AEPD - PS/00104/2020
|AEPD - PS/00104/2020|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 32(1) GDPR
|National Case Number/Name:||PS/00104/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD.es (in ES)|
|Initial Contributor:||Pablo Rossi|
AEPD fined telecom firm YOIGO EUR 55,000 for a breach of article 32(1) GDPR. The claimant was able to access and modify personal data of a third party. Mitigating factors under Spanish administrative law were invoked, leading to a reduced fine of EUR 33.000.
English Summary[edit | edit source]
Facts[edit | edit source]
On 26/12/2018 AEPD received a complaint against XFERA MOVILES, S.A (YOIGO). The reason for the complaint is the fact that the claimant was able to access the data of a third party (personal data, invoices, telephone numbers and calls) in his personal space on the website of the company (miyoigo.yoigo.com). In the same way, the third party could, using its own password, manage the claimant's data. The claimant repeatedly asked YOIGO and the distributor to solve this situation, without obtaining any solution. AEPD requested information from YOIGO to clarify the facts. After a first evasive response, there was no response to a second request.
Dispute[edit | edit source]
Did YOIGO violate the principle of integrity and confidentiality (Art. 5 GDPR, further developed in article 32.1 GDPR) by allowing the complainant to visualize and modify the personal data of a third party?
Holding[edit | edit source]
AEPD considered that YOIGO processed the personal data of the claimant in violation of the principle of integrity when it managed the change of ownership of a telephone line. It also considered that the principle of confidentiality was breached, since the personal data of the claimant, at least the mobile phone number, was revealed to a third party, also client of YOIGO. These principles are specified in article 32 GDPR (security of processing).
In determining the amount of the fine, certain aggravating factors of article 83 GDPR were considered. The lack of diligence in processing personal data, their recidivism and the lack of response to the request for information by the AEPD determined the amount of the fine in EUR. 55,000. Nonetheless, two attenuating circumstances of the Spanish Law on Common Administrative Procedure of Public Administrations (Article 85) could be applied, which may respectively reduce the fine by 20%. The first mitigating factor is to acknowledge their responsibility within the time allowed for the submission of claims. The second mitigating factor is, at any time prior to the resolution of the proceedings, to make voluntary payment of the proposed penalty.
On June 11, 2020, YOIGO proceeded to pay the sanction in the amount of EUR 33,000 applying therefore the two previously mentioned reductions. This implied the recognition of their responsibility and the resignation to any action or appeal in administrative channels against the sanction. After these events, the AEPD decided to terminate the procedure.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Style ID: PS/00104/2020 DECISION R/00297/2020 ON TERMINATION OF PROCEEDINGS FOR PAYMENT VOLUNTEER In sanction procedure PS/00104/2020, conducted by the Agency Spanish Data Protection Agency to XFERA MÓVILES, S.A. (YOIGO), having regard to the complaint filed by A.A.A., and based on the following, BACKGROUND FIRST: On April 1, 2020, the Director of the Spanish Data Protection agreed to initiate disciplinary proceedings against XFERA MÓVILES, S.A. (YOIGO) (hereinafter referred to as the Respondent), by means of the Agreement as transcribed: << Style ID: PS/00104/2020 935-090320 AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS Of the actions carried out by the Spanish Data Protection Agency and based on the following FACTS FIRST: On 26/12/2018 he is admitted to the Spanish Agency for the Protection of Details of the claim made by Mr. A.A.A. (hereinafter, the claimant) against XFERA MÓVILES, S.A., with NIF A82528548 -commercial name YOIGO- (from now on, the claimed or IIGO). The reason for your complaint is the conduct of the respondent who, on the occasion of that the claimant and his or her spouse subscribe in person at a IIGO the change of ownership of a mobile line from the wife to the claimant, proceeded to link that phone number to a third party's data. The claimant C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/14 states that, as a consequence of such action, when it agrees to "myyoigo.yoigo.com" can display the data of the third party - personal data complete, bills, phone numbers you call - and would have the ability to modify them. He claims that, in the same way, that third person could, using his own password, manage the claimant's data. It adds that, despite complaints to YOIGO, visits to the establishment of the distributor and to the complaint to the OMIC of ***LOCALITY, on the date of has not yet succeeded in rectifying the irregularity, limiting the claimed and your distributor to take responsibility for each other. Attached to your claim is a copy of the customer's copy of the called "Change of Owner" which bears the anagram of YOIGO. In it, it appears as date of application 29/11/2018. In the section "Details of the point of sale" you will find "***Data"; as "Data of the current holder" B.B.B. and its VAT number; in the section "Data of the The "new holder" is the name, surname and tax identification number of the claimant, his address, the date of birth and e-mail address. In the section "Services" the indication: "YOIGO number changing holder ***PHONE.1". "Type of contract/price current", "La SINFIN 5 GB". Also included in the document are the twenty-digit the claimant's bank account into which the bill payment is debited and the domiciliation mandate number. SECOND: A.- In view of the complaint, the AEPD, within the framework of the file E/01044/2019, by letter dated 01/02/2019, sent the complaint to Data Protection Officer (DPD) of YOIGO and asked him for information on the origin of the facts denounced and on the measures it would have adopted to to put an end to the irregular situation generated. The document was notified electronically and, as evidenced by the FNMT certificate in the file, was placed provision at the electronic headquarters on 01/02/2019, the notification being accepted by the claimed on 5/02/2019. On 05/04/2019, a letter from the DPD of the respondent was received by this Agency in which it states that it has "simply received a change of owner form and that it is not apparent what the claim may be". However, it was verified that in the document notified to the entity by the AEPD included the account of events denounced in addition to being asked for certain information and, as a document The copy of the change of holder document was provided in the annex. However, the The Agency reiterated its request for information to the DPD of YOIGO by writing to the 12/04/2019, made available on the website on that date and whose The notification was accepted by the respondent on 15/04/2019. The Respondent's DPD did not responded to the request for information notified to it by this Agency Also on 01/02/2019 the claimant was notified of the transfer of his claim to the claimed entity. In accordance with the provisions of Article 65.5 of Organic Law 3/2018 of Data Protection and Guarantee of Digital Rights (LOPDGDD), on 18/06/2019 the agreement to admit this claim was signed. B.- Under the reference E/6279/2019 and in accordance with article 67.1 of the LOPDGDD, the Data Inspection of the AEPD carried out inspection actions that concluded with the Report of Previous Inspection Actions, signed by the The Acting Inspector, of which the fragment relating to the outcome of such performances: <<RESULT OF THE RESEARCH ACTIONS On April 12, 2019, the complaint was transferred to XFERA MOBILES, S.A. (YOIGO), in the actions with reference E/01044/2019. I do not know receives an answer. On June 19, 2019, the present proceedings begin. On 5 July 2019, a request for information is sent to XFERA MOBILES, S.A. (YOIGO). The notification is made electronically through noti@. According to this notification system, automatic rejection has taken place when ten calendar days after it is made available. On 23 August 2019, the complainant sent this Agency the following information and statements: 1 Provide a copy of bank transactions between July 4, 2018 and July 5, 2010 February 2019 where thirteen charges are displayed with concept "Receipt /yoigo" which he claims are related to lines ***PHONE.2 and ***Phone.1, three of them with value date "05/12/2018", "04/01/2019", “05/02/2019”. 2 It provides a screen shot of MIYOIGO with the following data: a. The section "personal information" contains: C.C.C. ***NIF.3 b. In the section of "contact address" it is stated: STREET ***ADDRESS.1 c. In the section "lines of your contract" you will find the lines: ***PHONE.1, ***PHONE.3, ***PHONE.4 On 29 August 2019, the complainant sent this Agency the following information and statements: 1. That the company did not resolve the change of ownership or that by agreeing to the your wife's password to MIYOIGO, all the data will appear in the name of C.C.C. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/14 2. That, thanks to friendly talks with C.C.C., the complainant and his woman could have been discharged. 3. Provides screenshots of conversations with YOIGO: a. Message from the complainant to YOIGO: "Good afternoon, Thursday 29th from the Yoigo store in Majadahonda I asked for a change of holder of my wife's line B.B.B. DNI ***NIF.2 tlf. ***Phone.1 to my name, A.A.A. DNI ***NIF.1 tlf. ***PHONE 2 the shop assistant made us sign a paper and made us photocopy of the IDs, and we send you by gmail a bank receipt in at that very moment, well, someone pressing a wrong key he put my wife's tlf in the name of a C.C.C. DNI ***NIF.3 tlf. ***Phone.3. Since Monday 3rd, when this person realizes that they've added a phone that he hasn't processed, has presented a paper to you and calls us to tell us and my wife sent a complaint via email with a response, but without solution." a. Message of 10 December 2018 from the complainant: "...Requesting also by this letter the immediate restitution of the B.B.B.'s contract name to your phone number ***PHONE.1" a. Dated December 10, 2018 at 11:41 a.m. answer: "The change of owner is managed in the store, and they have been responsible for the mistake, so they're the ones who have to correct it. We can't do anything from here. “ a. On 10 December 2018 at 16:36 the complainant answer: "Good afternoon, you are claiming that the store staff is the that dumps the owner change data into the system? Because Miss of afternoons of the store affirms that they give transfer by suitcase and that it have done well and can do nothing." a. On December 11, 2018 YOIGO responds: "The change of owner is a procedure that can only be carried out from store, so they are the ones who take all the data and to make the corresponding management, any doubt or problem is them who can help you fix it." a. On 21 December 2018 at 14:23 the complainant write to YOIGO: "Good morning, I'm at the Yoigo store in Gran Plaza 2. Majadahonda, this matter cannot be fixed and I am told that many days that the contracts have been sent. There's an open incident. … could have the courtesy to follow up and answer to me for that the change in ownership is not properly resolved?" a. Dated 21 December 2018 at 14:26 YOIGO answer: "...as we have previously indicated to you the change of owner is only handled by the store, if they have a problem with the you'd have to tell the store to talk to his master so he can solve it...">> LEGAL FOUNDATIONS I By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure. II Article 5 of the RGPD deals with the principles that should govern the processing of personal data and mentions among them those of "integrity and confidentiality". The precept states: "1. Personal data shall be: (…) (f) Treated in such a way as to ensure adequate safety of the personal data, including protection against unauthorised or unlawful processing against their accidental loss, destruction or damage, by the application of measures appropriate techniques or organisational arrangements (<<integrity and confidentiality>>)" The principle of integrity is developed through Articles 32 to 34 of the RGPDs in Section II of Chapter IV under the heading "Security of personal data". Article 32, "Security of processing", provides: "Taking into account the state of the art, the implementation costs, and the nature, extent, context and purposes of the processing, as well as the varying degrees of probability and seriousness of risks to the rights and freedoms of natural persons, the the controller and the processor shall implement technical and organisational measures appropriate to ensure a level of safety commensurate with the risk, which may include, among others: C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/14 (a) the pseudonymisation and encryption of personal data (b) the ability to ensure the confidentiality, integrity, permanent availability and resilience of processing systems and services; (c) the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident; (d) a process of regular verification, evaluation and assessment of effectiveness of technical and organisational measures to ensure the security of processing. 2. In assessing the adequacy of the level of security, particular consideration shall be given to takes account of the risks involved in the processing of data, in particular as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data. 3. (…) 4. The controller and the processor shall take steps to ensure that any person acting under the authority of the controller or the processor and having access to personal data may process such data only on instructions from the controller, unless he or she is required to do so by the law of Union or Member States." (The underlining is from the AEPD) The violation of the principles of integrity and confidentiality of which The liability of the defendant is defined in Articles 83.4.a) and 83.4.b) respectively. 83.5.a) of the RGPD, precepts that they establish: Article 83.4: "Violations of the following provisions shall be sanctioned, according to paragraph 2, with administrative fines of 10,000,000 Eur as maximum or, in the case of an enterprise, an amount equivalent to 4% as maximum of the total annual overall turnover of the previous financial year, opting for the larger one: (a) the obligations of the person responsible and the person in charge under Articles 8, 11, 25 to 39,42 and 43;". Article 83.5: "Violations of the following provisions shall be sanctioned, according to paragraph 2, with administrative fines of 20,000,000 Eur as maximum or, in the case of an enterprise, an amount equivalent to 4% as maximum of the total annual overall turnover of the previous financial year, opting for the larger one: (a) The basic principles for treatment, including the conditions for consent under Articles 5, 6, 7 and 9. With regard to the prescription of the infringements, it must be in accordance with the provisions of the Organic Law 3/2018, of Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) whose article 73, g) considers a serious infringement, being its two-year limitation period, "The breach, as a result of the lack of due diligence, technical and organizational measures that would have implemented as required by Article 32(1) of Regulation (EU) For its part, Article 72(1)(i) of the LOPDGDD considers a very serious infringement of the law. serious, in which case the limitation period of three years, "The violation of the principle of confidentiality as set out in article 5 of this organic law". III The documentation in the file provides solid evidence that the processed the complainant's personal data in violation of the principle of integrity, Article 5(1)(f) in connection with Article 32(1)(b) and (c), both of the GPRS, when he handled the change of ownership of a mobile line that had been requested by the claimant, as the new owner, and its hitherto owner, Ms. B.B.B. Likewise, there is evidence that, as a consequence of such action, the following was violated the principle of confidentiality (Article 5.1.f, GPRS) as they were disclosed to a third party, also a customer of the claimant, personal data of the claimant, at least the mobile phone number subject to the change of ownership that the operator linked to that person. It is accredited that on 29/11/2018 the claimant and Mrs. B.B.B. requested before a YOIGO distributor the change of ownership in favor of the first in line mobile ***TELÉFONO.1 that belonged to the latter. Work in the file copy of the customer copy of the document, with the YOIGO anagram, of change of ownership in which the personal data of the old and the new owner are recorded. With respect to the claimant, in addition to NIF, name and two surnames, the postal address and e-mail and the twenty-digit bank account for the direct debit of the bill payment. Furthermore, several points show that, on the occasion of the change of ownership of the line requested by the claimant, the respondent did not apply the measures organisational and technical measures necessary to ensure the security of the data processed. Neither the availability of your data by the complainant nor the capacity of the operator claimed to replace the claimant in the availability of data personal concerns quickly, once the entity was sufficiently informed of the irregularity. In that sense, it is accredited through the screenshots of the terminal The mobile phone number provided by the complainant in relation to the communications he had with the SAC of YOIGO, which the respondent limited itself to replying on several occasions -Despite the abundant information provided by the complainant, the C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/14 irregularities arising from the change of ownership of line ***TELÉFONO.1 were competition from the distributor. These documents provided by the claimant They also show that the defendant had knowledge of the facts, at least, since 08/12/2018. Circumstance which, together with the claimant's statement in the date on which he filed his complaint, 26/12/2018, that the operator has not yet the irregularity, it shows that it lacked mechanisms to replace quickly to the affected person in the availability of their data, in short, to guarantee the integrity of the personal data processed. Furthermore, it is proven that the claimant provided the SAC de YOIGO with the name, surname, ID card and telephone number of the third party - also a customer of operator - to which he linked the mobile line number that was the subject of the request for change of ownership. Whether this data is visible to the claimant, as he claims, or not, it seems clear that the claimant's mobile phone number was disclosed to the third party that was the subject of a change in ownership. As the claimant has explained the third contacted by phone on 03/12/2018 to inform them that the line ***TELÉFONO.1 had been linked to your personal data. IV Article 58 of the RGPD, "Powers", says in point 2: "Each supervisory authority shall have all the following corrective powers indicated below: (…) "(i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each individual case;" It should be taken into consideration in order to determine the sanction to be imposed, the provision of article 83.3. of the RGPD according to which "If a person responsible or in charge processing operations intentionally or negligently failed, in respect of the same processing operations or linked operations, to comply with several provisions of this Regulations, the total amount of the administrative fine shall not exceed provided for the most serious infringements'. In similar terms, Article 29.5. of Law 40/2015, on the Legal System of the Public Sector indicates that "When the commission of an infraction necessarily results in the commission of another or others, only the sanction corresponding to the most serious infraction committed should be imposed". (The underlining is from the AEPD) In view of the above, the provisions of Articles 83(1) and 83(2) must be complied with of the RGPD, precepts that they indicate: Each supervisory authority shall ensure that the imposition of administrative fines under this Article for infringements of this Regulation by the person responsible or in charge, on a voluntary basis, to mechanisms for alternative dispute resolution, in those cases where there are disputes between them and any interested party". referred to in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. "Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) In deciding whether to impose an administrative fine and the amount of such fine in each individual case, due account shall be taken: (a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as such as the number of stakeholders affected and the level of damages that have suffered; (b) the intentional or negligent nature of the infringement; (c) any measures taken by the controller or processor to to alleviate the damages suffered by those concerned; (d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented in (b) the intentional or negligent nature of the infringement; (e) any previous breach committed by the controller or processor; (f) the degree of cooperation with the supervisory authority for the purpose of remedying to the infringement and to mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in in particular whether the person responsible or the person in charge notified the infringement and, if so to what extent; (i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible for or in charge of the same case, compliance with those measures; (j) adherence to codes of conduct under Article 40 or to certification approved in accordance with Article 42, and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement." With regard to article 83.2 (k) of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides: "In accordance with the provisions of Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account (a) The continuing nature of the infringement. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/14 (b) The linking of the activity of the offender with the carrying out of data processing personal. (c) The profits obtained as a result of the commission of the offence. (d) the possibility that the conduct of the person concerned might have led to the commission of the infraction. (e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The effect on the rights of minors. g) The availability, when it is not compulsory, of a data protection representative. h) )The submission by the person responsible or in charge, on a voluntary basis, to mechanisms for alternative dispute resolution, in those cases where there are disputes between them and any interested party". In accordance with the above provisions, and without prejudice to the results of the investigation of the procedure, in order to determine the amount of the administrative fine to be imposed on the claimed as responsible for a violation of articles 5.1.f, of the RGPD -as set out in Article 83(5)(a) of the said regulation and 5(1)(f) in relation to Article 32(1)(b) and (c) - specified in Article 83(4)(a) of the RGPD - in an initial assessment, the The following factors aggravate the guilt and/or unlawfulness of the conduct in question: - The circumstance of Article 83.2(b) RGPD. The defendant acted with a serious lack of diligence in handling a change of ownership of the line ***Phone.1 in the name of the claimant. The lack of diligence in complying with obligations imposed on it by data protection regulations to make the The principle of integrity was also evident in the refusal to react to the caused by unnecessarily perpetuating the violation of the fundamental right of the claimant to guarantee the integrity of his personal data. When the claim that we are concerned with entered this Agency, on 26/12/2018, YOIGO had not yet disassociated itself from the claimant's line the third party's data. And that, despite the fact that, as stated On 08/12/2018, the complainant had already submitted his complaint, with documentary evidence to the company's customer service. - The circumstance of article 83.2.e) of the RGPD, "any previous infraction committed by the controller or processor", to be implemented in accordance with to the provisions of Article 29.3 of Law 40/2015, on the Legal Regime of the Public Sector, that in citing the criteria to be considered in the graduation of the penalty, it refers (paragraph d,) a "Recidivism, by commission within a year of more than one infringement of the same nature when it has been declared in a final decision in administrative". It is worth mentioning the sanctioning decisions issued by this Agency in the proceedings PS/385/2019, signed on 07/02/2020, in which the facts sanctioned occur on 05/11/2018, and in PS/237/2019, signed on 19/11/2019, in which the events sanctioned occur on 06/08/2018. -the circumstance described in Article 83(2)(f), RGPD. The entity has not responded nor to the request for information urging him to adopt C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/14 measures to end the incidence - with the qualifications made in the Fact Second - nor to the request made in the course of the Investigation Actions previous. - The circumstance described in article 83.2.k) of the RGPD in relation to the 76.2(b) of the LOPDGDD: the linking of the activity of the offender with the processing of personal data. By its very nature the activity that the claimed develops as The processing of personal data of its customers is implicit in the customers. Therefore, on the basis of the above, By the Director of the Spanish Data Protection Agency, AGREED: FIRST: Initiate disciplinary proceedings against XFERA MÓVILES, S.A, with NIF A82528548, for the alleged infringement of articles 5.1.f) and 32.1.b) and c) of the RGDP typified, respectively, in articles 83.5.a) and 83.4.a) of the Regulations (EU) 2016/679. SECOND: Appoint D.D.D. as instructor and E.E.E. as secretary, indicating that any of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015 of 1 October on the Legal System for the Sector Public (LRJSP). THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim by the claimant and his documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigation phase, as well as the report of previous Inspection actions. FOURTH: THAT for the purposes set forth in article 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure for Public Administrations, the 55,000 (fifty-five thousand euros) would be the applicable penalty without prejudice to the outcome of the investigation. FIFTH: NOTIFY the present agreement to the claimed one granting her a period of hearing within ten working days to make the allegations and to present the evidence that you deem appropriate. In your pleading you must provide your VAT number and the procedure number in the heading of this document. If you do not make any representations within the stipulated time limit, this initiating agreement may be considered as a motion for resolution, as provided for in Article 64(2)(f) of Law 39/2015 of 1 October on the Common Administrative Procedure of the Public Administration (hereinafter LPACAP). In accordance with Article 85 of the LPACAP, in the case of that the sanction to be imposed was a fine, may acknowledge its responsibility within of the time allowed for the submission of claims under this agreement to commence; the which will be accompanied by a 20% reduction in the penalty to be imposed in the present procedure. With the application of this reduction, the sanction would be 44,000, with the procedure being resolved by the imposition of this sanction. Similarly, at any time prior to the resolution of the The Commission shall, in accordance with this procedure, carry out the voluntary payment of the proposed penalty which will result in a 20% reduction in its amount. With the application of this reduction, the penalty would be set at termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with the one The same applies to the recognition of liability, provided that this recognition of responsibility is shown within the time limit granted to make representations on the opening of the proceedings. The payment of the amount referred to in the preceding paragraph may be made at any moment before the resolution. In this case, if it is appropriate to apply both reductions, the amount of the penalty would be set at In any case, the effectiveness of either of the two above-mentioned reductions shall be conditioned upon the waiver or relinquishment of any action or remedy in the administrative sanction against the sanction. If you choose to proceed with the voluntary payment of any of the amounts indicated above ('44,000 or '33,000) must be made cash by depositing it in the account nº ES00 0000 0000 0000 0000 opened on behalf of the Spanish Data Protection Agency at CAIXABANK Bank, S.A., indicating in the concept the reference number of the procedure in the heading of this document and the reason for the reduction in the amount to which welcomes. Likewise, you must send the proof of admission to the Subdirectorate General of Inspection to continue the procedure in accordance with the quantity admitted. The procedure will last a maximum of nine months from the date of the agreement to initiate or, where appropriate, the draft agreement to initiate. After this period, the agreement will expire and, consequently, the actions; in accordance with the provisions of Article 64 of the LOPDGDD. Finally, it is noted that in accordance with the provisions of Article 112.1 of the LPACAP, there is no administrative appeal against this act. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/14 Mar Spain Marti Director of the Spanish Data Protection Agency >> SECOND: On June 11, 2020, the claimant paid the 33,000 by making use of the two reductions provided for in the above transcribed Inception Agreement, which implies recognition of the responsibility. THIRD: The payment made, within the period granted to make allegations to the opening of the procedure, entails the waiver of any action or appeal in administrative sanctioning and acknowledgement of responsibility in relation to the facts referred to in the Agreement to Initiate. LEGAL FOUNDATIONS I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the control, and in accordance with Article 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and Guarantee of Digital Rights (in (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to penalise infringements committed against it Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General of Telecommunications (hereinafter referred to as LGT), in accordance with the Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the information and electronic commerce (hereinafter referred to as the ISESA), as provided for in 43.1 of the said Act. II Article 85 of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings" provides the following: "1. Penalty proceedings are initiated if the offender acknowledges his responsibility, the proceedings may be terminated with the imposition of the penalty as appropriate. 2. Where the penalty is solely pecuniary in nature or where it is impose a financial penalty and a non-pecuniary penalty but has been justified the impropriety of the second, voluntary payment by the alleged perpetrator, in any time before the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the penalty is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of, at at least 20 % of the amount of the proposed penalty, which may be cumulated with each other. These reductions shall be determined in the notification of C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/14 initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this paragraph may be increased by regulation. In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00104/2020, of in accordance with Article 85 of the LPACAP. SECOND: NOTICE this resolution to XFERA MÓVILES, S.A. (YOIGO). In accordance with the provisions of Article 50 of the LOPDGDD, this The decision will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure The interested parties may lodge an appeal with the administrative litigation before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within two months of day following notification of this act, as provided for in Article 46(1) of referred to Law. Mar Spain Martí Director of the Spanish Data Protection Agency