AEPD - PS/00212/2019

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 28. 2. 2020
Fine: 48,000 EUR
Parties: Anonymous; Vodafone Ono, S.A.U.
National Case Number/Name: PS/00212/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)

The Spanish Data Protection Agency (AEPD) imposed a fine of EUR 48,000 on Vodafone Ono, S.A.U., as data controller, for infringing the security of processing obligation under Article 32 GDPR.

English Summary

Facts

The decision follows a complaint submitted by a Spanish citizen. When she logged into the data controller's online customer area (with her own user name and password) to cancel a service contracted in her mother's name, the customer area showed her the personal data of a third person unrelated to her mother. She attached screenshots of the customer area to the complaint.

The data controller did not respond to any of the investigation requests (neither the complainant's nor the AEPD's), so the AEPD opened sanctioning proceedings.

In these proceedings, the data controller argued that the incident was probably due to human error: both the complainant and the third person had called the data controller's customer service on the same day, and the customer service agent had probably issued them the same access code. The data controller claimed that there was neither intent nor culpability on its part.

Dispute

Holding

The AEPD found that the data controller had infringed the security of processing obligation.

It considered the following aggravating circumstances:

(i) the data controller's conduct was unintentional and negligent, but it affected significant data that allow personal identification; and

(ii) basic personal identification data, such as the name and the online access code, were affected.

It proposed a fine of EUR 60,000 and offered the data controller an early payment reduction, which the data controller accepted. Consequently, the final amount of the sanction was EUR 48,000.

English Machine Translation of the Decision

The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.

RESOLUTION R/00338/2019 TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT

In the sanctioning procedure PS/00212/2019, instructed by the Spanish Data Protection Agency against VODAFONE ONO, S.A.U., in view of the complaint submitted by A.A.A., and on the basis of the following

BACKGROUND

FIRST: On 24 June 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against VODAFONE ONO, S.A.U. The agreement to initiate the procedure was notified and, after analysing the allegations presented, on 25 July 2019 a proposal for a resolution was issued, which is transcribed below:

<<Procedure no.: PS/00212/2019

From the procedure initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On January 15, 2019, A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency. The complaint is directed against VODAFONE ONO, S.A.U., with NIF A62186556 (hereinafter, the respondent). The grounds for the complaint are that on 15 January 2019, when the complainant accessed the customer area with the corresponding user name and password in order to cancel a service contracted in the name of her mother, she discovered that the computer system of this entity, with that user name and password, gave her access to the data of a third party unrelated to her mother. On the same day, she reported these facts by telephone, without having received any response about it up to that time.

SECOND: After receiving the complaint, the Subdirectorate General of Data Inspection carried out the following actions: On February 21, 2019, the complaint was transferred to the respondent for its analysis and for communication to the complainant of the decision taken in this regard. The following were requested:

- A copy of the communications and of the decision adopted that was sent to the complainant regarding the transfer of this complaint, and proof that the complainant received the communication of this decision.
- A report on the causes of the incident that gave rise to the complaint.
- A report on the measures adopted to avoid similar incidents.

On 21 February 2019, the complainant was notified of the receipt of the complaint and its transfer to the entity complained of. The respondent has not responded to any of the requests made by the Spanish Data Protection Agency.

THIRD: On 14 May 2019, in accordance with Article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit for processing the complaint presented by the complainant against VODAFONE ONO, S.A.U.

FOURTH: On June 24, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, 2011, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 32 of the RGPD, typified in Article 83.

FIFTH: Having been notified of the above-mentioned agreement to initiate proceedings, the respondent, on July 15, 2019, submitted a statement of allegations in which, in summary, it stated that the facts which are the subject of these proceedings had occurred as a result of a human error. The respondent argues that on 15 January 2019 the two persons involved called the VODAFONE customer service department and that, as a result of this call, each of them was sent a code so that they could view their invoices. It is likely that the agent, by mistake, provided the same code, which could have triggered access to the wrong information. This entity points out that in no case was there any intention or culpability in its way of acting, but insists that the facts were produced by a human error.

SIXTH: On July 23, 2019, the instructor of the procedure agreed to open an evidence period, taking into account the previous investigation actions, E/01730/2019, as well as the documents provided by the respondent on July 15, 2019:

FIRST: On 15 January 2019, when the complainant accessed the client area with the corresponding user name and password in order to cancel a service contracted under her mother's name, she discovered that the computer system of the said entity, with that user name and password, gave access to the data of a third party unrelated to her mother.

SECOND: VODAFONE claims that on January 15, 2019, the two individuals involved called VODAFONE's customer service department, and that as a result of this call each of them was sent a code so that they could view their bills. For this reason, it is likely that the agent mistakenly provided the same code, which could have led to the wrong information being accessed. However, in no case was there any intention or culpability in its way of acting; it is an isolated fact, produced by a human error.

LEGAL GROUNDS

I

In the present case the respondent is accused of committing an infringement of Article 32 of the RGPD, which establishes the following:

"1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the varying risks of probability and seriousness for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate:

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

2. In assessing the appropriate level of security, particular consideration shall be given to the risks presented by the processing, notably as a result of the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.

4. The controller and the processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data processes such data only on instructions from the controller, unless he or she is required to do so by Union or Member State law."

II

In accordance with the evidence available at this time, and without prejudice to the findings of the investigation, it is considered that the known facts could constitute an infringement, attributable to the respondent, of Article 32 of the RGPD, transcribed in Legal Ground I, which states that "the controller and the processor shall implement appropriate technical and organisational measures to ensure an adequate level of security".

The infringement is typified in article 83.4 of the RGPD and is qualified as serious in article 73.1 g) of the LOPDGDD for the purposes of the limitation period.

III

Article 58.2 of the RGPD provides: "Each supervisory authority shall have all of the following corrective powers:

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case."

Article 83(4) of the RGPD provides that "infringements of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines not exceeding EUR 10 000 000 or, in the case of an undertaking, a fine not exceeding 2 % of the total annual turnover of the preceding financial year, whichever is higher".

Likewise, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in article 83.2 of the RGPD:

b) Basic personal identifiers are affected (name, identification number, line identifier), in accordance with article 83.2 g).

In view of the above, the following PROPOSAL FOR A RESOLUTION is issued: that the Director of the Spanish Data Protection Agency impose on VODAFONE ONO, S.A.U., with NIF A62186556, for an infringement of Article 32 of the RGPD, typified in Article 83.4 a) of the RGPD, a fine of 60,000.00 euros.

Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are informed that you may, at any time prior to the resolution of the present procedure, make voluntary payment of the proposed penalty, which will entail a reduction of 20% of its amount. With the application of this reduction, the sanction would be set at 48,000.00 euros and its payment would imply the termination of the procedure. The effectiveness of this reduction is conditional on the waiver or renunciation of any action or appeal in administrative proceedings against the sanction.

In the event that you choose to proceed with the voluntary payment of the amount specified above, in accordance with the provisions of article 85.2 cited above, you must make it effective by paying it into restricted account nº ES00 00000000 0000 0000, opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A., indicating as the payment concept the reference number of the procedure that appears in the heading of this document and "voluntary payment of the reduced penalty amount". In addition, you must send proof of payment to the S.D.G. of Inspection in order to proceed to close the file.

By virtue of this, the foregoing is notified to you and the procedure is made available to you so that, within TEN DAYS, you may submit whatever allegations you consider appropriate in your defence and present the documents and information that you consider relevant, in accordance with article 89.2 in relation to article 73.1 of the LPACAP.

R.R.R.
INSPECTOR/INSTRUCTOR>>

SECOND: On August 2, 2019, VODAFONE ONO, S.A.U. paid the fine in the amount of 48,000 euros, making use of the reduction provided for in the proposed resolution transcribed above.

THIRD: The payment made entails the waiver of any action or appeal in administrative proceedings against the sanction, in relation to the facts referred to in the proposed resolution.
47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter referred to as LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction any infringements committed against the said Regulation; infringements of Article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter referred to as LGT), in accordance with the provisions of Article 84.3 of the LGT; and the infringements defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on information society and electronic commerce services (hereinafter LSSI), in accordance with article 43.1 of said Law.

Article 85 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination of sanctioning proceedings", provides that:

"1. When the sanction is solely pecuniary in nature, or when a pecuniary and a non-pecuniary sanction can be imposed but it has been justified that the latter is not appropriate, voluntary payment by the presumed responsible party at any time prior to the resolution will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement.

3. In both cases, when the penalty is solely pecuniary, the body responsible for deciding the procedure shall apply reductions of at least 20 % of the amount of the proposed penalty, which may be cumulative. These reductions shall be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or renunciation of any action or appeal against the penalty in administrative proceedings."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00212/2019, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to VODAFONE ONO, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, the interested parties may lodge a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law.

Mar España Martí
Director of the Spanish Data Protection Agency