AEPD (Spain) - PS/00227/2019: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 22: Line 22:
|Published:||n/a
|Published:||n/a
|-
|-
|Fine:||60.000 euro
|Fine:||EUR 60,000
|-
|-
|Parties:||XFERA MÓVILES
|Parties:||XFERA MÓVILES
Line 39: Line 39:
|}  
|}  


Following an investigation the Spanish Data Protection Authority imposed a fine of 60.000 Eur on XFERA MÓVILESfor the violation of Article 6(1)(a) GDPR.
Following an investigation the Spanish Data Protection Authority imposed a fine of EUR 60,000 on XFERA MÓVILES for violation of Article 6(1)(a) GDPR.


==English Summary==
==English Summary==

Revision as of 16:39, 12 February 2020

AEPD - PS/00227/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Type: Investigation
Outcome: Violation
Decided: 4.2.2020
Published: n/a
Fine: EUR 60,000
Parties: XFERA MÓVILES
National Case Number: PS/00227/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

Following an investigation the Spanish Data Protection Authority imposed a fine of EUR 60,000 on XFERA MÓVILES for violation of Article 6(1)(a) GDPR.

English Summary

Facts and questions arising

Ms Y subscribed a contract with Xfera Moviles for the provision of an internet connection. After a few months, the company interrupts the service. Following a phone request, Ms Y learned that she was no longer a party to the contract. In fact, although she was still paying for it, the service was being provided to another person, who had requested such change few weeks earlier.

Notwithstanding the clear incongruence of the information provided by the third party, Xfera operators accepted the request, changed the contract without Ms Y's consent and sent invoices to the new billing address. Moreover, such invoices still contained details of Ms Y, such as email address and bank account, which she had never agreed to disclose.=

Holding

According to the AEPD, the controller violated Art. 6(1)(a) GDPR. The data subject had never authorized, amongst the others, the contractual changes, the linking of her data with a new name and the disclosure of such information.

On that subject, the Agency refers to a long-established, consistent national case-law which requires the controller to prove the existence of a consent in case it intends to use it for justifying a processing operation. In the present case, such proof was missing and the company was found responsible of a violation of Art. 6 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure No.: PS/00227/2019



DECISION ON DISCIPLINARY PROCEEDINGS

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: The affected party filed a claim with the Spanish Data Protection Agency on 10/05/2019. The claim is directed against XFERA MÓVILES, S.A. (MASMOVIL), with NIF A82528548 (hereinafter XFERA) . The reasons on which the complaint is based are, in summary, the following: that both the fixed telephone line and the Internet connection via ADSL suddenly stopped working; that when he contacted the company he was informed that there had been a change in the owner's name, address and type of Internet access, now by fibre optics, but that his ID card, bank account and e-mail address were still on record; that these new service conditions led to a change in the contract that resulted in charges to his bank account and that despite having filed a complaint with the company on 30/05/2018, with incident number ***INCIDENCIA.1, On the date the complaint is submitted to the Agency, there is still no fixed telephone or Internet connection, although the mobile lines included in the contract do work. Nor can it connect to the Customer Area; which according to the complainant took place on 29/05/2018

And, among other things, the following documentation is attached:

Combined Services Contract MASMOVIL individuals SEPA Document
Invoice dated 1 March 2018 containing the claimant's details and ADSL Internet access for the contract

***CONTRACT.1 (Obtained via the Customer Area website)

Invoice dated 1 June 2018 containing the changed data and fibre optic Internet access corresponding to the contract ***CONTRACT.2

(Obtained via the Customer Area website)

Complaint dated ***DATE.1 filed with the Directorate General of Police, with certificate number ***STATEMENT.1, enclosing two typewritten sheets on one side, setting out the facts.

SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant / of the facts and documents of which this Agency has become aware, the Subdirectorate General of Data Inspection proceeded to carry out preliminary investigative actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as GPRD), and in accordance with the provisions of Title VII, Chapter I, Section 2 of the Law
Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).

1	In the documentation provided by the claimant, it is noted that there has been a change of contract where the name of the contract holder and the address have been changed, keeping the bank account of the claimant.

1.	On 6 and 8/12/2018 this Agency received two exactly identical letters from XFERA corresponding to the transfer of the complaint. In them he states, having filed a complaint with the Directorate General of Police, that "...taking into account that these facts are already being officially investigated through criminal proceedings, we request that this procedure be resolved in order to clarify the possible causes of the incident...". It should be mentioned that, in these writings, although the file to which they refer is the correct one, they name as claimant a different person from the one who has filed the claim in this case. It's probably a claimant from another file.

2.	On 10/05/2019 a new letter was received by this Agency from XFERA, this time with the correct claimant, partially answering what was required. It states that two incidents were opened with a management date of 20/08/2018 (***INCIDENCIA.1 and ***INCIDENCIA.2) and another later incident with a management date of 11/09/2018 (INCIDENCIA.3). The defendant informs that as a consequence of these incidents the name of the contract holder has been rectified, while at the same time it was confirmed that the contract

***CONTRACT.1 did not generate any billing so it is "no action pending".
When asked about the status of the legal proceedings mentioned in their first submission, in which they requested to be kept waiting for a decision, they said that they were unaware of the status of the proceedings.

They provide a screen print of the impersonation incident processing where you can see the incident number ***INCIDENCIA.4 and the creation date of 11/11/2018 and the unresolved status.

As regards the causes that have motivated the complaint, they inform that they cannot be completely exposed at the time of presentation of this document.

Finally, they state that they are taking appropriate action internally to implement new training measures, including external advice, for all staff involved in the business processes.

3.	When asked by this Agency about the way in which the identity theft took place and the procedure used for the accreditation of identity, it did not give an answer to the questions raised.

THIRD: On June 11, 2019, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the defendant for the alleged infringement of Article 6.1(a) of the RGPD, as defined in Article 83.4 of the RGPD.

FOURTH: Upon notification of the above-mentioned agreement to initiate the proceedings, the respondent submitted a brief of

submissions on 01/07/2019, stating, in summary, the following: the error of assessment of the infringement of Article 6.1 of the RGPD and that at all times their actions were in accordance with the law in force, a different matter being the intervention of a third party in bad faith with a view to defrauding; that there is evidence in the file of the opening of criminal proceedings to investigate the facts that are the subject of the same agreement of initiation and that the same criminal proceedings prevent the continuation of those proceedings, which must be suspended until they are resolved; the invocation of the principle of presumption of innocence due to the insufficient justification of the alleged administrative sanction and the closure of the file.


FIFTH: On 31/07/2019, the instructor of the procedure agreed to the opening of a trial period, and the following were agreed:

-	To consider as reproduced for evidential purposes the claim filed by the claimant and its documentation, the documents obtained and generated by the Inspection Services that form part of file E/10393/2018.
-	To consider as reproduced for evidential purposes, the allegations to the agreement of initiation PS/00227/2019 presented by XFERA MÓVILES, S.A. and the documentation that accompanies them.
-	Ask XFERA for a copy of the content of incidents MM177623, MM234465 and MM272613.

-	Request from the complainant documentation in their possession related to sanctioning procedures that for any reason were not provided at the time of the complaint or any other statement in relation to the facts reported and a copy of your ID card.

The defendant's representation filed a letter of extension on 13/08/2019, which was answered by letter of 26/08/2019.

SIXTH: On 05/11/2019, a proposal for a resolution was issued by the Director of the Spanish Data Protection Agency to sanction XFERA for infringement of Article 6.1(a) of the RGPD, typified in Article 83.5(a) of the RGPD, with a fine of 60,000 euros. It was also accompanied by an Annex containing a list of the documents on file so that copies could be obtained of those deemed appropriate.

XFERA's representatives submitted a written statement on 5 December 2019 in which they reiterated the allegations made during the proceedings and stated that, in any event, the penalty would have to be reduced in order to comply with the principle of proportionality.

SEVENTH: Of the actions carried out in the present procedure, the following have been accredited:

PROVEN FACTS

FIRST . 03/07/2018 of the complainant in which he denounces XFERA stating that both the fixed telephone line and the Internet connection via ADSL stopped working and that he contacted the company to inform them that they
had produced a change of owner, address and type of Internet access (now by fibre optic), but that his ID card, his bank account for direct debit purposes and his e-mail address continued to be recorded; that these new conditions led to a change of contract that caused charges to be made to his bank account and that despite having filed a complaint with the company, on the date the complaint was presented to the Agency, he still had no fixed telephone or Internet connection, although if the mobile lines included in the contract were working, he could not connect to the company's Customer Area either.

SECOND: Complaint filed with the National Police Station on ***DATE.1,
The complainant states, among others:

"That these years pass with normality carrying out the payment of invoices to the day, until the Tuesday I pass day 29/05/2018 it realizes that the connection to Internet does not work for or that it contacts with the company Masmovil who inform him that the ADSL does not work (what had contracted the appearing one), but if the fiber.

They also inform you that a change of contract was made on 05/18/2018 which includes an internet connection by optical fiber and a fixed line as well as a change in the data with which the service was initially contracted (those of the appearing party) to include a new fixed line 919295228, as well as the contracting of optical fiber instead of the ADSL that the appearing party had contracted.

That in the new contract the data of the applicant is changed, appearing as the holder A.A.A. with ID card ***NIF.1 and address at

***DIRECTION.1 of Madrid.

He doesn't know who this person is since he hasn't heard that name in his life.

THIRD: A COMBINED SERVICES CONTRACT FOR PARTICULAR MOBILE has been signed by the entity and the claimant on 08/09/2016, in which

their personal data are included, and two mobile telephone lines associated with the numbers ***TELÉFONO.1 and ***TELÉFONO.2 are recorded as contracted services
and fixed telephony and broadband Internet access services, linked to the fixed line ***TELÉFONO.3, no change of holder or data of the
previous holder.

FOURTH: It also provides a document of Acceptance of direct debit payment of invoices in a bank account of its ownership.

FIFTH: A copy of the invoice issued by XFERA nº ***BILL.1, dated 01/03/2018, containing the personal details of the claimant (name, surname, ID card, bank account details, etc.)

SIXTH: A copy of the invoice issued by XFERA, nº ***BILL.2, dated 01/06/2018, containing the personal data of the third party:

At the same time, the form of payment on the invoice includes direct debit and the holder of the same account as the claimant is associated with

B.B.B.

SEPTIMO. XFERA on 10/05/2018 has provided a screenshot of its computer systems related to the processing of impersonation incidents, number ***INCIDENCIA.4 and creation date of 11/11/2018, unresolved status. At the bottom is the following comment: "please verify, I attach the call where the operator calls the customer to make technology migration but even though the customer gives other different data, the operator, instead of verifying/contrasting, makes mysim change of address, name directly".

EIGHTH: XFERA has not provided any document that accredits or justifies the modification of the conditions indicated above in the contract carried out with the claimant.

LEGAL FOUNDATIONS

I

By virtue of the powers that Article 58.2 of the RGPD grants to each supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II

As a preliminary point, it is necessary to resolve the argument put forward by the representation of the respondent, based on the existence of a criminal preliminary ruling.

It is stated that having become aware that certain facts that could constitute an alleged crime of fraud under article 248 and following of the Criminal Code, a complaint has been lodged with the national police, which would lead to the suspension of the present proceedings in view of a possible criminal offence of false documentation, impersonation and fraud. In particular, as a result of the complainant's complaint, Avon has learned that its recruitment process may have been misrepresented by the fraudulent use of the complainant's identity by a third party.

It should be borne in mind that Article 77.4 of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (LPACAP): "In proceedings of a punitive nature, the facts declared to be proven by final criminal court decisions shall bind the Public Administrations with respect to the punitive proceedings they conduct". However, even if there were prior criminal proceedings in progress, which are not recorded, it should be noted that there is no triple identity necessary to apply Article 77 of the LPACAP, (of
 
subject, fact and foundation), between the administrative offence that is assessed and the possible criminal offence(s) that could result from the alleged Preliminary Diligence carried out by a court. This is because the offending party would obviously not be the same - with regard to infringements of the LOPD the person responsible is the XFERA, while the person responsible for a possible crime of usurpation of personality or fraud would be the third party who had posed as the claimant. Nor would the legal basis be the same: while the legal asset protected by the LOPDGDD is the fundamental right to the protection of personal data, the legal asset protected in the criminal types whose commission would be investigated, if appropriate, by the Court of Instruction would be civil status, assets, etc.

In this sense, the Judgment of the Audiencia Nacional of 27/04/2012 (rec. 78/2010) is very enlightening, in which the Court pronounces itself in the following terms against the appellant's allegation that the AEPD has infringed Article 7 of R.D. 1398/1993 (a rule that was in force until the entry into force of the LPACAP): "In this sense, Art. 7 of Royal Decree 1398/1993, of 4 August, on the procedure for the exercise of disciplinary powers, only provides for the suspension of the administrative procedure when the effective and real existence of criminal proceedings is verified, if it is considered that the identity of the subject, fact and legal basis of the administrative offence and the criminal offence that may correspond concur.

However, in order for a preliminary ruling on criminal matters to be available, it must directly affect the decision to be taken or be essential to the decision, which is not the case here, where there is a separation between the facts for which the decision under appeal punishes the appellant and those which the appellant alleges are potentially unlawful. Thus, even if, in the present case, and due to the facts now in dispute, criminal proceedings were also initiated against the distribution company, the truth is that both the sanctioning conduct and the protected legal asset are different in both ways (contentious-administrative and criminal). In the criminal field, the protected legal good is a possible documentary falsification and fraud, and in the administrative field, on the other hand, the power of disposal of your personal data by its owner, so that such an objection by the defendant must be rejected".

In view of the above, the question raised by the representation of XFERA cannot be accepted and must be rejected.

III

Article 5 of the RGPD deals with the principles that should govern the processing of personal data and mentions among them that of legality, loyalty and transparency, pointing out that

"1. The personal data shall be:

a)	treated in a lawful, loyal and transparent manner in relation to the data subject ("lawfulness, loyalty and transparency");

Furthermore, Article 6, Lawfulness of processing, of the RGPD states that:

"1. Treatment shall be lawful only if at least one of the following conditions is met:

a)	the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes;
b)	the processing is necessary for the execution of a contract to which the person concerned is a party or for the implementation at his request of pre-contractual measures;

(…)”

Article 7 of the RGPD, Conditions for Consent, states that

"Where the processing is based on the consent of the data subject, the controller must be able to prove that the data subject consented to the processing of his or her personal data.

2.	If the consent of the data subject is given in the context of a written statement which also relates to other matters, the request for consent shall be presented in such a way as to be clearly distinguished from other matters, in an intelligible and easily accessible form and using clear and simple language. No part of the declaration which constitutes a breach of these Regulations shall be binding.

3.	The data subject shall have the right to withdraw his/her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to withdrawal. Before giving consent, the person concerned shall be informed of this. It will be as easy to withdraw consent as it is to give it.

4.	In assessing whether consent has been freely given, the utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data that are not necessary for the performance of that contract".

And Article 4 of the RGPD, Definitions, in paragraph 11, states that:

"(11) "Consent of the data subject" means any freely given, specific, informed and unambiguous expression of his or her wishes by which the data subject signifies his or her agreement, either by declaration or by clear affirmative action, to personal data relating to him or her being processed.

Also Article 6, Treatment based on the consent of the affected person, of the new Organic Law 3/2018, of December 5, of Protection of Personal Data and guarantee of the digital rights (hereinafter LOPDGDD), indicates that

"In accordance with Article 4(11) of Regulation (EU) No 2016/679, the consent of the person concerned means any free, specific, informed and unequivocal expression of will by which he or she accepts, either by statement or clear affirmative action, the processing of personal data concerning you.

2.	When it is intended to base the processing of data on the consent of the data subject for a variety of purposes, it must be specifically and unequivocally stated that such consent is granted for all of them.

3.	The execution of the contract may not be made subject to the consent of the person concerned to the processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship".

It is attributed to the claimed party the violation of article 6 of the RGPD; in accordance with the facts declared as proven, it is accredited that the claimed party carried out the modification of the data contained in the telephone contract signed with the claimant, linking them to the personal data of a third party that had nothing to do with it without its consent.

IV

In accordance with the above, the processing of data requires the existence of a legal basis that legitimizes it, such as the consent of the data subject validly given.

From the documentation on file, it is clear that XFERA violated Article 6.1.a) of the RGPD, since the aforementioned entity carried out an illicit treatment of the claimant's personal data, materialized in the alteration of the conditions and personal data of the claimant contained in the contract that joined them, associating her NIF and her bank details to the name, surname and address corresponding to a third party; that both the mobile telephone line and the ADSL contracted stopped working after the aforementioned modifications and that in view of the claim filed by the claimant before XFERA it was qualified as fraud for its study.

In similar cases, the Contentious Administrative Chamber of the National Court of Justice has considered that when the data subject denies consent to the processing of his or her data, the burden of proof falls on the person who asserts its existence, and the data controller must collect and keep the necessary documentation to prove the data subject's consent. Thus, the SAN of 31/05/2006 (Rec. 539/2004), Fundamento de Derecho Cuarto.

The claimant has provided a copy of the contract signed with the company dated 08/09/2016 where there is no change of owner or previous owner's data, as well as the invoices before and after the aforementioned modification. The first invoice contains her address and direct debit data linked to her personal data, while the second invoice contains her personal data modified to include those of a third party outside the company, and the payment method is direct debit, linking the third party as the owner of the same account as the claimant.

It should be noted that respect for the principle of the lawfulness of data requires proof that the data subject has consented to the processing of the data of personal character and display reasonable diligence which is essential to prove this. Failure to do so would render the principle of legality meaningless.

In this regard, XFERA in a letter of 10/05/2018 has provided capture of

screen related to the processing of impersonation incidents, incident number ***INCIDENCIA.4 and creation date of 11/11/2018, unresolved At the bottom is the following comment:" please verify, I attach the call where the operator calls the customer to make technology migration but even though the customer gives other different data, the operator, instead of verifying/contrasting, makes mysim change of address, name directly".

Furthermore, it should be noted that despite the Agency's request for information, the respondent did not provide an answer to the questions raised, such as the way in which the alleged impersonation took place and the procedure used to prove the identity, limiting itself to pointing out that the causes that led to the incident could not be exposed as the events were not known.

V

The infringement attributed to the respondent is defined in Article 83(5)(a) of the RGPD, which considers that the infringement of "the basic principles for processing, including the conditions for consent under Articles 5, 6, 7 and 9" is punishable, in accordance with Article 83(5) of that Regulation, "with administrative fines of 20.000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is greater".

Article 71 of the LOPDGDD, Infringements, states for the purposes of the statute of limitations that: "The acts and conduct referred to in Article 83(4), (5) and (6) of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infringements".

And in its article 72, it considers for the purposes of prescription, that they are: "Infractions considered very serious:

1.	In accordance with Article 83(5) of Regulation (EU) 2016/679, infringements that substantially infringe the articles mentioned therein, and in particular the following, are considered very serious and shall be subject to a three-year limitation period:

(…)
b)	The processing of personal data without meeting any of the conditions for the lawfulness of processing set out in Article 6 of Regulation (EU) 2016/679.

(…)”

In accordance with the facts considered to be proven, the respondent violated Article 6.1.a) of the RGPD, by illegally processing the personal data of the complainant without her consent, modifying the conditions and
 
personal data contained in the contract that joined them, associating their NIF and bank details with the name, surname and address of a third party, an offence that is typified in article 83.5.a) of the RGPD and which for the purposes of prescription is determined in article 72.1.b) of the LOPDGDD.

VI

In order to establish the administrative fine to be imposed, the provisions contained in Articles 83(1) and 83(2) of the RGPD must be observed:

"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.

2.	Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. In deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of this:

a)	the nature, seriousness and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damages suffered;
b)	the intentionality or negligence of the infringement;

c)	any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d)	the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented pursuant to Articles 25 and 32;

e)	any previous breach committed by the controller or processor;
f)	the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g)	the categories of personal data affected by the infringement;

h)	the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the person responsible for or in charge of the infringement notified it;

i)	where the measures referred to in Article 58(2) have been ordered in advance against the person responsible for or in charge of the same case, compliance with those measures;

j)	adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42, and
k)	any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.

With regard to Article 83(2)(k) of the RGPD, the LOPDGDD, in its Article 76, 'Sanctions and corrective measures', states that "In accordance with Article 83(2)(k) of the Regulation (EU)

2016/679 may also be taken into account:

a)	The continuing nature of the infringement.
b)	Linking the activity of the offender with the processing of personal data.
c)	The benefits obtained as a result of the commission of the infringement.

d)	The possibility that the conduct of the person concerned could have led to the commission of the infringement.
e)	The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f)	Affecting the rights of minors.
g)	To have, when not mandatory, a data protection delegate.
h)	The submission by the person responsible or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested party".

In accordance with the provisions transcribed above, and without prejudice to the outcome of the proceedings, for the purposes of setting the amount of the fine to be imposed in the present case for the infringement defined in article 83.5 of the RGPD for which XFERA is held liable, in an initial assessment, the following factors are considered to be concurrent:

The purely local scope of the processing carried out by the entity in question, since it is a single processing operation carried out without consent in the supply contract that bound them.

Only one person has been affected by the offending behaviour.

The damage caused to the claimant by having to file a complaint with the entity and a denunciation with the police and, furthermore, according to her own statements, the duration of the infraction since at the date of filing the complaint with the Agency she was still without a fixed telephone or Internet connection.

The manner in which the supervisory authority became aware of the infringement, insofar as this was through the complaint of the affected party.

The claimed entity has not specified the measures implemented in order to prevent similar incidents from occurring in order to avoid incidents such as the one that occurred by altering the contractual data of its owner without consent, etc.

There is no evidence that the entity had acted maliciously, although there is evidence of a rather undiligent performance.

The link between the activity of the offender and the processing of personal data, since in its normal activity it treats customer data as well as third party data. The claimed entity is considered to be a large company.


Therefore, in accordance with the criteria of graduation established in article 83 of the RGPD and 76 of the LOPDGDD, a sanction of 60,000 euros is imposed for which XFERA must respond.


Therefore, in accordance with the applicable legislation and assessed the criteria for the graduation of the sanctions whose existence has been accredited,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE XFERA MÓVILES, S.A. (MASMOVIL), with NIF A82528548, for an infringement of article 6.1.a) of the RGPD, typified in article 83.5.a) of the RGPD, a fine of 60,000 euros (sixty thousand euros).

SECOND:	NOTIFY	la	presente	resolución	a	XFERA	MOBILE,	S.A.

(MASMOBILE).


THIRD: To warn the sanctioned party that he/she must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in article. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to article 62 of Law 58/2003, of 17 December, by means of its entry, indicating the tax identification number of the person sanctioned and the number

of procedure appearing in the heading of this document, in the restricted account nº ES00 0000 0000 0000, opened in the name of the Spanish Agency
of Data Protection in the CAIXABANK, S.A. Bank. Otherwise, it will be collected during the executive period.

Once the notification has been received and once it has been executed, if the date of execution is between the 1st and 15th of each month, inclusive, the period for making the voluntary payment will be up to the 20th of the following month or the immediately following working month, and if it is between the 16th and last day of each month, inclusive, the period for payment will be up to the 5th of the second following month or the immediately following working month.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within one month from the day following notification of this decision, or directly lodge an administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating
 
Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Act.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send to the Agency the documentation that proves the effective lodging of the contentious-administrative appeal. If the Agency is not informed of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present decision, it shall terminate the precautionary suspension.

Mar Spain Marti

Director of the Spanish Data Protection Agency