AEPD - PS/00198/2020

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 01.09.2020
Fine: 45.000 EUR
Parties: Telefónica Móviles España, S.A.U.
National Case Number/Name: PS/00198/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

1 September 2020 - The Spanish Data Protection Agency (AEPD) terminated early the sanctioning procedure against Telefónica Móviles España, S.A.U. (the defendant) for the infringement of Article 6(1) GDPR, after the defendant acknowledged its liability and made an early voluntary payment of the reduced amount (45,000 €) of the fine proposed by the AEPD (75,000 €).

English Summary

Facts

The decision results from a sanctioning procedure that the AEPD opened against the defendant following a complaint by a Spanish citizen. The claimant stated that, since 2015, the defendant (i) had used the claimant's phone number to train its employees, (ii) had accessed his/her client profile without authorisation, and (iii) had sent him/her a large number of SMS messages and even made 534 phone calls from the number 1002. The claimant attached the SMS messages and phone calls as evidence of the claim.

Dispute

The defendant replied to the AEPD's investigation requests stating that, in June 2020, it had sent an email to the claimant informing him/her that new measures had been taken to block the calling phone number (1002). It also stated that it had reviewed the details of the SMS messages provided by the claimant as evidence and that, although some measures had already been taken to avoid this situation, those measures had been strengthened. The defendant further declared that it had introduced technical measures to prevent commercial agents and any business area from manually calling the claimant; among these measures, the defendant included an information message ("This phone number is related to a real client, so any unlawful use is forbidden"). The AEPD opened the corresponding sanctioning procedure.

Holding

Without prejudice to the outcome of the final investigations in the sanctioning procedure, the AEPD considered that the defendant could have breached the principle of lawfulness of processing under Article 6(1) GDPR: on the basis of the available evidence, and although the defendant admitted its mistake and declared that new measures had been taken to avoid such situations, it did not prove the lawfulness of the data processing. Consequently, after considering several aggravating circumstances [(i) negligence by the defendant, (ii) basic personal data were affected, (iii) the breach was continuous, and (iv) there is a clear connection between the business activity of the defendant and the processing of personal data of clients and third parties], the AEPD considered that, if the sanctioning procedure concluded with a sanction, the infringement would be fined 75,000 €. The AEPD therefore offered the defendant the possibility of settling the matter before a decision was issued by agreeing to a voluntary payment of part of the fine, with two possible discounts: (i) acknowledgement of its liability (60,000 €) and (ii) early voluntary payment (45,000 €). The defendant agreed to both, so it paid 45,000 € and the AEPD closed the sanctioning procedure.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

936-031219

Procedure Nº: PS / 00198/2020

RESOLUTION R / 00399/2020 TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY

In the sanctioning procedure PS / 00198/2020, instructed by the Agency Spanish Data Protection Agency to TELEFÓNICA MÓVILES ESPAÑA, SAU, after the complaint filed by AAA, and based on the following,

BACKGROUND

FIRST: On July 13, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against TELEFÓNICA MÓVILES ESPAÑA, SAU (hereinafter, the claimed), through the Agreement that is transcribe:

<<

Procedure Nº: PS / 00198/2020

935-200320

AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Agency for the Protection of Data and based on the following:

ACTS

FIRST: D. AAA (hereinafter, the claimant) dated December 29, 2019 filed a claim with the Spanish Agency for Data Protection. The claim is against Telefónica Móviles España, SAU with NIF A78923125 (hereinafter, the claimed).

The claimant states that since 2015 Movistar uses its mobile line ( *** PHONE. 1 ), to carry out tests, to train your employees and also makes unauthorized access to your customer file, and even in stores and telephone service, for which he shows his disagreement with the series of SMS received on your line, which do not correspond to you.

C / Jorge Juan, 6, 28001 - Madrid. www.aepd.es, sedeagpd.gob.es
In addition, it states that since October it has received a total of 534 calls from number (1002) which he had to block, since they are harassment by the claimed one.

Provides as proof of your claim, the SMS received and calls from the 1002.

SECOND: In accordance with article 65.4 of the LOPGDD, which has provided a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the intended purposes in article 37 of the aforementioned rule, or to these when it has not designated them, transfer of the claim to the claimed entity to proceed with its analysis and respond to the complaining party and to this Agency within one month.

As a result of this process, on June 11, 2020, the claimed states that it proceeds to send a letter to the claimant through the address of its email and inform you that they have taken new measures remaining blocked said numbering for internal purposes of the object that cannot be used, as well as for communication campaigns.

They attach a copy of the letter sent to the claimant.

On the other hand, it indicates that the claimant exercised his right of access which was responded by letter on April 10, 2017.

Next, they state that they have analyzed the detail of the SMS that it provides as evidence by the claimant and observe that, although measures had been taken with said numbers, currently they have been strengthened and have adopted new measures, always trying to eradicate the problem that exists with its numeration.

Of course, they point out that you cannot prevent other senders from sending communications to the line object of the claim. However, they have implemented different developments that avoid the manual introduction of the aforementioned line by commercial agents and / or third parties, again reinforcing the blocking of any SMS from the different systems and platforms that issue messages related to any business area in the Movistar environment. It is so that have implemented measures since 2014 in order to prevent the treatment unauthorized of the claimant's personal data.

In this sense, in May 2016 they published a statement in the tool of information available to the different agents that attend 1004 called "Eclypse" in the segment of companies to which the claimant with the warning not to use the aforementioned line for testing or as contact information. In July 2017, it published the same statement for the segment residential, and in June 2018 it reinforced operations through the coordinators of customer service centers.

In any case, they point out that they have implemented new measures regarding the cited numbering object of the claim:

1.- They have modified the entry of OOSS (Service Orders), so in if any field is left blank due to lack of information, the cited numbering.

2.- They have also modified the OOSS in "flight" with the same previous criteria and currently said modification is already executed.

3.- From logistics they have in turn proceeded to inhibit said numbering, for any communication of a fault, not being able in any case to include it as contact number.

4.- They have again reviewed all the measures adopted and have introduced an informative message that is included in the front in case it is tried enter such numbering by mistake.

"This phone belongs to a real customer, its misuse is prohibited"
THIRD: The result of the transfer process initiated in the previous Event does not allowed to understand satisfied the claims of the claimant. Consequently, with dated June 19, 2020, for the purposes set forth in article 64.2 of the LOPDGDD, The Director of the Spanish Agency for Data Protection agreed to admit for processing the claim filed.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure.

II

The defendant is charged with committing an infraction for violation of the Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the cases in which the processing of third party data is considered lawful:

"1. The treatment will only be lawful if at least one of the following is met terms:

a) the interested party gave their consent for the processing of their data personal for one or more specific purposes;

b) the treatment is necessary for the performance of a contract in which the interested is part or for the application at the request of this of measures pre-contractual;

(…)"

The offense is typified in Article 83.5 of the RGPD, which considers as such:

"5. Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:

a) The basic principles for the treatment, including the conditions for the consent in accordance with articles 5,6,7 and 9."

Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions considered very serious" provides:

"1. Based on what is established in article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in particular, the following:

(…)

a) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679."

III

The documentation in the file provides evidence that the claimed, violated article 6.1 of the RGPD, since it processed the Claimant's personal data without having any legitimacy to do so.

The respondent has recognized this error and has indicated that they have analyzed the detail of the SMS that the claimant provides as evidence and they state that although measures had been taken with such numbering, currently the themselves and have adopted new measures, always trying to eradicate the problem that exists with its numbering.

However, and this is the essential thing, the defendant does not accredit the legitimacy to the treatment of the claimant's data.

IV
The determination of the sanction to be imposed in the present case requires observe the provisions of articles 83.1 and 83.2 of the RGPD, precepts that, respectively, provide the following:

"Each supervisory authority will guarantee that the imposition of fines administrative under this article for the infractions of this Regulations indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive."

"Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account:

a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well as the number of affected stakeholders and the level of damage and damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge of the treatment, taking into account the technical or organizational measures that have applied by virtue of articles 25 and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;

f) the degree of cooperation with the supervisory authority in order to remedy the violation and mitigate the possible adverse effects of the violation;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified the infraction and, in such case, to what extent;

i) when the measures indicated in Article 58 (2) have been previously ordered against the person in charge or the person in charge in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms certification approved in accordance with Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the infringement." (The underlining is from the AEPD)

In order to specify the amount of the penalty to be imposed on the one claimed by violation of article 83.5.a) of the RGPD, it is essential to examine and assess whether The circumstances described in article 83.2 of the RGPD concur and if they intervene mitigating or aggravating the responsibility of the responsible entity.

In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the fine to impose in the present case, the claimed party is considered responsible for an infringement typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent the following factors.

As aggravating factors the following:

- In the present case we are facing a negligent action on significant data that allow the identification of a person (article 83.2 b).

- Basic personal identifiers are affected (name, a number of identification, the line identifier) (article 83.2 g).

- Section k), in relation to article 76.2 of Organic Law 3/2018, in which frames as an aggravating factor the continuing nature of the offense attributed to claimed.

- The evident link between the business activity of the claimed and the processing of personal data of clients or third parties (article 83.2 K, of the RGPD in relation to article 76.2 b, of the LOPDGDD).

That is why it is considered appropriate to graduate the sanction to impose on the claimed and set it at the amount of € 75,000 for the violation of article 6 of the RGPD.

Therefore, based on the foregoing,

By the Director of the Spanish Agency for Data Protection,
HE REMEMBERS:

1. START SANCTIONING PROCEDURE for TELEFÓNICA MÓVILES ESPAÑA, SAU, with NIF A78923125, for the alleged violation of article 6 of the RGPD typified in article 83.5.a) of the aforementioned RGPD.

2. APPOINT Mr. RRR as instructor and Ms. SSS as secretary, indicating that any of them may be challenged, where appropriate, in accordance with what is established in articles 23 and 24 of Law 40/2015, of October 1, of Legal Regime of the Public Sector (LRJSP).

3. INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its attached documentation, the informative requirements that the Subdirectorate General for Inspection of Data sent to the claimed entity in the preliminary investigation phase and its respective acknowledgments of receipt.

4. THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, the corresponding penalty would be 75,000 euros (seventy-five thousand euros), without prejudice to what results from the instruction.

5. NOTIFY this agreement to TELEFÓNICA MÓVILES ESPAÑA, SAU, with NIF A78923125, granting a hearing period of ten business days to make the allegations and present the evidence it deems appropriate. In your statement of allegations you must provide your NIF and the number of procedure at the top of this document.

If within the stipulated period it does not make allegations to this initiation agreement, the same It may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; the which will entail a reduction of 20% of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be established at 60,000 euros, resolving the procedure with the imposition of this sanction.

In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at 60,000 euros and its payment will imply the termination of the process.

The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the recognition of responsibility, provided that this recognition of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph it may be done at any time prior to the resolution. In this case, if both reductions should be applied, the amount of the penalty would be set at 45,000 euros.

In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction.

In case you choose to proceed to the voluntary payment of any of the amounts indicated above, 60,000 euros or 45,000 euros, you must make it effective by entering the account number ES00 0000 0000 0000 0000 0000 open to name of the Spanish Data Protection Agency in Banco CAIXABANK, SA, indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which welcomes.
Likewise, you must send proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Agency for Data Protection
>>

SECOND: On August 7, 2020, the defendant has proceeded to pay the sanction in the amount of 45,000 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts to which the Initiation Agreement refers.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.
II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following:

"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the sanction that proceeds.

2. When the sanction is solely of a pecuniary nature or it fits impose a pecuniary and a non-pecuniary sanction but it has been justified the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, Except for the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offense.

3. In both cases, when the penalty is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at less, 20% on the amount of the proposed penalty, these being cumulative each. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased regulations."

In accordance with the above, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00198/2020, of in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to TELEFÓNICA MÓVILES ESPAÑA, SAU.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

Mar España Martí
Director of the Spanish Agency for Data Protection