AEPD (Spain) - PS/00104/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
(8 intermediate revisions by 2 users not shown)
Line 50: Line 50:
}}
}}


AEPD fined telecom firm YOIGO EUR 55,000 for a breach of the principle of integrity and confidentiality. The claimant was able to access and modify personal data of a third party. Attenuating factors under Spanish administrative law were invoked, leading to a reduced fine of EUR 33.000.
AEPD fined telecom firm YOIGO EUR 55,000 for a breach of article 32(1) GDPR. The claimant was able to access and modify personal data of a third party. Mitigating factors under Spanish administrative law were invoked, leading to a reduced fine of EUR 33.000.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
On 26/12/2018 AEPD received a complaint against XFERA MOVILES, S.A (YOIGO). The reason for the complaint is the fact that the claimant was able to access the data of a third party (personal data, invoices, telephone numbers and calls) in his personal space on the website of the company (miyoigo.yoigo.com). In the same way, the third party could, using its own password, manage the claimant's data.  
On 26/12/2018 AEPD received a complaint against XFERA MOVILES, S.A (YOIGO). The reason for the complaint is the fact that the claimant was able to access the data of a third party (personal data, invoices, telephone numbers and calls) in his personal space on the website of the company (miyoigo.yoigo.com). In the same way, the third party could, using its own password, manage the claimant's data.  
The claimant repeatedly asked YOIGO and the distributor to solve this situation, without obtaining any solution. AEPD requested information from the respondent to clarify the facts. After a first evasive response, there was no response to a second request.
The claimant repeatedly asked YOIGO and the distributor to solve this situation, without obtaining any solution. AEPD requested information from YOIGO to clarify the facts. After a first evasive response, there was no response to a second request.
 
===Dispute===
 
=== Dispute ===
Did YOIGO violate the principle of integrity and confidentiality (Art. 5 GDPR, further developed in article 32.1 GDPR) by allowing the complainant to visualize and modify the personal data of a third party?  
Did YOIGO violate the principle of integrity and confidentiality (Art. 5 GDPR, further developed in article 32.1 GDPR) by allowing the complainant to visualize and modify the personal data of a third party?  


=== Holding ===
===Holding===
AEPD considered that YOIGO processed the personal data of the claimant in violation of the principle of integrity when it managed the change of ownership of a telephone line. It also considered that the principle of confidentiality was breached, since the personal data of the claimant, at least the mobile phone number, was revealed to a third party, also client of YOIGO.
AEPD considered that YOIGO processed the personal data of the claimant in violation of the principle of integrity when it managed the change of ownership of a telephone line. It also considered that the principle of confidentiality was breached, since the personal data of the claimant, at least the mobile phone number, was revealed to a third party, also client of YOIGO. These principles are specified in article 32 GDPR (security of processing).


In determining the amount of the fine, certain aggravating factors of article 83 GDPR were considered. The lack of diligence in processing personal data, their recidivism and the lack of response to the request for information by the AEPD determined the amount of the fine in EUR. 55,000. Nonetheless, two attenuating circumstances of the Spanish Law on Common Administrative Procedure of Public Administrations (Article 85) could be applied, which may respectively reduce the fine by 20%. The first mitigating factor is to acknowledge their responsibility within the time allowed for the submission of claims. The second mitigating factor is, at any time prior to the resolution of the proceedings, to make voluntary payment of the proposed penalty.
In determining the amount of the fine, certain aggravating factors of article 83 GDPR were considered. The lack of diligence in processing personal data, their recidivism and the lack of response to the request for information by the AEPD determined the amount of the fine in EUR. 55,000. Nonetheless, two attenuating circumstances of the Spanish Law on Common Administrative Procedure of Public Administrations (Article 85) could be applied, which may respectively reduce the fine by 20%. The first mitigating factor is to acknowledge their responsibility within the time allowed for the submission of claims. The second mitigating factor is, at any time prior to the resolution of the proceedings, to make voluntary payment of the proposed penalty.
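Review bot: The revised lead sentence now describes the infringement only as "a breach of article 32(1) GDPR", while the unchanged Dispute paragraph and the sentence added to the Holding still frame it as the integrity and confidentiality principle of Art. 5 GDPR, specified by article 32; the lead should name both provisions, for example "a breach of Articles 5(1)(f) and 32(1) GDPR". The lead also mixes thousands separators ("EUR 55,000" against "EUR 33.000"), and the untouched fine paragraph keeps "attenuating circumstances" and "in EUR. 55,000" although the lead switched to "Mitigating factors", so the terminology and number format should be aligned in the same revision.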
Line 70: Line 68:




== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Revision as of 13:58, 31 August 2020

AEPD - PS/00104/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 55.000 EUR
Parties: n/a
National Case Number/Name: PS/00104/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD.es (in ES)
Initial Contributor: Pablo Rossi

AEPD fined telecom firm YOIGO EUR 55,000 for a breach of article 32(1) GDPR. The claimant was able to access and modify personal data of a third party. Mitigating factors under Spanish administrative law were invoked, leading to a reduced fine of EUR 33,000.

English Summary

Facts

On 26/12/2018 the AEPD received a complaint against XFERA MOVILES, S.A (YOIGO). The claimant complained that he was able to access the data of a third party (personal data, invoices, telephone numbers and calls) in his personal area on the company's website (miyoigo.yoigo.com). In the same way, the third party could, using their own password, manage the claimant's data. The claimant repeatedly asked YOIGO and the distributor to resolve the situation, without success. The AEPD requested information from YOIGO to clarify the facts. After a first evasive response, there was no response to a second request.

Dispute

Did YOIGO violate the principle of integrity and confidentiality (Art. 5 GDPR, further developed in Article 32(1) GDPR) by allowing the complainant to view and modify the personal data of a third party?

Holding

The AEPD considered that YOIGO processed the personal data of the claimant in violation of the principle of integrity when it managed the change of ownership of a telephone line. It also considered that the principle of confidentiality was breached, since personal data of the claimant, at least the mobile phone number, was revealed to a third party, also a client of YOIGO. These principles are specified in article 32 GDPR (security of processing).

In determining the amount of the fine, certain aggravating factors of article 83 GDPR were considered. YOIGO's lack of diligence in processing personal data, its recidivism and its failure to respond to the AEPD's request for information led to a fine of EUR 55,000. Nonetheless, two mitigating circumstances under Article 85 of the Spanish Law on Common Administrative Procedure of Public Administrations could be applied, each of which may reduce the fine by 20%. The first is acknowledging responsibility within the time allowed for the submission of claims. The second is making voluntary payment of the proposed penalty at any time prior to the resolution of the proceedings.

On June 11, 2020, YOIGO paid the sanction in the amount of EUR 33,000, thereby applying the two reductions mentioned above. This implied the recognition of its responsibility and the waiver of any action or appeal in administrative channels against the sanction. After these events, the AEPD decided to terminate the procedure.



English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Style ID: PS/00104/2020
DECISION R/00297/2020 ON TERMINATION OF PROCEEDINGS FOR VOLUNTARY PAYMENT
In sanction procedure PS/00104/2020, conducted by the Spanish Data Protection Agency against XFERA MÓVILES, S.A. (YOIGO), having regard to the complaint filed by A.A.A., and based on the following,
BACKGROUND
FIRST: On April 1, 2020, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against XFERA MÓVILES, S.A. (YOIGO) (hereinafter referred to as the Respondent), by means of the Agreement transcribed below:
<<
Style ID: PS/00104/2020
935-090320
AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS
Of the actions carried out by the Spanish Data Protection Agency
and based on the following
FACTS
FIRST: On 26/12/2018 the Spanish Data Protection Agency received the claim made by Mr. A.A.A. (hereinafter, the claimant) against XFERA MÓVILES, S.A., with NIF A82528548, commercial name YOIGO (hereinafter, the respondent or YOIGO).
The reason for the complaint is the conduct of the respondent which, when the claimant and his spouse signed in person at a YOIGO distributor the change of ownership of a mobile line from the wife to the claimant, proceeded to link that phone number to a third party's data. The claimant states that, as a consequence of that action, when he accesses "myyoigo.yoigo.com" he can view the data of the third party (complete personal data, bills, phone numbers called) and would be able to modify them. He claims that, in the same way, that third person could, using his own password, manage the claimant's data.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
He adds that, despite complaints to YOIGO, visits to the distributor's establishment and the complaint to the OMIC of ***LOCALITY, he has not yet succeeded in having the irregularity rectified, with the respondent and its distributor each passing responsibility to the other.
Attached to the claim is a copy of the customer's copy of the document called "Change of Owner", which bears the YOIGO logo. It shows 29/11/2018 as the date of application. The section "Details of the point of sale" shows "***Data"; the section "Data of the current holder" shows B.B.B. and her VAT number; the section "Data of the new holder" shows the name, surname and tax identification number of the claimant, his address, date of birth and e-mail address. The section "Services" contains the indication "YOIGO number changing holder ***PHONE.1" and, under "Type of contract/current price", "La SINFIN 5 GB". The document also includes the twenty digits of the claimant's bank account to which bill payments are debited and the direct debit mandate number.
SECOND: A.- In view of the complaint, the AEPD, within the framework of file E/01044/2019, by letter dated 01/02/2019, sent the complaint to the Data Protection Officer (DPD) of YOIGO and asked him for information on the origin of the facts complained of and on the measures it would have adopted to put an end to the irregular situation generated. The document was notified electronically and, as evidenced by the FNMT certificate in the file, was made available at the electronic headquarters on 01/02/2019, the notification being accepted by the respondent on 5/02/2019.
On 05/04/2019, this Agency received a letter from the respondent's DPD in which it states that it has "simply received a change of owner form and that it is not apparent what the claim may be". However, it was verified that the document notified to the entity by the AEPD included the account of the events complained of, in addition to a request for certain information, and that a copy of the change of holder document was provided as an annex. Nevertheless, the Agency reiterated its request for information to the DPD of YOIGO in a letter dated 12/04/2019, made available on the website on that date, the notification of which was accepted by the respondent on 15/04/2019. The respondent's DPD did not respond to the request for information notified to it by this Agency.

Also on 01/02/2019 the claimant was notified of the transfer of his
claim to the claimed entity.
In accordance with the provisions of Article 65.5 of Organic Law 3/2018
of Data Protection and Guarantee of Digital Rights (LOPDGDD), on
18/06/2019 the agreement to admit this claim was signed.
B.- Under the reference E/6279/2019 and in accordance with article 67.1 of the LOPDGDD, the Data Inspection of the AEPD carried out inspection actions that concluded with the Report of Previous Inspection Actions, signed by the acting inspector, of which the fragment relating to the outcome of those actions is reproduced:
<<RESULT OF THE RESEARCH ACTIONS
On April 12, 2019, the complaint was transferred to XFERA MÓVILES, S.A. (YOIGO), in the actions with reference E/01044/2019. No answer is received.
On June 19, 2019, the present proceedings begin.
On 5 July 2019, a request for information is sent to XFERA MÓVILES, S.A. (YOIGO). The notification is made electronically through noti@. According to this notification system, automatic rejection took place once ten calendar days had elapsed after it was made available.
On 23 August 2019, the complainant sent this Agency the
following information and statements:
1 He provides a copy of bank transactions between July 4, 2018 and 5 February 2019 showing thirteen charges with the concept "Receipt /yoigo", which he claims relate to lines ***PHONE.2 and ***Phone.1, three of them with value dates "05/12/2018", "04/01/2019" and "05/02/2019".
2 It provides a screen shot of MIYOIGO with the following data:
a. The section "personal information" contains: C.C.C. ***NIF.3
b. In the section of "contact address" it is stated: STREET
***ADDRESS.1
c. In the section "lines of your contract" you will find the lines:
***PHONE.1, ***PHONE.3, ***PHONE.4
On 29 August 2019, the complainant sent this Agency the
following information and statements:
1. That the company resolved neither the change of ownership nor the fact that, on accessing MIYOIGO with his wife's password, all the data appears in the name of C.C.C.
2. That, thanks to friendly talks with C.C.C., the complainant and his wife could have been discharged.
3. Provides screenshots of conversations with YOIGO:
a. Message from the complainant to YOIGO:
"Good afternoon, Thursday 29th from the Yoigo store in Majadahonda
I asked for a change of holder of my wife's line B.B.B. DNI ***NIF.2 tlf.
***Phone.1 to my name, A.A.A. DNI ***NIF.1 tlf. ***PHONE 2
the shop assistant made us sign a paper and made us
photocopy of the IDs, and we send you by gmail a bank receipt in
at that very moment, well, someone pressing a wrong key
he put my wife's tlf in the name of a C.C.C. DNI ***NIF.3 tlf.
***Phone.3. Since Monday 3rd, when this person realizes
that they've added a phone that he hasn't processed, has
presented a paper to you and calls us to tell us and my wife
sent a complaint via email with a response, but without
solution."
b. Message of 10 December 2018 from the complainant:
"...Requesting also by this letter the immediate restitution of the
B.B.B.'s contract name to your phone number
***PHONE.1"
c. On December 10, 2018 at 11:41 a.m. YOIGO answers:
"The change of owner is managed in the store, and they have been
responsible for the mistake, so they're the ones who have to
correct it. We can't do anything from here."
d. On 10 December 2018 at 16:36 the complainant answers:
"Good afternoon, you are claiming that the store staff is the
that dumps the owner change data into the system? Because Miss
of afternoons of the store affirms that they give transfer by suitcase and that it
have done well and can do nothing."
e. On December 11, 2018 YOIGO responds:
"The change of owner is a procedure that can only be carried out from
store, so they are the ones who take all the data and
to make the corresponding management, any doubt or problem is them
who can help you fix it."
f. On 21 December 2018 at 14:23 the complainant writes to YOIGO:
"Good morning, I'm at the Yoigo store in Gran Plaza 2.
Majadahonda, this matter cannot be fixed and I am told that many
days that the contracts have been sent. There's an open incident. …
could have the courtesy to follow up and answer to me for
that the change in ownership is not properly resolved?"
g. On 21 December 2018 at 14:26 YOIGO answers:
"...as we have previously indicated to you the change of owner
is only handled by the store, if they have a problem with the
you'd have to tell the store to talk to his master so he can
solve it...">>
LEGAL FOUNDATIONS
I
By virtue of the powers that Article 58(2) of the GDPR confers on each supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure.
II
Article 5 of the RGPD deals with the principles that should govern the
processing of personal data and mentions among them those of "integrity and
confidentiality". The precept states:
"1. Personal data shall be:
 (…)
 (f) processed in such a way as to ensure adequate security of the personal data, including protection against unauthorised or unlawful processing and against their accidental loss, destruction or damage, by the application of appropriate technical or organisational measures (<<integrity and confidentiality>>)"
The principle of integrity is developed through Articles 32 to 34 of the GDPR, in Section II of Chapter IV under the heading "Security of personal data". Article 32, "Security of processing", provides:
"Taking into account the state of the art, the implementation costs, and the nature, extent, context and purposes of the processing, as well as the varying degrees of probability and seriousness of risks to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security commensurate with the risk, which may include, among others:
(a) the pseudonymisation and encryption of personal data
(b) the ability to ensure the confidentiality, integrity, permanent availability and resilience of processing systems and services;
(c) the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident;
(d) a process of regular verification, evaluation and assessment of effectiveness
of technical and organisational measures to ensure the security of processing.
2. In assessing the adequacy of the level of security, particular account shall be taken of the risks involved in the processing of data, in particular as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data.
3. (…)
4. The controller and the processor shall take steps to ensure that any person acting under the authority of the controller or the processor and having access to personal data may process such data only on instructions from the controller, unless he or she is required to do so by the law of the Union or the Member States." (The underlining is from the AEPD)
The violation of the principles of integrity and confidentiality for which the respondent is held liable is classified in Articles 83.4.a) and 83.5.a) of the GDPR, respectively, which establish:
Article 83.4: "Violations of the following provisions shall be sanctioned,
according to paragraph 2, with administrative fines of 10,000,000 Eur as
maximum or, in the case of an enterprise, an amount equivalent to 4% as
maximum of the total annual overall turnover of the previous financial year,
opting for the larger one:
(a) the obligations of the person responsible and the person in charge under Articles 8, 11,
25 to 39,42 and 43;".
Article 83.5: "Violations of the following provisions shall be sanctioned,
according to paragraph 2, with administrative fines of 20,000,000 Eur as
maximum or, in the case of an enterprise, an amount equivalent to 4% as
maximum of the total annual overall turnover of the previous financial year,
opting for the larger one:
(a) The basic principles for treatment, including the conditions for
consent under Articles 5, 6, 7 and 9. 
With regard to the limitation period of the infringements, regard must be had to the provisions of Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), whose article 73, g) considers a serious infringement, with a two-year limitation period, "The breach, as a result of the lack of due diligence, of the technical and organizational measures that would have been implemented as required by Article 32(1) of Regulation (EU)
For its part, Article 72(1)(i) of the LOPDGDD considers a very serious infringement, with a limitation period of three years, "The violation of the principle of confidentiality as set out in article 5 of this organic law".
III
The documentation in the file provides solid evidence that the respondent processed the complainant's personal data in violation of the principle of integrity, Article 5(1)(f) in connection with Article 32(1)(b) and (c), both of the GDPR, when it handled the change of ownership of a mobile line that had been requested by the claimant, as the new owner, and its owner until then, Ms. B.B.B. Likewise, there is evidence that, as a consequence of that action, the principle of confidentiality (Article 5.1.f, GDPR) was violated, as personal data of the claimant were disclosed to a third party, also a customer of the respondent: at least the mobile phone number subject to the change of ownership, which the operator linked to that person.
It is established that on 29/11/2018 the claimant and Mrs. B.B.B. requested before a YOIGO distributor the change of ownership, in favor of the former, of mobile line ***TELÉFONO.1, which belonged to the latter. The file contains a copy of the customer's copy of the change of ownership document, bearing the YOIGO logo, in which the personal data of the old and the new owner are recorded. With respect to the claimant, in addition to the NIF, name and two surnames, it records the postal and e-mail addresses and the twenty-digit bank account for the direct debit of bill payments.
Furthermore, several points show that, on the occasion of the change of ownership of the line requested by the claimant, the respondent did not apply the organisational and technical measures necessary to ensure the security of the data processed. It ensured neither the claimant's availability of his data nor the respondent operator's capacity to restore that availability quickly once the entity was sufficiently informed of the irregularity.
In that sense, the screenshots of the mobile terminal provided by the complainant, relating to the communications he had with the SAC of YOIGO, establish that the respondent limited itself to replying on several occasions, despite the abundant information provided by the complainant, that the irregularities arising from the change of ownership of line ***TELÉFONO.1 were the responsibility of the distributor. These documents provided by the claimant also show that the respondent had knowledge of the facts at least since 08/12/2018. This circumstance, together with the claimant's statement on the date on which he filed his complaint, 26/12/2018, that the operator had not yet corrected the irregularity, shows that it lacked mechanisms to quickly restore the affected person's availability of his data and, in short, to guarantee the integrity of the personal data processed.
Furthermore, it is proven that the claimant provided the SAC of YOIGO with the name, surname, ID card and telephone number of the third party, also a customer of the operator, to which the mobile line number that was the subject of the request for change of ownership was linked. Whether or not this data is visible to the claimant, as he claims, it seems clear that the claimant's mobile phone number that was the subject of the change in ownership was disclosed to the third party. As the claimant has explained, the third party contacted them by phone on 03/12/2018 to inform them that line ***TELÉFONO.1 had been linked to his personal data.
IV
Article 58 of the RGPD, "Powers", says in point 2:
"Each supervisory authority shall have all the following corrective powers
indicated below:
(…)
"(i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of
each individual case;"
In order to determine the sanction to be imposed, account should be taken of the provision of article 83.3 of the GDPR, according to which "If a controller or processor intentionally or negligently failed, in respect of the same processing operations or linked operations, to comply with several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount provided for the most serious infringements".
In similar terms, Article 29.5. of Law 40/2015, on the Legal System
of the Public Sector indicates that "When the commission of an infraction necessarily results in the commission of another or others, only the sanction corresponding to the most serious infraction committed should be imposed". (The underlining is from the AEPD)
In view of the above, the provisions of Articles 83(1) and 83(2) of the GDPR must be complied with, which state:
"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive."
"Administrative fines shall be imposed, depending on the circumstances of
each individual case, in addition to or instead of the measures referred to in
Article 58(2)(a) to (h) and (j) In deciding whether to impose an administrative fine and the amount of such fine in each individual case, due account shall be taken:
(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) any measures taken by the controller or processor to alleviate the damage suffered by those concerned;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented in
(e) any previous breach committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority for the purpose of remedying the infringement and mitigating the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, if so, to what extent;
(i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible for or in charge of the same case, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to
certification approved in accordance with Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as the financial benefits obtained or the losses avoided, directly
or indirectly, through the infringement."
With regard to article 83.2 (k) of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides:
 "In accordance with the provisions of Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account
(a) The continuing nature of the infringement.
(b) The linking of the activity of the offender with the carrying out of data processing
personal.
(c) The profits obtained as a result of the commission of the offence.
(d) the possibility that the conduct of the person concerned might have led to the commission
of the infraction.
(e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The effect on the rights of minors.
g) The availability, when it is not compulsory, of a data protection representative.
h) The submission by the person responsible or in charge, on a voluntary basis, to
mechanisms for alternative dispute resolution, in those cases where there are disputes between them and any interested party".

In accordance with the above provisions, and without prejudice to the results of the investigation of the procedure, in order to determine the amount of the administrative fine to be imposed on the respondent as responsible for a violation of Article 5.1.f of the GDPR (classified in Article 83(5)(a) of that regulation) and of Article 5(1)(f) in relation to Article 32(1)(b) and (c) (classified in Article 83(4)(a) of the GDPR), in an initial assessment the following factors are considered to aggravate the guilt and/or unlawfulness of the conduct in question:
- The circumstance of Article 83.2(b) GDPR. The respondent acted with a serious lack of diligence in handling the change of ownership of line ***Phone.1 in the name of the claimant. The lack of diligence in complying with the obligations imposed on it by data protection regulations to give effect to the principle of integrity was also evident in its refusal to react to the situation caused, unnecessarily perpetuating the violation of the claimant's fundamental right to have the integrity of his personal data guaranteed. When the claim at issue was received by this Agency, on 26/12/2018, YOIGO had not yet dissociated the third party's data from the claimant's line, even though, as stated, on 08/12/2018 the complainant had already submitted his complaint, with documentary evidence, to the company's customer service.
- The circumstance of article 83.2.e) of the GDPR, "any previous infraction committed by the controller or processor", to be applied in accordance with the provisions of Article 29.3 of Law 40/2015, on the Legal Regime of the Public Sector, which, in citing the criteria to be considered in grading the penalty, refers (paragraph d) to "Recidivism, by commission within a year of more than one infringement of the same nature when it has been declared in a final administrative decision". It is worth mentioning the sanctioning decisions issued by this Agency in proceedings PS/385/2019, signed on 07/02/2020, in which the facts sanctioned occurred on 05/11/2018, and in PS/237/2019, signed on 19/11/2019, in which the facts sanctioned occurred on 06/08/2018.
- The circumstance described in Article 83(2)(f) RGPD. The entity has
responded neither to the request for information urging it to adopt
measures to end the incident (with the qualifications made in the Second
Fact) nor to the request made in the course of the preliminary investigation
actions.
- The circumstance described in article 83.2.k) of the RGPD in relation to
Article 76.2(b) of the LOPDGDD: the link between the offender's activity and the processing of
personal data. By its very nature, the processing of personal data of its customers
is implicit in the activity that the respondent carries out.
Therefore, on the basis of the above,
By the Director of the Spanish Data Protection Agency,
AGREED:
FIRST: Initiate disciplinary proceedings against XFERA MÓVILES, S.A,
with NIF A82528548, for the alleged infringement of articles 5.1.f) and 32.1.b) and c) of the
RGPD, typified, respectively, in articles 83.5.a) and 83.4.a) of Regulation
(EU) 2016/679.
SECOND: Appoint D.D.D. as instructor and E.E.E. as secretary, indicating that
either of them may be challenged, where appropriate, in accordance with the provisions of
Articles 23 and 24 of Law 40/2015 of 1 October on the Legal Regime of the Public
Sector (LRJSP).
THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim by the claimant and his documentation, the documents
obtained and generated by the Subdirectorate General for Data Inspection during the
investigation phase, as well as the report of previous Inspection actions.
FOURTH: THAT, for the purposes set forth in article 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure for Public Administrations, the
applicable penalty would be EUR 55,000 (fifty-five thousand euros),
without prejudice to the outcome of the investigation.
FIFTH: NOTIFY this agreement to the respondent, granting it a hearing period of
ten working days to make allegations and to present the
evidence that it deems appropriate. In your pleading you must provide your
VAT number and the procedure number in the heading of this document.
If you do not make any allegations within the stipulated time limit, this initiating agreement may
be considered a proposed resolution, as provided for in Article 64(2)(f) of
Law 39/2015 of 1 October on the Common Administrative Procedure of
Public Administrations (hereinafter LPACAP).
In accordance with Article 85 of the LPACAP, if
the sanction to be imposed is a fine, the respondent may acknowledge its responsibility within
the time allowed for submitting allegations to this initiating agreement,
which will entail a 20% reduction in the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be set at
EUR 44,000, with the procedure being resolved by the imposition of this
sanction.
Similarly, at any time prior to the resolution of
this procedure, the respondent may make voluntary payment of the proposed penalty,
which will result in a 20% reduction in its amount. With the application of this
reduction, the penalty would be set at
termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with the one
applicable for the acknowledgement of responsibility, provided that this
acknowledgement of responsibility is made within the time limit
granted to make allegations on the opening of the proceedings. The voluntary payment
of the amount referred to in the preceding paragraph may be made at any
time before the resolution. In this case, if it is appropriate to apply both
reductions, the amount of the penalty would be set at
In any case, the effectiveness of either of the two above-mentioned reductions
shall be conditional upon the withdrawal or waiver of any action or appeal in
administrative proceedings against the sanction.
If you choose to proceed with the voluntary payment of either of the
amounts indicated above (EUR 44,000 or EUR 33,000), you must make the payment
by depositing it in account no. ES00 0000 0000 0000 0000 opened
in the name of the Spanish Data Protection Agency at CAIXABANK Bank,
S.A., indicating in the payment concept the reference number of the procedure given in
the heading of this document and the ground for reduction of the amount that
is being relied upon.
Likewise, you must send proof of payment to the Subdirectorate General of
Inspection so that the procedure can continue in accordance with the amount
paid.
The procedure will last a maximum of nine months from
the date of the agreement to initiate or, where appropriate, the draft agreement to initiate.
After this period, the agreement will expire and, consequently, the
actions; in accordance with the provisions of Article 64 of the LOPDGDD.
Finally, it is noted that in accordance with the provisions of Article 112.1 of the
LPACAP, there is no administrative appeal against this act.
Mar España Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On June 11, 2020, the respondent paid the sum of
EUR 33,000, making use of the two reductions provided for
in the Agreement to Initiate transcribed above, which implies acknowledgement of
responsibility.
THIRD: The payment made, within the period granted to make allegations on
the opening of the procedure, entails the waiver of any action or appeal in
administrative proceedings against the sanction and the acknowledgement of responsibility in relation to
the facts referred to in the Agreement to Initiate.
LEGAL FOUNDATIONS
I
By virtue of the powers that Article 58(2) of the RGPD confers on each supervisory
authority, and in accordance with Article 47 of Organic Law 3/2018, of 5
December, on the Protection of Personal Data and Guarantee of Digital Rights
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency
is competent to penalise infringements committed against the said
Regulation; infringements of Article 48 of Law 9/2014 of 9 May, General
Telecommunications Law (hereinafter referred to as LGT), in accordance with
Article 84.3 of the LGT; and the infractions defined in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of 11 July, on information society services
and electronic commerce (hereinafter referred to as the LSSI), as provided for in
Article 43.1 of the said Act.
II
Article 85 of Law 39/2015 of 1 October on the Common Administrative Procedure
of Public Administrations (hereinafter LPACAP), under the heading
"Termination in sanctioning proceedings", provides the following:
"1. Once penalty proceedings have been initiated, if the offender acknowledges his
responsibility, the proceedings may be terminated with the imposition of the penalty
as appropriate.
2. Where the penalty is solely pecuniary in nature, or where both a pecuniary
penalty and a non-pecuniary penalty may be imposed but the
inappropriateness of the latter has been justified, voluntary payment by the alleged perpetrator, at
any time before the resolution, will imply the termination of the procedure,
except as regards the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the penalty is solely of a pecuniary nature,
the body competent to decide on the procedure shall apply reductions of
at least 20 % of the amount of the proposed penalty, which may be cumulated
with each other. These reductions shall be determined in the notification of
initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased
by regulation."
In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00104/2020,
in accordance with Article 85 of the LPACAP.
SECOND: NOTIFY this resolution to XFERA MÓVILES, S.A. (YOIGO).
In accordance with the provisions of Article 50 of the LOPDGDD, this
decision will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
Article 114(1)(c) of Law 39/2015 of 1 October on the Common Administrative Procedure
of Public Administrations, the interested parties may lodge a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months from the
day following notification of this act, as provided for in Article 46(1) of
the said Law.
Mar España Martí
Director of the Spanish Data Protection Agency