AEPD (Spain) - PS/00235/2020

From GDPRhub
Revision as of 14:01, 1 February 2021 by Mh
AEPD - PS/00235/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 26.01.2021
Fine: 75.000 EUR
Parties: Telefónica Móviles España, S.A.U.
National Case Number/Name: PS/00235/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The Spanish DPA (AEPD) sanctioned the telecommunications company Telefónica Móviles España, S.A.U. with a fine of €75,000 for violating Article 6(1) GDPR.

English Summary

Facts

The complainant had five telephone lines contracted with Telefónica. One of these lines was used by her son, who received a message from Telefónica informing him that his line had stopped sharing mobile data with the rest of the contracted lines. The complainant went to a Telefónica store to find out what had happened, where she was told that a third party, pretending to be the complainant, had changed the ownership of the telephone line.

Dispute

The AEPD focused its investigation on whether the respondent processed the complainant's data in accordance with the principle of lawfulness in Article 6(1) GDPR. To this end, it was essential to ascertain whether the respondent exercised due diligence in verifying the identity of the person who requested the change of ownership of the line.

Holding

According to the AEPD, the respondent processed the complainant's personal data without legitimacy to do so. The respondent carried out the change of ownership of the complainant's line without legitimacy because its commercial agent did not correctly verify the identity of the person who requested the change. The principle of lawfulness is at the core of the fundamental right to the protection of personal data and requires proof that the data controller exercised the diligence necessary to establish this. Diligent compliance with the principle of lawfulness in the processing of third-party data requires that the controller be in a position to prove it (principle of accountability).


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00235/2020

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection, and based on the following:


                                   BACKGROUND


FIRST: On March 6, 2020, Mrs. A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Agency for Data Protection. The claim is directed against Telefónica Móviles España, S.A.U., with NIF A78923125 (hereinafter, the respondent).

The claimant states that she was the owner of five lines contracted with the respondent (she provides the numbers), one of which (*** PHONE. 1) was used by her son.


Thus, on January 14, 2020, her son received a message on his phone indicating that said line had stopped sharing mobile data with the rest of the lines. He contacted the respondent, who stated that the line had been deactivated and that it was no longer under the claimant's ownership.

The claimant then went to a store of the respondent, where she was informed that third parties, posing as the claimant, had changed the ownership of the line in favor of a third party, without any identity verification in this regard. That same day (01/14/2020), the new holder requested a duplicate SIM card in a store on grounds of theft or loss, and the respondent opened an incident number.

The claimant attaches the following documents to her claim letter:

1. Name and surname of the third party, address, store, date and time, and incident number.

2. Invoices accrediting her previous ownership.

3. Mobile screenshot showing her son leaving various groups, dated January 14, 2020.

4. Screenshot of a WhatsApp message from a contact relating a request for money.

5. Police report of January 14, 2020 filed by the claimant and her son.


SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided a mechanism prior to the admission for processing of claims filed before the AEPD, consisting of transferring them to the Data Protection Officers designated by the controllers or processors, for the purposes provided in article 37 of that law, or to the controllers or processors themselves when they have not designated one, the claim was transferred to the respondent entity so that it could analyse it and respond to the claimant and to this Agency within one month.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es

As a result of this process, on July 8, 2020, the respondent stated that it had sent a letter of response to the claimant's claim, attaching a copy of the letter.

THIRD: The outcome of the transfer process initiated in the previous paragraph did not allow the claimant's claims to be considered satisfied, given that the respondent's reply referred only to “additional security measures”. For that reason, on July 24, 2020, for the purposes provided in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted for processing.


FOURTH: On September 25, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the respondent, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD.

FIFTH: Once the aforementioned initiation agreement was notified, the respondent requested an extension of the period for submitting allegations.

On October 5, 2020, the extension of that period by 5 days was granted.

Subsequently, the respondent submitted allegations in which, in summary, it stated that: “TME has a consolidated and adequate procedure for verifying the identity of our clients. In this identity verification procedure, in addition to the identifying data of the old and new holder, the last 4 digits of the bank account of the former holder are requested. Therefore, it is worth emphasizing that the situation described by the claimant is due to the illegal obtaining and use of the claimant's personal data by the impersonator and the subsequent deception of the commercial agent of *** PHONE. 2 who processed the request to change the holder, and not to an illegitimate processing of the claimant's data by my client.

Once the claim was filed with TME, two days after the change of holder and the subsequent duplicate card had occurred, the claimant was offered the possibility of restoring ownership of the line. However, the claimant expressed the wish that no further formalities be carried out, insofar as she preferred to be advised by her lawyers.

Consequently, my client considers that there has been no violation of article 6.1 of the RGPD in the processing of the claimant's data on its part, but rather by an impersonator, since the processing of these data by TME is necessary to manage the contractual relationship with the claimant, and for the purposes of carrying out said processing, TME has established an operation that provides sufficient guarantees to ensure compliance with current data protection regulations”.


It requests that the circumstances that occurred in the events subject to the procedure be taken into account and, in the event that the infringement is found, in the amount of the penalty proposed in the Initiation Agreement, and that a Resolution be issued ordering the filing of the present sanctioning file or, alternatively, reducing the initially proposed penalty under art. 83 of the RGPD.

SIXTH: On October 26, 2020, the instructor of the procedure agreed to open an evidence period, taking as incorporated all the previous actions, as well as the documents provided by the respondent.


SEVENTH: On December 3, 2020, the resolution proposal was formulated, proposing that the Director of the Spanish Agency for Data Protection sanction the respondent for an infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, with a fine of 75,000 euros.


EIGHTH: The proposed resolution was notified on December 9, 2020; the respondent requested an extension of the period for submitting allegations, which was granted.

The respondent submitted a brief of allegations ratifying those made against the Initiation Agreement, requesting a declaration that the respondent bears no responsibility for the alleged infringement imputed in this procedure, that a Resolution be issued ordering the filing of the present sanctioning file referenced in the margin, and, alternatively, a reduction of the initially proposed sanction under art. 83 of the RGPD.


In view of all the actions, the Spanish Agency for Data Protection considers the following facts proven in this procedure:

                                 PROVEN FACTS



FIRST: The claimant was the owner of five lines contracted with the respondent (she provides the numbers), one of which (*** PHONE.1) was used by her son.








SECOND: It is established that on January 14, 2020, the claimant's son received a message informing him that said line had stopped sharing mobile data with the rest of the lines. He contacted the respondent and was informed that the line had been deactivated and that it was no longer under the claimant's ownership.

THIRD: It is established that the claimant went to a store of the respondent and was informed that third parties, posing as the claimant, had changed the ownership of the line in favor of a third party, without any identity verification having been carried out in this regard.

It is established that on January 14, 2020, the new holder requested, in a store of the respondent, a duplicate SIM card on grounds of theft or loss, and the respondent opened an incident number (the claimant provides the name and surname of the third party, the address, store, date and time, and the incident number).


FOURTH: The respondent acknowledges the facts in its allegations and states that they are due to the illegal obtaining and use of the claimant's personal data by the impersonator and the impersonator's subsequent deception of the commercial agent of *** TELEPHONE. 2 who processed the request to change the holder.



                                FOUNDATIONS OF LAW

                                             I


By virtue of the powers that article 58.2 of the RGPD grants to each supervisory authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.
                                            II


The respondent is charged with committing an infringement for violation of Article 6 of the RGPD, “Lawfulness of processing”, which in its section 1 indicates the cases in which the processing of third-party data is considered lawful:

“1. Processing shall be lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(…)”


The infringement is typified in Article 83.5 of the RGPD, which considers as such:

“5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9.”


Organic Law 3/2018, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), in its article 72, under the heading “Infringements considered very serious”, provides:

“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following:

(…)

b) The processing of personal data without the concurrence of any of the conditions of lawfulness of processing established in article 6 of Regulation (EU) 2016/679.”


                                            III

The documentation in the file provides evidence that the respondent violated article 6.1 of the RGPD.

In this sense, it is proven that the respondent processed the claimant's personal data without legitimacy to do so. It is established that the respondent carried out the change of ownership of the claimant's line without legitimacy to do so, as the respondent itself acknowledges in its allegations, stating: “that it is due to the illegal obtaining and use of the claimant's personal data by the impersonator and the impersonator's subsequent deception of the commercial agent of 1004 who processed the request for a change of ownership”.

Based on the foregoing, in the case analyzed, the diligence employed by the respondent is called into question.


Respect for the principle of lawfulness, which lies at the essence of the fundamental right to the protection of personal data, requires proof that the controller exercised the diligence essential to establish that point. If this Agency did not act in this way, and did not demand it, as the body responsible for ensuring compliance with the regulations governing the right to the protection of personal data, the result would be to empty the principle of lawfulness of its content.

The lack of diligence shown by the entity in complying with the obligations imposed by the personal data protection regulations is thus obvious. Diligent compliance with the principle of lawfulness in the processing of third-party data requires that the controller be in a position to prove it (principle of accountability).

Thus, it has been established that the respondent processed the personal data of the claimant, who denies having consented to the processing, and, as long as the respondent has not provided any evidence to disprove this, it is considered that the facts submitted to the assessment of this Agency could constitute an infringement of article 6.1 of the RGPD, an infringement typified in Article 83.5 of the aforementioned Regulation 2016/679.


                                               IV


In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, precepts that indicate:

“Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.”

“Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points a) to h) and j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentional or negligent character of the infringement;

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”

Regarding section k) of article 83.2 of the RGPD, article 76 of the LOPDGDD, “Sanctions and corrective measures”, provides:

“2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the infringement.

b) The connection between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of the commission of the infringement.

d) The possibility that the conduct of the affected person could have induced the commission of the infringement.

e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The affecting of the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject.”

In accordance with the transcribed precepts, in order to set the amount of the fine to be imposed on the respondent entity as responsible for an infringement typified in article 83.5.a) of the RGPD, the following aggravating factors are considered to concur in the present case:

- The duration of the illegitimate processing of the affected party's data carried out by the respondent (article 83.2.a) of the RGPD).

- The intentionality or negligence of the infringement (article 83.2.b) of the RGPD).

- Basic personal identifiers (personal and banking data) are affected (art. 83.2.g) of the RGPD).

- The obvious link between the business activity of the respondent and the processing of personal data of clients or third parties (article 83.2.k) of the RGPD in relation to article 76.2.b) of the LOPDGDD).


Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES:


FIRST: TO IMPOSE on TELEFÓNICA MÓVILES ESPAÑA, S.A.U., with NIF A78923125, for a violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 75,000 euros (seventy-five thousand euros).


SECOND: TO NOTIFY this resolution to TELEFÓNICA MÓVILES ESPAÑA, S.A.U.









THIRD: To warn the sanctioned party that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and the 15th of each month, both inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the immediately subsequent business day, and if it falls between the 16th and the last day of each month, both inclusive, the payment deadline will be the 5th of the second following month or the immediately subsequent business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of that Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by letter addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will end.

938-131120
Mar España Martí
Director of the Spanish Agency for Data Protection


