AEPD - PS/00069/2020

From GDPRhub
AEPD - PS/00069/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 83(2)(k) GDPR
Article 83(2)(g) GDPR
Article 83(2)(b) GDPR
Article 83(2)(f) GDPR
Article 83(5) GDPR
76 (2) (b) LOPDPGDD
Type: Investigation
Outcome: Violation Found
Decided: 16.09.2020
Published: n/a
Fine: 60000 EUR
Parties: LYCAMOBILE S.L.
National Case Number/Name: PS/00069/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA (AEPD) fined Lycamobile S.L. €60000 for processing personal data without the consent of the respective data subject, therefore infringing Article 6(1)(a) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

On 23 October 2019, a complaint was lodged before a court relating to the fact that the personal data of users have been falsified by Lycamobile or a mobile telephone establishment authorized by that entity.

The personal data of the users of the prepaid cards which are registered in the Lycamobile register do not correspond to the data of the person who acquires the prepaid mobile phone card.

In addition, it was indicated that the use of the personal data of a third person that is not related to the facts stated in the complaint, has caused the complainant serious non-consensual patrimonial harm.

On 17 March 2020, the AEPD initiated the sanctioning procedure, transferred the documents to the defendant, and the latter sent allegations.

Dispute[edit | edit source]

Is the use of personal data without the consent of the persons concerned a breach of Article 6 (1) (a) GDPR?

Holding[edit | edit source]

The AEPD considered that the defendant company carried out the treatment without having any legitimacy to do so. The personal data were incorporated into the company's information systems, without it being proven that the company had legitimately contracted, had its consent to the collection and subsequent processing of its personal data, or that there was any other cause that made the processing carried out lawful.

In setting the amount of the penalty, the AEPD took into account: the link between the business activity of the respondent and the processing of personal data (83 (2) (k) GDPR); the fact that basic personal identifiers are affected (83 (2) (g) GDPR); the intentionality or negligence of the infringement (83 (2) (b) GDPR) and the lack of cooperation with the Spanish Data Protection Agency (83 (2) (f) GDPR).

Therefore, in view of the aggravating factors applied to the case, the Director of the Spanish DPA imposed a penalty of EUR 60000 on the company Lycamobile S.L.


Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00069/2020
938-300320

RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On 23 October 2019, the entry comes from the Court of Instruction No 11 of ***LOCALITY.1 order of summary procedure***PROCEDURE.1 The facts set out in the Order of October 2019, a copy of which is attached, relating to the fact that users' personal data have been falsified by of Lycamobile or of a telephone establishment authorized by that entity.
The personal data of the users of the prepaid cards that are registered in the Lycamobile register do not correspond to the data of the person who acquires the prepaid mobile phone card. In particular, the data
registered personal data on the ownership of the line ***TELÉFONO.1 does not correspond to their real owner.
 It is also indicated that the use of the personal data of a third person which has no bearing on the facts as set out in the car, has caused him serious non-consensual damage. All this in a clear breach of the
current legislation on data protection. 
The claim is directed against Lycamobile, S.L. with NIF B92877141 (in the claimed one).
SECOND: In view of the facts denounced and the documents provided by the complainant, the Subdirectorate General for the Inspection of Data requests information from by letter dated 17 December 2019, without the above-mentioned entity has provided the requested information.

On 28 February 2020, pursuant to Article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the claim.

THIRD: On 17 March 2020, the Director of the Spanish Data Protection agreed to initiate sanctioning proceedings against the respondent, within accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the Common Administrative Procedure for Public Administrations (hereinafter referred to as the "Common Administrative Procedure"), LPACAP), for the alleged violation of Article 6.1.a) of the RGPD, typified in Article 83.5 of the GPRS.

FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of allegations in which, in summary, it stated that the has a regulated and comprehensive procedure for identifying the customers and that there is a possibility that the perpetrator has taken over a another person's mobile phone or with a stolen mobile phone. That documentation is sent that allegedly attached to this file but which the respondent has not received
This is a situation of total helplessness. Not to be held responsible for Lycamobile may use data without the consent of the person concerned, since in the hypothetical case of a contradiction between the owner and the registration book it would be a mere error and not a liability of Lycamobile for using data without
the consent of the person concerned. That a decision is issued in due course to agree on the termination of the sanctioning procedure and, in the alternative, to agree on the application of sanctions to the least extent and in the least amount, in accordance with the law.

FIFTH: On 24 June 2020, the trial period began,
1. To consider the claim made as having been reproduced for evidential purposes by the claimant and its documentation, the documents obtained and generated that are part of the file and 2. allegations to the agreement of initiation of PS/00069/2020 and the documentation that to them accompanying, submitted by the respondent.

SIXTH: It is recorded that on 23 July 2020, a copy of the file in response to his pleading submission to the Start-up Agreement through the Electronic Notification Service, with an automatic rejection date
on 3 August 2020. 

SEVENTH: The Motion for a Resolution was notified on 7 August 2020, as alleged infringement of Article 6.1 a) of the RGPD, typified in Article 83.5 of the RGPD, and a fine of EUR 60 000 is proposed.

PROVEN FACTS
1.- The facts set out in the Order of October 2019 relating to the personal data of users has been falsified by Lycamobile or of a telephone establishment authorized by that entity.

2.- The personal data of the users of the prepaid cards that are registered in the Lycamobile register do not correspond to the data of the person who acquires the prepaid mobile phone card. In particular, the data
registered personal data on the ownership of the line ***TELÉFONO.1 does not correspond to their real owner.

3.- It is also indicated that the use of the personal data of a third person who has no connection with the facts set out in the car, has caused serious non-consensual damage. All this is set out in a manifesto
non-compliance with current data protection regulations.


LEGAL FOUNDATIONS

I
By virtue of the powers conferred on each of the parties by Article 58(2) of the GDPR authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II
Article 6, Lawfulness of processing, of the GPDR, establishes that "Processing shall only be lawful if at least one of the following conditions is met conditions:
a) the data subject has given his consent to the processing of his data for one or more specific purposes;
(b) processing is necessary for the performance of a contract in which the interested is a party to or for the application at his request of measures pre-contractual;
(…)”
Article 4 of the GPRS, Definitions, in paragraph 11, states that "(11) "Consent of the data subject" means any expression of free will specific, informed and unequivocal by which the data subject accepts, either by
a statement or clear affirmative action, the processing of personal data that concern him".
Also Article 6, Treatment based on the consent of the person concerned, of the new Organic Law 3/2018, of 5 December, on Data Protection Personal and guarantee of digital rights (hereinafter LOPDGDD), states
that:
"In accordance with Article 4.11 of the Regulation (EU) 2016/679, the consent of the person concerned is understood as an expression of will specific, informed and unequivocal reason why he accepts, either by a
a statement or clear affirmative action, the processing of personal data that you concern. 

2. When it is intended to base the processing of data on the consent of the person concerned for a variety of purposes will need to be recorded in a The Commission has also stated specifically and unambiguously that such consent is given for all of them.

3. The execution of the contract may not be subordinated to the consent of the person concerned to
processing of personal data for purposes unrelated to the maintenance, development, or control of the contractual relationship".

Article 83.5 a) of the RGPD, considers that the infringement of "the principles for treatment, including conditions for consent under the of Articles 5, 6, 7 and 9" is punishable, in accordance with Article
mentioned in Article 83 of that Regulation, "with administrative fines of 20,000,000 maximum or, in the case of a company, an equivalent amount to a maximum of 4% of the total annual turnover for the financial previous year, opting for the one with the highest amount".

On the other hand, Article 72 of the LOPDGDD states that for the purposes of prescription:
"Infringements considered very serious:

1. In accordance with the provisions of Article 83(5) of the Regulation (EU)
2016/679 are considered very serious and will be subject to a three-year statute of limitations for infringements that constitute a substantial breach of the articles mentioned in that one and, in
In particular, the following:
(…)
b) The processing of personal data without any of the conditions for the lawfulness of processing laid down in Article 6 of the Regulation (EU) 2016/679.
(…)”

III
The documentation in the file provides evidence that Article 6.1 of the RGPD was violated, since the personal data registered on the ownership of the line ***TELÉFONO.1 does not correspond to its real owner, i.e. he carried out the processing without having any legitimacy to do so. The personal data were incorporated into the information systems of the company, without proof of legitimate employment,
had your consent for the collection and further processing of your personal data, or there is some other cause that makes the processing lawful carried out.

IV
In order to determine the administrative fine to be imposed the provisions of Articles 83(1) and 83(2) of the GPRS, which they point out:
"Each supervisory authority shall ensure that the imposition of fines administrative offences under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are on a case-by-case basis
effective, proportionate, and dissuasive.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures envisaged in Article 58(2)(a) to (h) and (j) In deciding to impose a fine and its amount in each individual case will be duly taken into account:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of stakeholders affected and the level of damages they have suffered;
(b) the intentionality or negligence of the infringement;
(c) any measure taken by the controller or processor to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of treatment, taking into account any technical or organisational measures that have applied under Articles 25 and 32;
(e) any previous infringement committed by the person responsible for or in charge of treatment;
(f) the degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the way in which the supervisory authority became aware of the infringement, in particular, whether the person responsible or the person in charge notified the infringement and, if so to what extent;
(i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible or the person in charge in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and 
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.

With regard to Article 83.2(k) of the RGPD, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", establishes that: 
"2. The provisions of Article 83(2)(k) of Regulation (EU) 2016/679 may also be taken into account:
(a) The continuing nature of the infringement
(b) The link between the activity of the offender and the carrying out of the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
(d) The possibility that the conduct of the data subject may have led to the commission of the offence.
(e) The existence of a post-commission merger process of the infringement, which cannot be attributed to the absorber.
f) Affecting the rights of minors.
g) Having, when not compulsory, a delegate for the protection of data.
h) The submission by the person responsible or in charge, in a to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested."

V
In accordance with the provisions transcribed for the purpose of fixing the amount of penalty of a fine to be imposed in the present case for the infringement in Article 3.5 of the RGPD, for which the respondent is held responsible, is considered that the following factors are concurrent:
- The obvious link between the business activity of the respondent and the processing of personal data of customers or third parties (article 83.2 k of the RGPD in relation to Article 76.2 b of the LOPDGDD.
- Basic personal identifiers are affected (name, Surname, address, tax identification number) (art. 83.2 g).
- The intentionality or negligence of the infringement (art. 83.2 b).
- Null cooperation with the AEPD (Art. 83.2 f)

Therefore, in accordance with the applicable legislation and assessed on the basis of graduation of the sanctions whose existence has been accredited, the Director of Spanish Data Protection Agency RESOLVES:

FIRST: To impose LYCAMOBILE, S.L., with NIF B92877141, for an infringement of Article 6.1(a) of the GPRS, as set out in Article 83.5 of the GPRS, a fine of 60,000 euros (sixty thousand euros).

SECOND: TO NOTIFY this resolution to LYCAMOBILE, S.L.

THIRD: To warn the sanctioned party that he must make effective the sanction imposed a once this decision becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of 1 October, on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), within the payment period established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by means of its payment, indicating the tax identification number of the procedure set out in the heading of this document, in the account restricted No ES00 0000 0000 0000 0000, open on behalf of the Agency Spanish Data Protection in the bank CAIXABANK, S.A.. Otherwise, it will be collected during the enforcement period.

Once notification has been received and once it has become enforceable if the enforceability date the deadline for the completion of the registration process is between the 1st and 15th of each month, inclusive.
Voluntary payment will be until the 20th day of the following month or the next business day, and if is between the 16th and the last day of each month, inclusive, the deadline of payment will be made until the 5th of the second following month or immediately thereafter.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public after it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure according to art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for a reversal to the Director of the Spanish Data Protection Agency within a period of a month from the day following notification of this resolution or directly contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the referred to Law.

Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the LPACAP, the final decision may be suspended in administrative proceedings as a precautionary measure if the person concerned indicates his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency, by submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registrations provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. Also
must send to the Agency the documentation proving the effective intervention of the contentious-administrative appeal. If the Agency was not aware of the lodging of the contentious-administrative appeal within two months of the day following notification of this resolution, would terminate the precautionary suspension.


Mar España Marti
Director of the Spanish Data Protection Agency