AEPD - PS/00089/2021

From GDPRhub
AEPD - PS/00089/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 7 GDPR
Article 21(1) LSSI
Type: Complaint
Outcome: Upheld
Published: 07.04.2021
Fine: 150000
National Case Number/Name: PS/00089/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA fined Orange Spain €150,000 (reduced to €90,000) for sending bulk unsolicited commercial communications without adequately obtaining the consent of the users in accordance with Articles 6 and 7 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The Spanish DPA (AEPD) launched an investigation on Orange's marketing practices after several complainants lodged a complaint with the authority.

The AEPD discovered that Orange used the provision of different services to potential clients or actual clients to obtain their phone number, that was included in different databases used for commercial and marketing purposes by the sending of SMS. Both Orange and Jazztel (Orange's subsidiary) sent daily SMS to the phones in such databases, that occasionally reached the amount of 1,050,000 SMS per day.

Orange offered two different services, one that offers information about the availability of fibre in a particular location, and one that offers direct calls for supplying information about different services, that forced the user or client to accept a privacy policy. Such privacy policy included a clause that provided consent for Orange to use the personal data of the client for commercial communications.

Dispute[edit | edit source]

Is consent valid in accordance with Articles 6 and 7 GDPR?

Holding[edit | edit source]

The AEPD concluded that this way of obtaining consent was not valid. The Spanish Information Society Services Act (LSSI) implementing the e-Privacy Directive prohibits in its Article 21(1) the sending of commercial communications without express consent. The way of obtaining consent is not defined in that law, and therefore is ruled in accordance to the GDPR.

The AEPD remarks that the statement of consent shall be named as such, and that consent such be specifically given for each option of processing. Orange, however, did not offer the possibility of giving consent for each type of processing, but included consent for commercial communications in a privacy policy that was obligatory to accept for the provision of the service.

The AEPD considered that consent, under these circumstances, was not:

  • Freely given: Users were forced to accept a whole privacy policy that includes such consent.
  • Specific: They don't have an option of giving consent for each type of processing.
  • Informed: As no information about such consent for commercial communications is offered when accepting the privacy policy.

Thus, Article 21(1) LSSI has not been complied with, as there is no consent according to Articles 6 and 7 GDPR.

Serious infringements, according to the LSSI, imply a fine between €30,001 and €150,000. The AEPD decided to imposed a fine of the maximum amount, €150,000, based on the following criteria:

  • The existence of intentionality.
  • The period of time in which the infringement happened.
  • The benefits earned by it.
  • The yearly revenue of the company: €4,779,670,000 in 2019.
  • The amount of users affected and of SMS sent.
  • The fact that the company is not adhered to any kind of code of conduct or any advertisement self-regulation system.

The fine was reduced to €90,000 due to the assumption of responsibility and an early payment by Orange.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure Nº: E / 03276/2021


Of the actions carried out by the Spanish Agency for Data Protection and
based on the following


FIRST: The claim filed by Mr. A.A.A. (hereinafter, the claimant)
has entry dated March 29, 2019, in the Spanish Protection Agency
of data.

The claim is directed against ALDANITI INTERNATIONAL NETWORK, LTD, (in
ahead, the claimed one).

The claim indicates the following:

“I received an email from pulpower to confirm my subscription, as I had not done
no management, delete the mail that I have now been able to recover, as it turns out that without
accept that subscription that I also do not make, I begin to receive spam, not only do I not
I have subscribed, nor confirmed that email that they sent me, but I am subscribed in the
Robinson list, attached certificate certifying it. I request the opening of

sanctioning file. Thank you".

It all started with a confirmation email of a supposed registration in the system, and
He continued with emails where he was offered "tokens" to exchange for gifts. The
claimant does not acknowledge having ever registered in the services of the person in charge, and,
In addition, your email is listed on ADigital's Robinson list.

In the second letter it is denounced that, in the aforementioned web portal,
"cookies" with the mere visit to the page, and no way is offered not to provide or
revoke consent to said treatment.

SECOND: The Subdirectorate General for Data Inspection, learned of
the following points and carried out these actions:

     It was verified that the person responsible for the treatment and owner of the web
       established in the UK.
     The claim was incorporated into the "Internal Market Information System"
       (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the

       European Parliament and of the Council, of October 25, 2012 (Regulation
       IMI), whose objective is to promote cross-border administrative cooperation, the
       mutual assistance between Member States and the exchange of information;
       with IMI number 69346 and dated June 17, 2019. One month is given at
       authorities to manifest.

     On August 24, 2019: the data protection control authority
       in the United Kingdom (ICO) they accept the case, making a provisional file.

C / Jorge Juan, 6
28001 - Madrid 2/3

     When the time for Brexit to take effect, ICO has not made any
        action on the claim incorporated into IMI.

                            FOUNDATIONS OF LAW


In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for

Data Protection.


Prior to the initiation of sanctioning actions, it is necessary to identify the

presumed responsible for the administrative offense.

Article 64 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, referring to the Initiation Agreement in the
procedures of a sanctioning nature, establishes the following:

        "1. The initiation agreement will be communicated to the instructor of the procedure, with
transfer of how many actions exist in this regard, and the interested parties will be notified,
understanding in any case the accused as such. Likewise, the initiation will be communicated
to the complainant when the rules governing the procedure so provide.

        2. The initiation agreement must contain at least:
        a) Identification of the person or persons allegedly responsible.
        ... "

In order to be able to initiate sanctioning actions, the Agency has been requested
State Tax Administration if there was any NIF associated with the entity
claimed, for identification.

The State Tax Administration Agency has responded to the Spanish Agency
of Data Protection that has not been able to locate any NIF related to the

claimed entity.
Therefore, although the claim presented, if detrimental to the possible prescription
of the infringements claimed, could constitute an infringement of the regulations of

data protection, it is not possible to initiate sanctioning actions due to not having
Tax identification of the alleged person responsible.

Therefore, in accordance with the provisions, by the Director of the Spanish Agency for
Data Protection, IT IS AGREED:


C / Jorge Juan, 6
28001 - Madrid 3/3

SECOND: NOTIFY this resolution to the claimant.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the

arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day
following notification of this resolution or directly contentious appeal

administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within two months from the next day

upon notification of this act, as provided in article 46.1 of the aforementioned Law.

Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid