AEPD (Spain) - PS/00275/2019: Difference between revisions

From GDPRhub
(Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |AEPD - PS/00275/2019 |- | colspan="2" style="padding: 20px; background-color:#ffffff;"...")
 
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{{DPAdecisionBOX
! colspan="2" |AEPD - PS/00275/2019
|-
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoES.jpg|center|250px]]
|-
|Authority:||[[AEPD (Spain)]]
[[Category:AEPD (Spain)]]
|-
|Jurisdiction:||[[Data Protection in Spain|Spain]]
[[Category: Spain]]
|-
|Relevant Law:||[[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]
[[Category:Article 5(1)(f) GDPR]]


[[Article 83 GDPR#5|Article 83(5) GDPR]]
|Jurisdiction=Spain
[[Category:Article 83(5) GDPR]]
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoES.jpg
|DPA_Abbrevation=AEPD (Spain)
|DPA_With_Country=AEPD (Spain)


Article 72 of the Spanish Data Protection Law [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf (LOPDGDD)]
|Case_Number_Name=PS/00275/2019
|-
|ECLI=
|Type:||Complaint
|-
|Outcome:||Upheld
|-
|Decided:||n/a
[[Category:2020]]
|-
|Published:||n/a
|-
|Fine:||EUR 75,000
|-
|Parties:||[https://www.vodafone.es/c/particulares/es/ VODAFONE ESPAÑA]
|-
|National Case Number:||PS/00278/2019
|-
|European Case Law Identifier:||n/a
|-
|Appeal:||n/a
|-
|Original Language:||[[Category:Spanish]]
Spanish
|-
|Original Source:||[https://www.aepd.es/es/documento/ps-00278-2019.pdf AEPD (in ES)]
|}


The AEPD following a complaint imposed a fine of EUR 75,000 on the telecom company, Vodafone España. The data controller did not obtain the consent for the processing of the applicant’s data, as required by [Article 6 GDPR|Article 6 GDPR].
|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00275-2019.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
 
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=
|Date_Published=03.02.2020
|Year=
|Fine=50,000
|Currency=EUR
 
|GDPR_Article_1=Article 5(1)(f) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1f
|GDPR_Article_2=Article 83(5) GDPR
|GDPR_Article_Link_2=Article 83 GDPR#5
|GDPR_Article_3=
|GDPR_Article_Link_3=
|GDPR_Article_4=
|GDPR_Article_Link_4=
 
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
 
|National_Law_Name_1= Article 72 Spanish Data Protection Law (LOPDGDD)
|National_Law_Link_1=https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=
 
|Party_Name_1=VODAFONE ESPAÑA
|Party_Link_1=https://www.vodafone.es/c/particulares/es/
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
 
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
 
|Initial_Contributor=
|
}}
 
The AEPD imposed a fine of EUR 50,000 on Vodafone España, S.A.U. (data controller), due to the breach of its duty of processing personal data according to the principle of confidentiality, as required by [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]].


==English Summary==
==English Summary==


===Facts===
===Facts===
The AEPD examined a complaint submitted by a customer concerning the processing of his data by Vodafone España. The company kept sending him emails after he had expressly withdrawn his consent to the processing of his personal data, and then alleged that it was caused by a computer failure.
The fine followed a complaint submitted by a Spanish citizen who claimed that the data controller had sent some services invoices to her neighbour, and that, although the letters were clearly addressed to that neighbour on the envelope (name and address), the content included personal data of the complainant (name, national ID number, address, etc).
 
The data controller did not answer to AEPD's first requirement, but it finally did so during the allegations phase and admitted a technical “mistake” on the wrong delivery. It also specified that the technical mistake had been fixed, and that, although the data controller may be responsible for its commission, it was no guilty nor was there any intention.  


===Dispute===
===Dispute===
The AEPD had to assess whether the culpability constitutes a requirement for imposing an administrative sanction under the GDPR.
The AEPD had to assess whether the data controller's culpability is determining for finding a violation and for imposing a fine.  


===Holding===
===Holding===
The AEPD ruled that by sending the customer/complainant company emails after he had asked them to erase his data file, VODAFONE had illegally processed the his data because of the lack of valid consent under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. Thus, it imposed VODAFONE a fine of EUR 75,000 under [[Article 83 GDPR#5|Article 83(5) GDPR]], being indecisive whether there was culpability or not in the company’s actions.
Based on [[Article 83 GDPR#5|Article 83(5) GDPR]] and Article of 72 the Spanish Data Protection Law (LOPDGDD), the AEPD found that the confidentiality principle has been breached and decided to impose the fine of EUR 50,000. The fine was calculated after the consideration of the following facts:
(1) the breach only affected two individuals and
(2) the breach was no significantly harmful, but
(3) the data controller is a big company,
(4) it showed a significant lack of diligence, and
(5) its business is clearly related to personal data.  


==Comment==
==Comment==
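Review bot: The new Facts and Holding paragraphs carry wording slips that affect how the summary reads: "it was no guilty nor was there any intention" should read "it was not at fault, nor was there any intent", "Article of 72 the Spanish Data Protection Law" should read "Article 72 of the Spanish Data Protection Law", and "the breach was no significantly harmful" should read "not significantly harmful". In the new Dispute sentence, "is determining for finding a violation" would be clearer as "is decisive for finding a violation". In the DPAdecisionBOX call, Date_Decided= and Year= are left empty although Date_Published=03.02.2020 is set and the replaced table carried [[Category:2020]]; fill them from the decision if the template uses them for categorisation. The lone "|" on the line before the closing "}}" looks like a leftover empty parameter and can be dropped.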
Line 67: Line 96:


<pre>
<pre>
Procedure No.: PS/00278/2019938-051119PROCEDURE RESOLUTION of the procedure instructed by the Spanish Agency of Data Protection and based on the following FIRST: D. A.A.A. (hereinafter, the claimant) on 3 April 2019 filed a complaint with the Spanish Data Protection Agency
RESOLUTION OF THE PENALTIARY PROCEDURE
The claim is directed against Vodafone España, S.A.U. with NIF A80907397 (hereinafter, the claimant). The reasons on which the claim is based are that he requested the operator to delete his data, and they state: "that once the facts described by the claimant have been analysed, he does not maintain any active service in Vodafone, nor does he have any amounts pending payment". The following documents are attached to the claim: -Answer from the claimant to the Secretary of State for the Information Society and the Digital Agenda dated December 24, 2018.-Emails received by the claimant from the claimant dated November 28, 2018, February 27 and March 28, 2019.SECOND: After the reception of the complaint, the Subdirectorate General of Data Inspection proceeded to carry out previous investigation actions to clarify the denounced facts, having knowledge of the following extremes: On August 28, 2019, the claimant has sent this Agency the following information in relation to the denounced facts:He states that: "due to a computer error in its systems, the complainant's e-mail got "hooked" and continued to be recorded in the form of information communications regarding electronic invoices issued by Vodafone, and that is the reason why he has received these communications".They point out that: "this error has been resolved, so the claimant will not receive any further communication regarding electronic invoices from Vodafone or any other that has not previously consented".
 
On the other hand, they provide a copy of the e-mail they have sent to the complainant to inform him of the above-mentioned aspects.THIRD: On October 4, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the complainant, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 6.Article 83.5 of the GDPR.FOURTH: Having been notified of the above-mentioned agreement to initiate proceedings, the defendant submitted a written statement of objections by letter dated October 16, 2019, in which it summarized the following allegations: "As he answered the request for information received from the Agency, the facts were due to an error in the process of deleting data from our systems.   All the data were effectively deleted from all the company's systems with the exception of the mail account in the system for sending billing notices. On the other hand, it is important to emphasize that the fact that the claimant received these notices does not mean that the company I represent was billing him for any service.  That did not happen.  The sending of invoicing notices is an automatic process that is triggered a few days before the day of the month in which a client's invoicing cycle is fulfilled. This error has already been corrected and the claimant was notified by e-mail, which is attached. In this sense, it is relevant to highlight the repeal of Article 130 of Law 30/1992, of 26 November, on the Legal System of Public Administrations and Common Administrative Procedure. 
Its replacement by Article 28.1 of Law 40/2015 of 1 October, on the Legal System for the Public Sector, eliminates the reference to "simple non-observance", making the rule "nullum poena sine culpa" prevail.This only highlights the lack of room for liability without fault, a principle that governs or should govern in the administrative sphere, as it is a manifestation of the "ius puniendi" of the State, and therefore a liability regime without fault is inadmissible in our legal system.   It may not be sanctioned for infringement of article 6.1. of the GDPR, without reference to the subjective element of the type, with neither intent nor fault nor negligence being demonstrated.Additionally, taking into account the special nature of the sanctioning Law that determines the impossibility of imposing sanctions without taking into account the will of the subject actor or the factors that could have determined the breach of a legal obligation, this party maintains the impropriety of the imposition of any sanction.
The procedure instructed by the Spanish Data Protection Agency and based on the following  
Thus, the Supreme Court in its Judgment of December 21, 1998 (RJ1998/10226)(Appeal 9074/1991), January 27, 1996 (RJ 1996\926) (Appeal 640/1992) and January 20, 1997 (RJ 1997\257) (Appeal 2689/1992)". The Supreme Court also points out in its Judgment of July 20, 1990, Ar. 6163, that, as can be seen, the conduct described does not have any intention of being fraudulent, nor is it culpable.  Therefore, in the absence of any culpability, it is inappropriate to impose a sanction on my client, since one of the essential requirements of the administrative law on sanctions is missing. In the alternative, and in the event that, despite the explanations given above, the Agency considers that it deserves a sanction for the commission of an infringement of Article 6.1 of the GDPR, the amount of said sanction should be moderated, and imposed in a minimum amount, taking into account the following circumstances set out in Article 83.2 of the GDPR. In the alternative, and in the event that, in spite of the explanations given above, the Agency should consider that the party I represent deserves to be penalised for committing an infringement of article 6.1 of the GDPR, the amount of said penalty should be moderated, being imposed as a minimum".FIFTH: On October 25, 2019, the trial period began, and it was agreed: (a) to consider the claim filed by the claimant and its documentation, the documents obtained and generated which form part of file E/05024/2019 and (b), as having been reproduced for the purposes of proof.- to consider as reproduced for evidential purposes, the allegations to the agreement of initiation of PS/00278/2019, presented by the denounced entity.SIXTH: On November 29, 2019, the Proposal for Resolution was issued and notified to Vodafone on December 3 of the same year, for alleged infringement of Article 6.Vodafone presented allegations to the Proposed Resolution, stating that it is reiterated in the allegations already made to the Initiating Agreement. 
Of the actions carried out in the present procedure, of the information and documentation presented by the parties, the following have been accredited:PROVEN FACTSOf the information and documentation provided by the parties in this procedure, the following facts are accredited:
 
91º On April 3, 2019, the claimant filed a complaint with the Spanish Data Protection Agency, stating that he had requested the deletion of his data, and they stated: "that once the facts described by the claimant have been analyzed, he does not maintain any active service in Vodafone, nor does he have any amounts pending payment".  However, he continued to receive communications from that entity.2 The respondent's reply to the Secretariat of State for the Information Society and the Digital Agenda dated December 24, 2018, states that the claimant does not have any active service with Vodafone, nor does he have any amounts pending payment.3Emails received by the claimant from the claimed party dated 28 November 2018, 27 February and 28 March 2019.4 Dated 16 October 2019, the claimant provides, during the negotiation period, among others, an email sent to the claimant, where he indicates: "We are contacting you in relation to your claim that has been transferred to us by the Spanish Data Protection Agency within file E/05024/2019.  By means of this letter, we would like to inform you that the sending of the e-mails to your e-mail account informing you that your electronic invoice is available, is due to a computer error since these communications do not correspond to any service that you have verified.We have corrected this error in order to prevent you from receiving these e-mails again". RIGHT FOUNDATIONS By virtue of the powers that Article 58.2 of the GDPR recognizes to each control authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to resolve this procedure.IISe accuses the defendant of committing an infringement of Article 6 of the GDPR, 'Lawfulness of processing', which states in paragraph 1 that the processing of data from third parties is considered lawful:'1. 
1 The processing will only be lawful if at least one of the following conditions is met: a) the data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation, at his/her request, of pre-contractual measures;
FIRST CURRENTS: Ms. A.A.A. (hereinafter, the claimant) on March 12, 2019 filed a complaint with the Spanish Data Protection Agency, the same agency is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, the claimant), in which he states that the operator sends his bills with his personal data to the address of his neighbor. On one hand, the letterhead of the letterhead contains the claimant's full name and address, but the invoice corresponds to the name, ID card, address, etc. of the claimant.  With the letter of complaint, a copy of the letter sent by the complainant is provided.  
(...) "In article 4 of the GDPR, Definitions, in its paragraph 11, it states that: "11) "consent of the data subject" means any free, specific, informed and unequivocal expression of will by which the data subject accepts, either by a declaration or a clear affirmative action, the processing of personal data concerning him/her".Article 6, Processing based on the consent of the data subject, of the new Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), also states that: "1.11 of Regulation (EU)2016/679, the consent of the data subject means any freely given, specific, informed and unambiguous expression of his or her willingness to accept, either by declaration or by clear affirmative action, the processing of personal data concerning him or her.2When it is intended to base the processing of data on the consent of the data subject for a number of purposes, it must be specifically and unequivocally stated that such consent is granted for all of them.3The execution of the contract may not be made subject to the consent of the data subject to the processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship".5 a) of the GDPR, considers that the violation of "the basic principles for the treatment, including the conditions for the consent according to the articles 5, 6, 7 and 9" is punishable, according to the paragraph 5 of the mentioned article 83 of the mentioned Regulation, "with administrative fines of 20.000,000 maximum or, in the case of a company, a fine equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is greater".5 of Regulation (EU) 2016/679 are considered very serious and shall be subject to a three-year limitation period for infringements that substantially infringe the articles mentioned therein, and in particular the following:(...) 
b) Processing of personal data without complying with any of the conditions for the lawfulness of processing set out in Article 6 of Regulation (EU) 2016/679.) "IIIThe documentation in the file offers clear indications that the claimant violated Article 6 of the GDPR, since the aforementioned entity treated the personal data of the claimant illegally, as there was no consent for the processing of his personal data, as evidenced by the reference to his e-mail address communications originating in "vodafone@corp.vodafone.es" and whose subject is "you already have your electronic invoice available".
 
The Contentious Administrative Chamber of the National Court of Justice, in similar cases, has considered that when the owner of the data denies consent, the burden of proof falls on the person who asserts its existence, and the person responsible for the processing of third party data must collect and keep the necessary documentation to prove the owner's consent. Thus, SAN of 31/05/2006 (Rec. 539/2004), Fundamento de Derecho Cuarto, the complainant has provided, among other documents, a copy of Vodafone's reply to the Secretary of State for the Information Society and the Digital Agenda, in which it is stated, "after analysing the facts described by the complainant, that it does not maintain any active service in Vodafone, nor any amounts pending payment", not having authorised that entity to use its electronic mail, as recognised by the complainant himself.In short, it must be pointed out that respect for the principle of legality of the data requires that it must be proven that the owner of the data consented to the processing of personal data and that reasonable diligence must be exercised to prove this. Failure to do so would render the principle of lawfulness null and void. In order to determine the administrative fine to be imposed, the provisions of Articles 83(1) and 83(2) of the Data Protection Regulation must be complied with, which state: '1. Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive. Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. 
In deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of the circumstances of the case:(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage suffered(e) any previous infringements committed by the controller or processor; (f) the degree of cooperation with the supervisory authority in order to remedy the infringement and to mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in Article 57.1 of Regulation (EU)2016/679 (General Data Protection Regulation, hereinafter referred to as the GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter referred to as the LOPDGDD).As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been complained about. Likewise, the following points have been established: This Agency has transferred the present complaint to the one complained about by electronic means, granting him a period of one month for his reply and it is recorded as the date of acceptance by the latter on 20 May 2019. Once this period of time has elapsed, it has not responded to the request made by this body, and for this reason this claim is admitted for processing with regard to the security measures adopted, and without the entity having responded to the Spanish Data Protection Agency.
i) when the measures indicated in Article 58(2) have been previously ordered against the person responsible or the person in charge in relation to the same matter, compliance with those measures; j) adherence to codes of conduct under Article 40 or to certification mechanisms approved under Article 42; and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.In relation to Article 83(2)(k) of the GDPR, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", states that: "2. In accordance with the provisions of Article 83(2)(k) of Regulation (EU)2016/679, the following may also be taken into accountb) The link between the activity of the offender and the processing of personal data.c) The benefits obtained as a result of the commission of the infringement.d) The possibility that the conduct of the person concerned could have led to the commission of the infringement.e) The existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The effect on the rights of minors. 
g) The availability, when not mandatory, of a data protection representative.h) The submission by the person responsible or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested party".5.a) of the GDPR, for which the respondent is responsible, the following factors are considered to be concurrent: the merely local scope of the processing carried out by the entity being claimed; only one person has been affected by the infringing conduct; the damage caused to the claimant, since the Secretary of State for the Information Society and the Digital Agenda had to file a complaint, and on several occasions the entity was contacted to inform him of the facts without adopting any decision. There is no evidence that the entity had acted fraudulently, although the action reveals a lack of diligence, linking the activity of the offender with the processing of personal data and the number of people affected.In accordance with the indicated precepts, for the purposes of fixing the amount of the penalty to be imposed in the present case, it is considered that the penalty to be imposed should be graduated in accordance with the following criteria established in article 76.2 of theLOPDGDD:-The linking of the activity of the offender with the processing of personal data, (section b).
 
The balance of the circumstances contemplated in article 83.2 of the GDPR, with respect to the infraction committed by violating that established in article 6.1 of the GDPR allows for a sanction of 75,000 euros (sixty-five thousand euros), considered as "very serious", for the purposes of the prescription of the same, in 72.1.a of the LOPDGDD. Therefore, in accordance with the applicable legislation and having assessed the criteria for the downgrading of the penalties whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:FIRST: TO IMPOSE ON VODAFONE ESPAÑA, S.A.U, with NIF A80907397, for an infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, a fine of 75,000.00 euros (seventy-five thousand euros).SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U..THIRD: TO WARN the sanctioned party that it must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of Article 6.1 of the GDPR.  98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the period for payment of volunteers established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by means of its payment, indicating the Tax Identification Number of the sanctioned party and the number of the procedure that appears in the heading of this document, in restricted account no. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A. 
Otherwise, it shall be collected during the enforcement period.Once the notification has been received, and once it has been enforced, if the enforcement date is between the 1st and 15th of each month, inclusive, the deadline for voluntary payment will be the 20th of the following month or the next working month, and if it is between the 16th and last day of each month, inclusive, the deadline for payment will be the 5th of the second following month or the next working month.In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties..6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 de lareferida Ley.
THIRD: On 26 September 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 5.1(f) of the GDPR, as defined in Article 83.5(a) of the GDPR.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. He will also have to send to the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal.  If the Agency were not aware of the lodging of the contentious-administrative appeal within the period of two months from the day following the notification of the present resolution, it would terminate the precautionary suspension.
 
</pre>
</pre>

Latest revision as of 14:25, 13 December 2023

AEPD (Spain) - PS/00275/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 83(5) GDPR
Article 72 Spanish Data Protection Law (LOPDGDD)
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 03.02.2020
Fine: 50,000 EUR
Parties: VODAFONE ESPAÑA
National Case Number/Name: PS/00275/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The AEPD imposed a fine of EUR 50,000 on Vodafone España, S.A.U. (data controller), due to the breach of its duty of processing personal data according to the principle of confidentiality, as required by Article 5(1)(f) GDPR.

English Summary

Facts

The fine followed a complaint submitted by a Spanish citizen who claimed that the data controller had sent some services invoices to her neighbour, and that, although the letters were clearly addressed to that neighbour on the envelope (name and address), the content included personal data of the complainant (name, national ID number, address, etc).

The data controller did not respond to the AEPD's first request, but it finally did so during the allegations phase and admitted a technical “mistake” in the wrong delivery. It also stated that the technical mistake had been fixed and that, although the data controller may be responsible for its commission, it was not culpable, nor was there any intention.

Dispute

The AEPD had to assess whether the data controller's culpability is decisive for finding a violation and for imposing a fine.

Holding

Based on Article 83(5) GDPR and Article 72 of the Spanish Data Protection Law (LOPDGDD), the AEPD found that the confidentiality principle had been breached and decided to impose a fine of EUR 50,000. The fine was calculated after consideration of the following facts: (1) the breach only affected two individuals and (2) the breach was not significantly harmful, but (3) the data controller is a big company, (4) it showed a significant lack of diligence, and (5) its business is clearly related to personal data.


English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

RESOLUTION OF THE PENALTY PROCEDURE

The procedure instructed by the Spanish Data Protection Agency and based on the following 

FIRST CURRENTS: Ms. A.A.A. (hereinafter, the claimant) filed a complaint with the Spanish Data Protection Agency on March 12, 2019. The complaint is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, the claimant), and in it he states that the operator sends his bills with his personal data to the address of his neighbor. On one hand, the letterhead of the letter contains the claimant's full name and address, but the invoice corresponds to the name, ID card, address, etc. of the claimant. With the letter of complaint, a copy of the letter sent by the complainant is provided.

SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as the GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter referred to as the LOPDGDD).

As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been complained about. Likewise, the following points have been established: This Agency has transferred the present complaint to the one complained about by electronic means, granting him a period of one month for his reply, and it is recorded as the date of acceptance by the latter on 20 May 2019. Once this period of time has elapsed, it has not responded to the request made by this body, and for this reason this claim is admitted for processing with regard to the security measures adopted, and without the entity having responded to the Spanish Data Protection Agency.

THIRD: On 26 September 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 5.1(f) of the GDPR, as defined in Article 83.5(a) of the GDPR.

FOURTH: Having been notified of the above-mentioned agreement to initiate proceedings, the respondent presented written negotiations by letter dated 11 October 2019, and formulated the following allegations in summary: "the complainant states in its complaint that Vodafone sends its invoices to the address of its neighbour, with the details of the neighbour appearing on the letterhead of the letter, but the details of the neighbour appearing on the invoice. The AEPD states in the Agreement to Initiate Proceedings that the company I represent has not responded to the request for information notified to it.

Vodafone, in the first place, wishes to state that after receiving the information request E/5008/2019, Vodafone analysed the complaint and began the necessary steps to solve the problem that had been brought to our attention.

It was verified that, in fact, in the contract of the claimant the address that she had consigned was already her correct one, with the floor 3ºC, but we verified that under the same client ID there was a card that contained both the data of the claimant and those of her neighbor. It is possible that the facts have had some problem in the migration of the data contained in one system to another different system.

In this sense, it is relevant to highlight the repeal of Article 130 of Law 30/1992, of 26 November, on the Legal System of Public Administrations and Common Administrative Procedure. Its replacement by Article 28.1 of Law 40/2015 of 1 October, on the Legal System for the Public Sector, eliminates the mention of "simple failure to comply", making the rule "nullum poena sine culpa" prevail.

This only highlights the lack of room for liability without fault, a principle that governs or should govern in the administrative sphere, as it is a manifestation of the "ius puniendi" of the State, and therefore a liability regime without fault is inadmissible in our legal system. It may not be sanctioned for infringement of article 6.1 of the GDPR, without reference to the subjective element of the type, with neither intent nor fault nor negligence being demonstrated.

Additionally, taking into account the special nature of the sanctioning Law that determines the impossibility of imposing sanctions without taking into account the will of the subject actor or the factors that could have determined the breach of a legal obligation, this party maintains the impropriety of the imposition of any sanction. Thus, the Supreme Court in Judgment of December 21, 1998 (RJ1998/10226) (Appeal 9074/1991), January 27, 1996 (RJ 1996\926) (Appeal 640/1992) and January 20, 1997 (RJ 1997\257) (Appeal 2689/1992)". The Supreme Court also points out in its Judgment of July 20, 1990, Ar. 6163, that, as can be seen, the conduct described does not have any intention of being fraudulent, nor is it culpable. Therefore, in the absence of any culpability, it is inappropriate to impose a sanction on my client, since one of the essential requirements of the administrative law on sanctions is missing.

In the alternative, and in the event that, despite the explanations given above, the Agency considers that it deserves a sanction for the commission of an infringement of Article 6.1 of the GDPR, the amount of said sanction should be moderated, and imposed in a minimum amount, taking into account the following circumstances set out in Article 83.2 of the GDPR. In the alternative, and in the event that, in spite of the explanations given above, the Agency should consider that the party I represent deserves to be penalised for committing an infringement of article 6.1 of the GDPR, the amount of said penalty should be moderated, being imposed as a minimum".

FIFTH: On October 28, 2019, the trial period began, and it was agreed: (a) to consider as reproduced for evidential purposes the claim filed by the claimant and its documentation, and the documents obtained and generated which form part of file E/05008/2019; and (b) to consider as reproduced for evidential purposes the allegations to the agreement of initiation of PS/00275/2019, presented by the denounced entity.

SIXTH: On November 29, 2019, the Proposal for Resolution was issued and notified to Vodafone on December 3 of the same year, for alleged infringement of Article 5.1.f) of the GDPR, typified in article 83.5 of the GDPR, proposing a fine of 50,000 euros. Vodafone presented allegations to the Proposed Resolution, stating that it reiterates the allegations already made to the Initiating Agreement.

Of the proceedings carried out in the present procedure, of the information and documentation presented by the parties, the following have been accredited:

PROVEN FACTS

Of the information and documentation provided by the parties in this procedure, the following facts are accredited.

1. On March 12, 2019, the claimant filed a complaint with the Spanish Data Protection Agency, stating that the operator was sending his bills with his personal details to his neighbour's address. On one hand, the letterhead of the letter contains the details of the neighbour (full name and address), but the invoice corresponds to the name, ID card, address, etc. of the claimant.

2. The AEPD notified the claim, stating the date of acceptance as 20 May 2019, and the entity has not responded to the AEPD.

3. Dated 11 October 2019, the entity complained of during the negotiation period states that the facts are the result of a specific error, that this error has now been corrected and that the data on the complainant's neighbors have been disassociated. It provides a screenshot with the corrected data.

RIGHT FOUNDATIONS

I

By virtue of the powers that article 58.2 of the GDPR recognizes to each control authority, and in accordance with the provisions of articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

The defendant is accused of committing an infringement for violation of Article 5.1.f) of the GDPR, which states that: "1: (...) f) processed in such a way as to ensure adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures"

The infringement of Article 5.1.f) of the GDPR, for which VODAFONE is responsible, is defined in Article 83 of the aforementioned legal text, which, under the heading "General conditions for the imposition of administrative fines", states: "5. Violations of the following provisions shall be punished, in accordance with paragraph 2, with administrative fines of a maximum of 20,000,000 Euros or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is greater: a) The basic principles for treatment, including the conditions for consent under Articles 5, 6, 7 and 9."

Organic Law 3/2018, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), in its article 72, under the heading "Infringements considered very serious", provides: "1.)2016/679 are considered very serious and shall be subject to a three-year limitation period for infringements that substantially violate the articles mentioned therein, and in particular the following: a) The processing of personal data in breach of the principles and guarantees set out in Article 5 of Regulation (EU) 2016/679.

It is important to note that the complainant has provided a copy of the letterhead on which the details of his neighbour (full name and address) appear, but the invoice corresponds to the name, ID card, address etc., of the complainant. Therefore, there is no doubt, given the regulation that violates the duty of secrecy of Article 5.1.f) of the GDPR. It does not comply with the security measures that give rise to the violation of confidentiality in article 5 LOPDGDD.

In order to determine the administrative fine to be imposed in this case, it is necessary to comply with the provisions of Articles 83(1) and 83(2) of the GDPR, which state that 'Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive'.

"Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case.

In deciding whether to impose an administrative fine and the amount of such fine in each individual case, due account shall be taken:

(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage and injury they have suffered
(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures implemented pursuant to Articles 25 and 32
(f) the degree of cooperation with the supervisory authority for the purpose of remedying the infringement and mitigating the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement
(i) where the measures referred to in Article 58(2) have been ordered against the operator or processor concerned with the same case, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to certification schemes approved under Article 42; and
(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial gains or losses avoided, directly or indirectly, through the infringement."

With regard to paragraph (k) of Article 83.2 of the GDPR, the LOPDGDD, Article 76, 'Sanctions and corrective measures', provides: '2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuous nature of the infringement.
b) The link between the activity of the offender and the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the conduct of the affected party could have led to the commission of the infringement.
e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The effect on the rights of minors.
g) The availability, when not mandatory, of a data protection representative.
h) The submission by the person responsible or in charge, on a voluntary basis, to alternative dispute resolution mechanisms in those cases where there are disputes between them and any interested party."

In accordance with the precepts transcribed, for the purposes of determining the amount of the fine that should be imposed on the person claimed to be responsible for an infringement classified in article 83.5.a) of the GDPR, it is estimated that the following factors are present:

- Only two persons have been affected by the conduct of the person claimed.
- The damage caused to those affected by the breach of confidentiality of their data cannot be considered significant.
- The lack of diligence demonstrated by the respondent can be considered significant.
- There is an evident link between the processing of personal data and the activity carried out by the Respondent.
- The respondent is considered a large company.

For the purposes of setting the amount of the penalty to be imposed in this case, it is considered that the penalty to be imposed should be graduated in accordance with the following criteria established in article 76.2 of the LOPDGDD:

- The link between the activity of the offender and the processing of personal data (section b).

The balance of the circumstances contemplated in Article 83.2 of the GDPR, with respect to the infringement committed by violating the provisions of Article 5.1.f) of the GDPR, allows for a sanction of 50,000 (fifty thousand euros), considered as "very serious", for the purposes of the prescription of the same, in 72.1. a) of the LOPDGDD.
Therefore, in accordance with the applicable legislation and having assessed the criteria for the downgrading of the penalties whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE ON VODAFONE ESPAÑA, S.A.U, with NIF A80907397, for an infringement of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR, a fine of 50,000.00 euros (fifty thousand euros).

SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

THIRD: TO WARN the sanctioned party that it must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of Article 5.1.f) of the RGPD. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by means of its payment, indicating the Tax Identification Number of the sanctioned party and the number of the procedure that appears in the heading of this document, in restricted account no. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A. Otherwise, it shall be collected during the enforcement period.

Once the notification has been received, and once it has been enforced, if the enforcement date is between the 1st and 15th of each month, inclusive, the deadline for voluntary payment will be the 20th of the following month or the next working month, and if it is between the 16th and last day of each month, inclusive, the deadline for payment will be the 5th of the second following month or the next working month.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month as from the day following notification of this decision or directly with the Contentious Administrative Court of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.

Finally, it is noted that in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution may be suspended in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. The interested party will also have to send to the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal. If the Agency were not aware of the lodging of the contentious-administrative appeal within the period of two months from the day following the notification of the present resolution, it would terminate the precautionary suspension.