AEPD (Spain) - PS/00209/2019: Difference between revisions

From GDPRhub
(Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |AEPD - PS/00209/2019 |- | colspan="2" style="padding: 20px; background-color:#ffffff;"...")
 
No edit summary
(One intermediate revision by the same user not shown)
Line 10: Line 10:
[[Category: Spain]]
[[Category: Spain]]
|-
|-
|Relevant Law:|||
|Relevant Law:||Article 84(3) Spanish General Law of Telecommunications
 
[[Article 57 GDPR#1|Article 57(1) GDPR]][[Category:Article 57(1) GDPR]]
 
[[Article 83 GDPR#2|Article 83(2) GDPR]][[Category:Article 83(2) GDPR]]
|-
|-
|Type:||Complaint
|Type:||Complaint
Line 38: Line 42:
|}  
|}  


The AEPD confirmed that a webpage's privacy policy lack of precision violated the GDPR.  
EUR 20,000 fine was imposed against VODAFONE ONO SAU for unsolicited commercial calls and e-mails without consent and despite the client's objection.  


==English Summary==
==English Summary==


===Facts===
===Facts===
The complainant had received many commercial calls and e-mails without having given his consent and after having informed the company that he does not want to receive these calls and e-mails.  
The complainant claimed that he received many commercial calls and e-mails, to which he hadn't consented and after having notified the company many times that he didn't want to receive them. The telephone number from which the calls were made did not belong to the company according to its statements.


===Dispute===
===Dispute===
Does the lack of specific information regarding the purposes of processing, the consent and the child’s consent as a legal basis of the processing within a privacy policy, contravene Articles 13(1), 6(1)(a) and 8 GDPR?
 


===Holding===
===Holding===
The AEPD found that GRUP BC S.L violated Article 13(1), 6(1)(a) and 8 GDPR.
The AEPD found that the company did not take any action to cease the unsolicited communication although it was aware of the complainant's objection. Thus, it imposed the fine of EUR 20,000.


==Comment==
==Comment==
''Share your comments here!''
''Share your comments here!''


Line 64: Line 67:
<pre>
<pre>


Product No.: PS/00006/2019
Procedure No:PS/00209/2019
938-0419
938-0419
 
RESOLUTION OF THE DISCIPLINARY PROCEEDINGS
 
In sanction proceedings PS/00209/2019, instructed by the Spanish Data Protection Agency, the entity VODANOONE SAU, with C.I.F. A62186556, (hereinafter referred to as the “respondent”), having regard to the complaint lodged by  A.A.A., (Mr Lante¬, “the complainant”), and on the basis of the following:
 
DECISION ON DISCIPLINARY PROCEEDINGS
 
From the procedure instructed by the Spanish Data Protection Agency and in consideration of the following
 
 
BACKGROUND
BACKGROUND
 
FIRST:Since December 2017, the complainant has submitted a number of letters to the complainant in which he denounces the entity VODAFONE, on the basis of the receipt of commercial calls, without his consent and having informed the company on several occasions that he refused to receive them.The telephone number is included in the RoRobon List since 2013 and is not a customer of the company.You also complain about the receipt of commercial emails in a number of accounts of your title, also stating that you have repeatedly objected to receiving this type of email.
FIRST: On 27/08/2018 a complaint by Mr. A.A.A. was entered in the Register of the Spanish Data Protection Agency (AEPD). (hereinafter, the claimant) in which he states that page ***URL.1 does not comply with data protection regulations.
With the letters of complaint, it is accompanied by the certificate of registration in the Robinson List since 2013 and several letters and letters sent to the company, the content and relationship of which is detailed in the document initiating the procedure and in the letter of motion for a resolution.
 
SECOND:In the light of the facts set out in the complaint and the documents provided by the complainant, the Subdirectorate-General for Data Inspection carried out measures to clarify matters, under the powers of investigation conferred on the supervisory authorities in Article 57 (1) of the GDPR.Thus, on 31/10/18, an information injunction was sent to the entity in question.
The entity responsible for the web banderacatalana.cat is the company GRUP BC, S.L., with NIF B65880916 (from now on, the claimant).
THIRD:By letter dated 18/01/19, in the context of Cases E/08257/2018, E/0482/2019 and E/2463/2019, the entity complained against provided the Agency with detailed information in the document initiating the procedure and in the motion for a resolution.
 
FOURTH:In the light of the facts reported, the documentation provided by the parties and in accordance with the evidence available, the Data Inspectorate of this Spanish Data Protection Agency took the view that the conduct of the entity complained against did not fulfil the conditions laid down by the legislation in force, with the result that a penalty procedure should be opened.Thus, on 09/09/19, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the entity sought, pursuant to the powers set out for infringement of Article 48 (1) (b) of the LGT, arguing that:‘In the present case, it has been verified that the person concerned, being listed in the Robinson List as from year 2013 and having even exercised his right to object to the entity VOLADFONE, to object to his personal data being processed for commercial use, has continued to send advertisements to
 
Ooped
SECOND: In view of the claim formulated, the AEPD, in the framework of the file with reference E/7148/2018, by means of a letter dated 09/10/2018, notified electronically, gave notice of the claim to the reclaimed and requested information on the measures that had been adopted to put an end to the denounced irregular situation.
Data subject via e-mail and commercial calls in the following years
 
FIFTH:Notified of the initiating agreement, the entity in question, by letter of 23/09/19, put forward arguments, the content of which is set out in detail in the written motion for a resolution.
The certificate issued by the FNMT in the file proves that the letter of transfer was made available to the defendant at the electronic site on 09/10/2018 and that the automatic rejection took place on 20/10/2018.
SIXTH:On 21/10/19, the probationary period was commenced and the complaint lodged by the complainant and its documentation, the documents obtained and generated which form part of the file and reproduced for purposes of proof, the allegations made in the original agreement of PS/00209/2019, submitted by the party against which the complaint was lodged, were reproduced for the purposes of proof.
 
SEVEN:On 10/12/19, the entity is notified of the proposal to propose a¬ solution in which it is proposed that the Director of the Spanish Data Processing Agency should sanction VODAFONE España SAU, as a result¬ of an infringement of Article 48 (1) (b) of the LGT, which is classified as minor in Article 78 (11) of the LGT, with a fine of EUR 20,000 (twenty thousand euros),
The AEPD reiterated the notification to the respondent on 25/10/2018, this time through the postal mail that was delivered - as it is proved by the certificate issued by the Sociedad Estatal Correos y Telégrafos, S.A. - on 29/10/2018 at 10:37 am.
EIGHT:Notified of the motion for resolution, the entity in question puts¬ forward arguments on the proposal for the period granted for that purpose, essentially on the basis of:
 
‘The complainant claims to be receiving commercial calls at Vodafone’s * * * telecommunication telephone number by Vodafone, but does not indicate the numbers calling¬ the number * * * TELEFONO.2.We have again checked that this calling-number is not owned by Vodafone, nor does it appear in the database from which they make calls to the employees of my client.
The claimant was notified by post of a letter acknowledging receipt of his claim and informing him of the transfer to the respondent. On 31/10/2018 this letter was returned to the AEPD as it had not been removed from the post office where it was deposited after two attempts at delivery with no result.
In accordance with the Memorandum of Understanding set out in the Memorandum of Understanding set out in the Agreement to initiate this Procedure, Vodafone is reaffirming that all the telephone numbers of this customer, namely its mobile line * * * TELEFONO.3, and its fixed lines * * * Tylfon.O.4 and * * * TELEFFUNO.1, are included in the Official Digital List as well as in our internal Robinson List.Thus Vodafone could not have included them in¬ the collection campaigns directly managed by it.
 
In particular, we verified that the exact dates since they were included are the following:
In accordance with the provisions of article 65.5 of the Organic Law 3/2018, on Data Protection and Guarantee of Digital Rights (LOPDGDD), on 12/12/2018 the agreement of admission to process this claim is signed.
—  * * * TELEFFONO3:It is included in the Official Digital List from the time of¬ the submission of 11 December 2013.It is also included in our internal Robinson List as from 5 February 2019.  
 
Ooped
In accordance with article 67.1 of the LOPDGDD, the Data Inspectorate of the AEPD carries out the following actions in order to determine the facts and circumstances that justify the processing of the procedure
—  * * * TELEFFONO4:It is included in the Official Digital List from the time of¬ the submission of 11 December 2013.It is also included in our internal Robinson List as from 31 January 2019.
 
— * * * TELEFFONO1:It is included in the Official Digital List from the time of¬ the submission of 11 December 2013.It is also included in our internal Robinson List as from 15 May 2018.
On 31/01/2019 the Privacy Policy is accessed from page ***URL.1
We also verified once again that, for the services for which the complainant is a customer, as already explained in previous reporting requirements, the tant¬ has a conspicuity check that is marked so that it can also not be included in marketing years for portfolio customers.
and the following points are noted.
Similarly, my client is generally taking a number of¬ steps to avoid that third parties using its own databases to handle Vodafone’s name continue to call per sonas such¬ as the complainant that they do not wish to receive commercial calls.
In particular, these measures already known to the Agency are as follows:
- The web page ***URL.1 offers in the section called information ("Informaciò") and within it in the sub-section legal text ("Text Legal"), access to its Privacy Policy.
1. A first communication was sent to all our staff on 19 November 2018 to remind them of their obligations in terms of data protection.This is attached as Doc 1.
 
2. A simpler automatic system has been set up to¬ enable customers to oppose commercial communications.This request can be made via the darabbaa.s web page. please find attached as Doc. 2 a screen of this website.
- The Privacy Policy to which access is given informs that the person responsible for the processing of the data is "Grupo Bandera Catalana", Grup BC, S.L., (B65880916), with address in calle Venus 86 B, Terrassa 08228.
3. A database has been set up with telephone numbers that you use¬ as your colleagues when you call recruitment, in the month¬ of 2018.This database is regularly updated in order to have all the numbers used by all the partners in the different areas of the company (online, teleshopping, retail and door to door).In order to increase the number of registers in the database and to be able to identify potential contributors who do¬ not comply with their obligations as operators responsible for the databases using it and the procedures laid down at Vodafone, the contract is gradually being included in all the contracts with partners, the obli¬ contracted to provide us with the list of telephone numbers from  
 
Ooped
- The Policy of Privacy of the claimed one dedicates two sections to these questions: The person responsible (i); the purposes, legitimacy and conservation of the treatment of the data sent through contact forms, e-mails and subscription to its newsletter (ii); the recipients of the data (iii); the rights in relation to their personal data (iv); cookies (v); security of their personal data (vi) and updating of their personal data (vii).
this calls for calls to be made by both the partner and any¬ undertakings which may be subcontracted to carry out these recruitment activities.
 
4. They have been notified to cooperating companies by reminding them of their data protection obligations in respect of collecting calls on behalf of Vodafone, in particular, the directory obligation is stolen, official.In addition, Vodafone has met with the owners and managers of some of these companies for this purpose.
- In turn, the second of the above-mentioned sections - purposes, legitimacy and conservation of the processing of data sent through contact forms, e-mails and subscription to your newsletter - details, depending on the means by which the owner has provided them, what the purpose of the processing is and what the legitimacy for the processing of personal data is.
5. The implementation of other measures is being assessed as the routing of the calls made by these collaborators through Vodafone, which is to¬ be implemented fully by the end of December.In this way, these partners will only be able to make calls through specific and identified numbers, which will also prevent calls to be made to the numbers included in the list of ADHD as well as in the internal Robinson List.
 
In view of the above, my client understands that it has put all the means¬ available to it and acting in accordance with the rules, as long as all the existing measures have been taken and all the viable filters are applied to prevent practices such as those that the complainant is denouncing, deploying the utmost diligence.
For each of the means of data collection used, the following legitimacy is stated ("Legitimaciò"):
As the Agency is aware, the commercial campaigns directly managed by Vo dafone¬ are based on a robust process that is continuously reviewed and¬, today, Vodafone is assessing the campaigns carried out by third parties to ensure that they do not infringe data protection law or the rights of the persons called on in such campaigns.
 
In this connection, it should also be borne in mind that those commercial campaigns¬ are not directly carried out by Vodafone but by their collaborators.It is therefore to be understood¬ that the numbers from which calls are received are to be known in order to¬ confirm who does actually do so.The complainant has only provided a number which is not part of the database used by the cooperating companies of Vodaphfo¬ ne to make marketing campaigns as verified.
The user's consent when requesting information through our contact form.
As far as these facts are concerned, my client wishes to reiterate once again the absence of¬ an infringement in the acts carried out in the file in question.In that regard, it is important to point out the repeal of Article 130 of Law No 30/1992, which provided that ‘only natural and legal persons who are responsible for them may be penalised for acts constituting an infringement’.
The user's consent when requesting information from us through the e-mail address.
We are faced with a lack of room for fault-based liability, a principle which governs or has to apply in the administrative penalty field, since, in so far as it is said —
The user's consent when subscribing to our commercial mailings or newsletters.
Ooped
 
Cion of the State’s ius puniendi is unacceptable in our legal system for a system of liability without fault.
Later on, the legal information of the web page ***URL.1, in the same section destined to the purposes, legitimization and conservation of the treatment of the data sent through contact forms, e-mails and subscription to the newsletter, indicates that the provision of personal data requires a minimum age of 13 years or if applicable, to have sufficient legal capacity to contract (the underlining is from the AEPD).
Having regard to the special nature of the law on penalties, which makes it impossible to impose penalties without taking account of the will of the person concerned, or the factors which may have led to a breach of a legal obligation, that party maintains that the imposition of penalties is not unlawful.
 
However, as may be seen, the conduct described in the course of the¬ proceedings does not involve any intent whatsoever, either to intent, or to fault.Consequently, since there is¬ no remedy, that party confirms that it is wholly inappropriate to impose a penalty on my client as one of the essential requirements of the administrative penalty law.
Given that the ***URL.1 website, and therefore also the Privacy Policy, uses exclusively one of the co-official languages of Catalonia, Catalan, the information referred to is transcribed as offered, i.e. written in Catalan:
The complainant is considered to have acted without a minimum legal standard of probative value, leading to the demonstration of the guilt of Voida — FONE, he shows that the only number provided from the person who received the flame does not¬ belong to any of the collaborator of my client.In addition to the fact that the complainant’s ownership numbers were included in the list of Digital Rights and the internal Robinson List of Vodafone and, therefore, Vodafone’s collaborators should be able¬ to use the filtering of those numbers in the course of the commercial campaigns.
 
In this regard, it is important to draw attention to the fact that some of the¬ images of this type of campaigns use tretas of the most disparate nature and, on the basis¬ of the facts, it is done by an undertaking which is not for those who work with the idea of causing improper intent, in another call, to capture the user’s interest.
"The supply of personal data requires a minimum age of 13 years or, if necessary, sufficient legal capacity to contract") (The underlining is from the AEPD)
In the alternative, and in the event that, in spite of the explanations given above, the Agency considers that my company merits a penalty for committing an infringement of Article 48.1 (b) of the General Tax Law, the amount of that penalty should be moderated, with the minimum amount being imposed, taking into account the¬ relevant circumstances set out in Article 83.2 of the GDPR:(a) processing of the complainant’s data has been carried out locally;(b) There is no intention on the part of Vodafone that, on the contrary, it causes my client clear damage (complaints, bad image, possible fine for the¬ Agene, etc. and c) it is taking all due care that can be required for the purpose of ensuring¬ that these staff perform properly¬ in carrying out trade campaigns on behalf of Vodafone.  
 
Ooped
THIRD: On 06/02/2019, the Director of the Spanish Data Protection Agency agrees to initiate sanctioning proceedings against the defendant for the alleged infringement of Article 13.1, in relation to Articles 6.1(a) and 8.1 of the RGPD and in relation to Article 7 of Organic Law 3/2018, on Data Protection and Digital Rights Guarantees (LOPDGDD). Infringement referred to in Article 83.5 of the RGPD.
The requested entity is requested to:1There was no need to adjudicate on the matter, with the result that action 2 was closed.In the alternative, impose on my¬ own initiative the penalties for minor infringements to the minimum grade.
 
In the light of the above, the following facts are considered by the Spanish Data Protection Agency in the present proceeding.
FOURTH: The agreement to commence was notified to the defendant electronically, in accordance with the provisions of Article 14 of Law 39/2015 on Administrative Procedure
Commonwealth of Independent States (LPACAP). The certificate issued by the FNMT's Electronic Notifications and Qualified Electronic Address Service, which is in the file, proves that the agreement to initiate was made available to the entity on 07/02/2019 and was rejected on 18/02/2019.
 
This Agency reiterated the notification of the agreement to initiate the file by mail addressed to the registered office of the respondent. The certificate issued by the Sociedad Estatal Correos y Telégrafos certifies that the agreement to open the file was notified to the respondent, with the date of delivery being 10:33 on 04/03/2019.
 
In accordance with Article 73.1 of the LPACAP, 'The formalities to be completed by the interested parties must be carried out within ten days of the date of notification of the corresponding act', except when the law establishes a different period.
 
In the initiation agreement of PS /0006/2019, a period of ten working days was granted to formulate allegations and it was also stated, as provided in article 64.2.f) of Law 39/2015 that, in the event of not formulating allegations on the content of the initiation agreement within the time limit, the agreement may be considered a proposal for a resolution when it contains a precise pronouncement on the responsibility charged.
 
This Agency is not aware that the claimant has made any allegations to the agreement to initiate the sanctioning procedure.
 
By means of diligence dated 31/10/2019 the instructor of the file records the result of the access made on that date to the Privacy Policy of the web page banderacatalana.cat.
 
The screenshots obtained of that web site demonstrate that in the section "Purpose, legitimization and conservation of the treatments of the data sent through: Contact form (...) Sending of e-mails (...) Subscription to our newsletter" of the legal information continues existing identical information that the one that appeared in date 31/01/2019: The provision of personal data will require a minimum age of 13 years or, in its case, to have sufficient legal capacity to contract.
 
Likewise, the screenshots included in the certificate issued on 31/10/2019 prove that page ***URL.1 informs that "the new person in charge of the web site hosted in ***URL.2 and of the processing of personal data" is Mr. B.B.B. with tax identification number ***NIF.1 and fiscal address in calle ***DIRECCIÓN.1
 
Given that the defendant did not make any allegations to the agreement to initiate the sanctioning file, under Article 64.2.f) of the LPACAP, and given that the agreement to initiate the proceedings contained a specific and determined pronouncement on the liability of the defendant, the procedure to propose a resolution is omitted and the corresponding resolution will be issued
 
 
The following are considered to be proven in these proceedings,
 
 
FACTS
FACTS
1. — Constant inscribed on the Robinson List the following phone numbers and email addresses in the name of the complainant since 11/12/13:Telephone lines:* * * TELEFONO.1, * * * TELEFFONO4 and * * * TELEFFONO3;— E-mail addresses:* * * EMAIL.1,  * * * EMAIL.2,  * * * EMAIL.3.
1.- On 31/01/2019 the site ***URL.2 informs that Grup BC, S.L., with NIF B65880916, is responsible for the processing of personal data. It provides its postal address (calle Venus 86 B, Terrassa 08228) and an e-mail address:
2. On 21/12/17, the complainant sends, by email  * * * EMAIL.4, the documentation required by Vodafone to exercise his access and revocation rights.This documentation is sent to the addresses.
***EMAIL.1
Data protectiondedata. is:And data protectionwith@ono.
 
3. The complainant has provided a copy of a letter addressed to VODAFONE SPAIN SAU — handed over to the consignee on 12/02/18-, to receive commercial calls from the company on its telephone number  * * * TELEFIFO1, from the telephone number  * * * TELEFFONO2, and by reiterating the right of access to and cancellation of the company.
2. On that date, 31/01/2019, the privacy policy that can be accessed from the above-mentioned website refers, among other matters, to the "Purposes, legitimacy and conservation of the processing of data sent through: contact forms (...) Sending of e-mails (...) Subscription to our Newsletter (...)".
4. In the email sent by the complainant on 16/03/18, from management
 
* * * EMAIL.4 and for use for data @ vodaine. and
In this sub-section - "Subscription to our Newsletter" - the following is indicated:
Protecciondedatos@ono.es, you complain that you receive commercial calls from Vodafone, and you repeat the requests made to the company that you should not call you again.
 
5. The company recognises (by letter sent to this agency on 10/05/19) that:
" Purpose: Sending our commercial newsletter, informative and advertising communications about our products or services that are of interest to you, including by electronic means (e-mail, SMS, etc).
“08/04/17 marked negative options:“not to receive communications from Vodafone or Vodafone”;‘Do not transfer their data to other companies in the Vodafone group’;“do not use traffic and billing data for commercial purposes” and “do not use navigation data for commercial purposes”.
Legitimation: The user's consent when subscribing to our commercial mailings or newsletters.
6. The complainant provided a copy of an email dated 11/11/18, to propuestas.onovodafone@gmail.com:The e-mail address,  * * * EIMA.1, the content of which refers to the promotion of products and services of the mark VOLTAONE ONO.
Conservation: Until the interested party revokes the consent and requests the cancellation of the service.
7. — The respondent submits a copy of an e-mail dated 29/04/19, originating from dpo-spain@vodafone.com and posted to the complainant’s address, where they apologise for the event, stating that they have taken the necessary measures to avoid including them in the next business actions, and requesting that, if they are subsequently repeated, the calling line is identified against the distributor.
Obligation to provide personal data and consequences of not doing so.
"The provision of personal data requires a minimum age of 13 years or, where appropriate, have sufficient legal capacity to contract. (The underlining is from the AEPD)
 
3. The notification to the respondent of the agreement to open file PS/0006/2019 was made electronically on 07/02/2019 (date of availability) and was automatically rejected on 18/02/2019. This is confirmed by the FNMT certificate in the file.
 
4. On 04/03/2019, at 10.30 a.m., the complainant accepted the agreement to initiate PS/006/2019, since the SPEA reiterated the notification by post. The certificate issued by the Sociedad Estatal Correos y Telégrafos attesting to this is in the file.
 
5. There is no record in the Register of the AEPD of the fact that the complainant has made any allegations concerning the agreement to initiate PS/006/2019.
 
6. In date 31/10/2019, the web page banderacatalana.cat offers in matter of politics of privacy this information. In the section "Purpose, legitimacy and conservation of the treatments of the data sent through: Contact form (...) Sending of e-mails (...) Subscription to our newsletter" continues existing an identical information to the one that appeared in date 31/01/2019: The provision of personal data will require a minimum age of 13 years or, in its case, to have sufficient legal capacity to contract.
 
7. On 31/10/2019 the page ***URL.1 informs that "the new person in charge of the web hosted in ***URL.2 and of the processing of personal data" is Mr. B.B.B. with tax identification number ***NIF.1 and fiscal address in street ***DIRECTION.1
 
 
LEGAL BASIS


LEGAL BASIS
I
I
In accordance with Article 84 (3) of General Telecommunications Law 9/2014 of 9 May (General Telecommunications Act), it is¬ the responsibility of the Director of the Spanish¬ Data Protection Agency.
By virtue of the powers that Article 58.2 of the RGPD recognises to each supervisory authority, and as established in Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.
 
II
II
The joint assessment of the documentary evidence in the procedure is brought to the attention of the AEPD (AEPD) with a view of¬ the action complained of, as stated above.
However, in the present case, the following points should be clarified:
The complainant was included in the Robinson List since 2013 and stated this in both emails and letters sent to the respondent, stating that he was receiving advertising calls.
The list of all communications is to be found in the written submissions, both for¬ the file and for a motion for a resolution.However, for example, there is an email dated 21/12/17, from  * * * EMAIL.4, and to  protecciondedatos@vodafone.es;And  protecciondedatos@ono.es where the complainant attaches the document concerning the exercise of the right to access and re¬ destined for his or her data and another document dated 27/12/17, with the same origin and destination, where the complainant repeats the petitions and has shown that he still receives from the company a¬ commercial player.
With regard to the company’s claims when it indicates that the telephone number from which the commercial calls were made  (* * * TELEFIFO2), it does not belong to the company or to any of its partners, it should be noted that there is also an email sent by the complainant, on 16/03/18 to the complaint, where it is reported that he receives commercial calls from Vodafone, from the telephone number  * * * TELEFFONO.5, but there is no clarification as to the ownership of this number in¬ Vodafone’s statements.The company was brought to the attention of the company, both in¬ the e-mail sent by the complainant on 16/03/18 and by the complainant in the letter which was sent to them on 31/10/19.
Apart from this, the company has recognised that it was not until 08/04/17, when it ticked the complainant’s register with the options for:“not to receive communications from Vodafone or Vodafone”;“do not use traffic and billing data for commercial purposes” and “do not use navigation data for commercial purposes” and provides a copy of the e-mail dated 29/04/19, to  dpo-spain@vodafone.com
C/Jorge Juan, 6 www.agpd.es
28001 — Madrid sedetagd.gob.es


The defendant is accused of violating Article 13(1) of the PGI, in relation to Articles 6(1)(a) and 8 of Regulation 2016/679. Infringement typified in Article 83.5 of the RGPD and, for the purposes of prescription, qualified by the LOPDGDD as a very serious infringement (Article 72.1.h).
and to the complainant’s address, where they apologise for the event, stating that they have already taken the appropriate measures to avoid including the complainant in the form¬ of commercial activities.
 
However, the 11/11/18, Vodafone sends from:Proposals.onovoid proposals— fone@gmail.com;To the complainant’s address, * * * EIMA.1, an e-mail with a commercial content which refers to the promotion of products and services of the brand VOLTAONE ONO.
Article 13 of the RGPD, under the heading "Information to be provided when personal data are obtained from the interested party", establishes
Finally, it continues to state, on the part of the entity in question, that it does not have an unlawful¬ act of life in its acts, but it must be borne in mind that this is not at the origin of the case by¬ reference to the intention or otherwise of the commercial calls.This is sanctioned by the entity’s lack of diligence in solving a problem with a customer, since it knew about the fact that the complainant was on a Robinson list and that he continued to receive telephone calls and e-mails with the company’s promotions, he did not take any action in this respect, thereby allowing the complainant to continue to receive advertising, with the entity failing to send advertising to the complainant by means of e-mails and¬ commercial flame until he did not include it in its ‘Robinson List’.
 
On the request of the entity in question to be punished, if the pre closure¬ file is not closed, to impose a sanction  ‘for minor infringement to its minimum grade’, to indicate that, both in the opening of the file and in the motion for a resolution, the sanction imposed as minor in Article 78.11 of the LGT, punishable by a fine of up to EUR 50,000, is deemed to be in line with the minimum level requested, as 40 % of the maximum possible sanction.
"Where personal data are obtained from a data subject, the data controller shall, at the time when the data are obtained, provide the data subject with all the following information
— III —
a The identity and contact details of the controller and, where appropriate, his representative;
The facts set out above involve a breach of Article 48 (1) (b) of the Ley LGT, as set out in Title III of Law LGT, which states that:‘With regard to the protection of personal data and privacy with regard to directories of subscribers, end-users of electronic communications services shall have the following rights:(...) (b) to object to receiving unwanted calls for the purposes of commercial communication which take place through systems other than those set out in the previous paragraph and to be informed of this right ",
a The contact details of the data protection representative, if any;
This Infringement is found to be ‘minor’ in Article 78 (11) of that Standard, which it considers as such:‘Breach of public service obligations, public obligations and infringement of the rights of consumers and end-users as laid down in Title III of the Law and its implementing legislation may be fined up to EUR 50.000 in accordance with Article 79 (d) of the LGT.  
(a) The purposes of the processing for which the personal data are intended and the legal basis of the processing;' (Emphasis added)
 
In accordance with the above-mentioned precept, the data controller is obliged to inform the data subject whose personal data are collected of the "legal basis of the processing" he or she is going to carry out; this implies informing the data controller of the legitimacy of the entity collecting the data for the specific processing he or she intends to carry out. In this regard, Article 5.1.a) of the RLOPD mentions among the principles governing the processing of personal data that of "lawfulness".
 
The "lawfulness of processing" is regulated in Article 6 of the RGPD, which states
 
"1. Processing shall be lawful only if at least one of the following conditions is met
the data subject has given his consent to the processing of his personal data for one or more specific purposes.
(...) (Emphasis added by the AEPD)
 
The transcribed provision is supplemented by Article 8 of the same legal text
-RGPD- which deals with the "Conditions applicable to the child's consent to information society services":
 
"Where Article 6(1)(a) applies in relation to the direct supply of information society services to children, processing of a child's personal data shall be considered lawful when the child is at least 16 years old. If the child is under 16 years of age, such consent shall be considered lawful only if and to the extent that it was given or authorised by the holder of parental authority or guardianship over the child.
Member States may provide by law for a lower age for such purposes, provided that it is not lower than 13 years.
 
2. The controller shall make reasonable efforts to verify in such cases that the consent was given or authorised by the holder of parental authority or guardianship over the child, taking into account available technology.
3. Paragraph 1 shall be without prejudice to general provisions of the contract law of the Member States, such as rules concerning the validity, formation or effect of contracts in relation to a child. (Emphasis added by the ECDPA)
 
Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter referred to as LOPDGDD), which entered into force on December 7 (Final Provision Sixteen), has made use of the authorization granted by Article 8.1., last paragraph, of the RGPD to Member States to determine the age at which it is lawful for a person under 16 years of age to give his or her consent to the processing of his or her data in connection with the direct provision of information society services.
 
The LOPDGDD, within the limits of Regulation 2016/697, sets the age for consenting to the processing of data at 14 years of age. Article 7 of the LOPDGDD under the heading "Consent of Minors", states
 
"1. The processing of the personal data of a minor may only be based on his/her consent when he/she is over fourteen years of age.
Exceptions are made in cases where the law requires the assistance of the holders of parental authority for the conclusion of the legal act or transaction in the context of which consent to processing is sought.
 
2. The processing of the data of minors under fourteen years of age, based on consent, shall be lawful only if the consent of the holder of parental authority or guardianship is given, to the extent determined by the holders of parental authority or guardianship". (The underlining is from the AEPD)
 
III
 
The ***URL.1 web page offers the telematic sale of various products and offers the possibility to those who wish to subscribe to its commercial bulletin or newsletter with the aim of receiving informative and advertising communications about its products or services; communications that - it says - will also be received by electronic means "(E-mail, SMS, etc)".
 
The website details that the legal basis for the processing of personal data through the sending of commercial bulletins is the consent given by the user when he or she subscribes to these mailings. The website states as follows:
 
"Obligation to provide your personal data and consequences of not doing so
 
The provision of personal data requires a minimum age of 13 years or, where appropriate, have sufficient legal capacity to contract.


The personal data requested are necessary to manage your requests and/or provide you with the services you may contract, so that, if you do not provide them, we will not be able to attend to you correctly or provide the service you have requested".
In accordance with the above, and without prejudice to the outcome of the proceedings, for the purposes of determining the amount of the penalty to be imposed in the present case, it is considered appropriate to graduate the penalty to be imposed in accordance with the following criteria laid down in Article 80 (1) and (2) of the LGT:
- Cessation of the unlawful activity, prior to or during the procedure of the former¬ penalty order (paragraph g).
- The taking into account of the economic situation of the offender (point 2).
Following evidence obtained at the stage of previous investigations, it is considered appropriate to graduate the penalty to EUR 20,000 (twenty thousand euros).
Therefore, in the light of the above, by the Director of the Spanish Data Protection Agency,
HEREBY ORDERS:
FIRST:Imposing an amount of EUR 20,000 (twenty thousand euros) to the entity VODAIONE ONO SAU, with C.I.F. A62186556, for infringement of Article 48 (1) (b) of Law LGT, which is classified as ‘minor’ in Article 78 (11) of the Law.
SECOND:Notify the complainant of this decision and report back to the complainant on the outcome of the complaint.
THIRD:Please note that the sanction imposed must be effective once this decision is enforceable, in accordance with the provisions of Article 98.1 (b¬) of Law No 39/2015 of 1 October 2015 on the administrative and administrative procedure for public¬ administrations (LPACAP), within the period for voluntary payment referred to in Article 68 of the General Tax Collection Regulation, approved by Royal De¬ Creto 939/2005 of 29 July 1992, in conjunction with Article 62 of Law No 58/2003 of 17 December 1992, by entering into the restricted account No  ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency with the Banco CAIXABANK, S.A. or else, it will be collected in a limited period of time.¬
Once they have been notified and enforceable, if the date of enforceability is between 1 and 15 of each month inclusive, the period for payment¬ will be until the 20th day of the following month or immediately, and if the date of enforceability is¬ between 16 and the last day of each month, both inclusive, the time limit for payment is until 5 of the second next or immediate working month.  


It seems appropriate to recall - for the purposes of applying Article 8 of the GPRS - that commercial bulletins sent by electronic means constitute an information society service. In this respect, we refer to the definition given in the Annex to Law 34/2002 on Information Society Services (LSSI):
Pursuant to Article 82 of Law 62/2003 of 30 December on¬ tax, administrative and social measures, this Resolution shall be made public once it has been notified to the persons concerned.The publication will¬ be made in accordance with Instruction 1/2004 of 22 December on the Spanish Data Protection Agency on the publication of its resolutions.
Pursuant to Articles 112 and 123 of the LPACAP, the interested parties may lodge an appeal against this decision before the Director of the Spanish Data Protection Agency within one month of making this decision¬, or, directly, an administrative appeal before the Chamber for Contentious Administrative Proceedings¬ of the National High Court, pursuant to¬ Article 25 and paragraph 5 of the fourth additional provision of Law No 29/1998 of 13/07, governing the Jurisdiction of the Administrative Courts, within the period of¬ two months from the day following notification of this act, as provided for in Article 46 (1) of the aforementioned Law.
"For the purposes of this Law, it is understood that:
Finally, it should be noted that, in accordance with Article 90.3 (a) of the LPACAP, the final decision may be suspended as a precautionary measure if it is¬ clear that they intend to bring administrative proceedings.If this is the case, the person concerned must formally notify this fact in writing, addressed to the Spanish Data Protection Agency, by means of the Agency’s¬ Electronic Medicinal Product website [https://sedeagpd.gob.es/sede-electronicaweb/], or through one of the other registers provided for in Article 16.4 of Law 39/2015 of 1 October 2013.He shall also transfer to the Agency the documents attesting to the actual lodging of the appeal.If the Agency is not aware of the lodging of the contentious appeal proceedings within two months of the day following the notification of this decision, it would terminate the provisional suspension.
a. Information society services or services: any service normally provided for payment, at a distance or by electronic means and at the individual request of the recipient. (...)Information society services are, among others and provided that they represent an economic activity, the following:
Martes España Martí
The contracting of goods and services by electronic means
(...)
4. The sending of commercial communications. (...)" (Emphasis added)
 
The Privacy Policy of the web page banderacatalana.cat., in compliance with the obligation imposed by article 13.1 of the RGPD, provides information about the identity and contact details of the person responsible for the treatment (section a, of the precept). The person responsible who on the date of the opening of the agreement to initiate the sanctioning process was Grup BC, S.L., with NIF B65880916.
 
It also informs - as required by section b, of article 13.1, of the RGPD - of the purposes of the data processing and of the legitimacy of the processing it carries out. This information is provided by distinguishing three hypotheses that correspond to the three ways in which the Privacy Policy of the site provides for the collection of data from third parties: the contact forms, the sending of emails or the subscription to the news magazine (newsletter).
 
The Privacy Policy examined always identifies "consent" as the origin or cause of the legitimacy of the data processing - for the three cases or hypotheses it contemplates. It therefore states, respectively for each of these cases, that the legitimacy is based on consent "when requesting information from us through the contact form", or "when requesting information from us through your e-mail address" or "when subscribing to your commercial mailings".
 
Thus, the legality of the processing of personal data of third parties is protected by Article 6.1.a) of the RGPD.
 
At this point, it should be stressed that Article 6 of the GPRS is linked to Article 8 of the same legal text, which warns that when the data subject's consent (Article 6(1)(a) of the GPRS) is applied in relation to the direct provision of Information Society services to children, processing is lawful only if the minor is at least 16 years old, and Member States may set a lower age limit provided that the minor has reached the age of 13. It should be remembered that the LOPDGDD has set this age at 14 (Article 7 of the LOPDGD).
 
However, the Privacy Policy of the website states that the provision of personal data requires a minimum age of 13 years or, if appropriate, having sufficient legal capacity to contract (the underlining is from the AEPD). According to this statement, it seems that the person over thirteen and under fourteen years of age can consent to the processing of their personal data. Information that is contrary to the provisions of Article 8 of the RGPD, in relation to its Article 6.1.a, and Article 7.1 of the LOPDGDD.
 
The information provided by the website coincides with the criterion initially adopted by the draft Organic Law on Data Protection and which, in the end, was not reflected in the Law. On the contrary, the LOPDGDD of 5 December, which came into force on 7 December, sets the lower limit for the minor
of age consents to the processing of their data in 14 years old.
 
It should be added to the above that the claimant, in addition to not having made any allegations to the agreement to start the file, despite the fact that it is proven that he has received it (see Proven Facts), has not rectified the information provided in his Privacy Policy.
 
In short, as article 13.1.c) of the RGPD requires that the person responsible for the processing of the data, when these are obtained directly from the data subject, informs about the legal basis of the processing and, given that the information that the Privacy Policy of the Catalan flag website.cat provides in relation to the legal basis of the processing of personal data for commercial purposes - data that is collected when filling out the form in the newsletter - contravenes the RGPD - articles 6.1.a in relation to article 8.1- and the LOPDGD
-Article 7-, the information provided on the website ***URL.1, for which GRUP BC, S.L. was responsible on the date on which the agreement to commence was notified, infringes Article 13(1)(c) of the RGPD.
 
IV
 
Article 58.2 of the RGPD states:
 
"Each supervisory authority shall have all the following corrective powers as set out below:
(…)
to punish any controller or processor with a warning where processing operations have infringed the provisions of this Regulation.
(…)
impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case,
(…)”
 
On the appropriateness of opting, in the present case, for the penalty of a fine provided for in Article 83(5) of the GPSD or for the penalty of a warning under Article 58(2)(b), recital 148 of Regulation 2016/679 should be referred to, which offers the following reflection:
 
"In case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden on a natural person, a warning may be imposed instead of a penalty in the form of a fine. However, particular attention should be paid to the nature, gravity and duration of the infringement, its intentional nature, the measures taken to mitigate the damage suffered, the degree of liability or any previous relevant infringement, the manner in which the supervisory authority became aware of the infringement, compliance with measures ordered against the person responsible or entrusted, adherence to codes of conduct and any other aggravating or mitigating circumstances" (emphasis added by the AEPD)
 
Having analysed the circumstances of the case in question, since the examination of the Privacy Policy of the respondent shows that in December 2018, in general, it had been updated to the terms of the RGPD and that the erroneous information provided regarding the age at which a minor could consent to the processing of his or her personal data could be
caused by the fact that it adopted the criterion that the draft Organic Law on Data Protection initially set - according to which the age limit was 13 years - and did not rectify it later - when the LOPDGDD was approved and changed the criterion of the draft establishing 14 years as the minimum age - it is considered appropriate to punish the infringement of the RGPD for which it is responsible with a warning and not with the fine provided for in Article 83.5 RGPD, as this decision is more in line with the spirit of the RGPD in the light of recital 148.
 
 
Therefore, in accordance with the applicable legislation,
 
the Director of the Spanish Data Protection Agency RESOLVES:
 
FIRST: TO IMPOSE on GRUP BC S.L. (BANDERACATALANA.CAT), with NIF
B65880916, for an infringement of Article 13(1), in connection with Articles 6(1)(a) and 8 of Regulation (EU) 2016/679, General Data Protection Regulation (RGPD), and Article 7 of the LOPDGDD, as defined in Article 83(5) of the RGPD, a warning sanction provided for in Article 58(2)(b) of the RGPD)
 
SECOND: TO NOTIFY this resolution to GRUP BC S.L. (BANDERACATALANA.CAT).
 
THIRD: In accordance with the provisions of Article 50 of the LOPDPGDD, this Resolution will be made public once it has been notified to the interested parties.
 
Against this resolution, which puts an end to the administrative procedure according to article 48.6 of the LOPDPGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, file an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly file an administrative appeal with the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.
 
Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of the LPACAP, the firm resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. He must also send to the Agency the documentation that accredits the effective filing of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it will terminate the precautionary suspension.
 
Mar Spain Martí
Director of the Spanish Data Protection Agency
Director of the Spanish Data Protection Agency
</pre>
</pre>

Revision as of 11:13, 6 March 2020

AEPD - PS/00209/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 84(3) Spanish General Law of Telecommunications

Article 57(1) GDPR

Article 83(2) GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: n/a
Fine: EUR 20,000
Parties: VODAFONE ONO SAU
National Case Number: PS/00209/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

EUR 20,000 fine was imposed against VODAFONE ONO SAU for unsolicited commercial calls and e-mails without consent and despite the client's objection.

English Summary

Facts

The complainant claimed that he received many commercial calls and e-mails, to which he hadn't consented and after having notified the company many times that he didn't want to receive them. The telephone number from which the calls were made did not belong to the company according to its statements.

Dispute

Holding

The AEPD found that the company did not take any action to cease the unsolicited communication although it was aware of the complainant's objection. Thus, it imposed the fine of EUR 20,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.


Procedure No:PS/00209/2019
938-0419
RESOLUTION OF THE DISCIPLINARY PROCEEDINGS
In sanction proceedings PS/00209/2019, instructed by the Spanish Data Protection Agency, the entity VODANOONE SAU, with C.I.F. A62186556, (hereinafter referred to as the “respondent”), having regard to the complaint lodged by  A.A.A., (Mr Lante¬, “the complainant”), and on the basis of the following:
BACKGROUND
FIRST:Since December 2017, the complainant has submitted a number of letters to the complainant in which he denounces the entity VODAFONE, on the basis of the receipt of commercial calls, without his consent and having informed the company on several occasions that he refused to receive them.The telephone number is included in the RoRobon List since 2013 and is not a customer of the company.You also complain about the receipt of commercial emails in a number of accounts of your title, also stating that you have repeatedly objected to receiving this type of email.
With the letters of complaint, it is accompanied by the certificate of registration in the Robinson List since 2013 and several letters and letters sent to the company, the content and relationship of which is detailed in the document initiating the procedure and in the letter of motion for a resolution.
SECOND:In the light of the facts set out in the complaint and the documents provided by the complainant, the Subdirectorate-General for Data Inspection carried out measures to clarify matters, under the powers of investigation conferred on the supervisory authorities in Article 57 (1) of the GDPR.Thus, on 31/10/18, an information injunction was sent to the entity in question.
THIRD:By letter dated 18/01/19, in the context of Cases E/08257/2018, E/0482/2019 and E/2463/2019, the entity complained against provided the Agency with detailed information in the document initiating the procedure and in the motion for a resolution.
FOURTH:In the light of the facts reported, the documentation provided by the parties and in accordance with the evidence available, the Data Inspectorate of this Spanish Data Protection Agency took the view that the conduct of the entity complained against did not fulfil the conditions laid down by the legislation in force, with the result that a penalty procedure should be opened.Thus, on 09/09/19, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the entity sought, pursuant to the powers set out for infringement of Article 48 (1) (b) of the LGT, arguing that:‘In the present case, it has been verified that the person concerned, being listed in the Robinson List as from year 2013 and having even exercised his right to object to the entity VOLADFONE, to object to his personal data being processed for commercial use, has continued to send advertisements to 
Ooped
Data subject via e-mail and commercial calls in the following years
FIFTH:Notified of the initiating agreement, the entity in question, by letter of 23/09/19, put forward arguments, the content of which is set out in detail in the written motion for a resolution.
SIXTH:On 21/10/19, the probationary period was commenced and the complaint lodged by the complainant and its documentation, the documents obtained and generated which form part of the file and reproduced for purposes of proof, the allegations made in the original agreement of PS/00209/2019, submitted by the party against which the complaint was lodged, were reproduced for the purposes of proof.
SEVEN:On 10/12/19, the entity is notified of the proposal to propose a¬ solution in which it is proposed that the Director of the Spanish Data Processing Agency should sanction VODAFONE España SAU, as a result¬ of an infringement of Article 48 (1) (b) of the LGT, which is classified as minor in Article 78 (11) of the LGT, with a fine of EUR 20,000 (twenty thousand euros),
EIGHT:Notified of the motion for resolution, the entity in question puts¬ forward arguments on the proposal for the period granted for that purpose, essentially on the basis of:
‘The complainant claims to be receiving commercial calls at Vodafone’s * * * telecommunication telephone number by Vodafone, but does not indicate the numbers calling¬ the number * * * TELEFONO.2.We have again checked that this calling-number is not owned by Vodafone, nor does it appear in the database from which they make calls to the employees of my client.
In accordance with the Memorandum of Understanding set out in the Memorandum of Understanding set out in the Agreement to initiate this Procedure, Vodafone is reaffirming that all the telephone numbers of this customer, namely its mobile line * * * TELEFONO.3, and its fixed lines * * * Tylfon.O.4 and * * * TELEFFUNO.1, are included in the Official Digital List as well as in our internal Robinson List.Thus Vodafone could not have included them in¬ the collection campaigns directly managed by it.
In particular, we verified that the exact dates since they were included are the following:
—  * * * TELEFFONO3:It is included in the Official Digital List from the time of¬ the submission of 11 December 2013.It is also included in our internal Robinson List as from 5 February 2019. 
Ooped
 —  * * * TELEFFONO4:It is included in the Official Digital List from the time of¬ the submission of 11 December 2013.It is also included in our internal Robinson List as from 31 January 2019.
— * * * TELEFFONO1:It is included in the Official Digital List from the time of¬ the submission of 11 December 2013.It is also included in our internal Robinson List as from 15 May 2018.
We also verified once again that, for the services for which the complainant is a customer, as already explained in previous reporting requirements, the tant¬ has a conspicuity check that is marked so that it can also not be included in marketing years for portfolio customers.
Similarly, my client is generally taking a number of¬ steps to avoid that third parties using its own databases to handle Vodafone’s name continue to call per sonas such¬ as the complainant that they do not wish to receive commercial calls.
In particular, these measures already known to the Agency are as follows:
1.	A first communication was sent to all our staff on 19 November 2018 to remind them of their obligations in terms of data protection.This is attached as Doc 1.
2.	A simpler automatic system has been set up to¬ enable customers to oppose commercial communications.This request can be made via the darabbaa.s web page. please find attached as Doc. 2 a screen of this website.
3.	A database has been set up with telephone numbers that you use¬ as your colleagues when you call recruitment, in the month¬ of 2018.This database is regularly updated in order to have all the numbers used by all the partners in the different areas of the company (online, teleshopping, retail and door to door).In order to increase the number of registers in the database and to be able to identify potential contributors who do¬ not comply with their obligations as operators responsible for the databases using it and the procedures laid down at Vodafone, the contract is gradually being included in all the contracts with partners, the obli¬ contracted to provide us with the list of telephone numbers from 
Ooped
this calls for calls to be made by both the partner and any¬ undertakings which may be subcontracted to carry out these recruitment activities.
4.	They have been notified to cooperating companies by reminding them of their data protection obligations in respect of collecting calls on behalf of Vodafone, in particular, the directory obligation is stolen, official.In addition, Vodafone has met with the owners and managers of some of these companies for this purpose.
5.	The implementation of other measures is being assessed as the routing of the calls made by these collaborators through Vodafone, which is to¬ be implemented fully by the end of December.In this way, these partners will only be able to make calls through specific and identified numbers, which will also prevent calls to be made to the numbers included in the list of ADHD as well as in the internal Robinson List.
In view of the above, my client understands that it has put all the means¬ available to it and acting in accordance with the rules, as long as all the existing measures have been taken and all the viable filters are applied to prevent practices such as those that the complainant is denouncing, deploying the utmost diligence.
As the Agency is aware, the commercial campaigns directly managed by Vo dafone¬ are based on a robust process that is continuously reviewed and¬, today, Vodafone is assessing the campaigns carried out by third parties to ensure that they do not infringe data protection law or the rights of the persons called on in such campaigns.
In this connection, it should also be borne in mind that those commercial campaigns¬ are not directly carried out by Vodafone but by their collaborators.It is therefore to be understood¬ that the numbers from which calls are received are to be known in order to¬ confirm who does actually do so.The complainant has only provided a number which is not part of the database used by the cooperating companies of Vodaphfo¬ ne to make marketing campaigns as verified.
As far as these facts are concerned, my client wishes to reiterate once again the absence of¬ an infringement in the acts carried out in the file in question.In that regard, it is important to point out the repeal of Article 130 of Law No 30/1992, which provided that ‘only natural and legal persons who are responsible for them may be penalised for acts constituting an infringement’.
We are faced with a lack of room for fault-based liability, a principle which governs or has to apply in the administrative penalty field, since, in so far as it is said — 
Ooped
Cion of the State’s ius puniendi is unacceptable in our legal system for a system of liability without fault.
Having regard to the special nature of the law on penalties, which makes it impossible to impose penalties without taking account of the will of the person concerned, or the factors which may have led to a breach of a legal obligation, that party maintains that the imposition of penalties is not unlawful.
However, as may be seen, the conduct described in the course of the¬ proceedings does not involve any intent whatsoever, either to intent, or to fault.Consequently, since there is¬ no remedy, that party confirms that it is wholly inappropriate to impose a penalty on my client as one of the essential requirements of the administrative penalty law.
The complainant is considered to have acted without a minimum legal standard of probative value, leading to the demonstration of the guilt of Voida — FONE, he shows that the only number provided from the person who received the flame does not¬ belong to any of the collaborator of my client.In addition to the fact that the complainant’s ownership numbers were included in the list of Digital Rights and the internal Robinson List of Vodafone and, therefore, Vodafone’s collaborators should be able¬ to use the filtering of those numbers in the course of the commercial campaigns.
In this regard, it is important to draw attention to the fact that some of the¬ images of this type of campaigns use tretas of the most disparate nature and, on the basis¬ of the facts, it is done by an undertaking which is not for those who work with the idea of causing improper intent, in another call, to capture the user’s interest.
In the alternative, and in the event that, in spite of the explanations given above, the Agency considers that my company merits a penalty for committing an infringement of Article 48.1 (b) of the General Tax Law, the amount of that penalty should be moderated, with the minimum amount being imposed, taking into account the¬ relevant circumstances set out in Article 83.2 of the GDPR:(a) processing of the complainant’s data has been carried out locally;(b) There is no intention on the part of Vodafone that, on the contrary, it causes my client clear damage (complaints, bad image, possible fine for the¬ Agene, etc. and c) it is taking all due care that can be required for the purpose of ensuring¬ that these staff perform properly¬ in carrying out trade campaigns on behalf of Vodafone. 
Ooped
The requested entity is requested to:1There was no need to adjudicate on the matter, with the result that action 2 was closed.In the alternative, impose on my¬ own initiative the penalties for minor infringements to the minimum grade.
In the light of the above, the following facts are considered by the Spanish Data Protection Agency in the present proceeding.
FACTS
1.	— Constant inscribed on the Robinson List the following phone numbers and email addresses in the name of the complainant since 11/12/13:Telephone lines:* * * TELEFONO.1, * * * TELEFFONO4 and * * * TELEFFONO3;— E-mail addresses:* * * EMAIL.1,  * * * EMAIL.2,  * * * EMAIL.3.
2.	— On 21/12/17, the complainant sends, by email  * * * EMAIL.4, the documentation required by Vodafone to exercise his access and revocation rights.This documentation is sent to the addresses.
Data protectiondedata. is:And data protectionwith@ono.
3.	The complainant has provided a copy of a letter addressed to VODAFONE SPAIN SAU — handed over to the consignee on 12/02/18-, to receive commercial calls from the company on its telephone number  * * * TELEFIFO1, from the telephone number  * * * TELEFFONO2, and by reiterating the right of access to and cancellation of the company.
4.	In the email sent by the complainant on 16/03/18, from management
* * * EMAIL.4 and for use	 for data @ vodaine.	 and
Protecciondedatos@ono.es, you complain that you receive commercial calls from Vodafone, and you repeat the requests made to the company that you should not call you again.
5.	The company recognises (by letter sent to this agency on 10/05/19) that:
“08/04/17 marked negative options:“not to receive communications from Vodafone or Vodafone”;‘Do not transfer their data to other companies in the Vodafone group’;“do not use traffic and billing data for commercial purposes” and “do not use navigation data for commercial purposes”.
6.	The complainant provided a copy of an email dated 11/11/18, to  propuestas.onovodafone@gmail.com:The e-mail address,  * * * EIMA.1, the content of which refers to the promotion of products and services of the mark VOLTAONE ONO.
7.	— The respondent submits a copy of an e-mail dated 29/04/19, originating from dpo-spain@vodafone.com and  posted to the complainant’s address, where they apologise for the event, stating that they have taken the necessary measures to avoid including them in the next business actions, and requesting that, if they are subsequently repeated, the calling line is identified against the distributor.

 LEGAL BASIS
I
In accordance with Article 84 (3) of General Telecommunications Law 9/2014 of 9 May (General Telecommunications Act), it is¬ the responsibility of the Director of the Spanish¬ Data Protection Agency.
II
The joint assessment of the documentary evidence in the procedure is brought to the attention of the AEPD (AEPD) with a view of¬ the action complained of, as stated above.
However, in the present case, the following points should be clarified:
The complainant was included in the Robinson List since 2013 and stated this in both emails and letters sent to the respondent, stating that he was receiving advertising calls.
The list of all communications is to be found in the written submissions, both for¬ the file and for a motion for a resolution.However, for example, there is an email dated 21/12/17, from  * * * EMAIL.4, and to  protecciondedatos@vodafone.es;And  protecciondedatos@ono.es where the complainant attaches the document concerning the exercise of the right to access and re¬ destined for his or her data and another document dated 27/12/17, with the same origin and destination, where the complainant repeats the petitions and has shown that he still receives from the company a¬ commercial player.
With regard to the company’s claims when it indicates that the telephone number from which the commercial calls were made  (* * * TELEFIFO2), it does not belong to the company or to any of its partners, it should be noted that there is also an email sent by the complainant, on 16/03/18 to the complaint, where it is reported that he receives commercial calls from Vodafone, from the telephone number  * * * TELEFFONO.5, but there is no clarification as to the ownership of this number in¬ Vodafone’s statements.The company was brought to the attention of the company, both in¬ the e-mail sent by the complainant on 16/03/18 and by the complainant in the letter which was sent to them on 31/10/19.
Apart from this, the company has recognised that it was not until 08/04/17, when it ticked the complainant’s register with the options for:“not to receive communications from Vodafone or Vodafone”;“do not use traffic and billing data for commercial purposes” and “do not use navigation data for commercial purposes” and provides a copy of the e-mail dated 29/04/19, to  dpo-spain@vodafone.com
C/Jorge Juan, 6	 www.agpd.es
28001 — Madrid	 sedetagd.gob.es 

and to the complainant’s address, where they apologise for the event, stating that they have already taken the appropriate measures to avoid including the complainant in the form¬ of commercial activities.
However, the 11/11/18, Vodafone sends from:Proposals.onovoid proposals— fone@gmail.com;To the complainant’s address,  * * * EIMA.1, an e-mail with a commercial content which refers to the promotion of products and services of the brand VOLTAONE ONO.
Finally, it continues to state, on the part of the entity in question, that it does not have an unlawful¬ act of life in its acts, but it must be borne in mind that this is not at the origin of the case by¬ reference to the intention or otherwise of the commercial calls.This is sanctioned by the entity’s lack of diligence in solving a problem with a customer, since it knew about the fact that the complainant was on a Robinson list and that he continued to receive telephone calls and e-mails with the company’s promotions, he did not take any action in this respect, thereby allowing the complainant to continue to receive advertising, with the entity failing to send advertising to the complainant by means of e-mails and¬ commercial flame until he did not include it in its ‘Robinson List’.
On the request of the entity in question to be punished, if the pre closure¬ file is not closed, to impose a sanction  ‘for minor infringement to its minimum grade’, to indicate that, both in the opening of the file and in the motion for a resolution, the sanction imposed as minor in Article 78.11 of the LGT, punishable by a fine of up to EUR 50,000, is deemed to be in line with the minimum level requested, as 40 % of the maximum possible sanction.
— III —
The facts set out above involve a breach of Article 48 (1) (b) of the Ley LGT, as set out in Title III of Law LGT, which states that:‘With regard to the protection of personal data and privacy with regard to directories of subscribers, end-users of electronic communications services shall have the following rights:(...) (b) to object to receiving unwanted calls for the purposes of commercial communication which take place through systems other than those set out in the previous paragraph and to be informed of this right ",
This Infringement is found to be ‘minor’ in Article 78 (11) of that Standard, which it considers as such:‘Breach of public service obligations, public obligations and infringement of the rights of consumers and end-users as laid down in Title III of the Law and its implementing legislation may be fined up to EUR 50.000 in accordance with Article 79 (d) of the LGT. 

In accordance with the above, and without prejudice to the outcome of the proceedings, for the purposes of determining the amount of the penalty to be imposed in the present case, it is considered appropriate to graduate the penalty to be imposed in accordance with the following criteria laid down in Article 80 (1) and (2) of the LGT:
-	Cessation of the unlawful activity, prior to or during the procedure of the former¬ penalty order (paragraph g).
-	The taking into account of the economic situation of the offender (point 2).
Following evidence obtained at the stage of previous investigations, it is considered appropriate to graduate the penalty to EUR 20,000 (twenty thousand euros).
Therefore, in the light of the above, by the Director of the Spanish Data Protection Agency,
HEREBY ORDERS:
FIRST:Imposing an amount of EUR 20,000 (twenty thousand euros) to the entity VODAIONE ONO SAU, with C.I.F. A62186556, for infringement of Article 48 (1) (b) of Law LGT, which is classified as ‘minor’ in Article 78 (11) of the Law.
SECOND:Notify the complainant of this decision and report back to the complainant on the outcome of the complaint.
THIRD:Please note that the sanction imposed must be effective once this decision is enforceable, in accordance with the provisions of Article 98.1 (b¬) of Law No 39/2015 of 1 October 2015 on the administrative and administrative procedure for public¬ administrations (LPACAP), within the period for voluntary payment referred to in Article 68 of the General Tax Collection Regulation, approved by Royal De¬ Creto 939/2005 of 29 July 1992, in conjunction with Article 62 of Law No 58/2003 of 17 December 1992, by entering into the restricted account No  ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency with the Banco CAIXABANK, S.A. or else, it will be collected in a limited period of time.¬
Once they have been notified and enforceable, if the date of enforceability is between 1 and 15 of each month inclusive, the period for payment¬ will be until the 20th day of the following month or immediately, and if the date of enforceability is¬ between 16 and the last day of each month, both inclusive, the time limit for payment is until 5 of the second next or immediate working month. 

Pursuant to Article 82 of Law 62/2003 of 30 December on¬ tax, administrative and social measures, this Resolution shall be made public once it has been notified to the persons concerned.The publication will¬ be made in accordance with Instruction 1/2004 of 22 December on the Spanish Data Protection Agency on the publication of its resolutions.
Pursuant to Articles 112 and 123 of the LPACAP, the interested parties may lodge an appeal against this decision before the Director of the Spanish Data Protection Agency within one month of making this decision¬, or, directly, an administrative appeal before the Chamber for Contentious Administrative Proceedings¬ of the National High Court, pursuant to¬ Article 25 and paragraph 5 of the fourth additional provision of Law No 29/1998 of 13/07, governing the Jurisdiction of the Administrative Courts, within the period of¬ two months from the day following notification of this act, as provided for in Article 46 (1) of the aforementioned Law.
Finally, it should be noted that, in accordance with Article 90.3 (a) of the LPACAP, the final decision may be suspended as a precautionary measure if it is¬ clear that they intend to bring administrative proceedings.If this is the case, the person concerned must formally notify this fact in writing, addressed to the Spanish Data Protection Agency, by means of the Agency’s¬ Electronic Medicinal Product website [https://sedeagpd.gob.es/sede-electronicaweb/], or through one of the other registers provided for in Article 16.4 of Law 39/2015 of 1 October 2013.He shall also transfer to the Agency the documents attesting to the actual lodging of the appeal.If the Agency is not aware of the lodging of the contentious appeal proceedings within two months of the day following the notification of this decision, it would terminate the provisional suspension.
Martes España Martí
Director of the Spanish Data Protection Agency