AEPD - PS/00275/2019

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 83(5) GDPR; Article 72 of the Spanish Data Protection Law (LOPDGDD)

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 3. 2. 2020
Fine: EUR 50,000
Parties: VODAFONE ESPAÑA
National Case Number: PS/00275/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Spanish

Original Source: AEPD (in ES)

The AEPD imposed a fine of EUR 50,000 on Vodafone España, S.A.U. (data controller) for breaching its duty to process personal data in accordance with the principle of confidentiality, as required by Article 5(1)(f) GDPR.

English Summary

Facts

The fine followed a complaint submitted by a Spanish citizen who claimed that the data controller had sent invoices for services to her neighbour and that, although the envelope was clearly addressed to that neighbour (name and address), the content of the letter included personal data of the complainant (name, national ID number, address, etc.).

The data controller did not respond to the AEPD's first request for information, but it finally did so during the allegations phase and admitted a technical "mistake" behind the wrong delivery. It also specified that the technical mistake had been fixed and argued that, although it might be responsible for the error, it was not at fault and there had been no intention.

Dispute

The AEPD had to assess whether the data controller's culpability is decisive for finding a violation and for imposing a fine.

Holding

Based on Article 83(5) GDPR and Article 72 of the Spanish Data Protection Law (LOPDGDD), the AEPD found that the confidentiality principle had been breached and decided to impose a fine of EUR 50,000. The fine was calculated after considering the following facts: (1) the breach only affected two individuals and (2) the breach was not significantly harmful, but (3) the data controller is a large company, (4) it showed a significant lack of diligence, and (5) its business is clearly related to personal data.


English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

RESOLUTION OF THE SANCTIONING PROCEDURE

In the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: Ms. A.A.A. (hereinafter, the claimant) on March 12, 2019 filed a complaint with the Spanish Data Protection Agency. The complaint is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, the respondent), and in it she states that the operator sends her bills with her personal data to the address of her neighbour. On the one hand, the letterhead of the letter contains the neighbour's full name and address, but the invoice corresponds to the name, ID card, address, etc. of the claimant. With the letter of complaint, a copy of the letter in question is provided.

SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as the GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter referred to as the LOPDGDD).

As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the respondent. Likewise, the following points have been established: this Agency transferred the present complaint to the respondent by electronic means, granting it a period of one month for its reply; the date of acceptance by the latter is recorded as 20 May 2019. Once this period of time had elapsed, it had not responded to the request made by this body, and for this reason this claim is admitted for processing with regard to the security measures adopted, without the entity having responded to the Spanish Data Protection Agency.

THIRD: On 26 September 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 5.1(f) of the GDPR, as defined in Article 83.5(a) of the GDPR.

FOURTH: Having been notified of the above-mentioned agreement to initiate proceedings, the respondent presented written allegations by letter dated 11 October 2019, and formulated the following allegations in summary:

"The complainant states in its complaint that Vodafone sends its invoices to the address of its neighbour, with the details of the neighbour appearing on the letterhead of the letter, but the details of the neighbour appearing on the invoice. The AEPD states in the Agreement to Initiate Proceedings that the company I represent has not responded to the request for information notified to it. Vodafone, in the first place, wishes to state that after receiving the information request E/5008/2019, Vodafone analysed the complaint and began the necessary steps to solve the problem that had been brought to our attention. It was verified that, in fact, in the contract of the claimant the address that she had consigned was already her correct one, with the floor 3ºC, but we verified that under the same client ID there was a card that contained both the data of the claimant and those of her neighbour. It is possible that the facts have had some problem in the migration of the data contained in one system to another different system.

In this sense, it is relevant to highlight the repeal of Article 130 of Law 30/1992, of 26 November, on the Legal System of Public Administrations and Common Administrative Procedure. Its replacement by Article 28.1 of Law 40/2015 of 1 October, on the Legal System for the Public Sector, eliminates the mention of "simple failure to comply", making the rule "nullum poena sine culpa" prevail. This only highlights the lack of room for liability without fault, a principle that governs or should govern in the administrative sphere, as it is a manifestation of the "ius puniendi" of the State, and therefore a liability regime without fault is inadmissible in our legal system. It may not be sanctioned for infringement of article 6.1 of the GDPR without reference to the subjective element of the type, with neither intent nor fault nor negligence being demonstrated. Additionally, taking into account the special nature of the sanctioning Law that determines the impossibility of imposing sanctions without taking into account the will of the subject actor or the factors that could have determined the breach of a legal obligation, this party maintains the impropriety of the imposition of any sanction. Thus, the Supreme Court in Judgment of December 21, 1998 (RJ1998/10226) (Appeal 9074/1991), January 27, 1996 (RJ 1996\926) (Appeal 640/1992) and January 20, 1997 (RJ 1997\257) (Appeal 2689/1992)". The Supreme Court also points out in its Judgment of July 20, 1990, Ar. 6163, that, as can be seen, the conduct described does not have any intention of being fraudulent, nor is it culpable. Therefore, in the absence of any culpability, it is inappropriate to impose a sanction on my client, since one of the essential requirements of the administrative law on sanctions is missing.

In the alternative, and in the event that, despite the explanations given above, the Agency considers that it deserves a sanction for the commission of an infringement of Article 6.1 of the GDPR, the amount of said sanction should be moderated, and imposed in a minimum amount, taking into account the following circumstances set out in Article 83.2 of the GDPR. In the alternative, and in the event that, in spite of the explanations given above, the Agency should consider that the party I represent deserves to be penalised for committing an infringement of article 6.1 of the GDPR, the amount of said penalty should be moderated, being imposed as a minimum".

FIFTH: On October 28, 2019, the evidence period began, and it was agreed: (a) to consider as reproduced for evidential purposes the claim filed by the claimant and its documentation, and the documents obtained and generated which form part of file E/05008/2019, and (b) to consider as reproduced for evidential purposes the allegations to the agreement of initiation of PS/00275/2019 presented by the respondent.

SIXTH: On November 29, 2019, the Proposal for Resolution was issued and notified to Vodafone on December 3 of the same year, for alleged infringement of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR, proposing a fine of 50,000 euros. Vodafone presented allegations to the Proposed Resolution, stating that it reiterates the allegations already made to the Initiating Agreement.

PROVEN FACTS

Of the information and documentation provided by the parties in this procedure, the following facts are accredited:

1. On March 12, 2019, the claimant filed a complaint with the Spanish Data Protection Agency, stating that the operator was sending her bills with her personal details to her neighbour's address. On the one hand, the letterhead of the letter contains the details of the neighbour (full name and address), but the invoice corresponds to the name, ID card, address, etc. of the claimant.

2. The AEPD notified the claim, the date of acceptance being recorded as 20 May 2019, and the entity did not respond to the AEPD.

3. On 11 October 2019, during the allegations period, the respondent stated that the facts are the result of a specific error, that this error has now been corrected and that the data of the complainant's neighbour have been disassociated. It provides a screenshot with the corrected data.

LEGAL GROUNDS

I

By virtue of the powers that Article 58.2 of the GDPR recognises to each supervisory authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

The respondent is accused of committing an infringement for violation of Article 5.1.f) of the GDPR, which states that:

"1. (...) f) processed in such a way as to ensure adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures."

The infringement of Article 5.1.f) of the GDPR, for which VODAFONE is responsible, is defined in Article 83 of the aforementioned legal text, which, under the heading "General conditions for the imposition of administrative fines", states:

"5. Violations of the following provisions shall be punished, in accordance with paragraph 2, with administrative fines of a maximum of 20,000,000 euros or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is greater: a) The basic principles for processing, including the conditions for consent under Articles 5, 6, 7 and 9."

Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), in its Article 72, under the heading "Infringements considered very serious", provides:

"1. (...) 2016/679 are considered very serious and shall be subject to a three-year limitation period for infringements that substantially violate the articles mentioned therein, and in particular the following: a) The processing of personal data in breach of the principles and guarantees set out in Article 5 of Regulation (EU) 2016/679."

It is important to note that the complainant has provided a copy of the letterhead on which the details of her neighbour (full name and address) appear, but the invoice corresponds to the name, ID card, address, etc. of the complainant. Therefore, there is no doubt, given the regulation, that the duty of secrecy of Article 5.1.f) of the GDPR has been violated. The respondent did not comply with the security measures, which gives rise to the violation of confidentiality in Article 5 LOPDGDD.

In order to determine the administrative fine to be imposed in this case, it is necessary to comply with the provisions of Articles 83(1) and 83(2) of the GDPR, which state that "Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive".
"Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. In deciding whether to impose an administrative fine and the amount of such fine in each individual case, due account shall be taken of:

(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage and injury they have suffered;

(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures implemented pursuant to Articles 25 and 32;

(f) the degree of cooperation with the supervisory authority for the purpose of remedying the infringement and mitigating the possible adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(i) where the measures referred to in Article 58(2) have been ordered against the controller or processor concerned with regard to the same case, compliance with those measures;

(j) adherence to codes of conduct under Article 40 or to certification schemes approved under Article 42; and

(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial gains or losses avoided, directly or indirectly, through the infringement."

With regard to paragraph (k) of Article 83.2 of the GDPR, Article 76 of the LOPDGDD, "Sanctions and corrective measures", provides:

"2. (...) k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuous nature of the infringement. b) The link between the activity of the offender and the processing of personal data. c) The benefits obtained as a result of the commission of the infringement. d) The possibility that the conduct of the affected party could have led to the commission of the infringement. e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The effect on the rights of minors. g) The availability, when not mandatory, of a data protection officer. h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms in those cases where there are disputes between them and any interested party."

In accordance with the precepts transcribed, for the purposes of determining the amount of the fine that should be imposed on the respondent for an infringement classified in Article 83.5.a) of the GDPR, it is estimated that the following factors are present:

- Only two persons have been affected by the conduct of the respondent.
- The damage caused to those affected by the breach of confidentiality of their data cannot be considered significant.
- The lack of diligence demonstrated by the respondent can be considered significant.
- There is an evident link between the processing of personal data and the activity carried out by the respondent.
- The respondent is considered a large company.

For the purposes of setting the amount of the penalty to be imposed in this case, it is considered that the penalty should be graduated in accordance with the following criterion established in Article 76.2 of the LOPDGDD:

- The link between the activity of the offender and the processing of personal data (section b).

The balance of the circumstances contemplated in Article 83.2 of the GDPR, with respect to the infringement committed by violating the provisions of Article 5.1.f) of the GDPR, allows for a sanction of 50,000 euros (fifty thousand euros), the infringement being considered "very serious" for the purposes of its limitation period under Article 72.1.a) of the LOPDGDD.
Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of the penalties whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE ON VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for an infringement of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR, a fine of 50,000.00 euros (fifty thousand euros).

SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

THIRD: TO WARN the sanctioned party that it must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by means of payment, indicating the Tax Identification Number of the sanctioned party and the number of the procedure that appears in the heading of this document, into restricted account no. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A. Otherwise, it shall be collected during the enforcement period.

Once the notification has been received, and once the resolution is enforceable, if the enforcement date is between the 1st and 15th of each month, inclusive, the deadline for voluntary payment will be the 20th of the following month or the next working day; and if it is between the 16th and the last day of each month, inclusive, the deadline for payment will be the 5th of the second following month or the next working day.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Pursuant to art. (...).6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision, or directly lodge a contentious-administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46 thereof.

Finally, it is noted that in accordance with the provisions of Article 90.3 a) of the LPACAP, the final resolution may be suspended in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. It will also have to send to the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal. If the Agency is not made aware of the lodging of the contentious-administrative appeal within the period of two months from the day following the notification of the present resolution, the precautionary suspension will be terminated.