AEPD (Spain) - PS/00356/2020

From GDPRhub
Revision as of 12:00, 24 November 2020 by Francesc Julve (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00356/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 16.11.2020
Published:
Fine: 42000 EUR
Parties: VODAFONE ESPAÑA S.A.U.
National Case Number/Name: PS/00356/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish Data Protection Authority (AEPD) has terminated a sanctioning procedure against VODAFONE ESPAÑA S.A.U. for the advance payment of 42,000 EUR, recognizing its responsibility in an infringement of Article 6 (1) GDPR.

English Summary

Facts

On 9 July 2019, a citizen filed a complaint with the AEPD because he continued to receive emails from Vodafone regarding payments despite the existence of an Arbitration Award prohibiting him from continuing with these communications.

On April 2, 2018, the Galician Institute of Consumer Affairs issued an Arbitration Award stating that Vodafone must stop issuing invoices and that the complainant had caused the definitive cancellation of any type of activated service and that Vodafone must eliminate the complainant's data from any type of database.

On 25 September 2019, the claimant once again sent a letter to the AEPD stating that Vodafone continued to violate its rights by failing to comply with the arbitration award and the order of execution of the arbitration award dated 25 March 2019, issued by the Court of First Instance No. 3 of Pontevedra.

On February 24, 2020, the respondent (Vodafone) stated that the measures set forth in the Arbitration Award were fully executed. Nevertheless, due to a computer error, they continued to send invoice notifications.


Dispute

Is it a breach of Article 6 (1) GDPR to send out invoice mails when the obligation to cease this conduct has been laid down in an Arbitration Award?

Holding

The AEDP considered that the documentation provides evidence that Vodafone infringed Article 6 (1) GDPR since it processed the complainant's personal data without having any legitimacy to do so.

Aggravating circumstances were taken into account when setting the amount of the penalty: -this is an unintentional but significant negligent action identified (Art. 83 (2) (b) GDPR). -basic personal affected (Art. 83 (2) (g) GDPR). -Actions previously committed, as this is not an isolated case as Vodafone had committed similar offences previously (Art. 83 (2) (e) GDPR) -The continuous nature of the infringement attributed to the defendant (Art. 76 (2) (k) LOPDGDD)

For all the circumstances described, the amount of the penalty was set at EUR 70 000.


Comment

Vodafone acknowledged the error and admitted that the reason for sending the emails was a computer error. However, it did not prove that it was entitled to process the complainant's data.

Vodafone acknowledged its responsibility (Art. 85 LPACAP) which resulted in a 20% reduction of the penalty. Furthermore, it carried out the voluntary payment of the proposed penalty before the resolution, so it favoured an additional reduction of 20%.

Therefore, favoured by the two 20% reductions, VODAFONE paid EUR 42000 instead of the initial EUR 70000 in the draft resolution.



Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                            1/12











     Procedure No.: PS / 00356/2020

RESOLUTION R / 00564/2020 OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTARY


In the sanctioning procedure PS / 00356/2020, instructed by the Spanish Agency for
Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed
by A.A.A., and based on the following,

                                 BACKGROUND


FIRST: On October 26, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against VODAFONE
SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed:


<<




Procedure Nº: PS / 00356/2020




           AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE




Of the actions carried out by the Spanish Agency for Data Protection and in
based on the following:




                                     ACTS



FIRST: Mrs. A.A.A. (hereinafter, the claimant) dated July 9, 2019

filed a claim with the Spanish Agency for Data Protection. The
claim is directed against Vodafone España, S.A.U. with NIF A80907397 (in

forward, the claimed or Vodafone).



       The reasons on which you base the claim are that you continue to receive in the

your email address Vodafone emails regarding billing. Yes
On April 2, 2018, the Galician Consumer Institute issued an Arbitration Award
by which it provided, among others, that Vodafone stop issuing invoices and that the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12








claimant causes permanent cancellation of any type of activated service and Vodafone

delete the data of the claimant from any type of database.



        And, among other things, it provides the following documentation:

        1. Estimated arbitration award in favor of the claimant of April 2, 2018 in

            the one that is required from Vodafone:



        a) Proceed to definitively cancel any type of service / s that, in its

            case, had activated with the effects of the date of issuance of this
            Award




        a) Exclude the claimant from any third collection management company and / or
            patrimonial solvency record in which it could have been included

            Vodafone instance.



        b) Delete the personal data of the consumer of any kind

            hiring database. disclosure, advertising or others.




        1. Demand for enforcement of the Arbitration Award filed on June 22, 2018
            before the Court of First Instance nº3 of Pontevedra.




        2. Order to enforce the Award dated March 25, 2019 of the
            Court of First Instance nº3 of Pontevedra.




        3. Copy of the invoice notification emails available

        On September 25, 2019, this Agency received a new
Claimant's brief stating that the respondent continues to violate her

rights by breaching the Arbitration Award of April 2, 2018 as well as the order of
execution of the same dated March 25, 2019.

        And attach the following documentation:





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/3








        New emails dated June 26, July 25,
    August and September 13, 2019 invoice notice available.




        On August 29, 2019, the claim was transferred to the
claimed by requesting information on the facts claimed, and the causes that

have been able to motivate the claim.
        Subsequently, on December 16, 2019, without having received a letter from

allegations submitted by the claimed to the transfer of the claim, it is agreed
admit this claim for processing, and the claimant is notified on January 23,

this year.



SECOND: In view of the facts reported in the claim and the
documents provided by the claimant, the Subdirectorate General for Inspection of

Data proceeded to carry out preliminary investigation actions for the
clarification of the facts in question, by virtue of the powers of investigation
granted to the control authorities in article 57.1 of the Regulation (EU)

2016/679 (General Data Protection Regulation, hereinafter RGPD), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).




        As a result of the investigation actions carried out, it is verified
that the person responsible for the treatment is the one claimed.




        Likewise, the following points are found:



        On February 24, 2020, the respondent stated that the measures issued in

the Award were fully enforced, canceling all contracted services and
removing the personal data of the claimant from their systems.




        They add that due to a computer error they continued to send invoice notices
available at zero cost between June 2017 and September 2019.






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/12








                            FOUNDATIONS OF LAW




                                              I



        By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate

and to solve this procedure.



                                             II




        The defendant is charged with committing an infraction for violation of the
Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the
cases in which the processing of third party data is considered lawful:



        "1. The treatment will only be lawful if at least one of the following is met
terms:


      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;

      b) the treatment is necessary for the performance of a contract in which the
      interested is part or for the application at the request of this of measures
      pre-contractual;

      (…) "


       The offense is typified in Article 83.5 of the RGPD, which considers as such:



      "5. Violations of the following provisions will be sanctioned, in accordance
with paragraph 2, with administrative fines of maximum EUR 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:




      a) The basic principles for the treatment, including the conditions for the
      consent in accordance with articles 5,6,7 and 9. "


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/12








       Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions

considered very serious ”provides:



      "1. In accordance with the provisions of article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:




        (…)

        a) The processing of personal data without the concurrence of any of the
           conditions of legality of the treatment established in article 6 of the
           Regulation (EU) 2016/679. "




                                            III



      The documentation in the file provides evidence that the
claimed, violated article 6.1 of the RGPD, since it processed the
Claimant's personal data without having any legitimacy to do so.




      The respondent has recognized this error and has indicated as the cause that motivated the
sending the emails the one of a computer error and therefore they continued
sending notifications of invoices available at zero cost between June 2017 and

September 2019.



      Well, it is especially important that the respondent continued to send invoices

to the claimant after the estimated arbitration award of April 2, 2018 and the Order of
enforcement of the Award of March 25, 2019, that is, the

personal data of the claimant and communications ceased once the
claimed received the transfer of the claim sent by this Agency on 29
August 2019, which contained the notification emails of new

invoice received by the claimant.

      In any case, and this is the essential thing, the defendant does not prove the legitimacy
for the treatment of the claimant's data.



                                            IV

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/12










      The determination of the sanction to be imposed in the present case requires

observe the provisions of articles 83.1 and 83.2 of the RGPD, precepts that,
respectively, provide the following:




           "Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this

Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "




        "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

administrative and its amount in each individual case will be duly taken into account:

        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question
        as well as the number of affected stakeholders and the level of damage and

        damages they have suffered;

        b) intentionality or negligence in the infringement;

        c) any measure taken by the controller or processor
        to mitigate the damages suffered by the interested parties;

        d) the degree of responsibility of the person in charge of the

        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;

        e) any previous infringement committed by the person in charge or the person in charge of the
        treatment;

         f) the degree of cooperation with the supervisory authority in order to
        remedy the violation and mitigate the possible adverse effects of the violation;


        g) the categories of personal data affected by the infringement;

        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infraction and, in such
        case, to what extent;

        i) when the measures indicated in Article 58 (2) have been

        previously ordered against the person in charge or the person in charge
        in relation to the same matter, compliance with said measures;



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/12








        j) adherence to codes of conduct under Article 40 or to mechanisms
        certification approved in accordance with Article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the

        case, such as financial benefits obtained or losses avoided, direct
        or indirectly, through the infringement. " (The underlining is from the AEPD)



      In order to specify the amount of the penalty to be imposed on the one claimed by

violation of article 83.5.a) of the RGPD, it is essential to examine and assess whether
The circumstances described in article 83.2 of the RGPD concur and if they intervene
mitigating or aggravating the responsibility of the responsible entity.



      In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to fix the amount of the fine to impose
in the present case, the claimed party is considered responsible for an infringement
typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent
the following factors.


      As aggravating factors the following:

        -In the present case we are facing an unintentional negligent action, but
        identified significant (article 83.2 b).


        -Basic personal identifiers are affected (name, a number of
        identification, the line identifier) (article 83.2 g).



         -Any offense previously committed (article 83.2 e).



         -Section k), in relation to article 76.2 of Organic Law 3/2018, in which

         the continued nature of the offense attributed to the
         claimed.


     That is why it is considered appropriate to graduate the sanction to impose on the claimed and
set it at the amount of € 70,000 for the violation of article 6 of the RGPD.


        Therefore, based on the foregoing,



        By the Director of the Spanish Agency for Data Protection,



        HE REMEMBERS:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/8













    1. INITIATE SANCTIONING PROCEDURE for VODAFONE ESPAÑA, S.A.U.,
        with NIF A80907397, for the alleged violation of article 6 of the RGPD

        typified in article 83.5.a) of the aforementioned RGPD.



    2. APPOINT D. B.B.B. as instructor. and as secretary to Dña. C.C.C.,

       indicating that any of them may be challenged, where appropriate, in accordance with
       what is established in articles 23 and 24 of Law 40/2015, of October 1, of
       Legal Regime of the Public Sector (LRJSP).




    3. INCORPORATE to the sanctioning file, for evidentiary purposes, the
       claim filed by the claimant and its attached documentation, the

       informative requirements that the Subdirectorate General for Inspection of
       Data sent to the claimed entity in the preliminary investigation phase and its
       respective acknowledgments of receipt.




    4. THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1,

       bre, of the Common Administrative Procedure of Public Administrations,
       the corresponding penalty would be 70,000 euros (seventy thousand euros),
       without prejudice to what results from the instruction.




    5. NOTIFY this agreement to Vodafone España, S.A.U., with NIF
       A80907397, granting you a hearing period of ten business days so that

       formulate the allegations and present the evidence it deems appropriate. In
       your statement of allegations must provide your NIF and the procedure number
       at the top of this document.




If within the stipulated period it does not make allegations to this initiation agreement, the same
It may be considered a resolution proposal, as established in article

64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/12








In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the

term granted for the formulation of allegations to the present initiation agreement; the
which will entail a reduction of 20% of the sanction to be imposed in

this procedure. With the application of this reduction, the sanction would be
established at 56,000 euros, resolving the procedure with the imposition of this
sanction.




In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which

will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 56,000 euros and its payment will imply the termination of the

process.



The reduction for the voluntary payment of the penalty is cumulative to the corresponding

apply for the recognition of responsibility, provided that this recognition
of responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount

in the previous paragraph it may be done at any time prior to the resolution. In
In this case, if both reductions should be applied, the amount of the penalty would be
set at 42,000 euros.




In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or remedy in

administrative against the sanction.




In case you choose to proceed to the voluntary payment of any of the amounts

indicated above, 56,000 euros or 42,000 euros, you must make it effective
by entering the account number ES00 0000 0000 0000 0000 0000 open to

name of the Spanish Data Protection Agency in Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the cause of reduction of the amount to which

welcomes.







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/12








Likewise, you must send proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity

entered.




The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of

performances; in accordance with the provisions of article 64 of the LOPDGDD.



Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,

There is no administrative appeal against this act.



Mar Spain Martí


Director of the Spanish Agency for Data Protection








>>

SECOND: On November 12, 2020, the defendant has proceeded to pay

the penalty in the amount of 42,000 euros making use of the two reductions
provided for in the Initiation Agreement transcribed above, which implies the
acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to

the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to
the facts to which the Initiation Agreement refers.

                            FOUNDATIONS OF LAW


                                            I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/12








of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the

information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.

                                            II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction, but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offense.


3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation

of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased
regulations.


In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00356/2020, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U ..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/12











day following notification of this act, as provided in article 46.1 of the
referred Law.



                                                                                                936-031219
Mar Spain Martí

Director of the Spanish Agency for Data Protection































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es