AEPD - PS/00275/2019
|AEPD - PS/00275/2019|
|Relevant Law:||Article 5(1)(f) GDPR
Article 72 of the Spanish Data Protection Law (LOPDGDD)
|National Case Number:||PS/00278/2019|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The AEPD following a complaint imposed a fine of EUR 75,000 on the telecom company, Vodafone España. The data controller did not obtain the consent for the processing of the applicant’s data, as required by [Article 6 GDPR|Article 6 GDPR].
The AEPD examined a complaint submitted by a customer concerning the processing of his data by Vodafone España. The company kept sending him emails after he had expressly withdrawn his consent to the processing of his personal data, and then alleged that it was caused by a computer failure.
The AEPD had to assess whether the culpability constitutes a requirement for imposing an administrative sanction under the GDPR.
The AEPD ruled that by sending the customer/complainant company emails after he had asked them to erase his data file, VODAFONE had illegally processed the his data because of the lack of valid consent under Article 6(1)(a) GDPR. Thus, it imposed VODAFONE a fine of EUR 75,000 under Article 83(5) GDPR, being indecisive whether there was culpability or not in the company’s actions.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Spanish original for more details.
Procedure No.: PS/00278/2019938-051119PROCEDURE RESOLUTION of the procedure instructed by the Spanish Agency of Data Protection and based on the following FIRST: D. A.A.A. (hereinafter, the claimant) on 3 April 2019 filed a complaint with the Spanish Data Protection Agency. The claim is directed against Vodafone España, S.A.U. with NIF A80907397 (hereinafter, the claimant). The reasons on which the claim is based are that he requested the operator to delete his data, and they state: "that once the facts described by the claimant have been analysed, he does not maintain any active service in Vodafone, nor does he have any amounts pending payment". The following documents are attached to the claim: -Answer from the claimant to the Secretary of State for the Information Society and the Digital Agenda dated December 24, 2018.-Emails received by the claimant from the claimant dated November 28, 2018, February 27 and March 28, 2019.SECOND: After the reception of the complaint, the Subdirectorate General of Data Inspection proceeded to carry out previous investigation actions to clarify the denounced facts, having knowledge of the following extremes: On August 28, 2019, the claimant has sent this Agency the following information in relation to the denounced facts:He states that: "due to a computer error in its systems, the complainant's e-mail got "hooked" and continued to be recorded in the form of information communications regarding electronic invoices issued by Vodafone, and that is the reason why he has received these communications".They point out that: "this error has been resolved, so the claimant will not receive any further communication regarding electronic invoices from Vodafone or any other that has not previously consented". On the other hand, they provide a copy of the e-mail they have sent to the complainant to inform him of the above-mentioned aspects.THIRD: On October 4, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the complainant, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 6.Article 83.5 of the GDPR.FOURTH: Having been notified of the above-mentioned agreement to initiate proceedings, the defendant submitted a written statement of objections by letter dated October 16, 2019, in which it summarized the following allegations: "As he answered the request for information received from the Agency, the facts were due to an error in the process of deleting data from our systems. All the data were effectively deleted from all the company's systems with the exception of the mail account in the system for sending billing notices. On the other hand, it is important to emphasize that the fact that the claimant received these notices does not mean that the company I represent was billing him for any service. That did not happen. The sending of invoicing notices is an automatic process that is triggered a few days before the day of the month in which a client's invoicing cycle is fulfilled. This error has already been corrected and the claimant was notified by e-mail, which is attached. In this sense, it is relevant to highlight the repeal of Article 130 of Law 30/1992, of 26 November, on the Legal System of Public Administrations and Common Administrative Procedure. Its replacement by Article 28.1 of Law 40/2015 of 1 October, on the Legal System for the Public Sector, eliminates the reference to "simple non-observance", making the rule "nullum poena sine culpa" prevail.This only highlights the lack of room for liability without fault, a principle that governs or should govern in the administrative sphere, as it is a manifestation of the "ius puniendi" of the State, and therefore a liability regime without fault is inadmissible in our legal system. It may not be sanctioned for infringement of article 6.1. of the GDPR, without reference to the subjective element of the type, with neither intent nor fault nor negligence being demonstrated.Additionally, taking into account the special nature of the sanctioning Law that determines the impossibility of imposing sanctions without taking into account the will of the subject actor or the factors that could have determined the breach of a legal obligation, this party maintains the impropriety of the imposition of any sanction. Thus, the Supreme Court in its Judgment of December 21, 1998 (RJ1998/10226)(Appeal 9074/1991), January 27, 1996 (RJ 1996\926) (Appeal 640/1992) and January 20, 1997 (RJ 1997\257) (Appeal 2689/1992)". The Supreme Court also points out in its Judgment of July 20, 1990, Ar. 6163, that, as can be seen, the conduct described does not have any intention of being fraudulent, nor is it culpable. Therefore, in the absence of any culpability, it is inappropriate to impose a sanction on my client, since one of the essential requirements of the administrative law on sanctions is missing. In the alternative, and in the event that, despite the explanations given above, the Agency considers that it deserves a sanction for the commission of an infringement of Article 6.1 of the GDPR, the amount of said sanction should be moderated, and imposed in a minimum amount, taking into account the following circumstances set out in Article 83.2 of the GDPR. In the alternative, and in the event that, in spite of the explanations given above, the Agency should consider that the party I represent deserves to be penalised for committing an infringement of article 6.1 of the GDPR, the amount of said penalty should be moderated, being imposed as a minimum".FIFTH: On October 25, 2019, the trial period began, and it was agreed: (a) to consider the claim filed by the claimant and its documentation, the documents obtained and generated which form part of file E/05024/2019 and (b), as having been reproduced for the purposes of proof.- to consider as reproduced for evidential purposes, the allegations to the agreement of initiation of PS/00278/2019, presented by the denounced entity.SIXTH: On November 29, 2019, the Proposal for Resolution was issued and notified to Vodafone on December 3 of the same year, for alleged infringement of Article 6.Vodafone presented allegations to the Proposed Resolution, stating that it is reiterated in the allegations already made to the Initiating Agreement. Of the actions carried out in the present procedure, of the information and documentation presented by the parties, the following have been accredited:PROVEN FACTSOf the information and documentation provided by the parties in this procedure, the following facts are accredited: 91º On April 3, 2019, the claimant filed a complaint with the Spanish Data Protection Agency, stating that he had requested the deletion of his data, and they stated: "that once the facts described by the claimant have been analyzed, he does not maintain any active service in Vodafone, nor does he have any amounts pending payment". However, he continued to receive communications from that entity.2 The respondent's reply to the Secretariat of State for the Information Society and the Digital Agenda dated December 24, 2018, states that the claimant does not have any active service with Vodafone, nor does he have any amounts pending payment.3Emails received by the claimant from the claimed party dated 28 November 2018, 27 February and 28 March 2019.4 Dated 16 October 2019, the claimant provides, during the negotiation period, among others, an email sent to the claimant, where he indicates: "We are contacting you in relation to your claim that has been transferred to us by the Spanish Data Protection Agency within file E/05024/2019. By means of this letter, we would like to inform you that the sending of the e-mails to your e-mail account informing you that your electronic invoice is available, is due to a computer error since these communications do not correspond to any service that you have verified.We have corrected this error in order to prevent you from receiving these e-mails again". RIGHT FOUNDATIONS By virtue of the powers that Article 58.2 of the GDPR recognizes to each control authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to resolve this procedure.IISe accuses the defendant of committing an infringement of Article 6 of the GDPR, 'Lawfulness of processing', which states in paragraph 1 that the processing of data from third parties is considered lawful:'1. 1 The processing will only be lawful if at least one of the following conditions is met: a) the data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation, at his/her request, of pre-contractual measures; (...) "In article 4 of the GDPR, Definitions, in its paragraph 11, it states that: "11) "consent of the data subject" means any free, specific, informed and unequivocal expression of will by which the data subject accepts, either by a declaration or a clear affirmative action, the processing of personal data concerning him/her".Article 6, Processing based on the consent of the data subject, of the new Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), also states that: "1.11 of Regulation (EU)2016/679, the consent of the data subject means any freely given, specific, informed and unambiguous expression of his or her willingness to accept, either by declaration or by clear affirmative action, the processing of personal data concerning him or her.2When it is intended to base the processing of data on the consent of the data subject for a number of purposes, it must be specifically and unequivocally stated that such consent is granted for all of them.3The execution of the contract may not be made subject to the consent of the data subject to the processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship".5 a) of the GDPR, considers that the violation of "the basic principles for the treatment, including the conditions for the consent according to the articles 5, 6, 7 and 9" is punishable, according to the paragraph 5 of the mentioned article 83 of the mentioned Regulation, "with administrative fines of 20.000,000 maximum or, in the case of a company, a fine equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is greater".5 of Regulation (EU) 2016/679 are considered very serious and shall be subject to a three-year limitation period for infringements that substantially infringe the articles mentioned therein, and in particular the following:(...) b) Processing of personal data without complying with any of the conditions for the lawfulness of processing set out in Article 6 of Regulation (EU) 2016/679.) "IIIThe documentation in the file offers clear indications that the claimant violated Article 6 of the GDPR, since the aforementioned entity treated the personal data of the claimant illegally, as there was no consent for the processing of his personal data, as evidenced by the reference to his e-mail address communications originating in "email@example.com" and whose subject is "you already have your electronic invoice available". The Contentious Administrative Chamber of the National Court of Justice, in similar cases, has considered that when the owner of the data denies consent, the burden of proof falls on the person who asserts its existence, and the person responsible for the processing of third party data must collect and keep the necessary documentation to prove the owner's consent. Thus, SAN of 31/05/2006 (Rec. 539/2004), Fundamento de Derecho Cuarto, the complainant has provided, among other documents, a copy of Vodafone's reply to the Secretary of State for the Information Society and the Digital Agenda, in which it is stated, "after analysing the facts described by the complainant, that it does not maintain any active service in Vodafone, nor any amounts pending payment", not having authorised that entity to use its electronic mail, as recognised by the complainant himself.In short, it must be pointed out that respect for the principle of legality of the data requires that it must be proven that the owner of the data consented to the processing of personal data and that reasonable diligence must be exercised to prove this. Failure to do so would render the principle of lawfulness null and void. In order to determine the administrative fine to be imposed, the provisions of Articles 83(1) and 83(2) of the Data Protection Regulation must be complied with, which state: '1. Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive. Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. In deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of the circumstances of the case:(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage suffered(e) any previous infringements committed by the controller or processor; (f) the degree of cooperation with the supervisory authority in order to remedy the infringement and to mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent; i) when the measures indicated in Article 58(2) have been previously ordered against the person responsible or the person in charge in relation to the same matter, compliance with those measures; j) adherence to codes of conduct under Article 40 or to certification mechanisms approved under Article 42; and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.In relation to Article 83(2)(k) of the GDPR, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", states that: "2. In accordance with the provisions of Article 83(2)(k) of Regulation (EU)2016/679, the following may also be taken into accountb) The link between the activity of the offender and the processing of personal data.c) The benefits obtained as a result of the commission of the infringement.d) The possibility that the conduct of the person concerned could have led to the commission of the infringement.e) The existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The effect on the rights of minors. g) The availability, when not mandatory, of a data protection representative.h) The submission by the person responsible or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested party".5.a) of the GDPR, for which the respondent is responsible, the following factors are considered to be concurrent: the merely local scope of the processing carried out by the entity being claimed; only one person has been affected by the infringing conduct; the damage caused to the claimant, since the Secretary of State for the Information Society and the Digital Agenda had to file a complaint, and on several occasions the entity was contacted to inform him of the facts without adopting any decision. There is no evidence that the entity had acted fraudulently, although the action reveals a lack of diligence, linking the activity of the offender with the processing of personal data and the number of people affected.In accordance with the indicated precepts, for the purposes of fixing the amount of the penalty to be imposed in the present case, it is considered that the penalty to be imposed should be graduated in accordance with the following criteria established in article 76.2 of theLOPDGDD:-The linking of the activity of the offender with the processing of personal data, (section b). The balance of the circumstances contemplated in article 83.2 of the GDPR, with respect to the infraction committed by violating that established in article 6.1 of the GDPR allows for a sanction of 75,000 euros (sixty-five thousand euros), considered as "very serious", for the purposes of the prescription of the same, in 72.1.a of the LOPDGDD. Therefore, in accordance with the applicable legislation and having assessed the criteria for the downgrading of the penalties whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:FIRST: TO IMPOSE ON VODAFONE ESPAÑA, S.A.U, with NIF A80907397, for an infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, a fine of 75,000.00 euros (seventy-five thousand euros).SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U..THIRD: TO WARN the sanctioned party that it must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of Article 6.1 of the GDPR. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the period for payment of volunteers established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by means of its payment, indicating the Tax Identification Number of the sanctioned party and the number of the procedure that appears in the heading of this document, in restricted account no. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A. Otherwise, it shall be collected during the enforcement period.Once the notification has been received, and once it has been enforced, if the enforcement date is between the 1st and 15th of each month, inclusive, the deadline for voluntary payment will be the 20th of the following month or the next working month, and if it is between the 16th and last day of each month, inclusive, the deadline for payment will be the 5th of the second following month or the next working month.In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties..6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 de lareferida Ley. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. He will also have to send to the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal. If the Agency were not aware of the lodging of the contentious-administrative appeal within the period of two months from the day following the notification of the present resolution, it would terminate the precautionary suspension.