AEPD - PS/00348/2020

From GDPRhub
AEPD - PS/00348/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 58(2)(i) GDPR
Article 83(2)(b) GDPR
Article 83(2)(g) GDPR
Article 83(5)(a) GDPR
Type: Complaint
Outcome: Upheld
Decided:
Published:
Fine: 70000 EUR
Parties: Vodafone Espana
National Case Number/Name: PS/00348/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) fined Vodafone €70000 for transferring a woman’s telephone number to another customer without her knowledge, and without a lawful basis under Article 6(1) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

Vodafone transferred the claimant’s telephone number to another customer, despite the claimant not making a request for Vodafone to do this. In examining the contract for the transfer, the AEPD discovered that the claimant’s signature was missing from the section “signature of old owner”.

Dispute[edit | edit source]

Did Vodafone’s failure to get the claimant’s signature constitute a breach under the GDPR?

Holding[edit | edit source]

The AEPD held that Vodafone violated Article 6(1) GDPR, as they had processed the claimant’s data without a lawful basis.

When setting the amount of the fine, the AEPD considered the negligent nature of the infringement - Article 83(2)(b) - and the fact that the infringement involved the “basic identifiers” of the claimant - Article 83(2)(g) - to be aggravating factors. The fine was reduced to €42000 by Vodafone’s early voluntary payment of the fine, and their waiver of any right to appeal the fine.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                            1/18











     Procedure No.: PS / 00348/2020

RESOLUTION R / 00552/2020 OF TERMINATION OF THE PROCEDURE BY PAYMENT
                                   VOLUNTARY


In the sanctioning procedure PS / 00348/2020, instructed by the Spanish Agency for
Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed
by A.A.A., and based on the following,


                                 BACKGROUND

FIRST: On October 15, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against VODAFONE

SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed:

<<





Procedure Nº: PS / 00348/2020

935-200320




           AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE



       Of the actions carried out by the Spanish Agency for the Protection of

Data and based on the following:




                                     ACTS



FIRST: Mrs. A.A.A. (hereinafter, the claimant) dated May 31, 2019

filed a claim with the Spanish Agency for Data Protection. The
claim is directed against Vodafone España, S.A.U. with NIF A80907397 (in
forward, the claimed or Vodafone).




       The reasons on which the claim is based are that a portability of the

telephone *** TELEPHONE 1 from Movistar to Vodafone. That the claimant warned
both companies that it was a fraudulent act since she had not done
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/18








that request, but that someone had usurped his data to process said
portability.


       However, portability was implemented on April 4, 2019 and has not
gotten response from the aforementioned operators.

       Request that the telephone number be returned to Movistar and that Vodafone cancel the

data of the claimant, and that the person who usurped their data is punished
processed the portability through the Vodafone office located on the street
***ADDRESS 1.


    And, among other things, it provides the following documentation:

     Copy of the claim sheet against Vodafone.

     Copy of "Claim form to fraud team" signed and dated

       04/12/2019 where the Vodafone logo appears, the facts mentioned and
       the following manifestations:

           o That you are not a Vodafone customer.


           o That the line belonged to the husband.

           o That the claimant requests that her line *** TELEPHONE 1 return to

               Movistar.

     Copy of letter addressed to Vodafone sent by the claimant dated 10
       April 2019 where it appears, among others:


           o That he appeared at the Vodafone store at *** DIRECCIÓN.2 on the 3rd of
               April. That he did not receive any collaboration or clarification and portability

               It was carried out as planned, on April 4, 2019.

           o That they annul the portability and erase their data.

           o That he is not and has not been a Vodafone customer.


     Copy of claim in OMIC dated 04/08/2019 being the claimed
       Vodafone.

     Copy of claim in OMIC dated 04/08/2019 being the claimed

       Movistar requesting that they correct the error and carry out a retroportability.

     Copy of attestation no. *** ATESTADO.1 dated April 12, 2019 and signed

       by the complainant.

     Copy of Vodafone's answer to the claim presented before the
       OMIC where it is stated that “Once the facts that it presents in

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/18








        name of Ms. A.A.A., we inform you that a request for
        portability on April 2, 2019 with change of owner through store

        *** SHOP.1, for more information you can contact them directly. "

     Copy of the Claim filed with the Secretary of State of

        Telecommunications and its resolution.

     Copy of the Vodafone Resolution of 12/10/2019.

     Resolution of the Secretary of State for Digital Advancement of 11/15/2019.




SECOND: In view of the facts reported in the claim and the

documents provided by the claimant / of the facts and documents of which he has
this Agency, the Subdirectorate General for Data Inspection
proceeded to carry out preliminary investigation actions for the

clarification of the facts in question, by virtue of the powers of investigation
granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and

in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter LOPDGDD).



       As a result of the investigation actions carried out, it is verified

that the person responsible for the treatment is the one claimed.



       Likewise, the following points are found:


       On July 9, 2019, the complaint was transferred to Vodafone
España, S.A.U., in the proceedings with reference E / 06764/2019. The notification is
done electronically through notific @. No reply received.


       On July 9, 2019, the complaint was transferred to Telefónica
Moviles España, S.A.U., in the proceedings with reference E / 06764/2019. The
Notification is done electronically through notific @.


       On July 24, 2019, Telefónica Móviles España, S.A.U. refer to this
Agency the following information and statements:


    1. That on April 2, 2019 they receive a portability request from Vodafone
        as receiving operator with respect to the line *** TELEPHONE.1



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/18








    2. That as a consequence, they send a notification by SMS to the
       complainant indicating that the portability will be carried out on April 4,
       2019 offering you the possibility of contacting the

       *** PHONE. 2 if you do not want to change company.

    3. That the complainant states that she has not requested portability by providing
       a contact number to request the cancellation being the receiving operator,

       in this case Vodafone, who has to cancel it.

    4. That they did not receive any communication from the receiving operator
       informing of the cancellation of the portability so that on April 4

       carried out portability.

    5. That the complainant contacted them to request retroportability
       indicating that the change of operator had been made without their consent.


    6. That, according to the portability operation, the cancellation process must be
       set up by the receiving operator upon customer request. What
       This procedure was requested repeatedly, but was denied by

       Vodafone as the line did not appear, in the aforementioned company, in the name
       whistleblower, consequently appearing as a cause for denial of the
       retroportability, that the tax identifier does not correspond to the MSISIDN

       entered (IDENT).

       It provides a screenshot where it appears:

            The title "Portability Consultation"


            A record with the data:

                  o Application date: 04/04/2019 11:06:00

                  o MSISDN: *** PHONE. 1


                  o The fields corresponding to name and surname include the
                      of the complainant.

                  o Status Code: Registration denied.


                  o Cause Status: IDENT

    1. That the complainant filed a claim with the OMIC of the City Council of

       *** LOCALITY. 1 dated April 8, 2019 for which the
       Response by letter dated June 20, 2019.

    2. That the portability request was made from Vodafone as operator
       recipient, not from TME as donor operator, so in the assumption of


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/18








        have suffered an identity theft, it is in the receiving operator where
        understand the incident has occurred.


    On November 25, 2019, Vodafone España, S.A.U. refer to this
Agency the following information and statements:

    1. That there is a contract dated April 4, 2019, the date of portability,

        made with Vodafone together with a request for change of ownership, including
        currently said line on the systems in someone else's name.

    2. That the operation was carried out in compliance with all the requirements

        timely and security measures to be considered correct portability and
        not fraudulent.

    3. That the complainant must ensure the security of her personal data and

        take precautions so that a third party does not have access to them.

    4. That currently there are no data related to the complainant in the
        Vodafone systems and databases.


        A copy of the letter addressed to the complainant dated November 21 is provided
        of 2019.

        Screenshots of Vodafone systems are provided where it consists

        among other data:

            ticket *** TICKET. 1

                   or creation date: 08/27/2019


                   or the text “Comments: As of 04/04/2019 it is requested
                       service portability *** PHONE. 1 in the name of A.A.A.

                       with DNI *** NIF. 1 (claimant and former owner of the service)
                       but with change of holder in favor of B.B.B. *** Current NIF.2
                       service owner.


                       The headline A.A.A. indicates that it has been without your consent and
                       requests that your number be returned to you to be able to port it to
                       your previous operator.


                       We check that the service contract appears in docuweb
                       with the data for the request for the portability of the claimant
                       A.A.A .. "


            “Vodafone Customer Interaction Manager” screen where the
               DNI number of the complainant in the NIF section within the sub-window
               of "Search Criteria" which also contains the message "There is no

               results for those search criteria "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/18









       On February 5, 2020, Vodafone España, S.A.U. refer to this
Agency the following information and statements:


    1. That the contract was signed through the distributor *** SHOP.1

       A copy of the contract signed by the client and dated April 2,
       2019 where it consists, among other data:


            Name of the point of sale: *** TIENDA.1 with CIF B76640135

            In the "Client / Company that hires" section:


                  o NIF: *** NIF.2

                  o Name: B.B.B.

                  o Surname: B.B.B.


            In the "Change of Holder" section:

                  o Name and surname former owner: the name and surname are recorded

                      of the complainant.

                  o NIF: the NIF of the complainant appears.

                  o Contact phone: *** PHONE. 1


                      There is no signature in the box titled "Old owner's signature *"

            In the “Portability” section:

                  o Mobile number: *** PHONE. 1


                  o Donor operator: Movistar

            There is a footnote to the contract with the text:


               “The data marked with an asterisk (*) are mandatory. The client
               declares that the data provided is correct and that you have read, know and
               accepts in full the rates that have been delivered, the

               information of the service that has been provided, as well as the
               conditions contained in this document, which govern your

               relationship with Vodafone. "

    1. That, at all times, the person who completed the information that allowed the
       portability was identified as Mrs. A.A.A., being contributed in that sense the

       identity document that allowed the portability process.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/18








    2. That Vodafone acted under the guidelines stipulated in the Security Policy
        internal for the contracting of lines in the contracting modality through

        distributor.

        A copy of the Security Policy is provided in which:

             It consists, among others, of the following text:


               "When by process it corresponds to refer the client to a store
               Vodafone and the owner cannot attend personally, a
               person on your behalf.


               If the management to be carried out requires passing the Security Policy, the
               non-owner person who attends, must provide the access code of
               customer service or all the following data of the owner:


               DNI

               Billing Address

               Last 4 digits of the bank account (if you have a direct debit invoice)


               Except SIM changes. In the sim changes in store is
               mandatory for the holder to come with the Identity Document (DNI-
               NIE) original to be able to change the SIM. "


             There is a table of “When” scenarios to apply Security Policies
               Security and what Security Policy is needed in each scenario.

    1. That when asked in the request for information for the "documentation

        collected in the hiring to prove the identity of the new owner of the
        line and to prove the identity of the claimant. " Vodafone answers:

        "The Agency requests Vodafone" Copy of documentation collected in the

        hiring to prove the identity of the new owner of the line and to
        prove the identity of the claimant. "According to the documentation that
        has been able to collect my represented in terms of portability object of

        analysis in this requirement, it corresponds to the contract the
        which has been previously provided in this document as Document I. "


    2. That they have verified that there are no requests for cancellation of portability
        by the complainant prior to it occurring on date 4
        April 2019. However, they have verified that there is an interaction of the

        April 4, 2019, which contains an attempt to carry out a portability of the
        which is canceled because the data does not match. That the reason for the rejection is "NIF
        of the Portability Request does not coincide with the one that appears in the

        Client"

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/18








    3. That on August 20, 2019 they received a claim filed by the
       complainant before the SETSI body. Who proceeded to reply to the SETSI

       stating that the portability of the service claimed had been carried out
       complying with the current security filters and that notwithstanding the complainant
       could request again the portability of the service claimed to the operator

       as desired.

       A letter is provided addressed to the User Service Office of
       Telecommunications dated August 27, 2019 stating as

       claim *** CLAIM.1

    4. That on December 3, 2019 they received a new claim
       filed by the complainant before the SETSI body. Who proceeded to

       answer the complainant.

       A copy of the letter dated December 10, 2019 and addressed to the
       whistleblower stating:


       "We are writing to you in compliance with the resolution estimated in your favor,
       with file number *** CLAIM. 1

       We wish to inform you that, as established in said resolution, the

       Ms. Peña can request the portability of the service claimed to the operator that
       wishes, you must provide the owner's data in Vodafone B.B.B.
       with DNI NIF.2 which are those that appear in the contract that we attach


       At the time of portability to another operator, you may request the change of
       desired headline.

       On the other hand, we indicate that there is no billing issued in the name of Ms.

       A.A.A. so there is no type of adjustment in this regard. "

       Resolution of the SETSI, dated November 15, 2019, where
   recognizes the right of the claimant to obtain immediate withdrawal from the service not

   requested, as well as not to pay the invoices that Vodafone may have issued.

       Likewise, the right of the claimant to return to the operator is recognized.
   of origin, and regarding the change of ownership, not carried out by the operator,

   estimate the claim, and the operator must proceed to definitively manage
   the change of ownership allowing the claimant to return to their operator of

   origin.








C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/18








FOUNDATIONS OF LAW




I



        By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate

and to solve this procedure.



II




      Article 58 of the RGPD, "Powers", says:



           “2 Each supervisory authority shall have all the following powers
corrective measures listed below:

(…)

b) sanction any person responsible or in charge of the treatment with warning

when the treatment operations have infringed the provisions of this
Regulation;

(...)

d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time frame.


(…)

i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, depending on the circumstances of the case
particular

(…) "



III




      The RGPD deals in its article 5 with the principles that must govern the
treatment of personal data and mentions among them that of "legality, loyalty and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/18








transparency". The precept provides:



      "1. The personal data will be:


         a) Treaties in a lawful, loyal and transparent manner in relation to the
             interested (<< legality, loyalty and transparency >>); "



        Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the
cases in which the processing of third party data is considered lawful:




        "1. The treatment will only be lawful if at least one of the following is met
terms:

      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;

      b) the treatment is necessary for the performance of a contract in which the
      interested is part or for the application at the request of this of measures

      pre-contractual;

      (…) "



      The infringement for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading "General conditions for

the imposition of administrative fines ”, it states:



      "5. Violations of the following provisions will be sanctioned, in accordance
with paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for

the highest amount:



      a) The basic principles for the treatment, including the conditions for the
      consent in accordance with articles 5,6,7 and 9. "



       Organic Law 3/2018, on the Protection of Personal Data and Guarantee of

Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/18








      "1. In accordance with the provisions of article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that

suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:




        (…)

       b) The processing of personal data without the concurrence of any of the
       conditions of legality of the treatment established in article 6 of the
       Regulation (EU) 2016/679. "






IV




      The documentation in the file provides evidence that the
claimed, violated article 6.1 of the RGPD, since it processed the
personal data of the claimant without having any legitimacy to do so.



      The operator Vodafone has carried out the portability of the line of the

claimant, without standing for it.



      The owner of the line, the claimant, warned Vodafone that it was a
made fraudulent, since she had not made the request for portability, but rather
someone had usurped his data to process said portability.




      Despite warning that it was a fraudulent act on several occasions, the
portability was carried out on April 4, 2019.



      Well, in the contract provided by Vodafone, it was found in the
“Change of Holder” section: Name, surname and NIF of the claimant (old

headline). However, and this is essential, there is no signature in the box entitled
"Old owner signature." That is, it is not duly signed and therefore the
claimant has not given consent.



       Based on the foregoing, in the case analyzed, it remains in

the diligence employed by the claimed party questioned.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/18










      Respect for the principle of legality that is in the essence of fundamental right

protection of personal data requires that it be proven that the
responsible for the treatment displayed the essential diligence to prove that
extreme. If this Agency does not act in this way - and if this Agency does not demand it, it is incumbent upon
for compliance with the regulations governing the data protection right of
personal character - the result would be to empty the content of the principle of legality.




V



        In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:




           "Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "



       "Administrative fines will be imposed, depending on the circumstances of

each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question

        as well as the number of affected stakeholders and the level of damage and
        damages they have suffered;

        b) intentionality or negligence in the infringement;

        c) any measure taken by the controller or processor
        to mitigate the damages suffered by the interested parties;

        d) the degree of responsibility of the person in charge of the

        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;

        e) any previous infringement committed by the person in charge or the person in charge of the
        treatment;

         f) the degree of cooperation with the supervisory authority in order to

        remedy the violation and mitigate the possible adverse effects of the violation;

        g) the categories of personal data affected by the infringement;

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/18








        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infraction and, in such
        case, to what extent;

        i) when the measures indicated in Article 58 (2) have been

        previously ordered against the person in charge or the person in charge
        in relation to the same matter, compliance with said measures;

        j) adherence to codes of conduct under Article 40 or to mechanisms
        certification approved in accordance with Article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct

        or indirectly, through the infringement. "


      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

      "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:


  a) The continuing nature of the offense.

  b) The linking of the offender's activity with the performance of treatment of
personal information.

  c) The benefits obtained as a result of the commission of the offense.


  d) The possibility that the affected person's conduct could have led to the
commission of the offense.

  e) The existence of a process of merger by absorption after the commission of the
infringement, which cannot be attributed to the absorbing entity.


  f) Affecting the rights of minors.

  g) Have, when not mandatory, a data protection officer.

  h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which

there are controversies between those and any interested party. "

      In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to fix the amount of the fine sanction to
impose in the present case, the claimed party is considered responsible for
an offense typified in article 83.5.a) of the RGPD, in an initial assessment,

estimate the following factors concurrent.

      As aggravating factors the following:

     - The intentionality or negligence in the offense (article 83.2 b).

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/18








     - Basic personal identifiers are affected (name, data
         bank, the line identifier) (article 83.2 g).


     This is why it is considered appropriate to graduate the sanction to be imposed on the
claimed and set it at the amount of € 70,000 for the violation of article 6.1 of the
RGPD.

       Therefore, based on the foregoing,



       By the Director of the Spanish Agency for Data Protection,




       HE REMEMBERS:






        1. INITIATE SANCTIONING PROCEDURE for Vodafone España, S.A.U.,
           with NIF A80907397, for the alleged violation of article 6.1. of the RGPD

           typified in article 83.5.a) of the aforementioned RGPD.



        2. APPOINT D. C.C.C. as instructor. and as secretary to Mrs. D.D.D.,

           indicating that any of them may be challenged, if applicable,
           in accordance with the provisions of articles 23 and 24 of Law 40/2015, of 1
           October, of the Legal Regime of the Public Sector (LRJSP).




        3. INCORPORATE to the sanctioning file, for evidentiary purposes, the

           claim filed by the claimant and its attached documentation, the
           informative requirements that the Subdirectorate General for Inspection of
           Data sent to the claimed entity in the preliminary investigation phase and

           their respective acknowledgments of receipt.



        4. THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1

           October, of the Common Administrative Procedure of the Administrations
           Public, the penalty that may correspond would be 70,000 euros
           (sixty thousand euros), without prejudice to what results from the instruction.






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/18








        5. NOTIFY this agreement to Vodafone España, S.A.U., with NIF
           A80907397, granting a hearing period of ten business days to

           to make the allegations and present the evidence that it considers
           convenient. In your statement of allegations you must provide your NIF and the

           procedure number in the heading of this
           document.




If within the stipulated period it does not make allegations to this initiation agreement, the same
It may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of

the Public Administrations (hereinafter, LPACAP).



In accordance with the provisions of article 85 of the LPACAP, in the event that the

penalty to be imposed would be a fine, you may recognize your responsibility within the
term granted for the formulation of allegations to the present initiation agreement; the

which will entail a reduction of 20% of the sanction to be imposed in
this procedure. With the application of this reduction, the sanction would be
established at 56,000 euros, resolving the procedure with the imposition of this

sanction.



In the same way, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 56,000 euros and its payment will imply the termination of the

process.




The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the recognition of responsibility, provided that this recognition
of responsibility is made manifest within the period granted to formulate

allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph it may be done at any time prior to the resolution. In
In this case, if both reductions should be applied, the amount of the penalty would be

set at 42,000 euros.



In any case, the effectiveness of either of the two mentioned reductions will be

conditioned to the withdrawal or resignation of any action or remedy in
administrative against the sanction.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/18










In case you choose to proceed to the voluntary payment of any of the amounts


indicated above, 56,000 euros or 42,000 euros, you must make it effective
by entering the account number ES00 0000 0000 0000 0000 0000 open to

name of the Spanish Data Protection Agency in Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the cause of reduction of the amount to which

welcomes.



Likewise, you must send proof of admission to the Subdirectorate General of

Inspection to continue the procedure according to the quantity
entered.




The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of

performances; in accordance with the provisions of article 64 of the LOPDGDD.




Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.




Mar Spain Martí

Director of the Spanish Agency for Data Protection




>>

SECOND: On November 4, 2020, the defendant has proceeded to pay
the sanction in the amount of 42,000 euros making use of the two reductions
provided for in the Initiation Agreement transcribed above, which implies the

acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to

the facts to which the Initiation Agreement refers.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/18








FOUNDATIONS OF LAW

I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said

Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article

43.1 of said Law.

II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric

"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature or it is possible to impose a

pecuniary sanction and other non-pecuniary sanction, but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offense.


3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of

any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased
regulations.


In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00348/2020, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U ..



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 18/18









In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.



936-031219
Mar Spain Martí
Director of the Spanish Agency for Data Protection












































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es