the
service to contract that are accepted by the user, and subsequently occurs
a verification call by the verification body Marktel.
In the second scenario, the Distributors / Collaborators / To people sell through
of stands in shops and on the street, which in turn also reach << agreements with
other telesales and commercial agencies >> (sub-managers of the treatment by
VDF account) for the effective realization of telephone calls and that they manage
<< your own listings >> of potential customer phone numbers.
These subcontracted << other telesales and commercial agencies >> are not subject to
a prior approval process -as do those assigned to the platform of
TVTA- but currently it continues to work with those that already provided the
service in ONO before the merger with VDF (on 01/10/2018) and there is no evidence that
have verified the technical and organizational means available to them.
In these cases, VDF does not know the identity of the entities ( other agencies of
telesales and commercial) subcontracted by the Distributor / Collaborator / Agent and
does not know the guarantees of a technical or organizational nature that they have. The
Information regarding the identity of these subcontracted entities must be included in
the annex to the contract (subcontract) established for this purpose, but it only appears once
subcontracting performed, that is, VDF previously does not know the qualification
technical and organizational and the identity of these subcontracted entities as well as their
capacity to comply with current regulations.
Of the clauses of the standard contract called "Canal Presencial 2019-2020" (for
example, with CASMAR of May 1, 2019) signed between VDF and the entities
attached to the TVTA platform, there is an obligation to previously notify
VDF the list of sub-processors on behalf of VDF who will use the
distributors / collaborators / agents . This communication is collected, among others, in the
Clauses 5 (resources) and 6 (characteristics of the activity) of the aforementioned contract (
included in the file). Only in clauses 13.4 and 13.5 of the aforementioned contract is it made
reference to the obligation to comply with data protection regulations
in the following terms: “… without prejudice to the obligations assumed by the
COLLABORATOR in compliance with the Data Protection legislation in force in
every moment… ”(sic). Clause 13.6 expressly states that the
"Collaborator will be considered the person in charge of the treatment and must
formalize the standard data treatment agreement that is attached as an annex
IV… ”.
However, this communication to VDF of the subcontracted entities has a
declarative character a posteriori and is not subject to prior approval by VDF nor does it
reflected the possibility of exercising the rights of the interested parties. The purpose of
This statement, according to the VDF, is fundamentally to have
information when malpractice is detected.
The contracts, allegations and communications between two of the
distributors / Collaborators / agents (CASMAR and THE THREE QUARTERS
FULL SL,) as well as the process by virtue of which VDF is aware of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 12
12/97
entities in turn subcontracted by those, and it is concluded that it does not comply with the
requirement of prior authorization by VDF, but VDF has knowledge in the
moment of contracting after completing the informative ANNEX established at the
effect as it becomes necessary to give <<alta>> to the intervening parties (sub-managers
treatment on behalf of VDF).
Once the aforementioned ANNEX has been completed, the VDF registration of the entity to be subcontracted is requested
and are collected: name and surname (or company name), CIF / NIF and email, and it is in
that moment when VDF has knowledge of the entity's identity
outsourced. No evidence has been found that clauses 5 and
6 of the contract called "Canal Presencial 2019-2020" signed between VDF and the
entities attached to the TVTA platform. It is recalled that said clauses,
(they appear in the documentation of the file) are in the "contract of
provision of face-to-face channel services ”between VDF and Casmar dated 05/01/2019, and
which, according to the VDF, is a standard contract signed with the entities in charge.
In turn, there is also the contract between Casmar and A-Nexo Contact Center SAC, of
date 02/01/2017, in which the services of sale of products from
VDF through telephone telemarketing offers, according to the script provided by
Casmar.
VDF does not provide detailed documentation regarding the protection guarantees of
data of the contract that supports the relationship between the initial distributor and the
subcontracted or the guarantees for the fulfillment of the order. As reported
VDF, the contract is similar to that held by VDF and the initial affiliated distributors
to the TVTA platform. VDF includes as a generic contractual obligation that is
transfer the instructions to the << third parties >> ( sub-managers of the treatment by
VDF account ), so that marketing actions are carried out under the terms
indicated by VDF, but without guarantees to prove compliance.
The contracts between the VDF distributors (CASMAR and THE
THREE QUARTER FULL, SL) with << third parties >> (sub-managers of the treatment by
VDF account) and it is verified that they are not similar to the one VDF has with the
distributors attached to the TVTA platform. Two modalities can be differentiated
in relation to the determination of the origin of the data and the obligation to consult and
Filtering of exclusion files and exercise of rights (opposition):
The first, in which VDF contracts with CASMAR and the latter subcontracts with A-NEXO,
which in turn subcontracts with other natural and legal persons who are the ones who
they materially make the calls. In this case, the data used for the
making calls, according to CASMAR, is provided by A-NEXO; However, in
the contract states that CASMAR is the one who provides the data. In this sense,
Marketing actions that are the object of this contract are carried out by A-NEXO with
a data file provided by CASMAR and nothing is indicated on consultation
previous and filtered with the files of exclusion or exercise of rights. In saying
contract (seventh clause) contains the express prohibition of subcontracting with
natural or legal persons without the prior express written consent of
CASMAR.
It is recorded as a reply by CASMAR to the request for information made
by the Inspection of this AEPD on 09/11/2019, that calls from the
numbering *** TELEPHONE. 2 and 954781254 were made by A-NEXO. Regarding the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 13
13/97
destination numberings, CASMAR states that they are random. They are contributed to the file at
sample title, four emails between CASMAR management and A-NEXO
on complaints to the AEPD of improper calls being included
numbering in exclusion lists. Among others, from the numbers of CASMAR
920211348, 951117277, 958146834, 679905774 and 954781254, to the numbers
*** PHONE. 1, *** PHONE. 2.
The second, in which VDF contracts with THE THREE QUARTERS FULL, SL and this
subcontracts in turn with other natural and legal persons who are the ones who carry out
materially calls. In the contributed contracts signed between THE THREE
QUARTERS FULL and the sub-processors on behalf of VDF is not listed
any indication regarding the obligation of prior consultation and filtering with the
exclusion files or those for the exercise of rights. Nor does the origin of
the data for making commercial calls.
1.2.
Origin of the data used by VDF for the actions of
marketing and filtering obligation with Internal Robinson List and with Lista
Robinson from Adigital
The origin of the data used by VDF for marketing actions can
be grouped into five large groups: (i) generation of random numbers (ii)
databases rented to third parties (iii) records generated through the online channel
(web`s) (iv) non-VDF databases of distributors / collaborators and (v)
VDF databases used by distributors / partners
1.2.1.
(i) Generation of random numbers:
Numbers are generated from different numerical ranges at the discretion of VDF,
either for fixed or mobile numbering. In these cases it may happen that a
user has exercised the right of deletion / opposition and after the random generation
the data relating to the landline or mobile phone is included again in another campaign.
Many of these called numbers do not exist or are not assigned to any
person. In any case, these generated numbering databases
randomly, before being used for commercial actions they are crossed by VDF
both with internal Robinson and LRAD lists, as long as the exercise of the right
VDF has been informed of a specific collaborator , the latter circumstance
that does not appear in the signed contracts nor is it proven accredited, so in this case
calls are repeated.
1.2.2.
(ii) Databases "rented" to third parties.
Databases << rented to third parties >> are used . In this section you can
basically differentiate between two origins: those coming from DATACENTRIC PDM,
SA and those from MEYDIS SL
In the first case, the DATACENTRIC entity is an intermediary between VDF and the
database owner (there are various owners who provide this service to
DATACENTRIC, such as: WEBPILOT, BELEADER, ADSLASA, EGENTIC, LNVISTO,
PRESENTE SERVICE, NETSALES, etc.,). As reported to VDF, the holders of the
data provided in these databases of potential clients have given their
consent to receive commercial information. However, the circumstance of
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 14
14/97
have express consent to receive commercial offers through
electronic communications (email or SMS) has not been accredited, nor
even by statistical procedures such as through samples
representative.
Regarding the mechanics of working with DATACENTRIC, it is the following:
A global order is placed by VDF that is executed monthly. The order
The internal Marketing Department of VDF carries out via email indicating
segmentation (e.g. by zip code, type of access technology
installed in the building…). Received response from DATACENTRIC with the budget,
that has previously transferred the request to its collaborators, it is reported, among
other issues, how long the database can be used.
These databases are already filtered by the general Robinson Listings
(Adigital).
In the second case, the MEYDIS entity provides VDF with databases
published in repertoires of subscribers to telecommunications services.
Generally the period during which the data can be used is one year. In
There is no contract for this service because it is less than the amount determined by
the purchasing department so an order is made according to the conditions
general contracting for this type of amounts. VDF requires MEYDIS to
requirement that the data be adequate to carry out marketing actions.
The databases received by VDF, proceeded to cross with LRI and LRAD.
1.2.3.
(iii) Data obtained through web pages, On / Line Channel, generation of
Leads.
From VDF or third-party web pages (for example, through banners ),
obtain data from potential clients who are interested in VDF services and
provide their contact information by accepting a certain privacy policy, which
It can be for specific products or services on issues raised regarding
to the availability of fiber coverage at your home, or for commercial actions
future.
Also included here is data obtained from callers
directly to VDF requesting information. These personal data thus collected
-called “leads” - they are incorporated into the << lead management tool >> called
DELIO , and then be contacted in accordance with the accepted privacy policy
at the time of providing the data on the VDF website and that may involve two
possibilities, one referring to receiving specific information and another to being a recipient of
future commercial communications.
With the DELIO tool, the user can be answered automatically since
directly view the operator the website or the channel in which the user has made
the query and has accepted the privacy policy.
If the user finally does not contract the service after receiving the call from DELIO, the
create a record in the " lead management" , in accordance with the privacy policy
accepted by the user by providing their contact details. It may happen that the data
have been incorporated to receive information on a specific product or service and, in
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 15
15/97
change, the check relative to the use of data in future actions has not been marked
commercial.
These leads are subsequently contacted through different means: calls
from the TVTA platform, SMS or Email.
However, for a lead to join DELIO, it must have occurred at the
minus the contact call. These leads are contacted within a maximum period of 48
hours, and they are made by prior request of the interested party and, after said period, they are sent
an SMS informing that an unsuccessful attempt has been made to contact by providing a number
where you can contact VDF again.
Regarding the data incorporated after having made a coverage query
fiber, it is observed that the coverage consultation process has been modified
compared to the one existing in July 2019.
In the tests carried out in the month of July 2019, it was verified that it was requested,
In addition to the address regarding the address where the query was intended, the
name, surname and telephone number and a privacy policy was offered with two
possibilities: (i) accept the treatment of the data to respond
exclusively as requested, in this case, whether or not there was fiber optic coverage -
the contact information could be provided through the website itself in that
moment, without the need to know name, surname and telephone number; (ii) in addition to
above, accept the treatment for other commercial purposes.
In the month of September 2019 it is verified that initially it is requested only
data related to the address of the domicile where the query is intended, and if the
process cannot be finalized (for example, the address is not in the base of
coverage data, written in another language or incorrectly, be it a number of
route that does not exist, etc., ..), the website offers the option of a contact system
"Click to call ", and it is at this moment where the name and telephone number are requested, putting
provision, a few check of acceptance of the privacy policy.
With the different sources of data indicated (random, databases rented from
and third generation leads ) the Department of Internal Marketing of VDF filters
data with LRAD and lists of rights exercises, and sends it to the Department
internal TVTA. The TVTA Department re-filters the data a second time
after segmenting them for distribution among the different << call center >> services
Sub-managers of the treatment on behalf of VDF who materially carry out the
calls. Some entities that make up the TVTA platform have their own
LRIs that are also subject to prior confrontation and filtering. In order to avoid that by the
over time there are variations in the database (referring to
people who have subsequently exercised the right to object), the platform for
TVTA will use the databases for one month only.
In short, in the three cases indicated, the owners of the data are
contacted by the Marketing Department or the TVTA Department at
through the different entities that make up the platform, always using the
LRAD leaked databases and lists of users who have exercised their rights.
1.2.4
(iv) Non-VDF databases used by the
Distributors / Collaborators .
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 16
16/97
This possibility is only given in campaigns managed by " third parties" using
personal databases not provided by VDF.
VDF is unaware of the legality of these third-party databases and has not
proven its legality not even indirectly such as by carrying out
samplings in order to verify the consent of the interested parties, since VDF
understands that "it is up to third parties to control their legality as long as
responsible for them ” (origin of the data, actions to prove the
consent, filtered with both LR, attention to the rights exercised, etc.,).
In relation to the calls made by these agents / distributors (and where appropriate,
other sub-processors on behalf of VDF) when a right is exercised
opposition during a call, this exercise is not transferred to VDF, but
included in the LRI of agents / distributors.
The obligation of consultation of LRAD by the distributors, is not foreseen in
the contract signed between VDF and the distributors. Whether or not the LRI lists are contrasted,
LRAD or exercise of rights, it is a circumstance that VDF is not in
willingness to verify and, furthermore, VDF understands - as it affirms it in various
occasions - which is exclusively the responsibility of the distributors in compliance with the
current regulations on data protection.
In the contracts analyzed between the distributors and the sub-managers of the
treatment on behalf of VDF, no clauses have been found that determine this
Obligation of prior consultation of exclusion lists and their filtering.
It is established that the distributors do not previously check the database used
for commercial actions with the VDF LRI. It may happen that an interested party
has exercised the right of opposition to VDF and, despite this, a distributor
repeat the call.
It has also happened that a claim against VDF has been processed before the
AEPD and that it has been resolved by urging VDF to inform the affected party that their
The data has been included in the LRI and, once this circumstance has been communicated to the affected party, with
later the call is repeated by one of these distributors. This is due to
that there is no adequate communication by VDF with distributors and
Sub-managers of the treatment on behalf of VDF.
VDF has established communication protocols through emails
for distributors and sub-processors on behalf of VDF -in case
that they exist- relative to the reminder that they cross the databases to be used with
the LRAD, which is known to have been ineffective.
Regarding the guarantees of legality in the use made by the
distributors / collaborators of the databases, in the letter dated 04/26/2019
VDF stated that these communications are made with the following content:
<< (…) if the database used by the collaborator is his -of the collaborator-
property, Vodafone requires that, first of all, they have the authorization of
Vodafone to use that database in a campaign carried out on behalf of and by
Vodafone account. Second, they are required to have obtained the
informed consent of the owner. And thirdly, they filter their base of
data with official Robinson listings .
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 17
17/97
Likewise, they must provide a simple means for the recipients of the
campaigns can exercise their right to object to continue receiving calls
or commercial communications . (…) >>
In the Inspection carried out at the VDF headquarters on September 18 and 30, the
VDF representatives clarify the following: << (…) (i) there is no authorization
relating to the use of third-party databases, that is, those belonging to the distributors and for
There is therefore no authorization process, but rather information is requested in the case of
that use these databases. (ii) VDF is not in a position to verify that
the holders of the receiving lines have given their consent or have not been
opposite, since it is an obligation that corresponds to the collaborating agents, (iii)
VDF does not ensure that each call provides an effective means of exercising
right of opposition .
1.2.5.
(v) VDF databases used by Distributors / Collaborators /.
Sometimes distributors / partners make use of databases provided
by VDF. In these cases, there are communications (indicated below) by
part of VDF referring to the obligation to use only these databases (for
be already filtered with LRAD and exercise of rights). However, there is no
any procedure enabled or controlled by VDF aimed at verifying that
only its distributors, and not others, use the database that VDF has provided for them.
provided and during the periods indicated.
two.
Measures taken by VDF in relation to the claims received
and after knowledge of the existence of inspection actions initiated by
the AEPD .
Most of the complaints received are for campaigns that it does not manage
directly VDF (those managed directly by VDF are those made through
from your TVTA Department or Marketing Department), but are about
campaigns managed by third parties, that is, distributors / collaborators and in their
case sub-managers of the treatment on behalf of VDF for these.
Regarding the adoption of measures, general measures can be distinguished , and other
more specific in relation to certain claims, consisting of requesting
distributors to include specific numbering in the LRI when it has already been
produced the call (s) or after a request from the AEPD, and are summarized in the
following:

In the month of November 2018 and in the month of July 2019 ,
COMMUNICATIONS to the entities attached to the TVTA platform, and to the
Distributors / Collaborators, respectively, in order to remind them of the obligations
in terms of data protection differentiating two cases:
to)
In case of using VDF databases : these have to be used during the
stipulated time and exclusively for the indicated campaign, since they are filtered
by LRAD and list of exercise of rights. If they are used later in
Future campaigns are advised that they may be out of date.
to)
In case of using databases of the
distributors / collaborators (outside of VDF) : they must ensure that they have
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 18
18/97
with the prior and express approval of VDF to make such calls; what
have the data in a lawful way and obtaining the express consent of the
holders, the use of databases that do not meet these requirements is prohibited;
filter your databases with LRAD and don't use media that doesn't
have been consented to by the recipients of the campaign.
In the inspection carried out at the VDF headquarters on September 18 and 30,
2019, the VDF representatives stated that they have not carried out
checks on compliance with the measures indicated in the
previous releases.
In November 2018, VDF created a numbering database
callers ( distributors and their sub-processors on behalf of VDF) in order to
to be able to identify who is making the calls.
In July 2019 this database has increased notably, in the
to the extent that in the contracts signed with the “Presencial Channel 2019-2020”
including a clause that imposes as a mandatory condition the prior identification of
the numbers from which the commercial calls are to be made.
Communications between VDF and its distributors have been added to the file
requesting the identification of the sub-processors on behalf of VDF and
the numbers that they are going to use, all of them from September
2019. This database of numbers has also been added to the file.
Callers updated as of July 2019.
Another measure that is being studied is to carry out to prevent
make calls from unidentified numbers, call routing
only through the internal VDF network, also integrating the "crossing" with the
numberings included in LRAD and list of exercise of rights, so that
have effective control of calls made on your behalf, which goes through the
caller identification and by the exclusion of commercial actions to users
who have expressed their opposition or through their inclusion in files of
exclusion of advertising actions of an internal or external nature.
Therefore, in the future it will be an essential condition to provide the service to VDF
use VDF trunks in order to be able to make certain restrictions, (lines
callers, schedule, LRAD, rights of objection, etc.,). The web interface will connect
with the VDF dialing system to pre-validate the call.
VDF begins to raise this idea at the end of May 2019 and in the months of June
and July is communicated to the collaborating agents. Meetings take place in the month of
September 2019 and in October the tests will begin with an entity to
later implement it in the rest.
In this sense, communications are provided between VDF and collaborators in the following
meaning: << Subject: Meeting this morning the commitments that have been
acquired CASMAR, THREE-QUARTER, SOLIVESA in connection with the shipment of
communicated to the collaborators, the assurance that the bases of
data with LRAD, and the adoption of measures to audit that said collaborators
comply with the processes >>. And it is also quoted that << we will work together to
implement the call routing platform that we have discussed >> . To
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 19
19/97
current date there is no evidence that this routing protocol has been implemented
from the VDF trunk and on the date of the initiation agreement, of the 191 claims
filed, 26 claims date from September 2019 to January
2020.
There are other measures related to sending communications by VDF to
distributors on specific complaints in connection with the calls, to
that the numbering of subsequent commercial actions be excluded.
As an example, they are included in the Inspection Act E / 01615/2019 / I-01 as
document number 21, several communications consisting of requesting the
distributors the inclusion of certain numbers in Robinson lists (internal and
AD), when the call / s has already been made and after a request from the AEPD.
VDF reports that it has not filed a complaint with the Police regarding calls
undue to the extent that VDF does not have the certainty of the identity of the owner of the
calling number acting on your behalf.
In the relationship between VDF and the distributors / collaborators it is not a requirement for the
payment of your commission by verifying the number from which the collection has been made
of the customer (calling numbering), but the verifications are limited to the
compliance with the requirements of the contracting of the product or service.
3. Procedure for obtaining data of recipients and exercise of actions of
marketing in relation to the sending of commercial communications by
electronic means (SMS):
The numbering recipients when sending SMS are generated randomly without
any discrimination for which commercial communications have been sent
to potential customers without the concurrence of the requirements provided in the
Article 21 of the LSSI (expressly authorized). SMS sendings are carried out
directly VDF.
4 . Sampling of evidence of non-compliance with current regulations regarding
protection of data obtained in relation to the operation of the process
described in the previous sections.
4.1- Commercial actions after a complaint procedure resolved in the AEPD
where VDF states that it has included the data of the affected party in the LRI.

On the date of 05/03/2019, by (…) a written document is presented in this agency in which
indicates that “I filed a claim with the Spanish Agency for Data Protection
on September 11, 2018 (Registration number: 193763/2018), which I attach, because
we received unsolicited commercial calls from Vodafone to the landline. Do not
We were and are not customers of Vodafone, and we were and are on the Robinson List.
The AEPD replied (files E / 07212/2018 and E / 05851/2019) that Vodafone
Spain, SAU had informed them "that they have been included in their list
Robinson, in order to ensure that the claimant is not included in future
Vodafone commercial campaigns ", (…)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 20
20/97
Well, the situation, with the inconvenience that it entails, continues to occur, they continue
Calling us at the fixed telephone operators of this company to offer us their
unsolicited commercial services , (...)
 On 05/29/2019, by (…) a written document is presented at this agency stating
that (files E / 10150/2018 and E / 07447/2019) VODAFONE, by means of a letter of
On 02/28/2019, you were notified of the inclusion of your data in the internal Robinson list to
in order to prevent your phone number from being included in future campaigns
commercial. He states that from 05/15/2019 to 05/24/2019 they have followed
producing commercial calls from VODAFONE.
Provides a recording of two calls received on 05/24/2019, in which the
check the following:
In the first call, the telemarketer asks for the claimant, and after repeated
Claimant's questions, he identifies himself as (…) of the company ONO VODAFONE
to offer discounts on services, the claimant after explaining that he / she is
on the Robinson list and that VODAFONE sent him a letter communicating such
circumstance, the telemarketer informs that they will continue to call you.
In the second call, the telemarketer asks for the owner of the line, and after
repeated questions from the claimant, he identifies himself as (…) of the ONO company
VODAFONE. the claimant states that he is on the Robinson list. The
teleoperator states that they do not consult the Robinson list file.

E / 03445/2019, whose affected is (…), denounces the reception of calls from
line 912001212 in February 2019 (files E / 09407/2018
E / 03445/2019 E / 07055/2019) where it has already identified, among others, as a calling line the
same numbering that continues to make calls, and in whose file
VODAFONE stated the inclusion of their data in the internal Robinson list and the sending of
communicated to their distributors.

In file E / 03367/2018 (and later E / 03964/2019) the
reception of calls from the lines 911251946 and 955316972, in which
VODAFONE declared the inclusion of their data in the internal Robinson list, and the sending
of notices to its distributors, reiterating the calls again on the date
later.

E / 03978/2019, report the reception of calls from the phone number
935085190 on 03/11/2019, having as a precedent the procedure of
claim E / 07329/2018 and in whose file VODAFONE stated the inclusion
of your data in the Robinson list, in addition to knowing its inclusion in the Robinson List
Adigital, and the sending of notices to its distributors.

E / 03980/2019 and E / 07960/2019, whose affected person is (…), denounces the receipt of
calls from the telephone number 954781254 on dates of 03/12/2019 and
04/01/2019, with the claim procedure as a precedent
E / 10149/2018 and in whose file the claim was transferred to VODAFONE
where, in addition to revealing the facts, the inclusion on the list was reported
Robinson from Adigital.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 21
21/97

E / 07106/2019, the claimant receives calls from the numbers
764255362, 953230927, *** TELEPHONE. 2 and 953241849, the last one as of
06/10/2019, being in LRAD since 03/19/2019 and in LRI since 04/08/2019. VDF no
has been able to identify the ownership of the calling lines, as they are not included in the database
data created for this purpose.
4.2- Commercial actions carried out from the numbers *** TELEPHONE. 2 and
954781254 by the distributors CASMAR and THREE QUARTERS FULL SL
Given the volume of claims (191 claims incorporated into the file)
that have the indicated numbering as calling lines, they have been carried out
Proceedings expressly aimed at analyzing VDF's relationship with CASMAR and
THREE QUARTERS FULL SL (hereinafter TQTF), the procedure for obtaining
of the data, and compliance with the obligation of prior consultation with the lists of
exclusion.
17 claimants have been found who manifest commercial actions carried out
from numbering 954781254, and 19 claimants with respect to those made since
the numbering *** TELEPHONE. 2, even though the numbers of the recipients
were included in LRAD, or have exercised their right to object to VDF and
listed on your LRI.
VDF states and insists once again that consultation with LRAD is the responsibility of the
third-party distributors because they are responsible for the databases and that, if
Although this obligation does not appear in the contract, through communications they have made
an awareness-raising effort in this regard. CASMAR states that it is the entity
provider "A-NEXO" which provides the Robinson list and has not transferred
no right of opposition received after making calls. However, in
the contract signed between both entities states that the Robinson listings are
contributed by Casmar.
CASMAR uses different providers, including A-NEXO, both for
provide the database used to make the calls, which at your
Once contracted with commercial sub-managers of the treatment on behalf of VDF to
the effective realization of calls.
This scheme of participants outlines several levels of action:
Level I.- VDF is the one who contracts with the CASMAR entity (and this, where appropriate, with other
collaborators) carrying out commercial actions to attract customers. The
The database to be used can be provided by VDF or by CASMAR that the
You get on your own (from other contributors).
Level II.- CASMAR subcontracts to the entity A-NEXO (and this in its case to other
collaborators) making commercial calls. CASMAR informed the AEPD
that the data used is provided by A-NEXO and, however, in the contract that
provided the figure that the data is provided by CASMAR.
Level III.- A-NEXO in turn subcontracts sales representatives to make calls,
both legal and natural persons.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 22
22/97
Level IV- Commercials hired by CASMAR, in turn, make calls for their
bill.
VDF only has a legal relationship with CASMAR and with respect to the rest
levels, it is reported in different temporary spaces and not as part of the contract
of the identity of the other collaborators. About VDF's knowledge of
the sub-managers of the treatment on behalf of VDF, CASMAR provided the
contractual documentation where the list of sub-managers of the
treatment on behalf of VDF that VDF had to approve, stating that it is in
<<blanco>> for the dynamism with which they are replacing and updating the
" Calls centers" .
CASMAR provides a list of sub-managers of the treatment on behalf of VDF
as Annex I to the contract "Canal Presencial 2019 2020" dated 05/01/2019 which has
subscribed with VDF, among which is the entity A-Nexo.
It should be added that in Annex I of the aforementioned contract between Casmar and VDF, there is a
List of 15 entities and subcontracted individuals called “list of the
approved sub-managers ” (sic), among which is the entity A-Nexo, in the
that the “current location of the treatment” (sic) is located in Peru. According
It is stated in the contract signed between Casmar and the subcontractor A-Nexo, the
Exclusion list numbering is provided by Casmar. Said annex I
It is signed by Casmar and VDF on 05/01/2019. It is not credited
that have a contract that contains the mandatory contractual clauses
type of the Commission Decision of February 5, 2010, relating to the clauses
contractual type for the transfer of personal data to those in charge of the
treatment established in third countries.
For its part, TQTF stated that VDF is aware of the sub-managers of the
treatment on behalf of VDF only at the moment in which your access to
the VDF contracting platform. In other words, TQTF requests the registration of the VDF
sub-managers of the treatment on behalf of VDF to be able to carry out the
contracting (VDF provides them with user access to the contracting platform).
Therefore, for the commercial sub-managers of the treatment on behalf of VDF
can register new lines, it is necessary that VDF has granted access to a
certain application of "discharges". VDF does not require any type of verification to
commercial sub-managers of the treatment on behalf of VDF on the data to
to be used in commercial calls, but is limited to creating a user with
password, upon request from CASMAR or TQTF, which is communicated to the salespeople or
to the final distributor to be able to register the contracted lines.
VDF knows the filing of claims before the AEPD, since since the month of
November 2018 they have been transferred from the AEPD and it is not until
month of July 2019 when he communicates it to the distributors (since he already did so in the
November 2018 for the entities that make up the Internal Department
from TVTA).
They are examples of these actions in which they have not used numbering
previously filtered with the advertising exclusion listings or have taken into account
the rights of opposition previously exercised by those affected made before
CASMAR or VDF, the following:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 23
23/97

E / 07147/2019: The claimant receives commercial calls, the last on date
of 06/12/2019 after having exercised the right of deletion against VDF on the date of
05/08/2019, and in the VDF LRI since 05/09/2019.

E / 07144/2019: The claimant receives commercial calls, the last on date
of 06/05/2019, after having exercised the right of opposition stated in the LRI of VDF
from 04/02/2019, the mobile line, and 08/20/2018 the fixed line. Also in LRAD since
March 2019.

E / 7765/2019: The claimant receives commercial calls, the last one on the date of
06/07/2019, after having requested the deletion from VDF on 06/02/2019 and
be registered in LRAD since 11/14/2017.

E / 7758/2019: The claimant receives commercial calls, the last one on the date of
06/26/2019 appearing in LRAD since 10/22/2018. In this case, the dealer
caller is TTQF on behalf of and on behalf of VDF.
These claims show that the distributors and sub-managers of the
treatment by VDF account have not used previously filtered numberings
with the advertising exclusion lists nor have they taken into account the rights of
opposition previously exercised by those affected.
VDF insists again that it does not contemplate in its contracts with distributors
the obligation to consult LRAD to understand that this corresponds to the holders of
the databases to be used, and according to the VDF, the databases used are not
filter with internal exclusion listings.
4.3- Sampling evidence of non-compliance in relation to campaigns
managed directly by VDF.
These actions are considered "directly managed by VDF" since the entity
making the call is one of those that makes up its own TVTA platform.
VDF has a process for both the TVTA platform and the
Marketing Department, use only databases that contain data
of lines that are not registered in LRAD and lists of rights exercises. Do not
However, the data treatment followed by VDF is deficient as stated
accredits below:
From the numbering 607100219, which belongs to KONECTA (belongs to the
TVTA platform), calls have been made that have led to different
claims because the data of the claimants is included in LRAD, to
Examples are listed below:

E / 03455/2019: the numbering *** TELEPHONE. 3 is registered in LRAD since
March 2017, and calls are made in March 2019.

E / 1845/2018: which gave rise to the reference sanctioning procedure
PS / 290/2018 for calls made in 2018 to a number that
was registered in LRAD since 2013 and to the new current claim of
reference E / 03821/2019. In the aforementioned sanctioning procedure, the entity recognized
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 24
24/97
responsibility for the denounced events and was sanctioned for an infraction with
€ 12,000 fine, taking advantage of a 40% reduction in the amount.
4.4- Sampling of evidence of non-compliance in relation to the sending of
commercial communications by electronic means (LSSICE) by account and name
of VDF.
As indicated in section 4, VDF stated that SMS have been sent to
randomly generated numberings, which prevents verifying compliance with the
provided in art. 21 of the LSSI, specifically the requirement to request “expressly
authorized ” , considering all the recipients << potential clients >>.
Below, of the 25 files of LSSICE, some referring to the
Fraudulent SMS sending:

E / 03977/2019
RECEIVER NUMBER: *** PHONE. 4 *** PHONE. 5
OPPOSITION: 07/05/2018
DATE OF SMS:
07/05/2018, 10/20/2018, 10/21/2018, 02/11/2019 and 02/15/2019

E / 02050/2019 and E / 08132/2018
RECEIVER NUMBER: *** PHONE. 6
OPPOSITION: 10/8/2018 ATTENDED BY VDF
DATE OF SMS:
02/04/2019, E / 2050/2019 (Antecedent E / 08123/2018, Dec 27, 2018, letter to
claimant)
NO. RECEIVER: *** PHONE. 7
OPPOSITION: THROUGH AEPD CLAIM
DATE OF SMS:
12/22/2018, 02/01/2019, 01/30/2019

E / 00126/2019
NO. RECEIVER: *** PHONE. 8
OPPOSITION: OCTOBER 2018
DATE OF SMS:
11/05/2018, 11/30/2018, 12/28/2018

E / 00084/2019
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 25
25/97
NO. RECEIVER: *** PHONE.9 *** PHONE.10 *** PHONE.11
OPPOSITION / CANCELLATION: 08/25/2018; 10/07/2018 AND ROBINSON.
DATE OF SMS:
08/25/2018, 09/06/2018, 09/23/2018, 10/30/2018
5. The face-to-face inspection actions carried out in relation to the
claims received in the AEPD in order to determine the adequacy of the
management procedure for marketing actions carried out by
VDF account and name are attached to the Inspection Certificate and in the documentation
of this file that was duly notified to the representation of the
investigated (VDF).
THIRD: On February 26, 2020 , the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the claimed party, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of article 28 of the RGPD in relation to the
Article 24 of the RGPD punishable in accordance with article 83.4 of the RGPD, for the alleged
serious violation of article 21 of the LSSICE, classified as serious in article
38.3.d) and c) of said rule, for the alleged infringement of article 48.1.b) of the LGT,
considered serious in article 77.37 of the aforementioned rule.
FOURTH: The aforementioned commencement agreement having been notified, the defendant submitted on
03/04/2020 writing requesting a copy of the file and extension of the term to
object of presenting allegations. Once the extension of the term was granted, the
file to the investigated presenting allegations on 06/9/2020 (when
affected by the suspension of terms as a consequence of the establishment of the
state of alarm) that are set out, in summary, in the following terms:
1.
The files notified include those affected who are persons
legal.
two.
The statement of facts in the Initiation Agreement makes it extremely difficult to analyze and
carry out a detailed examination which may undermine the right to self-defense.
3.
Due diligence in the terms of art 28 of the RGPD refers only to
the contracting phase with the manager and should not be understood with respect to the
subsequent monitoring of the contract.
Four.
The providers contracted by VDF of the internal telesales department
have passed a previous validation process and are subjected to processes of
audits in which the technical and organizational measures are justified with which
they count for the development of the contracted service.
5.
Regarding external providers using their own databases: these
providers do not act as processors but rather as data processors.
responsible for their own databases since these personal data are
collected on behalf of the provider and not on behalf of VDF.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 26
26/97
6.
Regarding external providers using databases provided by
VDF: VDF complies with all the requirements when contracting with those in charge
established in article 28 of the RGPD and these providers meet the conditions for
comply with their obligations, there being no lack of the duty of diligence for
that it is not appropriate to question the effective performance of the obligations
contractually assumed.
7.
Regarding regulation of the contract between the person in charge and the person in charge of the
subcontracting carried out by the person in charge, the AEPD Guide
advises the application of certain clauses such as the one used by VDF. In such
clauses indicates that it corresponds to the initial manager to regulate the new relationship and
with the same formal requirements as with the person in charge.
8.
The need for express prior authorization of the sub-processors is not a
mandatory requirement, but article 28.2 indicates that the person in charge must inform the
responsible and, where appropriate, the latter authorize, thus giving the controller the option of
stand against. This aspect is not contemplated in the AEPD Guide (option B).
9.
According to the DT5ª of the LOPDGDD, the contracts prior to 05/25/2018
will remain valid until 05/25/2022, so their content cannot be
enforceable as it is not applicable.
10.
The exhaustive control of the person in charge over those in charge would prevent “that
can dial an unauthorized telephone number ” , having had VDF the
reasonable diligence.
eleven.
The technical efforts made by VDF have not been taken into account
to implement improvements in the development phase, which were accredited in the
moment of the face-to-face inspection by the AEPD, diminishing the
technical effort in development.
12.
The contact information for telemarketing actions made available to
the providers by VDF have been previously contrasted with the data
contained in the internal Robinson and ADigital listings and specifies the time of
use to avoid outdated data.
13.
The data object of treatment can only be processed by the entities
commissioned in accordance with the VDF instructions that govern the contract, which
clearly establish the conditions under which the treatments of the
personal information.
14.
VDF asks providers to notify it of all oppositions that
may occur during telemerketing actions.
fifteen.
Personal data from the provider's databases are not transferred
at no time to VDF. Only after contracting the service are they included in the
VDF information system.
16.
After hiring, this is validated after a control call for
quality.
17.
VDF has implemented complementary measures to guarantee a control
detailed information on the activity of service providers when they use their
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 27
27/97
own databases. This control is estimated to be operational in January 2020
(new routing system through the VDF trunk).
18.
The alleged infringement of art 21 of the LSSICE, does not proceed since the
Legality of the treatments is based on the legitimate interest, as indicated in the
Recital 47 of the RGPD and this is recognized by the AEPD in its report 0173/2018.
19.
VDF at all times allows the interested party to object to receiving
communications, so it is not appropriate to impute infringement of article 38.3.d).
twenty.
Complaints related to the LSSICE are a minority and far from the
total claims submitted.
twenty-one.
Regarding the infractions related to the LGT, VDF always facilitates the
possibility of exercising the right of opposition to the interested party, as stated in art
48.1.b) of said standard. It also appears that VDF previously filters with the lists of
Advertising exclusion before providing potential customer data to suppliers.
And when the databases are external “ it is not possible to materially prevent the
making a call ” (sic) although control measures are being implemented
based on VozIP technology that prevents calling numbers included in lists
of advertising exclusion.
22.
The AEPD seems to sanction for receiving complaints without verifying the facts
described therein and automatically conclude that they correspond
with illegitimate and contrary actions to the legal system and, therefore, adopting
these decisions contrary to the onus probandi principle that governs the law
sanctioner.
2. 3.
The quantification of sanctions is disproportionate, and it cannot be argued
that VDF's conduct is a repeated and permanent breach, since only
191 interested parties of the 200 million commercial actions could be affected
carried out by VDF.
24.
They consist of prescribed infractions such as that referred to in E / 07180/2019 and others in the
that no evidence of infringement has been provided (E / 01119/2019 and E / 02809/2019).
25.
In general, the Initiation Agreement lacks sufficient motivation to support the
imputation to VDF of the infractions that it relates that is a guarantee against the
arbitrary conduct outlawed in the EC
These allegations have already been answered in the Proposal for Resolution and it is reiterated
in FD III of this Resolution.
FIFTH: After the period of allegations granted in the Agreement of initiation and
submitted allegations, it was agreed to open a period of taking evidence , according to
provided in article 77 of Law 39/2015, of October 1, on the Procedure
Common Administrative of the Public Administrations, agreeing the Instruction
practice the following tests:
1. The claims filed are deemed to have been reproduced for evidentiary purposes and that
work in the file and its documentation, the documents obtained and generated
by the Inspection Services before VODAFONE ESPAÑA, SAU , and the Report of
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 28
28/97
Previous Inspection actions that are part of the files E / 01615/2019
and E / 09541/2018.
2. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of
home PS / 00059/2020 presented by VODAFONE ESPAÑA, SAU , and the
accompanying documentation.
3. Request the Spanish Association of Digital Economy, C / Entença, 218 Entlo 7ª
08029 Barcelona, ​​with CIF: G61668505, certifying its inclusion and date
from the following phone numbers:
PHONE NUMBERS TO CERTIFY YOUR INCLUSION AND DATE
IN ADIGITAL'S ROBINSON LISTING
(LISTED WITH 264 PHONE NUMBERS)
Noting that the result of this test may lead to the performance of others.
SIXTH: The investigating body having warned of rectifiable deficiencies in the
documentation of the file sent to the investigated in March 2020, dated
11/13/2020 the deficiencies are corrected by sending the documentation
complete relative to the fifteen files with documentation initially
incomplete, giving a period of 10 days to present the allegations that they deem
convenient. It is clear that on 11/14/2020 this second shipment of
correction of documentation.
SEVENTH: Once the proposed tests have been carried out and the period for formulating
allegations to them and to the aforementioned second shipment of the corrected documentation
Relating to fifteen files, the investigated presented the following allegations:
1.- Two of the files sent correspond to the same claim
2.- Seven of the files submitted were not mentioned in the first
Shipping.
3.- Of the 264 telephone numbers requested from Adigital for verification
In the Robinson list, 33 are not registered, 4 are of a later date, 1 corresponds to
an archived procedure, 1 corresponds to a provider and not a claimant, 1 does not
there are commercial calls received and 1 does not correspond to VDF as an entity
claimed.
These Allegations are answered in the FD III of this Resolution. Nevertheless,
It is anticipated that they were the object of analysis by the investigating body, admitting the
annulment for the purposes of assessment in this procedure of 29 files,
resulting in the remaining files included in the Annex, in the amount of 162.
EIGHTH: On December 22, 2020, the Instruction made a proposal for
resolution that he proposed and submitted to the competent body to resolve, the following
sanctions:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 29
29/97
<That the Director of the Spanish Data Protection Agency sanctions
VODAFONE ESPAÑA, SAU, with NIF A80907397,
for violation of article 28 of the RGPD in relation to article 24 of the RGPD
typified in accordance with article 83.4 of the RGPD with administrative sanction of amount
four million euros (€ 4,000,000) considered serious for prescription purposes in
Article 73, sections j), k) and p) of the LOPDGDD,
for violation of article 44 of the RGPD typified in accordance with article 83.5.c) of the
RGPD, with an administrative penalty of two million euros (€ 2,000,000)
considered very serious for the purposes of prescription in article 72.l) of the LOPDGDD,
for violation of article 21 of the LSSICE, classified as serious in article 38.3.d)
and c) of said rule with a sanction of one hundred and fifty thousand euros (€ 150,000) and,
for violation of article 48.1.b) of the LGT, in relation to article 21 of the RGPD,
classified as serious in article 77.37 of the LGT and for violation of article 48.1.b)
of the LGT, in relation to article 23 of the LOPDGDD, classified as serious in the
Article 77.37 of the LGT, with a penalty of two million euros (€ 2,000,000)>.
An Annex was attached to the Proposal for Resolution that listed 162 files after
void assessment of 29 files as a result of deficiencies detected in
the data provided by the complainants or investigated by this AEPD, or, by
estimate of the allegations presented by the defendant.
The aforementioned Annex, which is also attached to this Resolution, consists of the
Next information.
ANNEX (Sorted by date of entry of the claim in the AEPD)
Column legend:
:
Sequential order number
R / D / C:
R óbinson / D igh / C Express onsentimiento
PF / PJ:
Natural Person / Legal Person
LGT / PD / LSSI:
Violated law
F. Robin.credit:
Accredited date inclusion in advertising exclusion lists
LINE:
Sender / Receiver
F. LINE CALL: Date of the advertising action
REFER. AEPD:
Claim reference code in the AEPD
CLAIMANT:
Claimant's name (the number indicates the times claimed)
CLAIM TEXT: Text of the claim submitted by the claimant
NINTH: After the deadline for the presentation of allegations, the
On 01/18/2021, the following allegations to the Proposal for Resolution:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 30
30/97
1)
Previous: Reiteration of the allegations presented.
two)
First: Arguments against the Proven Facts.
3)
Second: Relating to the information request files
referenced in the sanctioning procedure.
4)
Third: Rejection by the AEPD of the allegations presented by
Vodafone.
5)
Fourth: Presumed breach of article 24 RGPD. Consideration of
Vodafone as the data controller and responsibility of Vodafone.
6)
Fifth: Presumed breach of article 28 RGPD. Alleged lack of
real, continuous, permanent and audited control of the treatments carried out by
managers.
7)
Sixth: Presumed breach of article 44 RGPD. Transfers
International data.
8)
Seventh: Presumed breach of article 21 LSSICE. Send of
commercial communications without consent and to recipients who have
opposed to such treatment.
9)
Eighth: Presumed breach of the General Telecommunications Law
(LGT). Supposed lack of attention to the right of opposition to not receive communications
commercial.
10)
Ninth: On the Sanction Proposal. Legal basis and
proportionality of this.
These Allegations are answered in the Basis of Law of the present
Resolution.
Of the actions carried out in this procedure and of the documentation
in the record, the following have been accredited
PROVEN FACTS
FIRST: VDF is responsible for the processing of personal data
carried out on their behalf and on behalf of the marketing actions through
phone calls, SMS and emails, both those managed internally
from its own files as well as from the treatments that it entrusts to other entities to
Through rented files or from their own files.
SECOND: VDF does not have implemented methods or
organizational and technical means that verify, not even by procedures
statistics, the legality of the data object of treatment, its origin, its previous filtering
with the internal lists of advertising exclusion and general Róbinson exclusion, nor
with those of the entities to which it has commissioned the treatments (in charge of the
treatment) or opposition rights exercised by those affected before one and the other.
THIRD: There is no evidence that VDF has real, continuous, permanent and audited control
on the development of the processing of personal data of the actions of
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 31
31/97
marketing carried out on your behalf and on your behalf, limited to a control
merely formal initial and only in some specific cases referring only to
internal informative communications of a partial nature.
There are no prior written authorizations for the treatment of databases
own of the successive managers of the treatments entrusted to VDF by its
account and name.
FOURTH: VDF has a procedure for prior authorization of entities
attached to the TVTA Department. For this, they are sent a checklist where they are
requests certain information in order to validate whether it is possible to contract with said
Service provider. The aforementioned checklist is limited to answering certain
questions with a "YES" or "NO", without specifying accreditation, guarantees,
content and management of procedures and audits as indicated in art 28 of the
GDPR.
FIFTH: In these cases, VDF is unaware of the subcontracted entities (“ other
telesales and commercial agencies ” ) guarantees of a technical or organizational nature
with which they count. Information regarding the identity of these entities
subcontracted must be included in the annex to the contract (subcontract) established at the
effect, but it only appears once the subcontracting has been carried out and for the mere effects of
facilitate access in the event of consummating the contracting on behalf of VDF, is
that is, VDF is previously unaware of the technical and organizational qualification and identity
of these subcontracted entities as well as their capacity to comply with the
current regulations on data protection.
SIXTH: VDF does not provide detailed documentation regarding guarantees of
data protection of the contract that supports the relationship between the person in charge of the
initial and subcontracted treatment, nor the guarantees for compliance with the
sublet. As reported by VDF, the contract is similar to the one maintained by the
entities initially commissioned by VDF and the initial managers assigned to the
TVTA platform. VDF includes as a generic contractual obligation that is
pass the instructions on to the sub-processors on behalf of VDF
so that the marketing actions are carried out in the terms indicated by
VDF, but without guarantees to prove compliance.
SEVENTH: The contracts between the initial managers of VDF assigned to the
TVTA platform (CASMAR and THE THREE QUARTER FULL, SL -TQF-) and the
Sub-processors are not similar, so the same guarantees do not appear in
against what is stated by VDF and the provisions of art 28 of the RGPD, without prejudice
of content deficiencies detected in contracts with managers
initial, such as the lack of follow-up measures in the execution of the contract.
EIGHTH: Regarding the Casmar entity as in charge of the treatment in
In the name and on behalf of VDF, it states that the subcontracted entity "A-NEXO" is the
provided by the Robinson list and it has not transferred any rights of
opposition received after making calls. However, in the signed contract
between both entities (Casmar and A-Nexo of June 2019) it appears that the lists of
Advertising exclusion and opposition rights are provided by Casmar. I do not know
indicates the management to be carried out on the prior consultation of the exclusion files
advertising or exercise of rights, contrary to the provisions of art 28 of the RGPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 32
32/97
NINTH: It is established that VDF contracts with TQF and this subcontracts in turn with other
natural and legal persons who are the ones who materially make the calls. In
the contributed contracts signed between TQF -as data processor
on behalf of and on behalf of VDF- and the subcontracted entities are not listed
Indications regarding the obligation of prior consultation and filtering with the files of
advertising exclusion or the exercise of rights by the various entities
intervening in marketing actions in the name and on behalf of VDF.
TENTH: There is no evidence that VDF has knowledge of the rights
exercised by those affected before the entities in charge and sub-in charge, which
originates that before calls of sequential or random type from a certain
numbering calls are repeated to those affected who have previously exercised their
right of opposition, despite, both in the case of files from
VDFs as external, that VDF has previously filtered them to avoid calls
improper.
ELEVENTH: In the case of the DATACENTRIC entity, which is an intermediary between
VDF and the owner of the rented database, there is no evidence that VDF intervenes in the
effective control of verification of the mandatory express authorization of the
affected for email communications and SMS sending.
TWELFTH: In the case of the MEYDIS entity, which provides VDF with bases of
data published in directories of subscribers to telecommunications services, not
There is a contract signed in accordance with article 28 of the RGPD, for not requiring it, according to
manifests VDF, the internal contracting system of both entities, against
the provisions of art 28 of the RGPD.
THIRTEENTH: The obligation to consult the advertising exclusion lists
by managers and sub-managers is not provided for in the contracts
subscribed for this purpose. Whether or not the aforementioned lists are contrasted is a circumstance that VDF
is not in a position to verify.
FOURTEENTH: It is clear that in the event of a claim on actions of
marketing of VDF before the AEPD and that it has been resolved by urging VDF to
inform the data subject that their data has been included in LRI and, once this
circumstance to the affected, afterwards the call is repeated. (PS / 00290/2015).
FIFTEENTH: In the Inspection carried out at the VDF headquarters on the 18th and 30th of
September, the VDF representatives affirm that: << (…) (i) there is no
authorization related to the use of third-party databases, that is, those belonging to
distributors and therefore there is no authorization process, rather it is requested
information in the event that they use these databases. (ii) VDF is not in
conditions of verifying that the holders of the receiving lines have provided their
consent or have not objected, as it is an obligation that corresponds to
collaborating agents, (iii) VDF does not ensure that each call offers a
effective means of exercising the right of opposition .
SIXTEENTH: Regarding the databases provided by VDF and
used by those in charge of the treatment in the name and on behalf of VDF, it consists
that there are communications by VDF regarding the obligation to use
only these databases. However, there is no procedure
enabled or controlled by VDF aimed at verifying managers use
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 33
33/97
only the database that VDF has provided them and during the periods
that is indicated to them. In the inspection carried out at the VDF headquarters on the dates of 18 and 30
September 2019, the VDF representatives stated that they have not
carried out checks on compliance with the measures indicated in the
previous releases.
SEVENTEENTH: Regarding commercial communications via SMS,
are carried out by generating randomly without any discrimination, so
that electronic commercial communications have been sent to potential clients
without the concurrence of the requirements provided for in article 21 of the LSSI
(expressly authorized). SMS sendings are carried out directly by VDF.
EIGHTEENTH: Without prejudice to the provisions of the annex to this Resolution, to
mode of a representative sample, in commercial actions carried out since
the numbers *** TELEPHONE. 2 and 954781254 by the distributors CASMAR and
TQF, respectively; 17 claimants have been found who manifest actions
commercials made from number 954781254, and 19 claimants regarding
of those made from the numbering *** TELEPHONE. 2, even though the numbers
of the recipients were included in LRAD, or have exercised their right to
opposition to VDF and are listed on its LRI.
NINETEENTH: In the scheme of participants in the actions of
marketing carried out by VDF, consist of the following levels of action
in relation to Casmar:
Level I.- VDF is the one who contracts with the CASMAR entity (and this, where appropriate,
subcontracts with others) carrying out commercial actions to attract customers.
The database to be used can be provided by VDF or by CASMAR that the
You get on your own (from other contributors).
Level II.- CASMAR subcontracts to the entity A-NEXO (and this in its case to other
collaborators) making commercial calls. CASMAR informed
AEPD requirement that the data used is provided by A-NEXO and, without
However, the contract you provided states that the data is provided by CASMAR.
Level III.- A-NEXO in turn subcontracts sales representatives to make calls,
both legal and natural persons,
Level IV- Commercials hired by CASMAR, in turn, make calls for their
it counts from its own numbers without informing VDF of them.
On the knowledge by VDF of the sub-managers of the treatment by
VDF account, CASMAR provided the contractual documentation where it appeared “in
Blanco ”(Annex II to the contract on-site channel of 05/01/2019), the list of sub-managers
treatment on behalf of VDF that VDF had to approve, stating that it is in
<<blanco>> for the dynamism with which they are replacing and updating the
"Call centers", that is to say, after the hiring and not previously and that
allow to verify the technical and organizational competence of these
entities.
TWENTIETH: In the contract signed between Casmar and VDF on 05/01/2019 it appears, in
separate annex and of a later date (1) referenced to said contract from which it brings cause
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 34
34/97
dated 05/01/2019 between VDF and Casmar, a relationship of 15 legal entities and
natural persons subcontracted by Casmar called "list of sub-managers
approved ” (sic), among which is the entity A-Nexo, which states that
the “current treatment location” (sic) is in Peru. It is not credited
that have a contract that contains the mandatory contractual clauses
type of the Commission Decision of February 5, 2010, relating to the clauses
contractual type for the transfer of personal data to those in charge of the
treatment established in third countries.
(1)
There is a contract dated 06/27/2019 (after the one dated 05/01/209 between VDF and
Camar) between Casmar and A-nexo (on behalf of the entity A-NEXO
CONTACT CENTER SAC, with RUC 20601266530 and address for notification purposes at
Av. De los Precursors 1192, office 303, San Miguel, Lima, Peru.)
TWENTY-FIRST: TQTF affirms at the request of the Inspection of this AEPD
that VDF is aware of the sub-processors on behalf of VDF
only at the moment in which your access to the contracting platform is requested
of VDF and only for these purposes. In other words, TQTF requests the registration of the VDF
Sub-processors in the name and on behalf of VDF to be able to carry out the
contracting (VDF provides access user to the contracting platform),
without requiring any type of verification to the commercial sub-managers of the
treatment in the name and on behalf of VDF on the data to be used in the calls
commercial nor technical and organizational conditions they have, limiting
VDF to generate a user with password, upon request from CASMAR or TQTF, which
It is communicated to the sales representatives or the final distributor (sub-managers) to be
enabled to register lines contracted in VDF systems.
TWENTY-SECOND: VDF knows the filing of claims before the AEPD,
since since November 2018 they have been transferred from
the AEPD and it is not until July 2019 when it is communicated to the
distributors (managers) without stating to date the measures adopted to
avoid improper treatment.
TWENTY-THIRD: Examples of these actions carried out by CASMAR at
numberings registered in LRAD or in VDF LRI, the following:

E / 07147/2019: The claimant receives commercial calls, the last on date
of 06/12/2019 after having exercised the right of deletion against VDF on the date of
05/08/2019, and in the VDF LRI since 05/09/2019.

E / 07144/2019: The claimant receives commercial calls, the last on date
of 06/05/2019, after having exercised the right of opposition stated in the LRI of VDF
from 04/02/2019, the mobile line, and 08/20/2018 the fixed line. Also in LRAD since
March 2019.

E / 7765/2019: The claimant receives commercial calls, the last one on the date of
06/07/2019, after having requested the deletion from VDF on 06/02/2019 and
be registered in LRAD since 11/14/2017.

E / 7758/2019: The claimant receives commercial calls, the last one on the date of
06/26/2019 appearing in LRAD since 10/22/2018. In this case, the dealer
caller is TTQF on behalf of and on behalf of VDF.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 35
35/97
This sample of claims (the totality of evidence appears in the annex to this
Motion for a Resolution) confirms that managers and sub-managers have not
used to carry out the actions of mercadoctecnia on behalf of and on behalf of VDF
numberings previously filtered with the advertising exclusion lists nor have
taking into account the opposition rights previously exercised by those affected,
either before the VDF itself or before the entities in charge or sub-in charge
when they act in the name and on behalf of VDF. Nor does it appear that in the actions
of mercadoctecnia through VDF phone calls have control
appropriate that allows you to validate the possibility of exercising the right to object to the
interested, since VDF is limited to providing managers with a certain legend
without requiring guarantees of its effective reading to those affected.
TWENTY FOURTH. The annex to this Resolution contains the list
complete and detailed of all claims taken into account in the assessment of
the facts imputed in this procedure.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679, of the
European Parliament and of the Council, of 04/27/2016, regarding the Protection of
Individuals with regard to the Processing of Personal and Free Data
Circulation of this Data (General Data Protection Regulation, hereinafter
RGPD) recognizes each Control Authority, and as established in the articles
47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the
Director of the Spanish Data Protection Agency is competent to initiate and
solve this procedure.
Article 63.2 of the LOPDGDD determines that: “The procedures processed by the
Spanish Data Protection Agency shall be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, insofar as they do not contradict them, in a
subsidiary, by the general rules on administrative procedures. "
In accordance with the provisions of art. 43.1, second paragraph, of the Law
34/2002, of July 11, on Services of the Information Society and Commerce
Electronic (LSSI), the Director of the Spanish Data Protection Agency is
competent to initiate and resolve this sanctioning procedure.
In accordance with the provisions of article 84.3) of Law 9/2014, of May 9,
General of Telecommunications (hereinafter LGT), the Director of the Agency
Spanish Data Protection is competent to initiate and resolve this
sanctioning procedure.
II
Regarding the allegations presented to the commencement agreement, they have already been answered and
the Proposed Resolution, in short, in the following terms:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 36
36/97
1.
The files notified include those affected who are persons
legal.
As already indicated, 29 claims have been excluded from the valuation due to the
reasons that were proposed without being in the annex those related to
legal entities and those referenced in the VDF allegations dated 12/1/2020.
It should now be added that the scope of application of the LGT and LSSICE includes the
legal persons and, if 29 files have been excluded from the assessment, it has not been for
this reason.
two.
The statement of facts in the Initiation Agreement makes it extremely difficult to analyze and
carry out a detailed examination which may undermine the right to self-defense.
The terms of the initiation agreement are in accordance with the provisions of article 64 of the Law
39/2015, of October 1, of Common Administrative Procedure of the
Public administrations. In this sense, it should be noted that VDF has not requested practice
of any test after the start-up agreement, which may have been requested if really
considers that it undermines their right to self-defense.
Furthermore, VDF does not explain or accredit how its
right to legitimate defense and what is the real and effective damage that has been
produced. Especially when the facts show us that he has been able to allege after the
initial agreement and throughout the administrative procedure everything that at your
right, carried out, all kinds of allegations with a significant volume
both in their reasoning and in their quantity (including also, in such
consideration of the high number of pages of documents submitted by
VDF). He has also been able to provide all the documentation that he considered relevant
and necessary. The real and effective defense of the defendant has not even been diminished
in any moment.
We must bring up, for all, the Judgment of the National High Court, of 22
February 2019 (RJCA 2019/63), in which also collecting diverse jurisprudence
of the Constitutional Court, it is exhaustively stated that “consequently, outside of
the assumptions of nullity of full right only have nullifying scope those
infractions of the procedure, which have left the interested party in a situation of
real or material defenselessness for issuing a resolution contrary to their interests without
having been able to allege or not having been able to prove (SS.TC. 155/1988, of July 22 (RTC
1988, 155), FJ 4; 212/1994, of July 13 (RTC 1994, 212), FJ 4; 137/1996, of 16 of
September (RTC 1996, 137), FJ 2; 89/1997, of May 5 (RTC 1997, 89), FJ 3;
78/1999, of April 26 (RTC 1999, 78), FJ 2, among others). […] Now, I don't know
produces helplessness for these purposes, as stated in the Judgment of the Court
Supreme Court of October 11, 2012 (RJ 2012, 11351) - appeal no. 408/2010 -, "if the
interested party has been able to allege and prove in the file how much he has considered
timely in defense of their rights and position assumed, as well as appeal in
replacement, doctrine that is based on article 24.1 CE (RCL 1978, 2836), if it
within the file the allegations it deemed appropriate "(S.TS. February 27,
1991), "if it exercised, in short, all the proceeding resources, both administrative and
the jurisdictional "(S.TS. of July 20, 1992). […] Ultimately, the plaintiff does not
specifies what material helplessness the alleged vices have produced
procedural complaints, and in any case, the ANC has been able to allege and prove,
both in prior administrative and in this judicial way, how much it has estimated
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 37
37/97
convenient in defense of their rights and legitimate interests, so that no
violation of their right of defense (article 24.2 CE) ”.
Likewise, the Judgment of the Contentious-Administrative Chamber, Section 1, of the
National High Court of National High Court of April 8, 2019 (RJCA \ 2019 \ 466),
ratifies that the defenselessness must be material, translating into real damage and
effective , since “For this purpose and in general, the
doctrine of the Constitutional Court according to which, to assess the existence of injury
constitutional, the existence of a procedural defect is not enough, but it is
It is equally necessary that this has been translated into material defenselessness, that is, in
a real and effective damage, never potential and abstract, of the possibilities of
defense in a procedure with the necessary guarantees (SSTC 15/1995, of 24
January and 1/2000, of January 17, among many others). Helplessness concept with
constitutional relevance that, in any case, does not necessarily coincide with
any defenselessness of a merely procedural nature and less with any
infringement of procedural norms, but requires, as an indispensable condition,
that the impossibility of alleging and proving one's rights and interests and refuting the
allegations to the contrary have produced a real and effective impairment of the right
defense of the party, a material damage. Without there being helplessness
material if, despite a procedural breach, the parties
they have been able to defend their rights and legitimate interests (STC 27/2001 of January 29) ”.
3.
Due diligence in the terms of art 28 of the RGPD refers only to
the contracting phase with the manager and should not be understood with respect to the
subsequent monitoring of the contract.
It is answered in the following fundamentals of law
Four.
The providers contracted by VDF of the internal telesales department
have passed a prior validation process and are subjected to audit processes
in which the technical and organizational measures they have for the
development of the contracted service.
The selection process for entities in charge is limited to an initial checklist , without
There is a subsequent evaluation of the contract, as indicated in
later fundamentals of law.
In the face-to-face inspection, it was found that (page 11 of this Resolution),
Regarding the second scenario, Distributors / Collaborators / To people sell to
through stands in shops and on the street, which in turn also reach << agreements
with other telesales and commercial agencies >> (sub-managers of the treatment by
account and on behalf of VDF) for the effective realization of telephone calls and that
they manage << their own lists >> of phone numbers of potential clients.
These subcontracted << other telesales and commercial agencies >> are not subject to
a prior approval process -as do those assigned to the platform of
TVTA- but currently it continues to work with those that already provided the
service in ONO before the merger with VDF (on 01/10/2018) and there is no evidence that
have verified the technical and organizational means available to them.
It should be noted that the decision by VDF to continue working with the
entities in charge of the treatment that already provided the service in ONO before the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 38
38/97
merger with VDF (on 01/10/2018), certifies that the person responsible for said
treatments is VDF.
In these cases, VDF does not know the identity of the entities ( other agencies of
telesales and commercial) subcontracted by the Distributor / Collaborator / Agent and
does not know the guarantees of a technical or organizational nature that they have. The
Information regarding the identity of these subcontracted entities must be included in
the annex to the contract (subcontract) established for this purpose, but it only appears once
subcontracting performed, that is, VDF previously does not know the qualification
technical and organizational and the identity of these subcontracted entities as well as their
capacity to comply with current regulations.
Of the clauses of the standard contract called "Canal Presencial 2019-2020" (for
example, with CASMAR of May 1, 2019) signed between VDF and the entities
attached to the TVTA platform, there is an obligation to previously notify
VDF the list of sub-processors on behalf of VDF who will use the
distributors / collaborators / agents . This communication is collected, among others, in the
Clauses 5 (resources) and 6 (characteristics of the activity) of the aforementioned contract (
included in the file). Only in clauses 13.4 and 13.5 of the aforementioned contract is it made
reference to the obligation to comply with data protection regulations
in the following terms: “… without prejudice to the obligations assumed by the
COLLABORATOR in compliance with the Data Protection legislation in force in
every moment… ”(sic). Clause 13.6 expressly states that the
"Collaborator will be considered the person in charge of the treatment and must
formalize the standard data treatment agreement that is attached as an annex
IV… ”.
However, this communication to VDF of the subcontracted entities has a
declarative character a posteriori and is not subject to prior approval by VDF nor does it
reflected the possibility of exercising the rights of the interested parties. The purpose of
This statement, according to the VDF, is fundamentally to have
information when malpractice is detected.
5.
Regarding external providers using their own databases: these
providers do not act as processors but rather as data processors.
responsible for their own databases since these personal data are
collected on behalf of the provider and not on behalf of VDF.
It is answered in the following fundamentals of law
6.
Regarding external providers using databases provided by
VDF: VDF complies with all the requirements when contracting with those in charge
established in article 28 of the RGPD and these providers meet the conditions for
comply with their obligations, there being no lack of the duty of diligence for
that it is not appropriate to question the effective performance of the obligations
contractually assumed.
It is answered in the following fundamentals of law
7.
Regarding regulation of the contract between the person in charge and the person in charge of the
subcontracting carried out by the person in charge, the AEPD Guide
advises the application of certain clauses such as the one used by VDF. In such
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 39
39/97
clauses indicates that it corresponds to the initial manager to regulate the new relationship and
with the same formal requirements as with the person in charge.
The aforementioned Guide tries to summarize the initial conditions that must be met by the
contracts between the person in charge and the person in charge, without prejudice to the follow-up that the
responsible must perform to evaluate the effective compliance with the clauses
subscribed.
It should be considered that the Guide contains guidelines that must be adapted to each
specific case, since the cited guide expressly warns that "This document
aims to identify the key points to keep in mind at the time of
establish the relationship between the controller and the person in charge of the
treatment, as well as identifying the issues that directly affect the
management of the relationship between the two. Likewise, it aims to offer guidance, by way of
of recommendation, to prepare the document that regulates said relationship ”.
In the same sense, it is expressly noted that its Annex I when collecting an example
of what could be the contract of the treatment manager, that "These clauses
are for guidance only and should be adapted to the specific circumstances of the
treatment that is carried out ”; in such a way that, throughout the Guide and by multiple
pathways, it is undoubtedly clear that these are orientations, that they are not
exempt the data controller from carrying out the treatment contract according to the
RGPD in relation to the concurrent circumstances in each individual case
concrete.
8.
The need for express prior authorization of the sub-processors is not a
mandatory requirement, but article 28.2 indicates that the person in charge must inform the
responsible and, where appropriate, the latter authorize, thus giving the controller the option of
stand against. This aspect is not contemplated in the AEPD Guide (option B).
Article 28.2 of the RGPD indicates that “The person in charge of the treatment will not resort to another
commissioned without the prior authorization in writing, specific or general, of the person in charge.
In the latter case, the person in charge will inform the person in charge of any change
provided for in the incorporation or replacement of other managers, thus giving the
responsible for the opportunity to oppose such changes ” .
This implies that prior written authorization will be required for the person in charge
of the treatment can resort to another person in charge. And that said authorization can be
specific (with indication of the subcontracted entity) or general. Only in the latter
Of course, there is already a general authorization from the person responsible for the treatment,
It is when you have to report changes in the incorporation or substitution of other
managers, with respect to which, in addition, the person responsible for the
treatment (for example, if it does not meet the technical or organizational measures that
set in the general authorization).
From the above, it is concluded that prior authorization is always mandatory.
The authorization prior to the outsourcing of managers must evaluate, in any case
and among other issues, the technical and organizational conditions that the
in charge of the treatment to carry out the contract. As configured
in article 28.2 of the RGPD is not a simple communication of a formal nature, but
which constitutes a real material requirement for compliance with the GDPR.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 40
40/97
9.
According to the DT5ª of the LOPDGDD, the contracts prior to 05/25/2018
will remain valid until 05/25/2022, so their content cannot be
enforceable as it is not applicable.
The 5th transitory provision of the LOPDGDD determines that “The contracts of
in charge of the treatment subscribed before May 25, 2018 under the
of the provisions of article 12 of Organic Law 15/1999, of December 13, of
Protection of Personal Data will remain valid until the date of
expiration date indicated in them and in case of having agreed
indefinite, until May 25, 2022.
During these periods, either party may require the other to modify
of the contract so that it is in accordance with the provisions of article 28 of the
Regulation (EU) 2016/679 and in Chapter II of Title V of this organic law ”.
The 5th transitional provision of the LOPDGDD allows "to maintain the validity" of the
treatment manager contracts signed prior to the application of the
GDPR. It refers only to the term of the contract.
This is so because in compliance with one's own proactive responsibility for the
responsible for the treatment, require their material adaptation to the RGPD. The
Obligations arising from the legal text must be fulfilled from the full application
of the same in May 2018.
Well, this Provision also refers to the modification of the contract
so that it is in accordance with the provisions of article 28 of the RGPD. As we have
indicated, we can understand that such modification is restricted to the formal content of the
Article 28 of the RGPD, allowing each of the parties to require the other to
modification of the contract in order to comply with the aforementioned precept. But it does not affect the
application of the principles and material obligations of the RGPD since it is a
norm with direct effect of an imperative nature and no provision could go against
of this character.
Therefore, the validity of the contracts of the person in charge of the treatment until the
05/25/2022 will be maintained as long as its content conforms to the principles
provided in the RGPD and the LOPDGDD.
10.
The exhaustive control of the person in charge over those in charge would prevent “that
can dial an unauthorized telephone number ” , having had VDF the
reasonable diligence.
The control of the data controller over the person in charge must be reasonable
and adequate throughout the development of the contract and in this case include
affected the rights and freedoms of the interested parties repeatedly without VDF
has adopted appropriate corrective measures in order to avoid infractions such as
now analyzed.
eleven.
The technical efforts made by VDF have not been taken into account
to implement improvements in the development phase, which were accredited in the
moment of the face-to-face inspection by the AEPD, diminishing the
technical effort in development.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 41
41/97
The technical efforts made by VDF to avoid claims before the AEPD do not
they state that it has been implanted to this day.
12.
The contact information for telemarketing actions made available to
the providers by VDF have been previously contrasted with the data
contained in the internal Robinson and ADigital listings and specifies the time of
use to avoid outdated data.
The data of the interested parties object of advertising actions have not been contrasted
with the advertising exclusion lists and opposition rights, especially when
have been exercised before managers or sub-managers and have not been communicated to the
responsible nor has the latter obliged its communication, especially with regard to
advertising actions that start from random numbers.
13.
The data object of treatment can only be processed by the entities
commissioned in accordance with the VDF instructions that govern the contract, which
clearly establish the conditions under which the treatments of the
personal information.
VDF does not record the monitoring of the execution of the signed contracts
with those in charge in the name and on behalf of the person in charge.
14.
VDF asks providers to notify it of all oppositions that
may occur during telemarketing actions.
There is no evidence that VDF requires managers to communicate the rights of
opposition exercised by the interested parties and has deployed technical and
organizational that allow them to be taken into account in subsequent advertising campaigns.
fifteen.
Personal data from the provider's databases are not transferred
at no time to VDF. Only after contracting the service are they included in the
VDF information system.
The personal data processed by the managers are made on behalf of
and on behalf of VDF as a responsible entity regardless of whether it is
are included in your information system.
16.
After hiring, this is validated after a control call for
quality.
The quality control call is made once the contracting of the
service offered on behalf of VDF, a circumstance that is left out of this
process.
17.
VDF has implemented complementary measures to guarantee a control
detailed information on the activity of service providers when they use their
own databases. This control was estimated to be operational in January
2020 (new routing system through the VDF trunk).
There is no evidence that VDF has implemented technical and organizational measures to guarantee
a detailed control of the activity of those in charge who act on behalf of and
on behalf of VDF as of January 2020. Example of subsequent claims
(January and February 2020) are, among others, the following:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 42
42/97
01/22/2020
E / 02252/2020
AAA
01/23/2020
E / 02255/2020
BBB
01/24/2020
E / 02262/2020
CCC
01/25/2020
E / 02263/2020
DDD
01/27/2020
E / 02266/2020
EEE
01/28/2020
E / 02269/2020
FFF
02/03/2020
E / 02271/2020
GGG
02/03/2020
E / 02274/2020
Hhh
18.
The alleged infringement of art 21 of the LSSICE, does not proceed since the
Legality of the treatments is based on the legitimate interest, as indicated in the
Recital 47 of the RGPD and this is recognized by the AEPD in its report 0173/2018.
The LSSICE requires in article 21 expressly authorized authorization for
electronic advertising communications, and in the present case there is no evidence.
19.
VDF at all times allows the interested party to object to receiving
communications, so it is not appropriate to impute infringement of article 38.3.d).
There is no evidence that both the VDF and the managers and sub-managers who act in
name and on behalf of VDF have the technical and organizational measures that
allow to carry out the right of opposition exercised by the interested party since
the reiteration of advertising actions after the exercise of such right is recorded.
twenty.
Complaints related to the LSSICE are a minority and far from the
total claims submitted.
It appears in the annex to this Proposal that the number of claims for infringement to
the LSSICE amount to twenty-four (24) of the 162 taken into account in this
Resolution.
twenty-one.
Regarding the infractions related to the LGT, VDF always facilitates the
possibility of exercising the right of opposition to the interested party, as stated in art
48.1.b) of said standard. It also appears that VDF previously filters with the lists of
Advertising exclusion before providing potential customer data to suppliers.
And when the databases are external “ it is not possible to materially prevent the
making a call ” (sic) although control measures are being implemented
based on VozIP technology that prevents calling numbers included in lists
of advertising exclusion.
The allegation cannot be accepted since, as stated in the facts
tested and in the attached annex, advertising actions have been carried out on behalf of and in
name of VDF repeatedly even though the interested party is in the relationship of
advertising exclusions or having previously exercised their right to object to
such actions, contrary to the provisions of article 48.1.b) of the LGT.
22.
The AEPD seems to sanction for receiving complaints without verifying the facts
described therein and automatically conclude that they correspond
with illegitimate and contrary actions to the legal system and, therefore, adopting
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 43
43/97
these decisions contrary to the onus probandi principle that governs the law
sanctioner.
It appears in the documentation of the file notified to VDF in March 2020
sufficient reasons to enervate the presumption of innocence since the
VDF in its responses to the information requirements of this AEPD
manifests its error and proceeds to correct it promptly, informing the claimant. Do not
However, this infringing conduct and subsequent adoption of measures allegedly
corrective measures are permanently repeated, and sometimes consist of up to three
subsequent claims of the same affected person after being “supposedly” treated on the
right of opposition to VDF
2. 3.
The quantification of sanctions is disproportionate, and it cannot be argued
that VDF's conduct is a repeated and permanent breach, since only
191 interested parties of the 200 million commercial actions could be affected
carried out by VDF.
Regarding the graduation and final quantification of the proposed sanctions, the
note that, without prejudice to the new amounts indicated in the RGPD and criteria of
graduation applied, and only for comparative purposes with the repealed LOPD, the amount
it would be far superior to the current proposal. Specifically, and for comparative purposes only
With the LOPD, one hundred and forty-one (141) infractions of the RGPD that
would suppose separately and applying the LOPD, an amount close to six
million euros, considering the minimum amount (€ 40,001). In the same sense,
one hundred twenty-four (124) infractions to the LGT and twenty-four (24) to the LSSICE, in
which the amounts have also been weighted jointly.
Furthermore, with respect to the allegation that "they could only be affected
191 interested parties of the 200 million commercial actions carried out by
VDF ”, it should be noted that, as may be the case in this proceeding,
the confluence of various claims of affected individuals is put
shows an action of the person in charge that in general (that is, not
only in the specific cases presented by the claimants) from which it appears that
These specific cases are the reflection of a common guideline or policy applied to all
those affected persons who are in the same case as the interested parties and who are not
are claiming neither before VDF nor before the AEPD.
From the claims presented, a pattern of conduct is inferred in the treatment of
personal data in connection with VDF's marketing operations (which
includes gross negligence in your performance and inaction) that directly impacts, and
in a general and indiscriminate way, in the rights and freedoms of citizens.
24.
They consist of prescribed infractions such as that referred to in E / 07180/2019 and others in the
that no evidence of infringement has been provided (E / 01119/2019 and E / 02809/2019).
The files referred to in the allegation do not appear among the one hundred and sixty-two
(162) valued in this Resolution.
25.
In general, the Initiation Agreement lacks sufficient motivation to support the
imputation to VDF of the infractions that it relates that is a guarantee against the
arbitrary conduct outlawed in the EC
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 44
44/97
Motivation is required for the sake of art. 35 of the LPACAP, establishing the Tribunal
Supreme a series of elements must concur for this to be adequate.
Thus, the motivation has a finalist character, that is, that the requirement is met
legal to explain or externalize the nucleus of the administrative decision, from which
the interested party can deploy his means of defense. As determined by the
Judgment of the Contentious-Administrative Chamber, Section 1, of the Hearing
National of September 13, 2019, " The requirement of the motivation of the acts
administrative responds, according to reiterated jurisprudential doctrine, of which it is
exponent of the Judgment of the Supreme Court of July 16, 2001, for the purpose of
that the interested party can know exactly and precisely the when, how and why
of what is established by the Administration, with the necessary breadth for the defense of
their rights and interests, also allowing, in turn, the bodies
jurisdictional knowledge of factual and regulatory data that allow them
resolve the judicial challenge of the act, in the judgment of its power of review and
control of administrative activity; in such a way that the lack of that motivation or its
notorious insufficiency, insofar as they prevent challenging that act with serious
possibility of criticizing the bases and criteria on which it is founded, make up a vice of
voidability, as soon as the interested party is left defenseless.
All this without prejudice to the logical discrepancy of who obtains a resolution
unfavorable to their interests, which does not constitute a lack of motivation, because their
The right does not reach the granting of the request, since no one has the right to be
give the reason, but that the decision offered offers the necessary explanation
so that the administrator can know exactly and precisely the content of the
act >> ”.
The motivation can be brief and succinct, but always sufficient so that
allow the interested party to know the administrative decision-making reasons (STS of 15
December 1999).
For the motivation to be sufficient, it must be concrete, that is, it must refer to
to the particular case discussed in the specific administrative procedure (STS of 23
September 2008) and consistent with the decision-making content. If the decision
administrative authority involves the exercise of discretionary powers, it is necessary that
the logical process that determines such decision is made explicit (STS of December 15,
1998).
Regarding the lack of motivation of the initiation agreement, reason for which it is alleged
arbitrariness in the performance of this AEPD, it should be noted that they consist
sufficiently reasoned in the commencement agreement the infractions charged on the basis of
in the documentation that is in the file and that has its origin both in the
face-to-face inspection carried out (whose documentation is known to VDF) at the headquarters of
VDF as in the one attached in the claims of those affected and that appears in the
proceedings. In the same sense, the infraction now imputed of Transfer
International without the appropriate measures required in the RGPD, there is also
documented and accredited of the VDF's own manifestations in the
documentation provided to this AEPD.
The examination of the administrative file and the various resolutions issued in
its bosom, is revealed clearly, in a broad and reasoned, concrete and congruent way, the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 45
45/97
why of the administrative decision, complying more than sufficiently with the
prescriptions established by the Law.
III
Regarding the allegations presented to the taking of evidence and the second shipment
of files in order to correct deficiencies in the documentation initially
notified, they are summarized in the following:
1.- Two of the files submitted correspond to the same claim.
2.- Seven of the files submitted were not mentioned in the first
Shipping.
3.- Of the 264 telephone numbers requested from Adigital for verification
In the Robinson list, 33 are not registered, 4 are of a later date, 1 corresponds to
an archived procedure, 1 corresponds to a provider and not a claimant, 1 does not
there are commercial calls received and 1 does not correspond to VDF as an entity
claimed.
In the first place, the allegations made by VDF on 12/1/2020 did not
they detail the procedures to which it refers. However, it is meant that
there are several claims that make up different files of the same
claimant, since for the same facts they have formulated several claims
successive as the VDF continues to carry out the events now charged.
Second, it should be noted that of the initial 191 claims that gave
origin of the present procedure have been eliminated from the valuation, accepting
partially the VDF allegations dated 12/1/2020, twenty-nine claims
(29) for various reasons, such as not including the inclusion of the numbering on time
in the advertising exclusion lists or prior exercise of rights, as well as the lack
numbering of the issuing, incoming call or date of the advertising activity, or that
the claims were directed to entities other than VDF (in two cases). Without
However, if those others in which the VDF itself confirms in its
own written reply to the requirements of the AEPD that the claimant
was included in the advertising exclusion lists or that he had exercised
previously the right of opposition before VDF, and that work in the file.
It should be added that in the Annex of notified files it is true that they appear in
various cases in which some of them do not belong to the present
process. In this sense, it should be clarified that such circumstance is due to the fact that
have also indicated, together with the specific file being assessed in this present
procedure, those previous ones - indicatively and without being added to the
now valued- and with the same claimant for the same facts and already resolved by
Resolution of this Agency in accordance with article 65 of the LOPDGDD, which allows
prove the lack of technical and organizational measures continued over time in
Regarding the attention of the rights exercised by those affected. It can be summed up in
that have also been indicated (without adding to those now valued) the
repeat offenses after resolutions of this Agency in protection of rights
opposition / cancellation previously exercised by the same claimant before VDF. In
The allegations made by VDF on 12/1/2020 do not detail the procedures
to which it refers. All this shows the pattern of behavior, which
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 46
46/97
Above we mention, in relation to the obligations of protection of
data corresponding to VDF.
Regarding the 14 numbers sent to Adigital in the practice of tests that VDF
alleges are repeated, it should be noted that, although what they are is not indicated,
correspond to claims that originate from the same telephone number receiving the
the improper call, so it does not affect the facts now valued.
VDF alleges that another 49 numbers are not in the file, without indicating
which, so its analysis is not possible.
VDF adds that 33 numbers of the practice test list do not include registration in
Robinson, without indicating which ones. In this regard, it has already been indicated and this is stated in the
record, that VDF in its own responses to the requirements of this
AEPD claimed that they were included in Robinson.
The rest of the allegations refer to 4 other telephone numbers receiving the
calls, which does not indicate which ones.
Finally, although these allegations refer to merely formal aspects and without
indicate your reference, it is insisted that from now on they will only be taken into account for your
valuation in the present procedure the claims before the AEPD that appear
in the aforementioned Annex (162 claims), having eliminated from the Annex those
claims / files showing defects, even formal ones.
IV
Regarding the allegations presented to the Proposal for Resolution, they are summarized
as indicated above in the fifth antecedent, in the following:
1. Previous: Reiteration of the allegations presented.
2. First: Arguments against the Proven Facts.
3. Second: Relating to the information request files
referenced in the sanctioning procedure.
4. Third: Rejection by the AEPD of the allegations presented by
Vodafone.
5. Fourth: Presumed breach of article 24 RGPD. Consideration of
Vodafone as the data controller and responsibility of Vodafone.
6. Fifth: Presumed breach of article 28 RGPD. Alleged lack of control
real, continuous, permanent and audited of the treatments carried out by
managers.
7. Sixth: Presumed breach of article 44 RGPD. Transfers
International data.
8. Seventh: Presumed breach of article 21 LSSICE. Send of
commercial communications without consent and to recipients who have
opposed to such treatment.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 47
47/97
9. Eighth: Presumed non-compliance with the General Telecommunications Law (LGT).
Supposed lack of attention to the right of opposition to not receive communications
commercial.
As a question prior to answering the allegations, and regarding the documentary block
provided by VDF, to point out that it is made up of a series of documents among which
find a “ proposal for VODAFONE the DEVELOPMENT AND
HOSTING to control robinsons in the Door to Door area, following their
instructions based on the Robinsones 2020 List Management Service ”, dated 17
August 2020. Such document is unsigned between the parties (page 20
of the aforementioned documentation), in such a way that we are not accredited that indeed such
proposal is implemented.
Likewise, they also provide a contract for the provision of services of the face-to-face channel
between VDF and CASMAR that it seems that they present as a new model to be subscribed with
your suppliers. This contract, although completed with the data of the parties,
it is neither dated nor signed. Nor does it accredit that this contract is
is running at this time or, where appropriate, what are the specific guarantees
implemented on the rights of those affected with which it is being carried out.
Such documents do not prove the installation and current operation of the system.
that they claim to have implemented (which they call "routing"), not even
corroborated by the screenshots presented in the documentation. Furthermore, at the
date continue to initiate sanctioning proceedings for the same facts
as a consequence of the claims presented before this AEPD.
The person responsible for the treatment, derived from his proactive responsibility, must
certify that it has complied, that it complies and that it will comply with the provisions of the
RGPD and LOPDGDD. And to prove that it complies at present, mere
part documents, drafts; it is reliably unknown if it has led to
effect its content. Compliance accreditation must occur through a
certificate of the company itself or with the contribution of the aforementioned documents with
full legal validity (arts. 1254, 1258 and 1261 of the Civil Code).
In relation to this, Report 0064/2020 of the Legal Office of the AEPD attributes
to the person responsible for the treatment, within the obligations of responsibility
proactively, the burden of “… guaranteeing the protection of said right through the
compliance with all the principles contained in article 5.1 of the RGPD,
adequately documenting all the decisions you make in order to be able to
prove it ”.
Notwithstanding the foregoing, we cannot ignore that the fact that they are
implementing this new system indicates that previously they were not
carrying out, that the VDF contributors did not contrast with the Robinson List,
the VDF internal Robinson list or the internal Robinson list of contributors;
and that VDF did not control the contrast process either, that is, it did not know if its
collaborators were complying with his instructions and with the regulations of
Data Protection.
Let us remember that VDF has the obligation to control the treatment of its
collaborators as if he did it himself, implementing all kinds of systems and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 48
48/97
security and monitoring measures that verify compliance with your instructions
and compliance with data protection regulations.
In the new documents provided, they continue with the same approach as the one they have
maintained throughout the procedure in terms of those in charge of the treatment.
That is, they indicate in such documentation that the collaborators with whom they contract
call on behalf of VDF to offer products VDF: "That so
above, the scope of this service provision contract is door-to-door promotion
door of the Services in the name and on behalf of VODAFONE-ES and VODAFONE-
ONO ” (page 24 of the documentation provided).
However, they are forced to present themselves in their own name and as responsible for the
Treatment: “ Likewise, the COLLABORATOR will have its own databases
of potential clients who must comply with the requirements established by the
applicable regulations on data protection and to which the
VODAFONE services in the event that they show interest. Thus,
The COLLABORATOR must present himself to said potential clients on his own
name, as responsible for the treatment of the same, complying with the
applicable regulations regarding the protection of personal data ” (page 30 and 31 of
the documentation provided).
If contributors use their own databases, then VDF considers them
responsible for the treatment until the sale has to be validated. However,
above, VDF has access to these databases through the information that the
telephone numbers that its collaborators use: “ The CONTRIBUTOR must
inform VODAFONE at all times of all those phone numbers that
both the COLLABORATOR and their third-party collaborators use to contact
Clients or possible Clients of VODAFONE in the development of the activity object of the
present contract. In this sense, the use of telephone numbers does not
previously informed VODAFONE will be understood as a breach of the
contract ”(page 33 of the documentation provided).
We can observe a clear incongruity between these manifestations, which
It will result in a lack of definition of who is responsible and in charge of the treatment
between the parties, being able, likewise, to transmit confusing information to the client or
potential customer about who is responsible for the treatment.
The truth is that VDF is responsible for the treatment, since, although the bases
data are not specific to VDF, the company controls them by providing instructions
to carry out the treatments as if they were their own within the framework of a contract in the
that the collaborator acts and processes personal data on behalf of and on behalf of VDF.
Special mention must be made regarding the emails exchanged
by VDF and its collaborators and that have been provided with this documentation. In
an email dated July 30, 2019 VDF indicates to CASMAR, when
use their own databases, which "On the other hand, in the event that they carry out
Calls using their own databases, not provided by Vodafone, must
make sure to:
- That they have the prior and express approval of Vodafone to carry out said
calls.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 49
49/97
- That they have the data in a lawful way, informing and obtaining the
consent of the owners to be able to carry out commercial actions on behalf of
Vodafone. We remind you that the use of databases for the purposes of
recruitment on behalf of Vodafone that do not meet this requirement.
- Filter your databases with public Robinson lists, for example the managed one
by ADigital, prior to the start of the campaign.
- Do not use means of communication that have not been consented to by the
campaign recipients ”, (page 54 of the documentation provided).
This shows that they carry out commercial actions on behalf of VDF. The
Collaborator does not have any own interest regarding the result of the operation,
Except for the financial compensation that you will receive for such service.
That, before making the calls, they have to verify that they have the approval
of VDF. The databases, then, are prepared by the collaborators
specifically for VDF, as they must have your prior approval and go through
various filters. At that time the collaborators are already in charge of the treatment.
In the same email they indicate that “In both scenarios -VDF databases and
collaborator databases- , it is essential that the collaborator:
- Provide a simple means for any recipient of the campaign to
communicate your wish not to continue receiving calls or commercial messages
on behalf of Vodafone.
- Immediately transfer to Vodafone the data of those recipients who
have communicated that they do not wish to receive further commercial communications and
make sure they do not contact them again in future broadcasts ”.
This VDF command, whatever databases are used by the VDF
collaborators (own of the collaborators and elaborated for VDF), puts of
I state again that the collaborator is in charge of the treatment from the
beginning. That, although VDF indicates in the new contract model that they are
responsible for the treatment and that “the COLLABORATOR must appear before
said potential clients on their own behalf, as the person responsible for the treatment of
the same ”, the truth is that it commands them that the right of opposition can be exercised
before the collaborator in front of VDF. This circumstance shows that they are
processing personal data on behalf of and on behalf of VDF.
Previous R)
Regarding the reiteration of the allegations presented, it must be
note that they have already been answered in the Proposal for a Resolution and that they appear in
the FD II of this Resolution.
However, it must be emphasized that the 15 files that are the object of the second shipment
notified in November 2020 they do not correspond to fifteen files
additional, but is due to the material correction of incomplete documentation by
so consider the investigating body, in order to correct deficiencies and avoid in all
moment to violate the right to defense for the sake of the principle of transparency that
must preside over all administrative action.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 50
50/97
Regarding the lack of evidence and imputation of infractions for mere
assumptions, it should be noted that the documentation in the file is
infers undoubtedly the facts now sanctioned. Not only through
face-to-face inspection carried out in September 2019 at the VDF headquarters
and that this is stated in the Inspection Certificate, but in the documentation attached to the aforementioned
Minutes and in the documentation provided by the claimants and which is completed in the
proceedings.
The lack of motivation, alleged in a generic way, in the answer to the
allegations by the investigating body cannot be admitted since the motivation
has been reasoned and sufficient for each of the allegations presented and
in accordance with the provisions of article 35.1 of Law 39/2015. What has not been
distorted by VDF have been the facts now analyzed after presenting this AEPD
Sufficient evidence to prove the alleged facts.
Regarding classifying all the "collaborators" (sic) as in charge of the
treatment when according to the VDF they are not, it is necessary to insist on the provisions of the
definition of "Responsible for the treatment" and reports of this AEPD and the Committee
European Data Protection and that are detailed and developed in the FD of this
Resolution.
Regarding the allegation that the contracting by VDF of its managers of the
treatment is in accordance with the provisions of art. 28 of the GDPR, it must be rejected
plan, since in the FD of this Resolution (and in the Proposal for
Resolution) explains and details in detail the reasons why VDF has
the aforementioned article 28 has been violated.
VDF also alleges that the violation of article 44 of the RGPD (Transfer
International Data without the due guarantees required by the RGPD) does not appear in the
Initiation Agreement when the AEPD already had all the documentation from the
investigation phase. This allegation must be rejected whenever the agreement of
start complies with the provisions of article 64 of Law 39/2015 of October 1, of the
PACAP, where section 2.b) in fine expressly indicates “… without prejudice to
what results from the instruction ”. Said article is complemented by the provisions of the
Article 89.3 of said rule when it states that “In the proposed resolution,
they will fix in a reasoned way the facts that are considered proven and their exact
legal qualification, the infringement that, where appropriate, they constitute, will be determined,
the person or persons responsible and the sanction proposed, the assessment of
the tests carried out, especially those that constitute the foundations
basic measures of the decision, as well as the provisional measures that, if applicable,
they would have adopted… ”.
VDF also alleges that the specific conditions under which the
make claims related to breach of the LSSICE. The allegation
should be rejected since the accreditation that the electronic communication has
been requested or expressly authorized has not been verified by VDF in any
moment even throughout the present procedure, as indicated in article 21.1
of said rule.
Regarding the allegation of lack of accreditation of the breach of article
48.1.b) of the LGT, it should be noted that it has been accredited and thus works in the
documentation of the file regarding the tests carried out that in the name and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 51
51/97
On behalf of VDF, commercial calls were made to lines listed in the
advertising exclusion lists (Robinson), contrary to the provisions of article 23
of the LOPDGDD.
Finally, and grouping the last three previous allegations (9, 10 and 11), it is necessary to
mean that each and every one of the infractions charged in the present
procedure have been sufficiently reasoned and motivated, as well as that in all
At the moment, the proportionality of the sanction has been justified, having, in addition,
VDF warned in the Proposal for Resolution that if files had been initiated
independent, the sanction would be higher.
It also alleges arbitrary action on the part of the AEPD in the processing of the
sanctioning procedure. In this sense, it should be noted that, in the first place, it does not specify
the arbitrary action that it alleges and, secondly, the sanctioning procedure is
has processed in the legally required manner in accordance with the applicable regulations in each
alleged infraction and in accordance with the provisions of the fourth Additional Provision of the
LOPDGDD. Consequently, the claim must be rejected.
1R)
to)
<Regarding the lack of implementation of effective measures, VDF alleges that
has gradually implemented a centralized "routing system" of shares
advertising that guarantees the rights of those affected>.
The allegations are not proven, and if so, the facts to which the
This procedure refers to are prior to the alleged implantation of
said system, so its analysis for the purposes of the infractions does not proceed now
sanctioned, without prejudice to the fact that in the future it will be evaluated in the case of
that its implementation is accredited and is in accordance with the provisions of the RGPD, LGT and
LSSICE.
In addition, it should be noted that the supposed new system implemented for
"Routing" progressively and culminating its supposed implementation in February
of 2020, there is no evidence that it has been effective since they continue to date
receiving claims for the same reasons to this AEPD. And, the greater
abundance, additional or supplemental claims continue to be received from
the now claimants for the same facts without evidence of any action by VDF,
as responsible for the processing of data imputed, to mitigate or
minimize the effects of the violation of their fundamental right to the protection of
data, enshrined in the EC in its article 18.4, and developed in the RGPD and
LOPDGDD, as well as in the LGT and LSSICE, even having knowledge through the
This procedure is their identities and facts that are the subject of the claim.
In this sense, and for informational purposes only, there are new claims
complementary to those already carried out by the following claimants:
Ñ.Ñ.Ñ., E / 10495/2019, dated 09/16/2020, NRE: e2000002161.
OOO, E / 07697/2018 and E / 05544/2019, dated 06/11/2020, NRE: 019495/2020.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 52
52/97
PPP, E / 01633/2019, dated 09/30/2020, NRE: e2000003876.
QQQ, E / 07183/2019, E / 04493/2019, dated 09/26/2020, NRE: e2000003364.
RRR, E / 08276/2019, dated 10/28/2020, NRE: e2000007996.
SSS, E / 08043/2019, dated 10/13/2020, NRE: e2000005754.
TTT, E / 08276/2019, dated 10/28/2020, NRE: e2000007996.
UUU, E / 07106/2019, dated 11/17/2020, NRE: e2000010906.
b) <VDF alleges lack of identification of calling numbers and
recipients>.
In this sense, it is insisted that the files in which the action is not credited
undue commercial have been withdrawn from valuation for several reasons already mentioned
previously. It should be clarified once again, which is stated in the documentation of the
file calls to numbers not included in the exclusion systems
advertising, but that in the response to the request of this AEPD has been
manifested by VDF the inclusion in the advertising exclusion systems and / or
in their systems of exclusion of the receiving line, which is why they appear in the
annexed.
This type of affirmations by VDF has given rise, in the files
concrete in which such an affirmation has been made, to a favorable resolution by
part of this AEPD, so now it is not appropriate to allege otherwise at the risk of what
more interested in each moment. VDF adds that the CASMAR entity (by doing so
extensible to the rest of the intervening entities) is responsible for the databases
of the receiving numbers and without the VDF having intervened even though the
responsible for the treatment. This claim should be rejected outright on the basis of
the very definition of "data controller" in article 4.7 of the RGPD, and
because the VDF itself affirms its non-intervention in the treatment when it is the
responsible for this.
c)
<VDF claims that it has a specific procedure to facilitate the
exercise and attention of the right of opposition in advertising campaigns
managed directly by VDF (SMS and email) and can unsubscribe>
In this regard, it should be emphasized that article 21.1 of the LSSICE requires “request or
express authorization " to carry out the advertising action, without prejudice to compliance
of other requirements, and such request or express authorization is not accredited by VDF
that as the person in charge of the treatment is the one obliged to accredit it.
VDF lists a series of file references in which it indicates that the
affected did not exercise any right. In this regard, and analyzed the references
indicated, it means that once the check has been made, or if they are in
the Robinson list, refer to the lack of express authorization, the affected person accredits
have exercised their rights, or VDF did not respond to the request for information
carried out from the Inspection of this Agency (E / 07056/2019 and E / 08284/2019)
being obliged to do so.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 53
53/97
VDF adds that it is the managers who must make the appropriate consultations to
advertising exclusion lists. In this regard, it should be emphasized again that the
responsible for the treatment, in this case VDF, is obliged, by virtue of the
provided in article 28 of the RGPD, to be contracted with those entities in charge of
sufficient technical and organizational capacity to carry out the assignment and VDF be
able to monitor all the treatment ordered so that the treatments object
Customs strictly comply with the RGPD and LOPDGDD.
d)
<VDF alleges that in Proven Fact Four, reference is made to a
sanction file of reference PS / 00290/2015, when said file is foreign
to VFD>.
In this sense, the material spelling error must be pointed out and corrected, that said
file refers to the reference PS / 00290/2018 as stated in the Agreement
of Start, and of which VDF has full knowledge from the beginning of the present
process.
and)
VDF alleges that it is accused of a general lack of collaboration with the
AEPD. In this sense, the allegation in section c) above has already been answered,
inasmuch as VDF has not responded to several requests for information in the
prior investigation issued by this AEPD, giving rise to its lack of response to the
start of inspection actions.
F)
<VDF alleges inadmissible to impute lack of action and communication with
collaborators>.
In this regard, it should be noted that during the prior inspection process in 2019,
It was established that VDF did not comply with the duty to inform those in charge of
the deficiencies that VDF should have detected in the treatments ordered or
nor did he impose adequate corrective measures, to which he was obliged in
quality of data controller, to avoid in the future the repetition of the
deficiencies in the treatments, either because I was unaware of them, or because simply
It did not demand its correction and adjustment of measures in accordance with the RGPD.
In this sense, there is an email sent in July 2019 to
some of the managers, not all or even the sub-managers, in which it is
informs them of the obligation to cross their files with the exclusion lists
advertising in which no corrective measures were imposed, when on that date VDF
I was already aware of the claims made by the claimants before this
AEPD.
Likewise, there is another subsequent informative letter, in November 2020, with more
information on the fulfillment of its obligations in which it explains to the
managers, and not sub-managers, the new routing system that is being
implementing, with an end date of February 2020, to carry out actions
of marketing, but continues without requiring and imposing corrective measures
adequate to avoid the recurrence of deficiencies in the future even when,
insists, on that date VDF was already aware of the claims made by
the claimants before this AEPD and the inspection had already been carried out
in person by the Inspection of this AEPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 54
54/97
In this regard, it should be emphasized that, regarding the first email of July
2019, the information was partial and with no general character to all those in charge,
and that they in turn inform the sub-managers, otherwise it was an email
specific to certain managers who, even so, there is no evidence that the
obligations that it reported or imposed corrective measures, since
the claims continued.
Regarding the second informative letter of November 2020, it should be emphasized in
which is much later than the investigations carried out within the present
proceedings. Consequently, the effectiveness of the aforementioned email was no more
beyond that an informal communication without intention of obligation and distribution
partial since it did not impose corrective measures.
The emails that VDF sends to some of its treatment managers
reminding you of your obligations in terms of Data Protection are insufficient in
the framework of proactive responsibility. The
insufficiency of the “measures” adopted due to the undoubted fact that the
The problem examined in this sanctioning procedure continues to occur without
solution of continuity.
But it is that, in addition, the abandonment of their obligations is shown by the simple
comparison of the measures that VDF would have taken if data processors
have breached any of the terms that constitute the hard core of the
object of the contract (marketing campaigns). VDF would not have limited itself to sending
e-mails reminders that they have to perform the contract, but that there would be
imposed penalties or even proceeded to the termination of the contract. The same
diligence is what has to be applied regarding proactive responsibility and
Data Protection.
Consequently, the allegation must be rejected as the fault has been established
due diligence by the person in charge (VDF) in the follow-up and monitoring of
data processing commissioned.
g)
On the condition of person or persons in charge of the intervening entities
in the treatments carried out in the name and on behalf of VDF, it has already been
answered in the Proposal for a Resolution. However, the answer is reiterated and
expands on the Fundamentals of Law of this resolution.
2R)
< VDF alleges, among others, the existence of files open to persons
legal and that have been withdrawn for this reason>.
It should be noted that this allegation has already been answered, so it insists on
that the scope of application of LGT and LSSICE includes legal persons. The
The fact that files have been withdrawn (29 in total, of the initial 191) has already
been challenged in the sense that the withdrawal is due to uncertainty in
the data, and not for the alleged reason of corresponding to legal persons and always
for the sake of transparency that should govern all administrative action.
<Regarding the existence of numbering or receiving lines that are not
found in the Robinson list>, it has already been answered that the VDF itself in its
briefs in response to the information requirements stated the opposite and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 55
55/97
accepted their inclusion, informing this AEPD that from now on they were included in the
VDF internal listing of exclusions.
Regarding the files outside the VDF, it has already been answered that they only affected
two and have already been withdrawn from valuation in the present procedure, finding
among the 29 omitted in the Annex.
The fact of withdrawing 15% of valuation files does not imply a decrease
of the guilt in the imputed facts, since an infringement of the RGPD is imputed (together
to those of the LGT and LSSICE) typified in article 83.4 in which it is provided as a limit
maximum administrative penalty the amount of 10,000,000 (or 2% of the billing
annual). In addition, it has already been indicated that having initiated procedures
independent sanctioners, the amount would have been greater than that now sanctioned,
even if the repealed LOPD had been applied. Do not forget that the legislator
The European Union has modified the amount of penalties and is now the applicable regulation.
The amount of the sanction is motivated and adjusted to the law within the
discretionary criteria followed by the doctrine of this AEPD without any
moment can be classified as arbitrary. In this sense, it should be added that
RGPD sanctions are different from those of the repealed LOPD, resulting in the
order of fifteen times higher by mandate of the European legislature, so there is no
they are affordable amounts. In addition, article 83.4 RGPD now imputed, allows
impose amounts up to 2% of the global total annual business volume that, in this
In this case, it is of the order of 1,600 million, so the maximum amount established
legally in the RGPD it could be 32 million euros, and double in the case of the
83.5 RGPD, when the one now imposed is 4 and 2 million euros, respectively,
that is, the fifth (or tenth part in the infraction of art 44 of the RGPD) part on the
applicable maximum. Consequently, the amount of the administrative penalty imposed
(art 58.2.i RGPD) is proportional to the alleged facts.
Regarding the alleged files, the following means:
Regarding E / 04471/2018, there is the line in the advertising excursion system
as recorded in the file and accredited by the claimant with registration number
entry (NRE): 199267/2018.
Regarding files E / 07183/2019 and E / 07940/2019, the
codes (first column of the annex) RDC and RD, respectively, and accredited by the
documentation in the file.
<Regarding the different legal personality alleged of the VDF ESPAÑA entities,
VDF ONO, LOWI and VDF Services>, it should be noted that in the Inspection they witness
before VDF it was stated that the aforementioned entities are part of the VDF Group in Spain
and that with regard to marketing actions are governed by the same
procedure and that said Group was represented by Vodafone España SAU, as it was
the person responsible for the decisions of the treatments of the rest.
And so it is stated in the Inspection Certificate:
page 2 Inspection Certificate,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 56
56/97
<< The entities that are part of the Vodafone Group in Spain are VODAFONE
ESPAÑA SAU, (hereinafter VDF) VODAFONE ONO, SAU (VDFONO hereinafter
hereinafter) and VODAFONE ENABLER ESPAÑA, SL (hereinafter LOWI), hereinafter
referred to direct marketing actions, specifically to the management of
recruitment campaigns, in general, are governed by the same process, (with
small differences relating to, for example, teleshopping providers (TVTA in
successive). •
Regarding the process of unifying the information systems between VDF and
VDFONO, the process regarding the segment "individuals" is finalized, while
that the process regarding the “companies” segment is currently on hold
until having the appropriate verifications of its correct operation in the segment
"Individuals". LOWI's Customer Management Systems (CRM hereinafter)
they remain independent >>).
In this regard, it must be emphasized in what has already been said previously that the decision by VDF of
continue currently working with the entities in charge of the treatment that
they already provided the service in ONO before the merger with VDF (on 01/10/2018),
certifies that the person responsible for the treatment operations analyzed in the
This procedure carried out by ONO from that date is VDF. For such
reason, the infractions analyzed in this procedure are imputed
entirely to VDF as it is the entity that decides the ends and means, without prejudice to
that Lowi's customer management information systems continue to be
Independent.
<Regarding the content of the Annex attached to the Proposal for Resolution>, it is
It means that the JJJ acronym claimant has the reference E / 01489/2019.
Regarding the claimant of acronyms LLL, the references E / 07671/2018 correspond
and the subsequent research reference E / 04688/2019, as well as the references
E / 08243/2018 and E / 07690/2018. Regarding the claimant of acronym MMM ,
correspond to the reference E / 01633/2019. And regarding the claimant of acronyms NNN
the references E / 10149/2018 and that of the subsequent investigation actions
E / 07960/2019, as well as the file references E / 07775/2019 and
E / 07960/2019. However, this allegation does not affect the merits of the case, limiting itself
to make some corrections when the important thing would have been to enter the file
and settle the issues raised in the claim, which are none other than the
violation of the fundamental right to data protection of the complainants and
correct, now yes, the organizational and technical deficiencies that cause the
claims, or where appropriate, minimize their impact.
<As an allegation of duplication of "procedures" (sic)>, which must refer to
"Files" (section 5), the following should be noted, the same as in the previous
paragraph, which is now corrected, and that the reference file must appear
E / 09407/2018.
However, once the aforementioned material errors have been detected in the Annex, and now
correct, it should be noted that they do not affect either quantitatively or on the
matter raised in this proceeding nor do they cause any defenselessness because the
claimants are the same and are in the heart of this procedure,
Therefore, after its correction in accordance with article 109.2 of Law 39/2015, of PACAP, the
claim must be rejected.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 57
57/97
In section 6 of the same allegation, it insists on the lack of documentation of the
reference files E / 07608/2018, E / 07190/2019 and E / 07188/2018 (the latter
has not been found affected by the procedure, so the
reference provided). Regarding the first two, claimants with acronyms FJJN and
FRPM respectively, it should be noted that there is no evidence that the information provided
by this Agency has been incomplete after the correction made by the Instruction
with the second shipment of documentation in November 2020. Consequently, the
claim must be rejected.
Finally, in section 6 of the second claim, it is added that <the AEPD has not
issued to all claimants notice of the agreement to initiate this
procedure, so once again the conduct of the AEPD has been arbitrary>.
In this regard, this Agency does not record the facts referenced, so the
The allegation must be rejected, and regarding arbitrariness it should be noted that the Proposal
Resolution has been reasoned and adjusted both in form and in substance to the
legally established regulations, so that there is no arbitrary behavior or
unfounded by the AEPD.
3R)
VDF alleges, <that DF III of the Proposal for Resolution does not answer with
sufficient motivation for the allegations presented, which undermines the right to
defense of the alleged entity>.
In this regard, it must be added that the reply by the investigating body to the
allegations made by VDF after the agreement to initiate this procedure,
they were answered in their entirety and sufficiently reasoned. We bring back to
this point the reasoning already set out in this resolution on what is really
constitutes lack of motivation and that can produce helplessness, and that, does not occur
in the assumption examined.
However, add that with respect to the claim made by VDF that <” AEPD
does not seem to take into account that these are third-party entities and that the controls have
to respect current regulations on commercial and labor matters. The level of control
intended by the AEPD (continuous, permanent and audited) not only does it not have
legal support, but would imply an interference in the activity of the collaborators
that can hardly be executed without violating these regulations (ie possible
indication of illegal transfer of workers from these companies to companies
main). Especially considering that the AEPD's criteria to assess whether a
control is adequate or not, it is only that of its result and, in his opinion, it only enjoys
of such a condition if it is absolutely infallible ”>, it should be noted that there is no
no transgression in the activities of the collaborators because there is no impact on
its commercial activity, but only in what affects the processing of data of a nature
personal.
The person responsible for the treatment is the one who has the ability to determine the purposes and
the means of the treatment and in this case a contract of manager of the
treatment. Indicate the means of treatment, how the treatment has to be carried out
by means of the corresponding instructions and how to verify that it is
Executing in the manner entrusted does not imply neither more nor less than delimiting
elements of the contracting that is being carried out between both
entities.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 58
58/97
There would in no case be that illegal transfer of workers that they allege. First,
because none of the circumstances legally foreseen for
this as it comes from art. 43 of Royal Legislative Decree 2/2015, of October 23,
approving the revised text of the Workers' Statute Law (a
from now on, ET); thus neither the object of the service contracts between the companies
is limited to a mere making available to the workers of the transferring company to
the transferee company, nor does the transferor company lack an activity or a
own and stable organization, or does not have the necessary means for the
development of its activity, or does not exercise the functions inherent to its condition of
entrepreneur: here we find two different legal entities that have their own
own organizational structure, where there is no possible confusion between the two.
And, secondly, because the person responsible for the treatment does not send instructions or orders
to the employees of the manager, but to the manager himself, who will act as
consider the management power over your own employees (art. 20.3 ET).
Without prejudice to expanding the answer to the following sections of the allegation in
the following Fundamentals of Law and those already answered during the
sanctioning procedure and that has already been included above in the present
resolution, we now proceed to answer succinctly:
Regarding the erroneous inclusion of files, it has already been answered, not without insisting
now that the withdrawal of 29 files has not been motivated by the "inclusion
erroneous files ”, but for the sake of transparency, and only in two cases and that
Through the hearing provided to VDF for the instruction to the documentation of the
file has been corrected,
Regarding the confusing and disorderly exposition of the initiation agreement, note that the
allegedly has not requested any practical evidence in order to clarify, in his opinion,
deficiencies that prevent you from exercising your right to defense, which if you have
instructor body in order to avoid it. It should be added that the documentation sent to
VDF in March 2020 is duly ordered in order of entry date
in this AEPD.
Regarding the previous filtering of the VDF database, note, as it has been
accredited (On-site Inspection of September 2020), that in none of the chaos
this filtering has been successful. Not in the databases owned by VDF, every time
that delivered to the managers they did not filter with the exclusion lists
exercised before them, nor in the databases from those in charge of the
they were not filtered with the VDF exclusion listings. In both cases, there was
a total lack of communication between the treatment participants (VDF and
managers and vice versa) as a consequence of poor organizational means and
technicians established in the communication protocols between the entities, which
they simply did not exist, and that their correct implementation was the responsibility of VDF
as responsible for the treatments carried out between the entities
intervening parties. All this has led to the violation of the guarantees and rights of
those affected in a systematic way and without the person in charge (VDF) detecting it and in its
case, correct. Furthermore, it is materially impossible for the managers to follow
the instructions of the person in charge (VDF) simply because these instructions or
they were confusing, or they were rare, or they did not exist, which cannot be accepted
entity such as VDF, which is one of the first telecommunications operators in the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 59
59/97
country with millions of subscribers and, at least it is assumed, with sufficient experience and
linked to the performance of personal data processing. In short, VDF does not
intervened, and must imperatively intervene, to oblige those in charge of all
moment to respect the guarantees and rights imposed by the RGPD.
It should be added that, with respect to the LGT, the right to object must be interpreted
according to the RGPD and LOPDGDD, while according to the LSSICE it is necessary
prior authorization for electronic communications. In both cases, neither
the person in charge (VDF) has implemented the appropriate protocols for
communication between the different intervening entities in order to guarantee the
rights of those affected, despite being legally obliged to do so.
Regarding the fact that VDF will implement the rejection of contracts that do not comply with the
protocol established by VDF, it should be noted that, first of all, that protocol
must exist containing detailed instructions and mandates that in a way
clearly avoid any deviation of actions; and secondly, and in what now
affects, it is not enough to reject contracts that violate this type of
established protocols, but what must be avoided is reaching that
situation previously violating the guarantees and rights of those affected.
Regarding the new "routing" system supposedly implemented by VDF of
progressively and with an end date in February 2020, it has already been said in this
Resolution that is neither accredited nor there are indications that it is, since the
own claimants of the files of this procedure have presented with
after that date new claims complementary to the initial one and
the AEPD continues to receive claims for the same events to date, in
concrete one years later. All this denotes that either the new system has not been
implanted, or where appropriate, it is highly inefficient so it should be reconsidered
its structure and operation. The infringement of the rights of the interested parties is
keep producing.
VDF alleges that no corrective measures have been implemented because the facts are
"Sporadic and exceptional" (sic). Just remember the forty plus
disciplinary proceedings initiated in the last two years to VDF by this AEPD and
the high percentage of material and human resources that this AEPD is using
to safeguard or restore the fundamental right to data protection and
guarantees of those affected as a result of the numerous claims that
are reiterated before this AEPD against VDF. Consequently, qualify as “sporadic and
exceptional ” the facts now analyzed cannot be admitted.
Regarding the fact that the AEPD has not accredited the infractions committed, the present
procedure deals with it and thus they are duly documented, and by not
mere assumptions as alleged, but by objective facts that are accredited
from the documentation provided by the claimants as well as from the investigations
carried out by this AEPD, and that VDF has not been able to disprove.
4R)
About the Data Controller as indicated in art 24 of the RGPD, is
a broad concept, which seeks to provide effective and comprehensive protection to
interested.
This has been determined by the case law of the CJEU. For example, the STJUE in the case
Google-Spain of May 13, 2014, C-131/12, considers in a broad sense the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 60
60/97
responsible for the treatment to guarantee “ an effective and complete protection of
interested ”.
In the same way, such effective and complete protection must be deployed in the assumption
that the data processing is carried out by the person responsible for the treatment through a
in charge of the treatment, because if not, it would be violating the letter and the purpose of the
GDPR. There would be a "flight" of the right to data protection.
Thus, in the Report of the Legal Office of the AEPD of July 20, 2006, it is found
that “what is important to delimit the concepts of responsible and in charge of
treatment does not turn out to be the cause that motivates the treatment of these, but the sphere
of direction, control or management that the person in charge may exercise over the
treatment of personal data that are in their possession by virtue of
that cause and that it would be entirely forbidden to the person in charge of the treatment ” ; in
In our case, the control, direction and ordering of the treatment corresponds to VDF.
When the managers use their own databases, the control, direction and
ordering of VDF, in whose name and representation they call potential clients. The
The manager does not decide on the purpose of its databases, but it is VDF who
it tells them what they can and should use them for.
The art. 33.2 of the LOPDGDD indicates that they are considered responsible and not in charge
those who "in their own name and without evidence that they act on behalf of another
establish relationships with those affected ” ; which, interpreted in the opposite sense,
assumes that the person in charge is the person who on behalf of the person in charge establishes relations with
the affected. This is regardless of whether it is necessary to access data
on behalf of third parties.
The manager, to be one, has no self-interest in the outcome of the
Treatment object of order, without prejudice to the financial compensation received
for the service provided and what happens in the case under examination. The
managers have no interest of their own, act on behalf of and on behalf of the
responsible, fulfilling his orders and for his purposes, and this is what
determines that they are commissioned from the beginning. The use of own databases or
alien in nothing changes such perception.
In this sense, Report 0064/2020 of the Legal Office of the AEDP (dated
12/18/2020) establishes that “Likewise, another criterion to consider is whether the entity
involved in the treatment does not pursue any purpose of its own in relation to the
treatment, but you are simply paid for the services rendered, since in
in this case, he would act, in principle, as manager rather than responsible
(section 60) ” - Guidelines 07/2020 of the European Data Protection Committee
(CEPD) on the concepts of data controller and processor in the RGPD
(pending final adoption at this time after completing the process
of public consultation) of September 2, 2020-.
Regarding the non-application of the aforementioned STS 1562/2020, we must mean that if
turns out to be applicable to the present case since what it shows is that
For the purposes of data protection regulations, an entity is in charge of
treatment, even if you work with your own databases. The situation is the same
than in which we are now, with the difference that VDF is identical
circumstance has understood that its collaborators are not in charge of treatment
but responsible for the treatment.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 61
61/97
It is crystal clear that you are responsible for the treatment when you decide
on the means and purposes of the treatment. VDF claims to the contrary that “it cannot be
responsible for the treatment of practically all the personal data object of
analysis in this procedure, as it is not the entity that provides the bases
of data in question, does not provide the collaborators with the means to carry out the
data processing, nor does it decide, or set in any way, the parameters
identification of the recipients of the commercial action, being this carried out in
completely independently, and in their best judgment, by the
collaborators ”. However, you are determining the means of treatment when
chooses that collaborators use their own databases, specially elaborated
for VDF, and allows them a certain margin of action with respect to the parameters
identification of the recipients of the commercial action.
Ratifying the foregoing, Report 0064/2020 of the AEDP Legal Office (of
dated 12/18/2020) asserts that “In any case, it should be carefully analyzed and in
depth of the legal relationship established between the parties in order to identify
who determines the ends and the means, for which the repeatedly cited
CEPD guidelines give different criteria that can be used to establish these
positions, assuming that the word "determine" implies actually exercising a
influence on the ends and means, for which it is not an obstacle that the service is defined
in a specific way by the person in charge, provided that the person in charge is
present a detailed description and can make the final decision on how to
that the treatment is carried out and to be able to request changes if necessary, without
that the person in charge can subsequently introduce modifications in the elements
essential processing without the approval of the person in charge (section 28) or
give the manager a certain margin of maneuver to make some decisions
in relation to the treatment (section 35) being able to leave to the person in charge the taking of
decisions on non-essential means (paragraph 39), so that the processor does not
you must treat the data in a way other than in accordance with the instructions
of the person in charge, without prejudice to the fact that said instructions may leave a certain degree
of discretion on how to best serve the interests of the controller by allowing the
in charge of choosing the most appropriate technical and organizational measures (section 78) ”.
It is clear that VDF, having examined the specific case of this proceeding
sanctioner, is someone who "really exerts an influence on the ends and the means";
the simple assertion of VDF that its collaborators are not in charge of the
treatment does not undermine the reality of the facts. It is VDF “who can take the
final decision on the way in which the treatment is carried out and can request
changes".
In relation to the means of treatment, the person in charge of the treatment will establish
the means of treatment to a greater or lesser extent depending on your strategy
commercial. The fact that the person in charge of the treatment Vodafone grants certain
room for maneuver or that your instructions leave you some discretion, do not
obstacle so that you continue to be considered in charge of the treatment.
For all these reasons, VDF collaborators are legally in charge of the treatment
because VDF determines the means (the collaborators' own databases)
although VDF provides them with instructions allowing them a certain margin for this purpose
autonomy in terms of the choice of parameters to make these calls.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 62
62/97
Determine what are the means of treatment, what covers with what, how and the
when the treatment is to be carried out, encompasses any decision-making action
of the person responsible for the treatment, regardless of the extent of it.
VDF adds that “ Complementarily to the above, as the AEPD well knows, the
position of advertising service providers is subject to regulation
specific in article 46.2 of the RLOPD regarding the processing of data in
advertising campaigns, regulations that remain in force as long as they do not contradict or
conflicts with the provisions of the RGPD, establishing, in its section 2 b), that:
"In the event that an entity contracts or entrusts third parties to carry out a
specific advertising campaign for your products or services, entrusting you with the
treatment of certain data, the following rules will apply: b) When the
parameters were determined solely by the contracted entity or entities,
said entities will be responsible for the treatment ”.
Well, the sole repealing provision of the LOPDGDD establishes in its section
third that “Likewise, any provisions of equal or lower
rank contradict, oppose, or are incompatible with the provisions of the
Regulation (EU) 2016/679 and in this organic law ”.
Although it does not expressly repeal the RLOPD, it will be understood tacitly repealed
in all those matters that contradict, oppose, or are incompatible
with the provisions of the RGPD and the LOPDGDD. The precept of the RLOPD cited is
surpassed by the RGPD and the LOPDGDD, according to the conceptualization of what it is to be
responsible and in charge of the treatment.
In any case, we are not in a factual situation in which the parameters
they are determined solely by the contracted entities; rather the opposite, it is
VDF who, as the data controller, is setting the parameters.
In summary, in the assumption examined, the collaborators hired to carry out
direct marketing actions, are responsible for the treatment of VDF when carrying out
direct marketing actions in his name and on his behalf. They act under the
VDF brand exclusively. It is VDF who determines the ends and means of the
treatment, being significant that the databases which the person in charge of the
treatment makes available to VDF are prepared specifically for these
last (it is the medium that VDF chooses). And, we cannot forget, even if it is by title
merely illustrative, that the new routing system, which they point out to have
implemented, integrates all those in charge of the treatment in such network of
routing.
5R)
Going to the genesis of the concept of data processor and following the
Opinion 1/2010, of 2/16, of the GT29, “ The concept of data processor does not
contained in Convention 108. The role of the processor was recognized
for the first time in the Commission's first proposal - although it did not introduce
the concept— in order to “avoid situations in which the treatment by third parties
on behalf of the person responsible for the treatment of the file has the effect of reducing the
level of protection enjoyed by the interested party ”. The concept of manager
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 63
63/97
treatment is only explicitly and autonomously included in the modified proposal of
the Commission and after a proposal from the European Parliament when, before
cover its current formulation in the Common Position of the Council. like the
definition of the controller, the definition of the controller
encompasses a wide variety of agents who can play this role ('person
physical or legal, public authority, service or any other body »). Existence
of a processor depends on a decision made by the
data controller, who may decide that the data is processed within its
organization, for example by personnel authorized to process data under their
direct authority (see, conversely, article 2.f)), or delegate all or one
part of the processing activities in an external organization, that is - as
stated in the explanatory memorandum to the Commission's amended proposal—,
in "a legally distinct person acting on his own behalf."
Therefore, in order to act as data processor, two
basic conditions: on the one hand, to be a legal entity independent of the
responsible for the treatment and, on the other, carry out the processing of personal data by
account of this one ”.
Regarding the allegation made, VDF answers in it when it indicates that
“Actually, the referred regulation establishes the obligation on the part of the person responsible for
carry out suitability checks during the selection of those suppliers to
those who intend to provide personal data and, likewise, the minimum conditions under
which they must process said personal data, and said
conditions in the corresponding contract that will contemplate all aspects
required in article 28 RGPD… ”, which in the present case has not been done.
Article 28.1 of the RGPD states: “1. When a treatment is to be carried out for
account of a data controller, this will only choose a manager who
offers sufficient guarantees to apply technical and organizational measures
appropriate, so that the treatment is in accordance with the requirements of the
this Regulation and guarantee the protection of the rights of the interested party. " . I know
notes that it refers to the technical and organizational measures that must be
guarantee in all treatment subject to order. That is, since before the order
of the treatment itself, as it is the appropriate choice of the one who will act
as manager, until the end of the service as indicated in the article itself
28.3.g).
And continues article 28.3.h): “will make available to the person in charge all the
information necessary to demonstrate compliance with obligations
established in this article, as well as to allow and contribute to the realization
of audits, including inspections, by the manager or another auditor
authorized by said person in charge ”.
Regarding the performance of audits as an ideal means for the person responsible
of the treatment continuously supervise the person in charge of the treatment, the
Guidelines 07/2020 of the European Data Protection Committee (CEPD) on the
concepts of data controller and processor in the RGPD of 2 of
September 2020 establish that -the translation is ours- “97. The obligation to
use only processors "who provide guarantees
sufficient "contained in article 28, paragraph 1, of the GDPR is an obligation
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 64
64/97
keep going. It does not end when the controller and the person in charge of the
treatment enter into a contract or other legal act. Instead, the controller must, at
appropriate intervals, verify processor warranties, including through
audits and inspections where appropriate ".
In the same way that the person responsible for the treatment audits those treatments that
performs directly and by your hand, you must audit the treatments that other
performed by your order.
In the present case, VDF has not complied with either of the transcribed sections,
especially, when being able and having the legal obligation to do so (with audits
and inspections), VDF has not required the data controller to comply with
its obligations, a breach that should be attributed only to VDF as responsible
treatment.
6R)
Regarding the breach of article 44 of the RGPD.
Of the evidence in the documentation of the file and this is reflected in
the TWENTIETH Proven Fact, specifically the treatment manager contract
signed between VDF and Casmar on 05/1/2019, in which VDF as responsible
of the treatment subscribes with Casmar that to carry out the treatment object of
order is made from a third country (Peru) without complying with the due guarantees that
required by the RGPD, by consenting - with full knowledge of the signatory parties since
as stated in the contract- that Casmar will carry it out through the entity
sub-manager (A-Nexo) in the name and on behalf of VDF (according to the signed contract of
date 05/01/2019 between VDF and Casmar and the subsequent contract signed between Casmar and A-
link dated 06/27/2019). In said contract it is stated verbatim: “location of the
treatment: Peru ”(sic). Consequently, the person responsible for this Transfer
International (TI) without the due guarantees agreed between VDF and Casmar through
the sub-commissioned entity based in Peru -A-nexo-, is none other than VDF when acting in
quality of data controller commissioned under the aforementioned conditions
For this reason, VDF is the one obliged to impose and establish the due guarantees so that
that IT can be carried out according to the requirements established in the RGPD.
7R)
Regarding the breach of article 21.1 of the LSSICE.
Article 21 of the LSSICE: " Prohibition of commercial communications made to
via email or equivalent electronic means of communication.
1. The sending of advertising or promotional communications by
email or other equivalent electronic means of communication that
had not previously been requested or expressly authorized by the
recipients of the same.
2. The provisions of the previous section shall not apply when there is a
prior contractual relationship, provided that the provider had obtained lawfully
the recipient's contact details and will use them to send communications
commercial related to products or services of your own company that are
similar to those that were initially contracted with the client.
In any case, the provider must offer the recipient the possibility of opposing the
processing of your data for promotional purposes using a simple procedure
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 65
65/97
and free, both at the time of data collection and at each of the
commercial communications that you direct.
When the communications have been sent by email, said
means must necessarily consist of the inclusion of an email address
email or other valid email address where this right can be exercised,
being forbidden the sending of communications that do not include said address ”.
It is already established from the beginning of the procedure that the marketing actions in
name and on behalf of VDF would be made using random numbers (and
e-mail addresses) to "potential clients" in whose domicile or area was available
installed VDF services. It has also been alleged that such numberings
(used to send SMS) were previously crossed with the lists of
advertising exclusion, which at no time is done and without prejudice to
which is explained later.
Now VDF alleges that the SMS sent were made to clients under the
exception of article 21.2 of the LSSICE.
Well, it could be like this in some chaos unrelated to this procedure, but at present
If the opposite has been proven, that is, that the recipients were not customers of
VDF and had even exercised their right of opposition, so the
application of the aforementioned section of article 21 (21.2) of the LSSI. Files
Relating to non-compliance with the LSSICE are indicated with the code “C” in the
column of the Annex to the Proposal for Resolution and which is now also attached.
Consequently, the claim must be rejected.
8R)
Regarding the LGT, VDF alleges alleged non-compliance.
The Preamble of the LOPDGDD states the following:
"In Title IV there are collected" Provisions applicable to specific treatments ",
incorporating a series of assumptions that in no case should be considered
exhaustive of all lawful treatments. Within them it is worth appreciating, firstly
Second, those for which the legislator establishes a presumption "iuris
tantum »of prevalence of the legitimate interest of the person in charge when they are carried out
with a series of requirements, which does not exclude the legality of this type of treatment
when the conditions set forth in the text are not strictly fulfilled, although in
In this case, the person in charge must carry out the legally required weighting, when
not presume the prevalence of their legitimate interest. … "
Article 23.4 of said rule (LOPDGDD) states:
"4. Those who intend to make direct marketing communications must
previously consult the advertising exclusion systems that could affect your
action, excluding from the treatment the data of those affected who had
expressed their opposition or refusal to it. For these purposes, to consider
Once the above obligation has been fulfilled, consulting the exclusion systems will suffice.
included in the list published by the competent control authority.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 66
66/97
It will not be necessary to carry out the query referred to in the previous paragraph when the
affected would have provided, in accordance with the provisions of this organic law, its
consent to receive the communication to whoever intends to carry it out. ".
It is already indicated in this Resolution (FD V) and that it is not necessary to reiterate, the reasons
whereby the application of the LGT prevails in Spanish law, as a norm
special, against the RGPD and LOPDGDD as general rules.
In the present case, since the authorization provided in the second
paragraph of the aforementioned section 4 of article 23, because there is no consent of the
claimants, has been sufficiently accredited throughout the procedure that
both VDF, as responsible for the treatment, and those in charge who
they acted on behalf of and on behalf of VDF they did not suppress those receiving lines
that were previously included in the advertising exclusion systems of
your marketing actions. This is reflected in the column of the Annex of the
Motion for a Resolution and which is now also attached with the code "R".
Consequently, VDF has violated the aforementioned article 48.1.b) in relation to the 23 of
the LOPDGDD for which the allegation must be rejected.
9R)
VDF alleges a clear defenseless position during these proceedings
sanctioner.
Regarding the principle of prohibition of arbitrariness, it should be noted that there is no evidence
any action by this AEPD of diversion of legal actions, but that all the
The procedure followed has been adjusted to the legal regulations both in form and in the
motivations for their administrative acts, evidence and other legal guarantees and
constitutional enforceable.
There is no doubt that the present sanctioning procedure is complex and voluminous,
but even so, all the required legal guarantees have been met. Even in the
rectification of material errors as indicated in art. 109 of the LPACAP, in
special in the complementary shipment is rectification -that not of inclusion of new
files-, giving a hearing to the interested party as indicated in the aforementioned norm and art
105 of the EC To which must be added that, while the suspension of deadlines
In accordance with the state of alarm decreed in Spain, the investigating body considered
as an urgent procedure, sending the file (it was carried out in March 2020) in order to avoid
defenselessness and that during the time the defendant was suspended, the defendant ordered
the time needed to analyze the documentation (about ten thousand pages), which in
normal conditions without suspension of terms would have had a maximum of 15 days
deadline for the study and preparation of the defense line.
Regarding the imputation of infringement of article 44 of the RGPD (Transfer
International personal data without the guarantees required in the RGPD) in the
Proposed Resolution, mention has already been made in this Resolution.
Finally, it should be meant that VDF has not requested any test practice
during the sanctioning procedure in support of any line of defense that
considered appropriate in the face of the imputed infractions. The only test practiced
has been requested by the investigating body in order to avoid defenselessness of the claimed, has
proceeded to correct material errors after analyzing the more than ten thousand sheets
of which the file consists and has provided VDF with an Annex with the summary
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 67
67/97
structured the facts precisely so that it would have the possibility of treating it
automatically and for the sake of transparency and thus avoid any impediment that
could cause a reduction in their rights, giving the mandatory hearing and
deadline for allegations, as VDF has done. Consequently, it proceeds
reject the allegation as there is no arbitrariness in the actions of the AEPD or
violation of the defense principle, but it is established that during the development of the
This sanctioning procedure has been observed all the legal guarantees
established.
V
Article 2.4 GDPR. Relationship with Directive 2000/31 / EC of the European Parliament and
of the Council of June 8, 2000 regarding certain legal aspects of the
Information society services, in particular electronic commerce in the
internal market (hereinafter Directive 2000/31 / EC).
"4. This Regulation shall be without prejudice to the application of the Directive.
2000/31 / EC, in particular its rules on the liability of providers
intermediary services established in its articles 12 to 15 ”.
In this regard, LSSICE incorporates the aforementioned Directive into the Spanish legal system
2000/31 / EC.
Article 95 GDPR. Relationship with Directive 2002/58 / EC of the European Parliament and of the
Council of July 12, 2002 regarding the processing of personal data and the
protection of privacy in the electronic communications sector (as far as
successive Directive 2002/58 / EC).
"This Regulation will not impose additional obligations on natural persons
or legal matters regarding treatment in the framework of the provision of services
public electronic communications in public communication networks of the
Union in areas where they are subject to specific obligations with the same
objective established in Directive 2002/58 / EC of the European Parliament and of the
Council of July 12, 2002 ”.
In this regard, the LGT incorporates the aforementioned Directive into the Spanish legal system
2002/58 / CE.
In relation to the aforementioned articles of the RGPD mentioned above (articles 2.4 and 95) and the
mentioned LGT and LSSICE, the Legal Report of this AEPD of
reference 0173/2018, already known to the investigated person who alleges it in her writing.
In the same sense, Opinion 5/2019 is pronounced on the interaction between the
Directive on Privacy and Electronic Communications and Regulation
general data protection, in particular with regard to competition,
functions and powers of the data protection authorities Adopted on 12
March 2019, in paragraphs 66 to 70 and 86 in conclusions, and which are reproduced below
continuation:
<66. In the event that national legislation confers on the protection authority of
competency data for the application of the Directive on privacy and
electronic communications, the legislation should also determine the functions and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 68
68/97
Powers of the data protection authority in relation to the application of the
Directive. The data protection authority cannot automatically trust
the functions and powers provided for in the RGPD to adopt measures to make
comply with national regulations on privacy and communications
electronic, since these functions and powers of the GDPR are linked to the
application of the GDPR. National legislation may assign functions and powers
inspired by the GDPR, but can also grant other functions and powers to the
data protection authority for the application of national regulations on the
privacy and electronic communications in accordance with article 15 bis of
Directive.
67. Discretionary power only exists within the established requirements and limits.
in higher standards. Article 8 (3) of the Charter requires that compliance
of the regulations on the protection of personal data is subject to the control of a
independent authority.
68. When the processing of personal data activates the material scope of application
both the GDPR and the Directive on privacy and communications
electronic data protection authorities are competent to control
subsets of the treatment that are governed by national standards of
transposition of the Directive only if national law confers on them this
competence. However, the competence of the data protection authorities
under the GDPR in any case remains non-exhaustive as regards
processing operations that are not subject to the special rules
contained in the Directive. This demarcation line cannot be modified by the
national legislation transposing the Directive (for example, by extending the
material scope of application beyond what is required by the Directive and granting
exclusive powers for said provision to the national authority of
regulation).
69. Data protection authorities are competent to enforce the
GDPR. The mere fact that a subset of the treatment is included in the
scope of the Directive does not limit the competence of the
data protection under the RGPD.
70. When exclusive jurisdiction has been granted to a body other than the
data protection authority, national procedural law determines what should
occur when interested parties file complaints with the protection authority of
data, in relation, for example, to the processing of personal data in the form of
traffic or location data, unsolicited electronic communications or
collection of personal data through cookies, without also reporting an infringement
(potential) of the GDPR.
86. When the processing of personal data activates the material scope of application
both the GDPR and the Directive on privacy and communications
electronic data protection authorities are competent to control
the data processing operations that are governed by the national regulations of
electronic privacy only if national legislation confers on them this
competence, and such control must take place within the supervisory powers
assigned to the authority by the national legislation that transposes the Directive. >>
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 69
69/97
Consequently, in relation to the specific matter regulated by the LGT and the
LSSICE, these laws must prevail by reason of matter against the RGPD and
LOPDGDD, without prejudice to the fact that the former may need to be
complemented by the legal figures developed by the latter.
Without prejudice to the subsequent development of the events now analyzed from the
perspective of the aforementioned special laws (LGT and LSSICE), the
definitions of the legal concepts that the RGPD indicates in article 4:
Article 4 GDPR. Definitions
For the purposes of this Regulation, the following shall be understood as:
1) "personal data": any information about an identified natural person or
identifiable ("the interested party"); an identifiable natural person shall be considered any person
whose identity can be determined, directly or indirectly, in particular by means of
an identifier, such as a name, an identification number, data from
location, an online identifier or one or more elements of the identity
physical, physiological, genetic, psychic, economic, cultural or social of said person;
2) "treatment": any operation or set of operations carried out on
personal data or personal data sets, whether by procedures
automated or not, such as collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction;
6) "file": any structured set of personal data, accessible in accordance with
to specific criteria, whether centralized, decentralized or distributed in a
functional or geographic;
7) "data controller" or "controller": the natural or legal person,
public authority, service or other body that, alone or together with others, determines the
purposes and means of the treatment; whether the law of the Union or of the Member States
determines the purposes and means of the treatment, the person responsible for the treatment or
Specific criteria for their appointment may be established by Union law.
or from the Member States;
8) "processor" or "processor": the natural or legal person,
public authority, service or other body that processes personal data on behalf of the
responsible for the treatment;
10) "third party": natural or legal person, public authority, service or body
other than the interested party, the person responsible for the treatment, the person in charge of the treatment
and of the persons authorized to process the personal data under the direct authority
of the person in charge or the person in charge;
11) "consent of the interested party": any manifestation of free will,
specific, informed and unequivocal by which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
they concern you.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 70
70/97
18) "company": natural or legal person engaged in an economic activity,
regardless of their legal form, including companies or associations that
regularly carry out an economic activity;
25) "information society service ": any service in accordance with the
definition of Article 1 (1) (b) of Directive (EU) 2015/1535 of the
European Parliament and of the Council. (Directive (EU) 2015/1535 of the Parliament
Council and of 9 September 2015, which establishes a
information procedure on technical regulations and rules
relating to information society services (OJ L 241, 17.9.2015, p.
1)).
SAW
Article 24 Responsibility of the controller
<< 1. Taking into account the nature, scope, context and purposes of the
treatment as well as risks of varying probability and severity to the rights
and freedoms of natural persons, the data controller will apply measures
appropriate technical and organizational techniques in order to ensure and be able to demonstrate that the
treatment is in accordance with this Regulation. These measures will be reviewed and
will update when necessary.
2. When they are provided in relation to the treatment activities, between
the measures mentioned in section 1 shall include the application, by the
responsible for the treatment, the appropriate data protection policies ... >>.
Report 0064/2020 of the Legal Office of the AEPD has emphatically expressed
that “ The RGPD has meant a paradigm shift when addressing the regulation of the
right to the protection of personal data, which is based on the
principle of "accountability" or "proactive responsibility" as stated
repeatedly the AEPD (Report 17/2019, among many others) and is included in the
Explanatory Memorandum of Organic Law 3/2018, of December 5, on the Protection of
Personal Data and guarantee of digital rights (LOPDGDD) ”.
The aforementioned report continues that “… the criteria on how to attribute the different
roles remain the same (section 11), reiterates that these are concepts
functional, which are intended to assign responsibilities according to the roles
of the parties (section 12), which implies that in most cases
should be addressed to the circumstances of the specific case (case by case) according to
their actual activities rather than the formal designation of an actor as
"responsible" or "manager" (for example, in a contract), as well as concepts
self-employed, whose interpretation must be carried out under the protection of European regulations
on the protection of personal data (section 13), and taking into account (section
24) that the need for a factual assessment also means that the role of a
responsible for the treatment does not derive from the nature of an entity that is
processing data but of their specific activities in a specific context… ”.
The concepts of controller and processor are not formal, but
functional and must attend to the specific case. The designation by VDF of
"Responsible for the treatment" to its collaborators, does not automatically grant them
such condition.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 71
71/97
The person responsible for the treatment is from the moment he decides the purposes and
means of treatment, not losing this condition the fact of leaving a certain margin of
action to the person in charge of the treatment or for not having access to the databases of the
in charge.
This is undoubtedly expressed in the Guidelines 07/2020 of the European Committee on
Data Protection (CEPD) on the concepts of data controller and
in charge of the RGPD -the translation is ours-, “ A data controller is
who determines the purposes and means of the treatment, that is, the why and the
how of the treatment. The controller must decide on both
purposes and means. However, some more practical aspects of the
implementation ("nonessential media") can be left to the manager
treatment. It is not necessary for the controller to actually have access to the
data that are being processed to qualify as responsible ".
In the present case, it is established that VDF is responsible for the data processing
now analyzed since as defined in article 4.7 of the RGPD is the entity that
determines the purpose and means of the treatments carried out in actions of
direct marketing of the three entities (VDF, ONO, LOWI). So in your
condition of data controller is obliged to comply with the provisions of
the transcript of art 24 of the RGPD and, especially, regarding the effective and continuous control
of “ appropriate technical and organizational measures in order to guarantee and be able to demonstrate
that the treatment is in accordance with this Regulation ” among which are
find those provided in article 28 of the RGPD in relation to those in charge
of the treatments acting in the name and on behalf of VDF.
In this sense, and in relation to the allegation raised by VDF in its brief of
allegations to the initiation agreement that those responsible for the treatments that
the various entities carry out on behalf of VDF and, therefore, those that
they have their own files, they do not act as managers but rather as
responsible for these treatments, it should be noted that in the 07/2020 Guidelines
of the European Data Protection Committee (CEPD) on the concepts of
data controller and person in charge of the RGPD -the translation is ours-, “42.
It is not necessary for the controller to actually have access to the
data being processed. Whoever outsources a treatment activity and, at the
to do so, has a determining influence on the purpose and (essential) means of the
treatment (for example, adjusting the parameters of a service in such a way that
influence whose personal data will be processed), should be considered as
responsible although he will never have real access to the data ”. Remember that VDF
determines who the calls can be made to, as they cannot be made to
who are already clients of the company, as well as filtering regarding lists of
advertising exclusion or whatever corresponds to the exercise of opposition.
Likewise, following the legal report of the AEPD dated 11/20/2019, with
internal reference 0007/2019 and STS 1562/2020 (for all), we must point out that
analyzes the legal figure of the data controller from the perspective of the RGPD
that regulates it exclusively.
<< Article 28 Responsible for the treatment
1. When a treatment is to be carried out on behalf of a person responsible for the
treatment, it will only choose a manager who offers sufficient guarantees
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 72
72/97
to apply appropriate technical and organizational measures, so that the
treatment is in accordance with the requirements of this Regulation and guarantees the
protection of the rights of the interested party.
2. The person in charge of the treatment will not resort to another person in charge without prior authorization.
in writing, specific or general, of the person in charge. In the latter case, the person in charge
will inform the person in charge of any change foreseen in the incorporation or
substitution of other managers, thus giving the person in charge the opportunity to oppose
to such changes.
3. The treatment by the person in charge will be governed by a contract or other legal act with
under Union or Member State law, which binds the person in charge
with respect to the person in charge and establish the object, duration, nature and
purpose of the treatment, the type of personal data and categories of interested parties, and the
obligations and rights of the person in charge. Said contract or legal act shall stipulate, in
particular, that the person in charge:
a) will process personal data only following documented instructions from the
responsible, including with respect to transfers of personal data to a
third country or an international organization, unless it is obliged to do so under
of the law of the Union or of the Member States that applies to the processor; in
In such case, the person in charge will inform the person in charge of this legal requirement prior to
treatment, unless such Right prohibits it for important reasons of interest
public;
b) will guarantee that the persons authorized to process personal data have
are committed to respecting confidentiality or are subject to an obligation of
confidentiality of a statutory nature;
c) take all necessary measures in accordance with Article 32;
d) will respect the conditions indicated in sections 2 and 4 to resort to another
in charge of the treatment;
e) will assist the person in charge, taking into account the nature of the treatment, through
appropriate technical and organizational measures, whenever possible, so that this
can fulfill its obligation to respond to requests that have as their object
the exercise of the rights of the interested parties established in chapter III;
f) will help the person in charge to guarantee compliance with the obligations
established in articles 32 to 36, taking into account the nature of the treatment
and the information available to the person in charge;
g) at the discretion of the person in charge, delete or return all personal data a
once the provision of treatment services ends, and will delete the copies
existing unless the preservation of personal data is required under
of the Law of the Union or of the Member States;
h) will make available to the controller all the information necessary to demonstrate
the fulfillment of the obligations established in this article, as well as
to enable and contribute to the performance of audits, including inspections, by
part of the person in charge or another auditor authorized by said person in charge.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 73
73/97
In relation to the provisions of letter h) of the first paragraph, the person in charge will inform
immediately to the person responsible if, in his opinion, an instruction violates this
Regulation or other provisions on data protection of the Union or of
Member States.
4. When a processor uses another processor to carry out
certain processing activities on behalf of the controller, will be imposed on
this other person in charge, through a contract or other legal act established in accordance with the
Union or Member State law, the same obligations to
data protection than those stipulated in the contract or other legal act between the
responsible and the person in charge referred to in section 3, in particular the provision
of sufficient guarantees of application of appropriate technical and organizational measures
so that the treatment is in accordance with the provisions of this
Regulation. If that other person in charge breaches their data protection obligations,
The initial manager will remain fully accountable to the person responsible for the
treatment with regard to the fulfillment of the obligations of the other
in charge.
5. The adherence of the person in charge of the treatment to a code of conduct approved by
pursuant to Article 40 or to an approved certification mechanism pursuant to Article
42 may be used as an element to demonstrate the existence of the guarantees
sufficient referred to in sections 1 and 4 of this article.
6. Notwithstanding the fact that the person in charge and the person in charge of the treatment celebrate a
individual contract, the contract or other legal act referred to in sections 3 and 4
of this article may be based, totally or partially, on the clauses
contractual type referred to in sections 7 and 8 of this article, inclusive
when they are part of a certification granted to the person in charge or in charge of
in accordance with articles 42 and 43.
7. The Commission may establish standard contractual clauses for the matters to which it is
refer to sections 3 and 4 of this article, in accordance with the procedure for
examination referred to in article 93, paragraph 2.
8. A supervisory authority may adopt standard contractual clauses for the
matters referred to in sections 3 and 4 of this article, in accordance with the
coherence mechanism referred to in article 63. >>
9. The contract or other legal act referred to in sections 3 and 4 shall consist of
written, including in electronic format.
10. Without prejudice to the provisions of articles 82, 83 and 84, if a person in charge of the
treatment violates these Regulations by determining the purposes and means of the
treatment, you will be considered responsible for the treatment with respect to said
treatment. >>
The definition of 'processor' includes a wide range of actors, since
be they natural or legal persons, public authorities, agencies or other bodies.
The existence of a data processor depends on a decision taken by the
responsible for the treatment, who may decide to carry out certain
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 74
74/97
treatment operations or contract all or part of the treatment with a
in charge.
The essence of the role of "processor" is that personal data
are processed in the name and on behalf of the person responsible for the treatment. In practice,
It is the person in charge who determines the purpose and the means, at least the essential ones,
while the processor has a function of providing services to the
Responsible for the Treatment. In other words, "acting in the name and on behalf of
of the person responsible for the treatment » means that the person in charge of the treatment
service of the interest of the controller in carrying out a task
specific and that, therefore, follows the instructions established by the person responsible for the
treatment, at least as regards the purpose and essential means of the
entrusted treatment.
Article 28, section 1, of the RGPD establishes that “When a
treatment on behalf of a data controller, he will choose only a
manager that offers sufficient guarantees to apply technical measures and
appropriate organizational, so that the treatment is in accordance with the
requirements of this Regulation and guarantee the protection of the rights of the
interested".
The obligation provided for in article 28.1 of the RGPD -to select a person in charge of the
treatment that offers sufficient guarantees to guarantee the application of the
Regulation and the rights and freedoms of the interested party - it is not exhausted in the action
prior to the selection and hiring of the treatment manager. This forces the
responsible for the treatment to be evaluated at all times during the execution of the
contract if the guarantees (technical or organizational) offered by the person in charge of the
treatment are sufficient.
The 07/2020 Guidelines of the European Data Protection Committee (CEPD) on the
concepts of data controller and processor in the RGPD -translation is
our- have, without a doubt, that, -, “ 97. The obligation to use only
the processors "who provide sufficient guarantees" contained in
Article 28 (1) of the GDPR is a continuous obligation. It does not end in the
moment in which the controller and the person in charge of the treatment conclude a contract or
another legal act. Instead, the controller should, at appropriate intervals, verify the
assurances from the manager, including through audits and inspections when
corresponds ”.
And this because the person responsible for the treatment is the one who has the obligation to guarantee
the application of data protection regulations and the protection of the rights of
interested parties, as well as being able to prove it (articles 5.2, 24, 28 and 32 of the
GDPR). Control of compliance with the law extends throughout the
treatment, from start to finish. The person responsible for the treatment must
Act, in any case, diligently, consciously, committed and actively.
That mandate of the legislator is independent of whether the treatment is carried out
directly the person in charge of the treatment or that it carries out using a
in charge of the treatment. Where the Law does not distinguish, we cannot distinguish ourselves.
In addition, the treatment carried out materially by a person in charge of treatment by
account of the person responsible for the treatment belongs to the sphere of action of this
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 75
75/97
Lastly, in the same way as if he did it directly himself. The person in charge of
Treatment, in the case examined, is an extension of the person responsible for the
treatment.
The data controller has the obligation to integrate and deploy the protection
of data within everything that constitutes your organization, in all its areas. I know
must bear in mind that ultimately the determining purpose is to
guarantee the protection of the interested party.
Interpret it in the opposite sense - the obligations that article 28 of the RGPD imposes
to the data controller are limited to verifying the capabilities of the processor ab
initio and to sign the contract of data processor - not only would they contravene the
current legislation constituting a clearly fraudulent action, but rather
would violate the spirit and purpose of the GDPR.
In light of the principle of proactive responsibility (art 5.2 RGPD), the person responsible for the
treatment must be able to demonstrate that it has taken into account all the elements
provided for in the RGPD.
The data controller must take into account whether the data controller
provides adequate documentation that demonstrates such compliance,
privacy protection, file management policies, privacy policies,
information security, external audit reports, certifications,
management of the exercise of rights ... etc.
The controller must also take into account the knowledge
specialized technicians of the person in charge of the treatment, the reliability and its resources.
Only if the controller can demonstrate (principle of responsibility
proactive of article 5.2 of the RGPD) that the person in charge of the treatment is adequate during
the entire treatment phase (at all times) to carry out the order
entrusted may enter into a binding agreement that meets the requirements of the
Article 28 of the RGPD, without prejudice to the fact that the controller must follow
complying with the principle of accountability and periodically checking the
compliance of the manager and the measures in use. Before outsourcing a treatment
and in order to avoid possible violations of rights and freedoms of those affected, the
data controller must enter into a contract, other legal act or an agreement
binding with the other entity that establishes clear and precise obligations regarding
of data protection.
The person in charge of the treatment can only carry out treatments on the instructions
documented data of the person in charge, unless he is obliged to do so by Law
of the Union or a Member State, which is not the case. The person in charge of the treatment
It also has the obligation to collaborate with the person in charge in guaranteeing the rights
of the interested parties and comply with the obligations of the person responsible for the treatment of
in accordance with the provisions of the aforementioned article 28 of the RGPD (and related).
Therefore, it is insisted that the person responsible for the treatment must establish
clear modalities for such assistance and give precise instructions to the person in charge of the
treatment on how to comply with them properly and document it prior to
through a contract or another (binding) agreement and check all
moment of the development of the contract its fulfillment in the form established in the
same.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 76
76/97
However, despite the obligations of the person in charge, article 28 of the RGPD
seems to suggest that the responsibility of the processor remains
limited compared to the responsibility of the controller. In
In other words, although data controllers may, in principle, be
responsible for the damages derived from any infraction related to the
processing of personal data (including those that have been committed by the
processor) or breach of contract or other agreement (binding)
Managers may be held liable when they have acted upon
margin of the mandate granted by the controller, or have not complied
your own contractual obligations or under the GDPR. In these cases, the
data controller can be considered fully or partially responsible for
the "part" of the processing operation in which you participate. You will only be in charge
fully responsible when fully responsible for the damages
caused in terms of the rights and freedoms of the affected parties; everything
This, without avoiding the responsibility in which the person responsible for the treatment has
incurred in order to avoid them.
In the present case, despite the repeated designation as "third party" entities
by Vodafone España, SAU to the entities
<< collaborators / agents / distributors >>, it should be noted that the correct qualification
legal under the RGPD these entities must be classified as << entrusted
treatment >> , since, according to the definition, they act fully in
name and on behalf of the person in charge (VDF) for all purposes regarding
Data Protection. Consequently, from now on, these entities will be
called those in charge of the treatment with assumption of the responsibilities that
This term entails within the RGPD both for the person in charge and for the
in charge of the treatment operations. Just bring up the
content of the aforementioned STS 1562/2020 (for all), which states the following:
«In this regard, and the Judgment of the Supreme Court of June 5, 2004, which
confirms, in cassation for Unification of Doctrine, that of this AN of October 16,
2003, echoing what was argued by this Chamber, refers to the differentiation of two
responsible depending on whether the decision-making power is directed to the file or to the
data treatment. Thus, the person responsible for the file is the one who decides the creation of the
file and its application, and also its purpose, content and use, that is, who has
decision-making capacity on all the data registered in said file. The
The person responsible for the treatment, however, is the subject to whom the
decisions about the specific activities of a certain data processing,
that is, on a specific application. It would be all those assumptions in
those that the power of decision must be differentiated from the material realization of the
activity that integrates the treatment. With this, as the STS of 26
of April 2005 (cassation for unification of doctrine 217/2004), the legislator
Spanish aims to adapt to the requirements of Directive 95/46 / EC, which has as its
objective to provide a legal response to the phenomenon, which is becoming more frequent, of the
called outsourcing of computer services, where multiple
operators, many of them insolvent, created with the aim of seeking the
impunity or irresponsibility of those who follow him in the following links of the
chain. Currently, the new Regulation (EU) 2016/679 of the Parliament
Council and Council of April 27, 2016, on the protection of individuals
with regard to the processing of personal data (by which the
Directive 95/46 / CE, and of direct application as of May 25, 2018) distinguishes
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 77
77/97
also between the person in charge and the person in charge of the treatment. The
The first is defined in Article 4 (7) as "natural or legal person (...)
that determines the purposes and means of the treatment. "And the person in charge of treatment in the
paragraph 8) of the same article 4 as the one that "treats personal data on behalf of
of the person responsible for the treatment ".
This in relation to Articles 24 and 28 of the same European Regulation of
Data Protection. Responsible for and in charge of the data processing that, without place
doubtless, they are also responsible for infractions in terms of protection
of data, in such a new regulatory framework, in accordance with the provisions of article
82.2 of the repeated Regulation (EU) 2016/679 to which: Any person responsible who
participate in the treatment operation will be liable for damages
caused in the event that said operation does not comply with the provisions of the present
Regulation. A manager will only be liable for damages.
caused by the treatment when it has not complied with the obligations of the
these Regulations specifically addressed to those in charge or has acted at the
margin or against the legal instructions of the person in charge. It detaches from
all of the above that the concurrence, in the present case, of a person in charge of the
ZZZZ treatment at all exempts entity XXXX from liability now
appellant, and this despite the forcefulness of the clauses that appear in the
contract and annex to it signed by both companies (proven facts 9 and 10)
as the personal data processed was for the purpose of carrying out a
advertising campaign regarding car and motorcycle insurance that marketed the
(XXXX), ultimately for the benefit of said XXXX, such plaintiff being the one that, in
last term, determines the purposes and means of repeated data processing, therefore
that it cannot be exonerated of responsibility. >>
The STS continues, in relation to the possible exoneration of alleged responsibility
As for what is subscribed in the contract of "person in charge of the treatment", the following:
« The sanctioned conduct of obstruction or impediment by XXXX of the exercise
by his client of the right of opposition to the processing of his data, is manifested in
that said company did not adopt any kind of measure or precaution to avoid the
sending advertising to your client's email addresses by
those companies to which it entrusted the realization of the advertising campaigns.
The adoption of the necessary measures or precautions to ensure the effectiveness of the
Right to object to the processing of your data by XXXX, such as
responsible for the file, subsist even if the advertising campaigns are not carried out
starting from the data of their own files, but with databases of other
companies hired by XXXX, and in this case it was proven that the appellant
did not inform the companies with which it contracted to perform services of
publicity the opposition of the complainant to receive publicity from the Mutual, nor ultimately
made any provision to ensure the exclusion of its customer from shipments
advertising contracted with third parties. "
Consequently, it must be concluded that in all the treatments analyzed in the
antecedents in its various modalities, the data controller is
Vodafone España, SAU (VDF) and acting as managers those other
entities that act in the name and on behalf of and for the benefit of VDF.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 78
78/97
Of the documentation that is in the file that is mentioned in the
this resolution from the information collected by the Inspection of this
AEPD and VDF's own acts and manifestations, the breach is accredited by
VDF as responsible for the treatments entrusted to the effective control and
continued in time of the measures provided in the above transcribed art 28 of the
GDPR. In this regard, add that the obligation provided in article 28.3.h) RGPD,
Using at the beginning the imperative term "put" referring to the person in charge of the
treatment, generates the obligation to «demand» from the controller « compliance with the
obligations established in this article, as well as to allow and contribute to
the performance of audits, including inspections, by the controller or another
auditor authorized by said person in charge. "
Thus, it is established that those in charge of the treatment (and successive sub-processors) who
acting in the name and on behalf of VDF do not offer sufficient guarantees to
apply the appropriate technical and organizational measures to the treatment commissioned by
VDF. And neither are the tasks duly documented by VDF
entrusted to the successive managers who carry out the treatments in
name and on behalf of the person in charge (VDF). Furthermore, they are listed as approved by
VDF treatments that violate the scope of application of the RGPD by allowing
treatments in third countries without adequate legal guarantees.
There is also no prior written authorization from VDF with knowledge of the
technical and organizational measures of successive entities subcontracted to others
managers, since the VDF is only informed once the sub-manager has already
is already chosen for the sole purpose of assigning an access code to the
VDF client management applications. VDF, as the data controller,
does not know in advance who and under what conditions a
manager / sub-manager to act on their own behalf and under their
specific specifications - which do not exist - and accepts without qualms this behavior of
continuously and repeatedly since at least April 2018, even having
knowledge of this anomaly.
Nothing appears in the relationship between VDF and managers and successive sub-managers
with respect to the requirements listed in the aforementioned article 28.3, which, in summary, is
specify in previously defining by the data controller (VDF) the object,
duration, nature, purpose, types of data, categories, obligations and rights of
interested parties, and mandatory powers of continuous control ... etc. Only in
specific occasions it is cited to have informally communicated one or other guidelines
specific actions of action without implying any effective control of VDF with the
treatments entrusted (and in turn sub-entrusted) on their own and in their
Name.
Therefore, non-compliance with data protection regulations must be
fully imputed to the person responsible for the treatment (VDF) by not acting in a
clear, active and effective in stipulating and enforcing the appropriate specifications for
carry out the treatment entrusted on your behalf adequately in time.
There is also no evidence that VDF has carried out continuous monitoring throughout the cycle.
of execution of the treatments commissioned and in turn sub-commissioned by other
entities on their behalf despite numerous known claims and
ongoing investigations carried out by AEPD and of which VDF had
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 79
79/97
knowledge, and especially regarding the repeated conduct already sanctioned
previously in PS / 00290/2018.
Consequently, according to the aforementioned, VDF has seriously infringed - reiterated and
systematic- the obligations imposed as the person responsible for the treatments
carried out on his behalf of the provisions of 28 of the RGPD, in relation to the
responsibilities required of all data controller by art 24 of the RGPD,
especially with regard to the principles and proactive responsibility declared
in articles 5.1.f) and 5.2) of the RGPD.
On the other hand, article 44 of the RGPD states the following:
<< Article 44 General principle of transfers
Only transfers of personal data that are subject to treatment will be made
or will be after their transfer to a third country or international organization if, to
reservation of the other provisions of this Regulation, the person in charge and the
in charge of the treatment fulfill the conditions established in the present
chapter, including those relating to subsequent transfers of personal data
from the third country or international organization to another third country or other organization
international. All the provisions of this chapter shall apply in order to
ensure that the level of protection of natural persons guaranteed by this
Regulation is not undermined >>.
In the present case, accredited the International Transfer of data to a third country
(Peru) without the appropriate measures required in the RGPD, there is no evidence that VDF in quality
responsible for the treatment has fulfilled the conditions established in the
Chapter V of the RGPD (Already justified in the answer to claim 6R) on page
65 of this Resolution).
VII
Secondly, it should be noted that from the perspective of the GDPR there are
various legal concepts that directly complement those incorporated in the
LGT and LSSICE.
In this sense, regarding the LGT regarding the right to object (right to
opposition) to receive unwanted calls for commercial communication purposes and to be
informed of this, the concept of opposition will be applied in accordance with the RGPD. I know
must add that, according to the LOPDGDD, Title IV, which includes «Provisions
applicable to specific treatments ” , incorporates a series of assumptions that in no
case should be considered exhaustive of all lawful treatments. Within them
It is worth noting, in the first place, those for which the legislator establishes a
presumption "iuris tantum" of prevalence of the legitimate interest of the person in charge when
are carried out with a series of requirements. Along with these assumptions are collected
others, such as the advertising exclusion files in which the legality of the treatment
comes from the existence of a public interest, in the terms established in the
article 6.1.e) of the RGPD, which requires, in accordance with the provisions of article 8.2,
find contemplated in a norm with the force of law that provides it, that, in
In this case, it is article 23 of the LOPDGDD itself that regulates the “systems of
advertising exclusion ” .
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 80
80/97
This is provided by art 21 of the RGPD:
<< Right of opposition
1. The interested party will have the right to object at any time, for reasons
related to your particular situation, what personal data concerning you
are subject to a treatment based on the provisions of Article 6 (1),
letters e) or f), including profiling based on these provisions.
The data controller will stop processing personal data, unless
prove compelling legitimate reasons for the treatment that prevail over the
interests, rights and freedoms of the interested party, or for the formulation, the
exercise or defense of claims.
2. When the purpose of the processing of personal data is marketing
direct, the interested party will have the right to object at any time to the treatment of
personal data concerning you, including profiling in the
insofar as it is related to the aforementioned marketing.
3. When the interested party opposes the treatment for direct marketing purposes,
personal data will no longer be processed for these purposes.
4. At the latest at the time of the first communication with the interested party, the
right indicated in sections 1 and 2 will be explicitly mentioned to the interested party
and it will be presented clearly and apart from any other information.
5. In the context of the use of information society services, and not
Notwithstanding the provisions of Directive 2002/58 / EC, the interested party may exercise their
right to object by automated means that apply specifications
techniques.
6. When personal data is processed for scientific research purposes or
historical or statistical purposes in accordance with Article 89 (1), the
interested party will have the right, for reasons related to their particular situation, to
oppose the processing of personal data concerning you, unless it is
necessary for the fulfillment of a mission carried out for reasons of interest
public >>.
The foregoing, without prejudice to the sanctioning regime being the one regulated in the
LGT.
Regarding the LSSICE, the need for express authorization by the recipients of
commercial communications by electronic means are specifically collected
in art 21.1 of the LSSICE, which states:
<< Article 21. Prohibition of commercial communications made through
email or equivalent electronic means of communication.
1. The sending of advertising or promotional communications by
email or other equivalent electronic means of communication that
had not previously been requested or expressly authorized by the
recipients of the same >>,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 81
81/97
Without prejudice to the fact that for the formal purposes of obtaining authorization, the norm
applicable is the provisions of art 4.11, in relation to art 19 of the LSSICE, which
has:
<< 1. Commercial communications and promotional offers will be governed, in addition
of by this Law, by its own regulations and those in force in commercial matters and
advertising.
2. In any case, Organic Law 15/1999, of December 13, of
Protection of Personal Data, and its implementing regulations, especially,
Regarding the obtaining of personal data, the information to the
interested parties and the creation and maintenance of personal data files >>.
However, regarding the right to object, article 21.2 of the LSSICE
establishes the obligation to offer the recipient the possibility of opposing the
processing of your data for promotional purposes using a simple procedure
and free, both at the time of data collection and at each of the
commercial communications that direct you.
<< Article 21.2. Prohibition of commercial communications made through
email or equivalent electronic means of communication.
(…)
2. The provisions of the previous section shall not apply when there is a
prior contractual relationship, provided that the provider had obtained lawfully
the recipient's contact details and will use them to send communications
commercial related to products or services of your own company that are
similar to those that were initially contracted with the client.
In any case, the provider must offer the recipient the possibility of opposing the
processing of your data for promotional purposes using a simple procedure
and free, both at the time of data collection and at each of the
commercial communications that you direct.
When the communications have been sent by email, said
means must necessarily consist of the inclusion of an email address
email or other valid email address where this right can be exercised,
It is forbidden to send communications that do not include said address >>.
In this sense, this modality of exercise of the right of opposition constitutes a
specific obligation in the field of commercial communications made to
through electronic means. By virtue of article 95 of the RGPD, no
impose additional obligations that have the same objective, as it would be, in this
case, the duty to consult the advertising exclusion systems provided for in article
23.4 of the LOPDGDD, which, for this reason, is not applicable.
In any case, the offense is regulated in the sanctioning regime of the LSSICE.
Regarding the rights exercised by those affected to avoid being recipients of
direct marketing actions.
Recital 70 of the RGPD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 82
82/97
<< If personal data are processed for direct marketing purposes, the
interested party must have the right to object to said treatment, including the
profiling insofar as it is related to such marketing
direct, either with respect to an initial or subsequent treatment, and this in any
moment and at no cost. Said right must be explicitly communicated to the
interested and present clearly and apart from any other information >>.
Likewise, the aforementioned legal concepts indicated by the RGPD (including the
provided in art 21 RGPD transcribed above) and directly applicable to the LGT, it is
They also incorporate into the LOPDGDD as follows:
Art 23 LOPDGDD.
Article 23. Advertising exclusion systems.
<< 1. The processing of personal data that is intended to prevent the sending
of commercial communications to those who have expressed their refusal or
opposition to receiving them. For this purpose, information systems may be created, general
or sectoral, in which only the data essential to identify
the affected. These systems may also include preference services,
by which those affected limit the reception of commercial communications
those from certain companies.
2. The entities responsible for the advertising exclusion systems will notify
the competent control authority its creation, its general or sectoral nature, as well
as the way in which those affected can join them and, where appropriate,
assert your preferences. The competent control authority will make public in its
electronic headquarters a list of the systems of this nature that were
communicated, incorporating the information mentioned in the previous paragraph. To such
In effect, the competent control authority to which the creation has been communicated
of the system will make it known to the other control authorities for their
publication by all of them.
3. When an affected party expresses to a person in charge his wish that his data not
are processed for the referral of commercial communications, it must inform you
of the existing advertising exclusion systems, being able to refer to the
information published by the competent control authority.
4. Those who intend to make direct marketing communications must
previously consult the advertising exclusion systems that could affect your
action, excluding from the treatment the data of those affected who had
expressed their opposition or refusal to it. For these purposes, to consider
Once the above obligation has been fulfilled, consulting the exclusion systems will suffice.
included in the list published by the competent control authority.
It will not be necessary to carry out the query referred to in the previous paragraph when the
affected would have provided, in accordance with the provisions of this organic law, its
consent to receive the communication to whoever intends to make it. >>
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 83
83/97
VIII
In the event of an infringement of the RGPD precepts, among the
corrective powers available to the Spanish Data Protection Agency,
As a supervisory authority, Article 58.2 of said Regulation contemplates the
following:
“2 Each supervisory authority shall have all the following corrective powers
listed below:
(…)
b) punish any person responsible or in charge of the treatment with warning
when the processing operations have infringed the provisions of this
Regulation;"
(...)
d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of each
particular case;".
According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d)
above is compatible with the sanction consisting of an administrative fine.
IX
Therefore, VDF as responsible for the treatments carried out on behalf of and
on your behalf and in accordance with the evidence available in the
present moment, it is considered that the facts presented could violate the
established in article 28, with the scope expressed in the Fundamentals of
Previous rights, which, if confirmed, could entail the commission of a
offense typified in article 83.4.a) of the RGPD, which under the heading " Conditions
general rules for the imposition of administrative fines ” provides the following:
Article 83.4.a) of the RGPD,
"4. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a) the obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a
39, 42 and 43 ".
Considered serious for the purposes of prescription in article 73 of the LOPDGDD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 84
84/97
Article 83.5.c) of the RGPD,
"5. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
c) transfers of personal data to a recipient in a third country or a
international organization according to articles 44 to 49 ”.
In the present case, the performance by VDF in the capacity of
responsible for the treatment of an international transfer of data to a third country
(Peru) by consenting to Casmar to carry out for A-Nexo the actions of
marketing in the name and on behalf of VDF, according to the signed contract dated
05/01/2019 between VDF and Casmar and the subsequent contract signed between Casmar and A-nexo
dated 06/27/2019; Infringement considered very serious for the purposes of prescription in the
art 72.l) of the LOPDGDD.
X
Article 71 of the LOPDGDD. Infractions.
The acts and conducts referred to in sections 4, 5 constitute offenses.
and 6 of Article 83 of Regulation (EU) 2016/679, as well as those resulting
contrary to the present organic law.
Article 72.1.l) Violations considered very serious.
<< 1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein and, in particular, the
following:
l) The international transfer of personal data to a recipient who is
find in a third country or an international organization, when there is no
the guarantees, requirements or exceptions established in articles 44 to 49 of the
Regulation (EU) 2016/679. >>
Article 73 LOPDGDD. Violations considered serious.
<< Based on what is established in article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:
j) The hiring by the person in charge of the treatment of a person in charge of treatment
that does not offer sufficient guarantees to apply the technical measures and
appropriate organizational arrangements in accordance with the provisions of Chapter IV of the Regulations
(EU) 2016/679.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 85
85/97
k) Entrusting the processing of data to a third party without the prior formalization of a
contract or other written legal act with the content required by article 28.3 of the
Regulation (EU) 2016/679.
p) The processing of personal data without carrying out a prior assessment of the
elements mentioned in article 28 of this organic law.
In the present case, VDF is charged with the violation of article 28 of the RGPD,
punishable in accordance with article 83.4.a) of the RGPD, offense typified in Article
73 of the LOPDGDD, sections j), k), p), and classified as serious for the purposes of
prescription.
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state :
"1. Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute title for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
d) the degree of responsibility of the person in charge or the person in charge of the treatment,
taking into account the technical or organizational measures that have been applied by virtue of
of articles 25 and 32;
h) the way in which the supervisory authority learned of the infringement, in
in particular if the person in charge or the person in charge notified the infringement and, if so, in what
measure;
i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures (…);
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through the infringement.
For its part, in relation to article 83.2.k) RGPD, article 76 “ Sanctions and measures
corrective measures ”of the LOPDGDD provides:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 86
86/97
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatment of
personal information.
c) The benefits obtained as a result of the commission of the offense.
(…)
In accordance with the transcribed precepts, and derived from the instruction of the
procedure for the purpose of setting the amount of the penalty for infringement of article 28 of
RGPD to VDF as responsible for the aforementioned offense typified in article 83.4.a)
of the RGPD, the fine that should be imposed should be graduated as follows:
Infringement for breach of the provisions of article 28 in relation to the 24
of the RGPD, typified in article 83.4.a) and classified as serious for the purposes of
prescription in article 73, sections j), k), p) of the LOPDGDD:
In the present case, the following graduation criteria are considered concurrent:
. The nature, severity and duration of the offense, taking into account the nature,
scope or purpose of the processing operations in question; refering to
nature and severity, it is established that the treatments object of analysis respond to a
Manifest situation of imbalance to the detriment of the rights of the interested parties.
. The intentionality or negligence appreciated in the commission of the infraction; at
present case, there is serious negligence in the conduct of VDF since after
repeated claims and knowing the facts now analyzed continues without
apply appropriate corrective measures.
. The continuing nature of the offense. In the case under examination, it is proven
an offense and of long duration, from the second quarter of 2018 to date.
. The high link of the activity of the offender with the performance of treatment of
personal information. It is known that VDF is an entity with more than fifteen million
of clients whose personal data are systematically processed in the exercise of
its attributions as one of the main telecommunications operators.
. The benefits obtained as a result of the commission of the offense. Is
It is obvious that the treatments of the marketing actions now analyzed
They respond to profit making.
. The status of the responsible entity as a large company and its turnover
(according to the audited annual accounts report corresponding to the March period
2018 to March 2019, more than 1,600 million euros of turnover and with more than
4,000 employees).
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 87
87/97
. High volume of data and processing that constitutes the object of the file.
It consists of the documentation provided by VDF that the treatment of the shares
of marketing exceed two hundred million.
. High number of affected. They comprise, at least, the 162 claimants.
. The imputed entity (VDF) does not have adequate procedures for
performance in the hiring and effective monitoring of those in charge of the treatment
so that the infringement is not the consequence of a specific anomaly in the
operation of these procedures but a persistent and continuous defect of the
personal data management system designed by the person in charge in terms of
the treatments delegated to those in charge of these.
Considering the exposed factors, the initial assessment that reaches the amount of the
The fine for the infringement charged by art 28 of the RGPD is € 4,000,000 (four
million euros) and for the infringement charged by art 44 of the RGPD, typified in the
Article 83.5.c) of the RGPD is € 2,000,000 (two million euros).
XI
Both the initiation agreement and the proposed resolution warned of the
following:
“If the infringement is confirmed, it could also be agreed to impose the person responsible
(Vodafone España, SAU) the adoption of appropriate measures to adjust its
action to the regulations mentioned in this act, in accordance with the provisions of
the aforementioned article 58.2.d) of the RGPD, according to which each control authority may
“Order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period… ”.
In this case, in the resolution adopted, this Agency may require the entity to
responsible so that, within the period to be determined, it adapts to the regulations of
protection of personal data processing operations delegated to the
managers and all this with the scope expressed in the Fundamentals of Law of the
present agreement and without prejudice to what results from the instruction.
It is noted that not meeting the requirements of this body may be
considered as a serious administrative offense by “not cooperating with the Authority
of control ”in view of the requirements made, and such conduct may be assessed at
the time of the opening of an administrative procedure punishable by a fine
pecuniary ”.
In the present case, VDF is ordered in the operative part of this
Resolution, by virtue of the corrective powers indicated in article 58.2.d) of the
RGPD, order VDF that within six months from the notification of
this Resolution, accredit to this AEPD that you have adjusted to the provisions of the
RGPD and LOPDGDD all the treatment operations analyzed in the present
procedure referred to in articles 17, 21, 24, 28 and 44 to 49 of the RGPD and 12, 15, 18,
23, 40 to 43 of the LOPDGDD.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 88
88/97
XII
Article 21 of the LSSICE. Prohibition of commercial communications made to
via email or equivalent electronic means of communication.
<< 1. The sending of advertising or promotional communications by
email or other equivalent electronic means of communication that
had not previously been requested or expressly authorized by the
recipients of the same.
2. The provisions of the previous section shall not apply when there is a
prior contractual relationship, provided that the provider had obtained lawfully
the recipient's contact details and will use them to send communications
commercial related to products or services of your own company that are
similar to those that were initially contracted with the client. Throughout
In this case, the provider must offer the recipient the possibility of opposing the
processing of your data for promotional purposes using a simple procedure
and free, both at the time of data collection and at each of the
commercial communications that you direct.
When the communications have been sent by email, said
means must necessarily consist of the inclusion of an email address
email or other valid email address where this right can be exercised,
It is forbidden to send communications that do not include said address. >>
In the present case, it is established that the treatments carried out by sending
electronic communications (SMS, email) through the different channels used
they lack the express authorization of the recipients. Communications made to
via SMS were carried out without offering the recipient the possibility of effective and
proven to object to the treatment. This possibility was not implemented until
November 2018 through a link to an exclusive website for this purpose, without
that it became effective every time the opposition exercises were not attended.
In addition, it is clear that commercial communications have been made in the name and by
VDF account by electronic means to recipients who had not authorized them
expressly and that they had no commercial relationship with VDF.
From the evidence obtained, it is observed that the VDF procedure for the
carrying out direct marketing actions through communications
electronic commercials to potential clients, does not guarantee compliance with the
Article 21 of the LSSICE, when addressing the actions of sending SMS to numbers and
randomly generated addresses, which prevents verifying the existence of
prior and express authorization or, failing that, the existence of a commercial relationship
prior similar services.
XIII
Article 38 of the LSSICE. Infractions.
"1. Violations of the precepts of this Law will be classified as very serious,
severe and mild.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 89
89/97
2. The following are very serious offenses: a) (No content) b) Failure to comply with the
obligation to suspend transmission, data hosting, access to the network or the
provision of any other equivalent intermediation service, when a body
competent administrative authority orders it, by virtue of the provisions of article 11. c)
(Repealed) d) (Repealed)
3. The following are serious offenses:
c) The massive sending of commercial communications by email or other means
equivalent electronic communication, or its insistent or systematic sending to a
same recipient of the service when the requirements are not met in said shipments
established in article 21.
d) The significant breach of the obligation of the service provider
established in section 1 of article 22, in relation to the procedures for
revoke the consent given by the recipients.
XIV
Article 39 of the LSSICE. Sanctions
<< Sanctions. 1. For the commission of the infractions included in the previous article,
The following sanctions will be imposed:
a) For the commission of very serious offenses, a fine of 150,001 to 600,000 euros.
The reiteration within three years of two or more very serious offenses,
sanctioned with firm character, may give rise, depending on their circumstances, to the
sanction of prohibition of action in Spain, for a maximum period of two
years.
b) For the commission of serious offenses, a fine of 30,001 to 150,000 euros. >>
Article 40 of the LSSICE. Grading of the amount of penalties.
"The amount of fines that are imposed will be graduated according to the following
criteria:
a) The existence of intentionality.
b) Period of time during which the offense has been committed.
c) The recidivism by commission of infractions of the same nature, when thus
has been declared by final resolution.
d) The nature and amount of the damages caused.
e) The benefits obtained by the infringement.
f) Billing volume affected by the infringement committed.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 90
90/97
g) Adherence to a code of conduct or an advertising self-regulation system
applicable with respect to the offense committed, which complies with the provisions of article
18 or in the eighth final provision and that has been favorably informed by the
competent body or bodies ”.
In the present case, the aggravating factors from a) to f) are assessed against the VDF entity.
indicated in the above transcribed art 40 of the LSSICE.
XV
Article 45 of the LSSICE. Prescription.
"Very serious infractions will prescribe after three years, serious ones after two years and
mild ones at six months; the sanctions imposed for very serious offenses will prescribe
at three years, those imposed for serious offenses at two years and those imposed by
minor absences per year ”.
In the present case, there is no statute of limitations for serious offenses committed.
by VDF.
XVI
The facts presented could imply for Vodafone España, SAU the commission of
infringement of article 21 of the LSSICE.
These offenses are classified as serious in article 38.3.c) and d) of the aforementioned
Law, each may be sanctioned with a fine of € 30,001 to € 150,000, of
in accordance with article 39 of the aforementioned LSSICE.
XVII
After the evidence obtained in the preliminary investigations and instruction phase, the
considers that the sanction to be imposed should be adjusted in accordance with the following
criteria established by art. 40 of the LSSI:
- The existence of intentionality, an expression that must be interpreted as equivalent
to the degree of guilt according to the Judgment of the National Court of
11/12/2007 relapse to Appeal no. 351/2006, corresponding to the entity
denounced the determination of a system for obtaining informed consent
that conforms to the mandate of the LSSICE (section a).
- Period of time during which the offense has been committed, since it is the
claim of May 2018, (section b).
- The recidivism by commission of infractions of the same nature, when thus
has been declared by final resolution as the recidivism has been accredited
of the same conduct that was sanctioned in the reference procedure
PS / 00290/2018 (section c).
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 91
91/97
- The nature and amount of the damages caused, in relation to the volume of
users affected by the infringement, more than 12 million commercial actions of
marketing, (section d) and more than 200 million commercial actions.
- The benefits obtained by the infringement, in relation to the volume of users to whom
that affects the offense (section e).
- Billing volume affected by the infringement committed, since it exceeds one thousand
six hundred million euros in the accounting period from March 31, 2018 to March 31,
2019 (section f).
In accordance with these criteria, it is deemed appropriate to impose on Vodafone Spain,
SAU for violation of article 21 of the LSSI a penalty of € 150,000 (one hundred
fifty thousand euros).
XVIII
Article 48.1.b) of the LGT
<< Article 48. Right to the protection of personal data and privacy in relation
with unsolicited communications, with traffic and location data and with
subscriber guides.
1. Regarding the protection of personal data and privacy in relation to
unsolicited communications end users of communications services
electronic companies will have the following rights:
b) To oppose receiving unwanted calls for commercial communication purposes
that are carried out through systems other than those established in the previous letter and
be informed of this right >>.
In the present case, it is proven that commercial actions have been carried out by
account and on behalf of VDF through calls to recipients (end users) who
had expressed their opposition, either in front of the calling entity, or prior
inclusion in Adigital's Robinson exclusion list and / or internal lists of
exclusion of each of the entities involved in the entrusted treatment
by VDF in its own name.
From the evidence obtained, indicated in the antecedents, it is observed that the
VDF procedure to carry out direct marketing actions to
through telephone calls does not guarantee compliance with the right of opposition
of the end users with whom it contacts not to receive commercial calls, nor in the
case of:
1.
campaigns managed directly by VDF, nor in,
1.
campaigns managed by managers and sub-managers, either
using VDF's own database which does not verify that they are used
complying with its instructions, either by using the databases of
those in charge of the treatment hired on behalf of and on behalf of VDF. VDF
does not know how the treatment is carried out by the managers and their
sub-managers. He does not know the contracts between them, and therefore does not have information
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 92
92/97
on the origin of the data or who assumes, in this subcontracting, the obliged
consultation of files of exclusion of advertising actions.
It is also established that VDF does not communicate an exercise of the right of opposition that
satisfied at the request of an affected party or after the resolution of a claim in the
AEPD to those in charge and that these in turn subcontract the material realization of
the calls. This situation has the consequence of reducing the
exercise of the right of opposition provided for in the aforementioned precepts, and makes
the opposition procedure ineffective as nothing prevents them from being carried out again
commercial calls to those affected who are in the cases described.
XIX
Article 77.37 LGT. Serious offenses.
<< The following are considered serious offenses:
37. The serious violation of the rights of consumers and end users,
as established in Title III of the Law and its implementing regulations.
In the present case, the facts analyzed are considered a serious infraction given the great
volume of marketing actions carried out and claims received in
this AEPD as a consequence of the rights violated to the interested parties, as well
as for the excessive and continuous duration of the marketing actions
carried out in the name and on behalf of VDF.
Article 83. Prescription
<< 1. The infractions regulated in this Law will prescribe, the very serious ones, to the three
years; the serious ones, after two years, and the minor ones, after one year.
The statute of limitations for infringements will begin to run from the day on
that had been committed. Initiation will interrupt the prescription, knowingly
of the interested party, of the sanctioning procedure. The limitation period will revert to
run if the sanctioning file was paralyzed for more than a month for
cause not attributable to the presumed responsible.
In the event of continued infringement, the initial date of the computation will be that in
that the infringing activity or that of the last act with which the infringement
is consumed. However, it will be understood that the offense persists as long as the
equipment, apparatus or facilities that are the subject of the file are not
disposition of the Administration or there is reliable evidence of its impossibility of
use.
2. The sanctions imposed for very serious offenses will prescribe after three years; the
imposed for serious offenses, after two years, and those imposed for minor offenses, after one year. The
limitation period of sanctions will begin to be computed from the day
following the one in which the resolution imposing the
sanction. The prescription shall be interrupted by the initiation, with the knowledge of the interested party, of the
execution procedure, running the term again if it is paralyzed
for more than a month for reasons not attributable to the offender. >>
XX
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 93
93/97
Article 79.1, c) LGT. Sanctions .
1. For the commission of the offenses typified in the previous articles,
will impose the following sanctions:
c) For the commission of serious offenses, the offender will be fined a fine of
up to two million euros. >>
XXI
The facts presented, suppose the commission by VDF, of an infraction of the
Article 48.1.b) of the LGT Law, contained in its Title III, which indicates the right: (…) b)
To object to receiving unwanted calls for commercial communication purposes that
are carried out through systems other than those established in the previous letter and to be
informed of this right ”.
Although the aforementioned article does not explicitly configure such right, you should go to
the data protection regulations already indicated in the previous Fundamentals in the
that regulates the right of opposition: article 21 of the RGPD, and article 23 of the
LOPDGDD.
This offense is classified as "serious" in article 77.37) of said
norm, which considers as such: “ 37. The serious violation of the rights of
consumers and end users, as established in title III of the Law and its
development regulations ”. may be sanctioned with a fine of up to € 2,000,000, of
in accordance with article 79.1.c) of the aforementioned LGT.
In accordance with the indicated precepts, in order to set the amount of the sanction to
impose in the present case, it is considered that the sanction to be imposed should be graduated
in accordance with the following criteria established in article 80.1) and 2) of the LGT:
<< 1. The amount of the penalty imposed, within the limits indicated, is
will graduate taking into account, in addition to the provisions of article 131.3 of the Law
30/1992, of November 26, on the Legal Regime of public administrations and
of the Common Administrative Procedure (it must be understood as referring to article 29 of the
40/2015, October 1, from RJSP) , the following:
a) The seriousness of the offenses previously committed by the subject to whom the
sanctions. b) The social repercussion of the infractions.
c) The benefit that has been reported to the offender by the fact that is the subject of the offense.
d) The damage caused and its repair.
e) Voluntary compliance with the precautionary measures that, where appropriate, are imposed
in the sanctioning procedure.
f) Refusal or obstruction of access to the facilities or to provide information or
required documentation.
g) The cessation of the infringing activity, previously or during the processing of the
sanctioning file.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 94
94/97
2. The financial situation will also be taken into account when setting the sanction.
of the offender, derived from their assets, their income, their possible charges
family and other personal circumstances that prove that they affect you. The
The offender will be obliged, where appropriate, to pay the fees that he would have owed
satisfy in the event of having made the notification referred to in the article
6 or having enjoyed a title for the use of the public domain
radioelectric >>.
In the specific case, the following aggravating factors are indicated to quantify the sanction
fine:
a) The seriousness of the offenses previously committed by the subject to whom the
sanctions. It is clear that the entity has been sanctioned with a fine or warning since
January 2018 to February 2020 more than 50 times.
b) The social repercussion of the infractions. The fact that there are 162 claims in
the term of just under two years as stated in the AEPD and the large number of
marketing actions through phone calls (about two hundred million
of marketing actions) allows the strong repercussion
of the treatments now analyzed.
c) The benefit that has been reported to the offender by the fact that is the subject of the offense. All
commercial actions are aimed at increasing profits
reported that can be estimated in the increase in customers between 2018 and
2020:

In mobile telephony, the number of mobile telephone contract Clients
it amounted to 11.4 million at the end of the quarter.

In fixed broadband, the Customer base grew again to reach 3.2
millions.

In fiber, it increased by 60,000 to close the year with 2.9 million.

On Vodafone TV, the number of Clients grew by 36,000 and exceeded at the close
1.3 million in the last quarter.
d) The damage caused and its repair. The damage caused to the
privacy of those affected, that even having exercised their right of exclusion to
marketing actions, were contacted again for the same purpose,
sometimes repeatedly and insistently.
f) Refusal or obstruction of access to the facilities or to provide information or
required documentation. It is clear that VDF has not met the latest requirements
of information issued by this AEPD. (E / 07056/2019 and E / 08284/2019).
g) There is also no evidence of the cessation of the infringing activity, previously or during the
processing of the investigation file and even after the inspection
face-to-face at the VDF premises in September 2019, since they consist of
subsequent claims before this AEPD for the same facts.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 95
95/97
In relation to the financial situation of the offender, it is clear that VDF is one of the
largest telecommunications operators with annual turnover of more than 1,600
million euros and more than 4,000 employees.
After the evidence obtained in the preliminary investigations phase, it is considered that
The penalty to be imposed should be graduated in the amount of € 2,000,000 (two million
euros).
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:
FIRST:
IMPOSE to VODAFONE SPAIN, SAU , with NIF A80907397 , for an offense
of Article 28 of the RGPD in relation to Article 24 of the RGPD, typified according to
Article 83.4.a) of the RGPD with an administrative penalty of four million
euros (€ 4,000,000).
IMPOSE to VODAFONE SPAIN, SAU , with NIF A80907397 , for infringement of the
Article 44 of the RGPD typified in accordance with article 83.5.c) of the RGPD, with sanction
administrative amount of two million euros (€ 2,000,000).
IMPOSE to VODAFONE SPAIN, SAU , with NIF A80907397 , for infringement of the
Article 21 of the LSSICE, classified as serious in Article 38.3.d) and c) of said
regulation with a sanction of one hundred and fifty thousand euros (€ 150,000)
IMPOSE to VODAFONE SPAIN, SAU , with NIF A80907397 , for infringement of the
article 48.1.b) of the LGT, in relation to article 21 of the RGPD and article 23 of the
LOPDGDD, classified as serious in article 77.37 of the LGT with sanction of
amount of two million euros (€ 2,000,000).
SORT to VODAFONE SPAIN, SAU , with NIF A80907397 , so that in the
period of six months from the notification of this Resolution, certify
before this AEPD that has adjusted to the provisions of the RGPD and LOPDGDD all the
treatment operations analyzed in this procedure referring to the
Articles 17, 21, 24, 28 and 44 to 49 of the RGPD and 12, 15, 18, 23, 40 to 43 of the LOPDGDD.
SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, SAU, with
NIF A80907397, with address at Avda. De América 115, 28042 Madrid.
THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the Agency
Spanish for Data Protection in the banking entity CAIXABANK, SA. In case
Otherwise, it will be collected in the executive period.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 96
96/97
Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline to make the payment
volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred to Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
Mar Spain Martí
Director of the Spanish Agency for Data Protection
ANNEX (Sorted by date of entry of the claim in the AEPD)
Column legend:
:
Sequential order number
R / D / C:
R óbinson / D igh / C Express onsentimiento
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 97
97/97
PF / PJ:
Natural Person / Legal Person
LGT / PD / LSSI:
Violated law
F. Robin.credit:
Accredited date inclusion in advertising exclusion lists
LINE:
Sender / Receiver
F. LINE CALL: Date of the advertising action
REFER. AEPD:
Claim reference code in the AEPD
CLAIMANT:
Claimant's name (the number indicates the times claimed)
CLAIM TEXT: Text of the claim submitted by the claimant
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es