AEPD (Spain) - PS/00085/2021

From GDPRhub
Revision as of 09:57, 21 April 2021 by RRA (talk | contribs)
AEPD - PS/00085/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 15.04.2021
Fine: 150000 EUR
Parties: VODAFONE ESPAÑA, S.A.U.
National Case Number/Name: PS/00085/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA fined Vodafone €150,000 (reduced to €90,000) for processing personal data without consent or any other legal basis.

English Summary

Facts

Three complainants lodged a complaint with the Spanish DPA (AEPD) alleging that Vodafone was sending messages to them (0€-invoices) after they had previously asked for the erasure of their data, once their contract was terminated.

Holding

The AEPD held that Vodafone had violated Article 6(1) GDPR for processing personal data without consent or any other different legal basis. When imposing the fine, the AEPD took into account:

  • The type of data affected: basic identifiers such as names, surnames, phone number.
  • The relation between the processing and the business activities of the respondent.
  • The previous fines on the same grounds.
  • The lack of diligence regarding the erasure request.

The AEPD finally fined Vodafone €150,000, that was reduced to €90,000 due to the assumption of responsibility and the early payment.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                            1/13











     Procedure No.: PS / 00085/2021

RESOLUTION R / 00248/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTARY


In the sanctioning procedure PS / 00085/2021, instructed by the Spanish Agency for
Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed
by A.A.A., B.B.B., C.C.C., and based on the following,

                                 BACKGROUND


FIRST: On March 9, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against VODAFONE
SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed:


<<




Procedure No.: PS / 00085/2021




           AGREEMENT TO START THE SANCTIONING PROCEDURE




Of the actions carried out by the Spanish Agency for Data Protection and in
based on the following:




                                     FACTS



FIRST: D. A.A.A. (hereinafter claimant 1), Ms. B.B.B. (hereafter

claimant 2) and D. C.C.C. (hereinafter claimant 3) dated October 24,
2019, November 13, 2019, and July 22, 2020, respectively, filed

claims before the Spanish Agency for Data Protection. the claims
are directed against Vodafone España, S.A.U. with CIF A80907397 (hereinafter, the
claimed).

The claimants state that the claimed entity did not delete their data

personal files of your files, once the signed telephony contract has concluded.

Thus the things, they indicate that they continue receiving SMS with invoices of zero amount.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/13








That, according to the claimants, the events took place in the following periods:
during the last year (claimant 1), during the last two years (claimant 2) and

during the last 7 months (claimant 3) prior to the presentation of the
present claims.

And, among others, they provide the following documentation:

Claimant 1
    - SMS notification of a new invoice available with a payment date of 20
        September 2019.

Claimant 2

    - Claim before the Municipal Consumer Information Office of the
        *** Town Hall of LOCALIDAD.1 (Ref. 1252/19) where an invoice appears

        issued by the respondent dated September 15, 2019.

Claimant 3
    - Invoice sent by the complained party dated July 15, 2020.

    - Request made by email dated July 21, 2020 for termination of
        issuance of invoices and communications.

    - Response of the claimed indicating various procedures to follow
        to fix the issue.



SECOND: In view of the facts denounced in the claim and the
documents provided by the claimant and the facts and documents of which he has

this Agency, the Subdirectorate General for Data Inspection, has come to know
proceeded to carry out preliminary investigation actions for the

clarification of the facts in question, by virtue of the powers of investigation
granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and of

in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).




As a result of the investigative actions carried out, it is verified that the
responsible for the treatment is the one claimed.




Likewise, the following points are found:

    1. The antecedents that appear are the following:

    Files for the transfer of claims E / 11384/2019, E / 00232/2020 and
    E / 06666/2020.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/13








    In these files, the claims presented in this
    Agency to the claimed.


    With dates of January 9 and 23, 2020, and September 21, 2020, the
    briefs of allegations to the transfer of the claims sent by the
    claimed stating that the personal data of the interested parties were not

    properly disposed of due to a fault in the internal systems of the
    claimed. In all three cases, a letter was sent to the claimants in which they were
    informs of the causes that have generated the incident and that their data has been

    definitely eliminated.

    And they attach, among others, the following documents:

    - Letter dated January 9, 2020 sent to claimant 1 informing him

        that as soon as the failure of the claimed systems is resolved, their
        data would be deleted.

    - Letter dated January 23, 2020 sent to claimant 2

        informing her that it had been a computer error and that they had
        proceeded to delete your data from their systems.

    - Letter dated September 17, 2020 sent to claimant 3

        informing you that it was a computer error and that they had
        proceeded to delete your data from their systems.

    On February 7 and 11 and September 27, 2020, it was agreed to admit

    processing the claims submitted by the claimants. The
    claimed with dates of February 10, 14 and October 6, 2020.

    On March 3, 2020, it is received at this Agency, with the number of

    registration, 010434/2020, brief of allegations to the resolution of admission for processing
    stating that the data of claimant 1 had already been deleted from their

    systems.

    And, among other documents, they attach:

    - Letter sent to claimant 1 informing him of this fact.

    On June 2, 2020, the claimed status of solution is requested

    of the errors detected after the claims of claimants 1 and 2. With
    date of June 10, 2020 is received at this Agency, with registration number
    019403/2020, answering brief stating that they had verified that

    the data of claimants 1 and 2 had been canceled so the
    incidents as resolved.

    On July 22, 2020, a new claim is received for them.
    facts about which the respondent stated, in the answer to the transfer of the

    claim, that the issuance of invoices was due to another error in their systems.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/13











        FOUNDATIONS OF LAW



        I




        By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,

the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.




        II




        The claimed facts are specified in the treatment of the data of the
claimants by the claimed without standing to do so, by sending
SMS to the claimants' mobile phones informing them of the generation of

invoices in your name, when you had already terminated your contractual relationship and the
The complainant had stated: "that their data has been definitively eliminated."




        Said treatment could be constitutive of an infringement of article 6, Lawfulness
of the treatment, of the RGPD that establishes that:




        "1. The treatment will only be lawful if at least one of the following is met
terms:




        a) the interested party gave their consent for the processing of their data

personal for one or more specific purposes;

        b) the treatment is necessary for the performance of a contract in which the
interested is part or for the application at the request of this of measures

pre-contractual;



        (…) "


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/13










        In article 4 of the RGPD, Definitions, in its section 11, it states that:




        "11)" consent of the interested party ": any manifestation of free will,
specific, informed and unequivocal by which the interested party accepts, either through

a statement or a clear affirmative action, the processing of personal data that
they concern him ”.




        Also article 6, Treatment based on the consent of the affected party,
of the new Organic Law 3/2018, of December 5, on Data Protection

Personal and guarantee of digital rights (hereinafter LOPDGDD), states
what:




        "1. In accordance with the provisions of article 4.11 of the Regulation (EU)
2016/679, the consent of the affected party is understood to be any manifestation of will
free, specific, informed and unequivocal for which it accepts, either through a

declaration or a clear affirmative action, the processing of personal data that
concern.




        2. When the data processing is intended to be based on consent
of the affected party for a plurality of purposes, it will be necessary to record in a

specific and unequivocal that said consent is granted for all of them.



        3. The execution of the contract may not be subject to the consent of the affected party

processing of personal data for purposes that are not related to the
maintenance, development or control of the contractual relationship ”.




        Article 83.5 a) of the RGPD, considers that the infringement of "the principles
basic to the treatment, including the conditions for consent in accordance with
of articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the

mentioned Article 83 of the aforementioned Regulation, “with administrative fines of
€ 20,000,000 maximum or, in the case of a company, of an equivalent amount

at a maximum of 4% of the total global annual turnover for the financial year
above, opting for the one with the highest amount ”.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/13











        On the other hand, the LOPDGDD for the purposes of prescription states in its article 72:
"Violations considered very serious:




        1. In accordance with the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that

suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:




        (…)



        b) The processing of personal data without the concurrence of any of the

conditions of legality of the treatment established in article 6 of the Regulation
(EU) 2016/679.




        (…) "




        III



        The documentation in the file offers clear indications that the

claimed violated article 6 of the RGPD, since it processed the
personal data of the claimants without having any legitimacy to do so,
materialized in that they continue to receive SMS sent to the mobile regarding the

billing, even though you have requested in the past the deletion of your data and the
claimed that they would no longer receive similar notices.




    It is important to highlight that this Agency transferred the
claims made by the claimants to the claimed, giving rise to the

files E / 11384/2019, E / 00232/2020 and E / 06666/2020.


    Well, on June 2, 2020, the claimed status of

solution of the errors detected after the claims of claimants 1 and 2.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/13








    Thus it is established that on June 10, 2020, the complainant states that the data of the
Claimants 1 and 2 had been canceled so they gave the incidents as

resolved.

    Taking the above into account, on July 22, 2020 a new
claim for the same facts about which the defendant stated, in the

answer to the transfer of the claim, that the issuance of invoices was due to another
error in their systems.

   Consequently, it has carried out a processing of personal data without
has proven that it has the legal authorization to do so.




        IV




        In order to establish the administrative fine to be imposed, they must
observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which
they point out:




        "1. Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this

Regulations indicated in paragraphs 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.




        2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute title for the measures contemplated

in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:




        a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that

have suffered;

        b) intentionality or negligence in the infringement;

        c) any measure taken by the person in charge or in charge of the treatment

to alleviate the damages suffered by the interested parties;



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/13








        d) the degree of responsibility of the person in charge of the
treatment, taking into account the technical or organizational measures that have

applied by virtue of articles 25 and 32;

        e) any previous infringement committed by the person in charge or the person in charge of the

treatment;

        f) the degree of cooperation with the supervisory authority in order to establish
remedy the violation and mitigate the possible adverse effects of the violation;


        g) the categories of personal data affected by the infringement;

        h) the way in which the supervisory authority learned of the infringement, in
in particular if the person in charge or the person in charge notified the infringement and, if so, in what

measure;

        i) when the measures indicated in article 58, paragraph 2, have been
previously ordered against the person in charge or the person in charge of

regarding the same matter, compliance with said measures;

        j) adherence to codes of conduct under article 40 or to mechanisms
certification approved in accordance with Article 42, and


        k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct or

indirectly, through the infringement.



        In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its

Article 76, “Sanctions and corrective measures”, establishes that:



        "two. In accordance with the provisions of article 83.2.k) of Regulation (EU)

2016/679 may also be taken into account:



        a) The continuing nature of the offense.


        b) The linking of the activity of the offender with the performance of treatments
of personal data.

        c) The benefits obtained as a result of the commission of the offense.


        d) The possibility that the affected person's conduct could have led to the
commission of the offense.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/13








        e) The existence of a merger process by absorption after the commission
of the infringement, which cannot be attributed to the absorbing entity.


        f) Affecting the rights of minors.

        g) Have, when not mandatory, a delegate for the protection of

data.

        h) The submission by the person in charge or in charge, with character
voluntary, to alternative dispute resolution mechanisms, in those

assumptions in which there are controversies between those and any interested party. "


      In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, for the purpose of setting the amount of the fine
impose in the present case on the entity claimed by the offense typified in the
Article 83.5.a) of the RGPD for which the complainant is held responsible, in a
initial assessment, the following factors are considered concurrent:


         In the present case we are facing a serious negligent action (article 83.2
  b).

        Basic personal identifiers are affected (name, surname,

        mobile phone number) (article 83.2 g).

        The evident link between the business activity of the complained party and the
        processing of personal data of clients or third parties (art. 83.2 k in
        relationship with art. 76. 2 b) of the LOPDGDD.


         Any previously committed offense (article 83.2 e).
        The serious lack of diligence demonstrated then, after having communicated to

        the claimants who attended the right to object to the treatment of their
        data, he proceeded again to send them commercial communications.



        In accordance with the indicated precepts, and without prejudice to what results from the
        instruction of the procedure, in order to fix the amount of the sanction to
        impose in the present case, it is considered that the sanction should be

        impose in accordance with the following criteria established in article 76.2
        of the LOPDGDD:




        The linking of the offender's activity with the performance of treatment of
        personal data, (section b).






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/13








    The balance of the circumstances contemplated in article 83.2 of the RGPD, with
regarding the offense committed by violating the provisions of article 6.1 of the

RGPD allows setting a penalty of 150,000 euros (one hundred and fifty thousand euros),
considered as “very serious”, for the purposes of prescription of the same, in the 72.1st of
the LOPDGDD.


     Therefore, in accordance with the foregoing, by the Director of the Agency

Spanish Data Protection,


       HE REMEMBERS:






    1. INITIATE SANCTIONING PROCEDURE for VODAFONE ESPAÑA, S.A.U.,

       with NIF A80907397, for the alleged violation of article 6.1. GDPR
       typified in article 83.5.a) of the aforementioned RGPD.



    1. APPOINT Mr. D.D.D. as instructor. and as secretary to Mrs. E.E.E., indicated
       Whereas any of them may be challenged, if applicable, in accordance with the
       established in articles 23 and 24 of Law 40/2015, of October 1, of Ré-
       Legal Regime of the Public Sector (LRJSP).



    2. INCORPORATE to the sanctioning file, for evidentiary purposes, the
       claim filed by the claimant and its attached documentation, the
       documentation of E / 11384/2019, E / 00232/2020 and E / 06666/2020.


    3. THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1

       October, of the Common Administrative Procedure of the Administrations
       Public, the penalty that may correspond would be 150,000 euros (one hundred
       fifty thousand euros), without prejudice to what results from the instruction.



    4. NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with CIF
       A80907397, granting you a hearing period of ten business days so that
       formulate the allegations and present the evidence that it deems appropriate.
       In your statement of allegations you must provide your NIF and the number of
       procedure at the top of this document.



If within the stipulated period it does not make allegations to this initiation agreement, the same
It may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of

the Public Administrations (hereinafter, LPACAP).
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/13










In accordance with the provisions of article 85 of the LPACAP, in the event that the

penalty to be imposed would be a fine, you may recognize your responsibility within the
term granted for the formulation of allegations to the present initiation agreement; it

which will entail a reduction of 20% of the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be
established at 120,000 euros, resolving the procedure with the imposition of

this sanction.



In the same way, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 120,000 euros and its payment will imply the termination

of the procedure.




The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is made manifest within the period granted to formulate

allegations at the opening of the procedure. The voluntary payment of the referred amount
in the preceding paragraph, it may be done at any time prior to the resolution. On
In this case, if both reductions should be applied, the amount of the penalty would be

set at 120,000 euros.



In any case, the effectiveness of either of the two mentioned reductions will be

conditioned to the withdrawal or resignation of any action or remedy in
administrative against the sanction.




In case you choose to proceed to the voluntary payment of any of the amounts

indicated above, 120,000 euros or 90,000 euros, you must make it effective

by entering the account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Agency for Data Protection in Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears in

the heading of this document and the cause of reduction of the amount to which
welcomes.





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/13








Likewise, you must send the proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity

entered.



The procedure will have a maximum duration of nine months from the date of

date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.




Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.




Mar Spain Martí

Director of the Spanish Agency for Data Protection

>>


SECOND: On March 30, 2021, the defendant has proceeded to pay the
sanction in the amount of 90,000 euros making use of the two planned reductions
in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.


FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of

control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General

of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/13








II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,

except in relation to the replacement of the altered situation or to the determination of the
compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,

20% on the amount of the proposed sanction, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditional on the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.


The percentage of reduction foreseen in this section may be increased
regulations.

In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:


FIRST: DECLARE the termination of procedure PS / 00085/2021, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U ..


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by

the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


936-031219
Mar Spain Martí

Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es