AEPD - PS/00085/2021
|AEPD - PS/00085/2021|
|Relevant Law:||Article 6(1)(a) GDPR|
|Parties:||VODAFONE ESPAÑA, S.A.U.|
|National Case Number/Name:||PS/00085/2021|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD decision (in ES)|
The Spanish DPA fined Vodafone €150,000 (reduced to €90,000) for processing personal data without consent or any other different legal basis.
Three complainants lodged a complaint with the Spanish DPA (AEPD) alleging that Vodafone was sending messages to them (0€-invoices) after they had previously asked for the erasure of their data, once their contract was terminated.
The AEPD held that Vodafone had violated Article 6(1) GDPR for processing personal data without consent or any other different legal basis. When imposing the fine, the AEPD took into account:
- The type of data affected: basic identifiers such as names, surnames, phone number.
- The relation between the processing and the business activities of the respondent.
- The previous fines on the same grounds.
- The lack of diligence regarding the erasure request.
The AEPD finally fined Vodafone €150,000, that was reduced to €90,000 due to the assumption of responsibility and the early payment.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13 Procedure No.: PS / 00085/2021 RESOLUTION R / 00248/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY In the sanctioning procedure PS / 00085/2021, instructed by the Spanish Agency for Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed by A.A.A., B.B.B., C.C.C., and based on the following, BACKGROUND FIRST: On March 9, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against VODAFONE SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure No.: PS / 00085/2021 AGREEMENT TO START THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and in based on the following: FACTS FIRST: D. A.A.A. (hereinafter claimant 1), Ms. B.B.B. (hereafter claimant 2) and D. C.C.C. (hereinafter claimant 3) dated October 24, 2019, November 13, 2019, and July 22, 2020, respectively, filed claims before the Spanish Agency for Data Protection. the claims are directed against Vodafone España, S.A.U. with CIF A80907397 (hereinafter, the claimed). The claimants state that the claimed entity did not delete their data personal files of your files, once the signed telephony contract has concluded. Thus the things, they indicate that they continue receiving SMS with invoices of zero amount. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/13 That, according to the claimants, the events took place in the following periods: during the last year (claimant 1), during the last two years (claimant 2) and during the last 7 months (claimant 3) prior to the presentation of the present claims. And, among others, they provide the following documentation: Claimant 1 - SMS notification of a new invoice available with a payment date of 20 September 2019. Claimant 2 - Claim before the Municipal Consumer Information Office of the *** Town Hall of LOCALIDAD.1 (Ref. 1252/19) where an invoice appears issued by the respondent dated September 15, 2019. Claimant 3 - Invoice sent by the complained party dated July 15, 2020. - Request made by email dated July 21, 2020 for termination of issuance of invoices and communications. - Response of the claimed indicating various procedures to follow to fix the issue. SECOND: In view of the facts denounced in the claim and the documents provided by the claimant and the facts and documents of which he has this Agency, the Subdirectorate General for Data Inspection, has come to know proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and of in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigative actions carried out, it is verified that the responsible for the treatment is the one claimed. Likewise, the following points are found: 1. The antecedents that appear are the following: Files for the transfer of claims E / 11384/2019, E / 00232/2020 and E / 06666/2020. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/13 In these files, the claims presented in this Agency to the claimed. With dates of January 9 and 23, 2020, and September 21, 2020, the briefs of allegations to the transfer of the claims sent by the claimed stating that the personal data of the interested parties were not properly disposed of due to a fault in the internal systems of the claimed. In all three cases, a letter was sent to the claimants in which they were informs of the causes that have generated the incident and that their data has been definitely eliminated. And they attach, among others, the following documents: - Letter dated January 9, 2020 sent to claimant 1 informing him that as soon as the failure of the claimed systems is resolved, their data would be deleted. - Letter dated January 23, 2020 sent to claimant 2 informing her that it had been a computer error and that they had proceeded to delete your data from their systems. - Letter dated September 17, 2020 sent to claimant 3 informing you that it was a computer error and that they had proceeded to delete your data from their systems. On February 7 and 11 and September 27, 2020, it was agreed to admit processing the claims submitted by the claimants. The claimed with dates of February 10, 14 and October 6, 2020. On March 3, 2020, it is received at this Agency, with the number of registration, 010434/2020, brief of allegations to the resolution of admission for processing stating that the data of claimant 1 had already been deleted from their systems. And, among other documents, they attach: - Letter sent to claimant 1 informing him of this fact. On June 2, 2020, the claimed status of solution is requested of the errors detected after the claims of claimants 1 and 2. With date of June 10, 2020 is received at this Agency, with registration number 019403/2020, answering brief stating that they had verified that the data of claimants 1 and 2 had been canceled so the incidents as resolved. On July 22, 2020, a new claim is received for them. facts about which the respondent stated, in the answer to the transfer of the claim, that the issuance of invoices was due to another error in their systems. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/13 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II The claimed facts are specified in the treatment of the data of the claimants by the claimed without standing to do so, by sending SMS to the claimants' mobile phones informing them of the generation of invoices in your name, when you had already terminated your contractual relationship and the The complainant had stated: "that their data has been definitively eliminated." Said treatment could be constitutive of an infringement of article 6, Lawfulness of the treatment, of the RGPD that establishes that: "1. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; b) the treatment is necessary for the performance of a contract in which the interested is part or for the application at the request of this of measures pre-contractual; (…) " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/13 In article 4 of the RGPD, Definitions, in its section 11, it states that: "11)" consent of the interested party ": any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that they concern him ”. Also article 6, Treatment based on the consent of the affected party, of the new Organic Law 3/2018, of December 5, on Data Protection Personal and guarantee of digital rights (hereinafter LOPDGDD), states what: "1. In accordance with the provisions of article 4.11 of the Regulation (EU) 2016/679, the consent of the affected party is understood to be any manifestation of will free, specific, informed and unequivocal for which it accepts, either through a declaration or a clear affirmative action, the processing of personal data that concern. 2. When the data processing is intended to be based on consent of the affected party for a plurality of purposes, it will be necessary to record in a specific and unequivocal that said consent is granted for all of them. 3. The execution of the contract may not be subject to the consent of the affected party processing of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship ”. Article 83.5 a) of the RGPD, considers that the infringement of "the principles basic to the treatment, including the conditions for consent in accordance with of articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the mentioned Article 83 of the aforementioned Regulation, “with administrative fines of € 20,000,000 maximum or, in the case of a company, of an equivalent amount at a maximum of 4% of the total global annual turnover for the financial year above, opting for the one with the highest amount ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/13 On the other hand, the LOPDGDD for the purposes of prescription states in its article 72: "Violations considered very serious: 1. In accordance with the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in in particular, the following: (…) b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. (…) " III The documentation in the file offers clear indications that the claimed violated article 6 of the RGPD, since it processed the personal data of the claimants without having any legitimacy to do so, materialized in that they continue to receive SMS sent to the mobile regarding the billing, even though you have requested in the past the deletion of your data and the claimed that they would no longer receive similar notices. It is important to highlight that this Agency transferred the claims made by the claimants to the claimed, giving rise to the files E / 11384/2019, E / 00232/2020 and E / 06666/2020. Well, on June 2, 2020, the claimed status of solution of the errors detected after the claims of claimants 1 and 2. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/13 Thus it is established that on June 10, 2020, the complainant states that the data of the Claimants 1 and 2 had been canceled so they gave the incidents as resolved. Taking the above into account, on July 22, 2020 a new claim for the same facts about which the defendant stated, in the answer to the transfer of the claim, that the issuance of invoices was due to another error in their systems. Consequently, it has carried out a processing of personal data without has proven that it has the legal authorization to do so. IV In order to establish the administrative fine to be imposed, they must observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which they point out: "1. Each supervisory authority will guarantee that the imposition of fines administrative under this article for the infractions of this Regulations indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute title for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/13 d) the degree of responsibility of the person in charge of the treatment, taking into account the technical or organizational measures that have applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to establish remedy the violation and mitigate the possible adverse effects of the violation; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in in particular if the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or the person in charge of regarding the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the infringement. In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offense. b) The linking of the activity of the offender with the performance of treatments of personal data. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the offense. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/13 e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a delegate for the protection of data. h) The submission by the person in charge or in charge, with character voluntary, to alternative dispute resolution mechanisms, in those assumptions in which there are controversies between those and any interested party. " In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, for the purpose of setting the amount of the fine impose in the present case on the entity claimed by the offense typified in the Article 83.5.a) of the RGPD for which the complainant is held responsible, in a initial assessment, the following factors are considered concurrent: In the present case we are facing a serious negligent action (article 83.2 b). Basic personal identifiers are affected (name, surname, mobile phone number) (article 83.2 g). The evident link between the business activity of the complained party and the processing of personal data of clients or third parties (art. 83.2 k in relationship with art. 76. 2 b) of the LOPDGDD. Any previously committed offense (article 83.2 e). The serious lack of diligence demonstrated then, after having communicated to the claimants who attended the right to object to the treatment of their data, he proceeded again to send them commercial communications. In accordance with the indicated precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the sanction to impose in the present case, it is considered that the sanction should be impose in accordance with the following criteria established in article 76.2 of the LOPDGDD: The linking of the offender's activity with the performance of treatment of personal data, (section b). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/13 The balance of the circumstances contemplated in article 83.2 of the RGPD, with regarding the offense committed by violating the provisions of article 6.1 of the RGPD allows setting a penalty of 150,000 euros (one hundred and fifty thousand euros), considered as “very serious”, for the purposes of prescription of the same, in the 72.1st of the LOPDGDD. Therefore, in accordance with the foregoing, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: 1. INITIATE SANCTIONING PROCEDURE for VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of article 6.1. GDPR typified in article 83.5.a) of the aforementioned RGPD. 1. APPOINT Mr. D.D.D. as instructor. and as secretary to Mrs. E.E.E., indicated Whereas any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, of Ré- Legal Regime of the Public Sector (LRJSP). 2. INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its attached documentation, the documentation of E / 11384/2019, E / 00232/2020 and E / 06666/2020. 3. THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Administrations Public, the penalty that may correspond would be 150,000 euros (one hundred fifty thousand euros), without prejudice to what results from the instruction. 4. NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with CIF A80907397, granting you a hearing period of ten business days so that formulate the allegations and present the evidence that it deems appropriate. In your statement of allegations you must provide your NIF and the number of procedure at the top of this document. If within the stipulated period it does not make allegations to this initiation agreement, the same It may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/13 In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; it which will entail a reduction of 20% of the penalty to be imposed in the present procedure. With the application of this reduction, the sanction would be established at 120,000 euros, resolving the procedure with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 120,000 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the preceding paragraph, it may be done at any time prior to the resolution. On In this case, if both reductions should be applied, the amount of the penalty would be set at 120,000 euros. In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts indicated above, 120,000 euros or 90,000 euros, you must make it effective by entering the account number ES00 0000 0000 0000 0000 0000 open to name of the Spanish Agency for Data Protection in Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which welcomes. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/13 Likewise, you must send the proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On March 30, 2021, the defendant has proceeded to pay the sanction in the amount of 90,000 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/13 II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or to the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% on the amount of the proposed sanction, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditional on the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00085/2021, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 936-031219 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es