AEPD (Spain) - PS/00308/2020

From GDPRhub
Revision as of 10:12, 20 November 2020 by Mh (talk | contribs)
AEPD - PS/00308/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 16.11.2020
Published: 19.11.2020
Fine: 36000
Parties: Vodafone España, S.A.U
National Case Number/Name: PS/00308/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) fined Vodafone for concluding a contract made fraudulently in the complainant's name. This was illegal processing of the complainant's personal data in breach of Article 6(1) GDPR. Vodafone payed the fine of €36000 (guilty, voluntary and early payment).

English Summary

Facts

The complainant filed a complaint before the Spanish DPA (AEPD) against Vodafone España, S.A.U. The complaint was based on the fact that a contract was concluded with Vodafone by someone impersonating the complainant.

The contract bills were in her name but the address and bank account were not hers. The contract with Vodafone did not have the claimant's signature. However, when the bills were left unpaid, Vodafone assigned a debt in the claimant's name.

Once aware of this alleged debt, the complainant notified Vodafone's Customer Service of the potential error. Vodafone was also warned by the OMIC (consumer association) that the complainant had alleged (to OMIC) that this could be a case of identity theft.

Dispute

Does the creation of a contract in the complainant's name, despite it being initiated by a third party, breach Article 6(1) GDPR?

Holding

The Spanish DPA (AEPD) referred to the principle of lawfulness, fairness and transparency (Article 5(1)(a)), as well as Article 6(1) on the obligation to process data with a legal basis. With these Articles in mind, the DPA held that Vodafone processed the complainant's personal data (name, surname and NIF) without taking necessary measures to ensure the legitimacy of the contract. The contract in question was not signed by the claimant. There was therefore no legal basis for the processing, in violation of Article 6(1) GDPR.

The DPA also mentioned that Vodafone had failed to comply with its obligation to be diligent when identifying a legal basis for the processing in line with the principle of accountability (although not directly quoted by the DPA, this passage refers to Article 5(2)).

The Spanish DPA therefore proposed a fine of €60000 on Vodafone for infringing Article 6(1) GDPR. This was then reduced to €36000 as Vodafone accepted responsibility and made a voluntary early payment.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


Page 1
1/12
 Procedure No.: PS / 00308/2020
RESOLUTION R / 00568/2020 OF TERMINATION OF THE PROCEDURE BY PAYMENT
VOLUNTARY
In the sanctioning procedure PS / 00308/2020, instructed by the Spanish Agency for
Data Protection to VODAFONE ESPAÑA, SAU , considering the complaint filed
by AAA , and based on the following,
BACKGROUND
FIRST: On October 8, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against VODAFONE
ESPAÑA, SAU (hereinafter, the claimed), through the Agreement that is transcribed:
<<
Procedure Nº: PS / 00308/2020
935-200320
AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Agency for the Protection of
Data and based on the following:
ACTS
FIRST: Ms. AAA (hereinafter, the claimant) dated March 3, 2020
filed a claim with the Spanish Agency for Data Protection. The
The claim is directed against Vodafone Spain, SAU with NIF A80907397 (in
ahead, the claimed one).
The reasons on which your claim is based are that a
contracting with the claimed entity impersonating its identity.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 2
2/12
Provide the following documentation:
Invoices in your name, but addressed to an address other than yours and different
Bank account.
Claim before the OMIC of Madrid dated February 11, 2020.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(LOPDGDD), which has provided a mechanism, prior to the admission for processing of the
claims made before the Spanish Agency for Data Protection,
consisting of transferring them to the Data Protection Delegates designated by
those responsible or in charge of the treatment, for the purposes provided in article 37
of the aforementioned norm, or to these when they have not been designated, the
claim presented by the claimant to the claimed, so that it could proceed to its
analysis and respond to this Agency within a month.
It is clear that on July 6, 2020, the complained party answered the
transfer of the claim, stating the following:
On the one hand, it indicates that the origin of the claim is the activation of a
series of services in December 2018 that the claimant indicates not knowing. Such
services are associated in the entity's systems to the data of the
claimant.
In turn, it indicates that the fixed line, mobile line, two
mobile plans, with financed terminal, DTV products and Internet products and
television. Provide a copy of the contracts on the lines and the purchase of the terminals
financed without the signature of the claimant.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 3
3/12
He adds that after the activation of the lines they began to generate debt due to
the non-payment of the invoices, until on August 12, 2019 they proceeded to the
deactivation of services due to non-payment of these.
On the other hand, they point out that on February 13, 2020, the claimant filed
complaint form before the Customer Service, claiming that it did not have the
hired lines and you are informed, since they have been deactivated since August 12, that no
the existence of active lines was confirmed.
That on March 13, 2020 the OMIC notified the entity of the claim
filed by the claimant alleging a possible identity theft and on 17
March 2020, through the OMIC itself, asked the claimant, before the
absence of a police report, the provision of a series of documentation by
of the claimant in order to be able to carry out the appropriate investigations in the
Fraud Department and to be able to verify if there was fraud in the hiring, without
to date it has been contributed.
Finally, they state that since the hiring has been processed and
consumption on the aforementioned lines until deactivation by the entity, and
As long as the claimant does not provide the required documentation through the OMIC,
understand that hiring is lawful, real and truthful. That on July 6, 2020 they have
The claimant was once again required to provide said documentation.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 4
4/12
II
The RGPD deals in its article 5 with the principles that must govern the
treatment of personal data and mentions among them that of " legality, loyalty and
transparency". The precept provides:
"1 . The personal data will be:
a) Treaties in a lawful, loyal and transparent manner with the interested party; "
Article 6 of the RGPD, " Legality of the treatment ", details in its section 1 the
cases in which the processing of third party data is considered lawful:
"1. The treatment will only be lawful if it meets at least one of the following
terms:
a) the interested party gave their consent for the processing of their data
personal for one or more specific purposes;
b) the treatment is necessary for the performance of a contract in which the
interested is part or for the application at the request of this of measures
pre-contractual;
(…) "
The infringement for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading " General conditions for
the imposition of administrative fines ”, it states:
"5 . Violations of the following provisions will be sanctioned, in accordance
with section 2, with administrative fines of a maximum of 20,000,000 Eur or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a) The basic principles for the treatment, including the conditions for the
consent in accordance with articles 5,6,7 and 9. "
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 5
5/12
Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading " Infractions
considered very serious ” provides:
"1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:
(…)
a) The processing of personal data without the concurrence of any of the
conditions of legality of the treatment established in article 6 of the
Regulation (EU) 2016/679. "
On the one hand, it is proven that the defendant processed the personal data
of the claimant (name, surname and NIF). Thus, the claimed, when hiring did not have
the necessary precautions to prove the legitimacy of the contractor .
The documentation provided does not certify the contracting by the
claimant, is not signed and did not verify the identity of the claimant.
They also confirm the absence of legitimacy for the treatment, as
they show that there was no contract between the two.
It must be taken into account that the documentation in the file
provides evidence that the complained party violated article 6.1 of the RGPD, whenever
that processed the personal data of the claimant without legitimacy.
The lack of diligence displayed by the entity in complying with the
Obligations imposed by the regulations on the protection of personal data
It is thus obvious. A diligent compliance with the principle of legality in the treatment
third-party data requires that the person responsible for the treatment is in conditions
to prove it (principle of proactive responsibility).
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 6
6/12
In accordance with the evidence available at this time
procedural, and without prejudice to what results from the instruction of the procedure, it is estimated
that the conduct of the complained party could violate article 6.1 of the RGPD
may be constitutive of the offense typified in article 83.5.a) of the aforementioned
Regulation 2016/679.
In this sense, Recital 40 of the RGPD states:
" (40) For the treatment to be lawful, personal data must be processed
with the consent of the interested party or on some other legitimate basis established
in accordance with Law, either in this Regulation or by virtue of another Law
of the Union or the Member States referred to in this Regulation,
including the need to comply with the legal obligation applicable to the person responsible for the
treatment or the need to perform a contract to which the interested party or
in order to take measures at the request of the interested party prior to the
conclusion of a contract. "
III
In order to determine the administrative fine to be imposed, the provisions
visions of articles 83.1 and 83.2 of the RGPD, precepts that indicate :
"Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "
" Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question
as well as the number of affected stakeholders and the level of damage and
damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor
to alleviate the damages suffered by the interested parties;
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 7
7/12
d) the degree of responsibility of the person in charge of the
treatment, taking into account the technical or organizational measures that have
applied by virtue of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the
treatment;
f) the degree of cooperation with the supervisory authority in order to
remedy the violation and mitigate the possible adverse effects of the violation;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement,
in particular if the person in charge or the person in charge notified the infraction and, in such
case, to what extent;
i) when the measures indicated in article 58 (2) have been
previously ordered against the person in charge or the person in charge
in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms
certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct
or indirectly, through the infringement. "
Regarding section k) of article 83.2 of the RGPD, the LOPDGDD,
Article 76, " Sanctions and corrective measures", provides:
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the offender's activity with the performance of treatments
of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the
commission of the offense.
e) The existence of a process of merger by absorption subsequent to the commission of
the infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, with character
voluntary, to alternative dispute resolution mechanisms, in those
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 8
8/12
assumptions in which there are controversies between those and any interested party. "
In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to fix the amount of the fine sanction to
impose the claimed entity as responsible for an infraction typified in
Article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent in
the present case the following factors:
As aggravating factors:
- That the facts that are the subject of the claim are attributable to a lack of
diligence of the claimed party (article 83.2.b, RGPD).
- Basic personal identifiers are affected (personal data
(art.83.2. g) of the RGPD).
- The evident link between the business activity of the claimed and the
processing of personal data of clients or third parties (article 83.2.k, of the
RGPD in relation to article 76.2.b, of the LOPDGDD)
Therefore, based on the foregoing,
By the Director of the Spanish Agency for Data Protection,
HE REMEMBERS:
FIRST: INITIATE SANCTIONING PROCEDURE against VODAFONE ESPAÑA,
SAU with NIF A80907397, for the alleged violation of article 6.1. of the RGPD
typified in article 83.5.a) of the aforementioned RGPD.
SECOND: APPOINT Mr. BBB as instructor and Ms. CCC as secretary ,
indicating that any of them may be challenged, if applicable, in accordance with the
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Public Sector Legal (LRJSP).
THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and his documentation, the documents
obtained and generated by the General Subdirectorate for Data Inspection.
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 9
9/12
The corresponding penalty would be 60,000 euros (sixty thousand euros), without
detriment of what results from the instruction.
FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, SAU with NIF
A80907397, granting him a hearing period of ten business days to formulate
the allegations and present the evidence that it deems appropriate. In his writing of
allegations, you must provide your NIF and the procedure number that appears in the
heading of this document.
If within the stipulated period it does not make allegations to this initiation agreement, the same
It may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the
term granted for the formulation of allegations to this initiation agreement; the
which will entail a reduction of 20% of the sanction to be imposed in
this procedure. With the application of this reduction, the sanction would be
established at 48,000 euros, resolving the procedure with the imposition of this
sanction.
In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the penalty would be established at 48,000 euros and its payment will imply the termination of the
process.
The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the recognition of responsibility, provided that this recognition
of responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the preceding paragraph, it may be done at any time prior to the resolution. In
In this case, if both reductions should be applied, the amount of the penalty would be
set at 36,000 euros.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 10
10/12
In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or remedy in
administrative against the sanction.
In case you choose to proceed to the voluntary payment of any of the amounts
indicated above, 48,000 euros or 36,000 euros, you must make it effective
by entering the account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Data Protection Agency in Banco CAIXABANK,
SA, indicating in the concept the reference number of the procedure that appears in
the heading of this document and the cause of reduction of the amount to which
welcomes.
Likewise, you must send proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity
entered.
The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 11
11/12
>>
SECOND : On November 4, 2020, the defendant has proceeded to pay
the sanction in the amount of 36,000 euros making use of the two reductions
provided for in the Initiation Agreement transcribed above, which implies the
acknowledgment of responsibility.
THIRD : The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to
the facts to which the Initiation Agreement refers.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company
information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.
II
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
" Termination in sanctioning procedures " provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction , but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except for the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offense.
3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 12
12/12
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.
The percentage of reduction foreseen in this section may be increased
regulations.
In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES :
FIRST: DECLARE the termination of procedure PS / 00308/2020 , of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, SAU .
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
936-031219
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es