AEPD - PS/00365/2019
|AEPD - PS/00365/2019|
|Relevant Law:||Article 31 GDPR|
Article 58(1)(e) GDPR
|Parties:||XFERA MOVILES S.A. (YOIGO)|
|National Case Number/Name:||PS/00365/2019|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||Francesc Julve Falcó|
The Spanish DPA (AEPD) imposed a penalty of € 20000 on XFERA MOVILES S.A. for failing to comply with its obligation to cooperate with the supervisory authority under Article 31 GDPR in conjunction with Article 58(1)(e) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
A claimant, an individual, lodged a complaint with the AEPD because he/she found out from his/her bank account that a contract had been entered into in his/her name and with his/her personal data without his/her consent, and also because he/she had been included in a creditworthiness file for an unpaid debt related to the aforementioned contract.
The AEPD requested from YOIGO information on the contracts signed with the claimant, as well as information on the debt that led to its inclusion in a solvency list. In the contracts provided by the claimant, there is no signature of the claimant accepting the content of the contracts.
The AEPD first proposed a sanction for infringement of Article 6 (1) GDPR but withdrew these charges due to the non-existence of the infringement when the complainant responded with allegations and documents which this time, unlike those provided in the evidence phase, were signed by the complainant.
Furthermore, the complainant argued that the events had taken place before the entry into force of the GDPR and the LOPDGDD and would therefore not be the applicable rules. On the other hand, it did not make any reference in its allegations to the breach of Article 31 GDPR in relation to its obligation to collaborate with the data protection supervisory authority.
Dispute[edit | edit source]
Is the failure to cooperate with the data protection supervisory authority a breach of Article 31 GDPR in conjunction with Article 58(1)(e) GDPR?
Holding[edit | edit source]
Having assessed all the various documents provided by the complainant, it seems fair to conclude that, in view of the circumstances of the case, it exercised a minimum and reasonable diligence in identifying the person who signed the contracts and provided as her own the NIE and the name of the complainant.
Furthermore, as regards its duty to cooperate with the supervisory authority, the defendant did not comply with its obligation to cooperate and make allegations regarding the infringement of Article 31 GDPR in conjunction with Article 58(1)(e) GDPR.
The AEPD, therefore, agreed to impose a penalty of € 20000 under Article 83(5)(e) GDPR.
The fact that it acted with an extremely serious lack of diligence when it repeatedly refused to cooperate with the inspection function that the AEPD was carrying out (83(2)(b) GDPR) and the link between the activity of the respondent and the processing of personal data of customers or third parties (83(2)(k) GDPR) were taken into account as aggravating factors.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/26 Procedure No.: PS / 00365/2019 938-300320 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and in based on the following BACKGROUND FIRST: On 08/21/2018 has entry into the Spanish Protection Agency of Data (AEPD) a letter from D.ª A.A.A. (hereinafter, the claimant) in which states that XFERA MÓVILES, S.A., with NIF A82528548 (hereinafter, the claimed or YOIGO) has processed her NIE linked to a mobile phone contract to which she is alien. The claimant states that “I have learned from my bank that with my number of dni there is a mobile phone service contract with the company Xfera Móviles- Yoigo. I have made a claim to the service control department of this company ... ”The documentation you provide reveals that your NIE was communicated by the claimed from the BADEXCUG capital solvency file with registration date March 2014, for an unpaid debt of XXX euros. Annexes to the claim provide these documents: The copy of the "Certificate of registry of citizens of the Union ”, issued by a Spanish authority, in which Among other information are your name and surname, the NIE *** NIE.1 and your address at Spain. A copy of an Ibercheck report according to which, linked to your NIE, there is an annotation of non-payment in the BADEXCUG file, reported by the claimed, with registration date 03/16/2014, for an amount of XXX euros, being the Date of last update of the entry is 08/19/2018. SECOND: In view of the facts presented in the claim, the AEPD carried out actions aimed at its clarification. A. In the framework of file E / 6739/2018, by means of a document signed the 10/02/2018, the claim is transferred to the respondent and it is requested that in the within one month, provide an explanation of the facts set forth therein and detail the measures taken to prevent similar situations from occurring in the future. The writing is notified to the claimed electronically, being the date of placing available on 02/10/2018 and the date of acceptance of the notification on 03/10/2018, as certified by the FNMT certificate in the file. Likewise, in writing signed on 10/02/2018, the AEPD addresses the claimant acknowledging receipt of your claim and communicating your transfer to the claimed. Once the period granted has elapsed without the respondent having responded to the information request, in accordance with the provisions of article 65.2 of the Law Organic 3/2018, Data Protection and Guarantee of Digital Rights C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/26 (LOPDGDD), on 02/19/2019 the agreement for admission to processing of the present claim. B. Pursuant to article 67 of the LOPDGDD, in the framework of file number E / 2053/2019, the Data Inspection of the AEPD carries out actions of previous investigation. The certificates issued by the FNMT that certify that the respondent received the electronic notifications from the two informative requirements that were made to him in the course of the proceedings of previous investigation; requirements of dates 07/17/2019 and 09/23/2019 to those who do not answered. The notifications were accepted, respectively, on dates 07/17/2019 and 09/30/2019. The first of the requirements of the Data Inspection is signed on 07/17/2019. On the same date, the respondent is notified and she accepts the notification. The requirement gave the respondent a period of 15 business days to respond; indicated that the information was requested by the Data Inspection in use of the powers conferred by articles 58.1 RGPD and 67 LOPDGDD; it was reminded of the claimed the obligation imposed by Regulation (EU) 2016/679, General of Data Protection, (RGPD) to collaborate in the performance of the inspection function and He was informed that the breach of this obligation could lead to the commission of an offense typified in article 83.5.e) RGPD. The respondent, in writing that had entry into the Agency's electronic headquarters on 08/07/2019, request an extension of the deadline to respond to the request Information received on 07/17/2019. The AEPD responds on 08/12/2019 and grants the extension of term requested. The Agency's response, notified electronically on that same date, it is accepted on 08/19/2019. This is proven by the certificates of the FNMT that are in the file. The second of the informational requirements that the Data Inspection sent the one claimed was signed on 09/23/2019 and made available at the electronic headquarters On the same date. In it, the defendant was granted a period of five business days to respond and, as in the previous one, he was informed that the information was requested in use of the powers conferred by articles 58.1 RGPD and 67 LOPDGDD, it was recalled the obligation imposed by the RGPD to collaborate to perform the inspection function and that failure to comply with said obligation could involve the commission of an offense typified in article 83.5.e) RGPD by infringement of article 58.1. RGPD. The notification of this second requirement was accepted by the claimed seven days after making it available, the 09/30/2019. No response to the claim from either of the two is received at this Agency informative requirements made by the Data Inspection. On 10/10/2019 the Report of Preliminary Investigation Actions of which we reproduce the following fragment: << 1. On the notification date of July 17, 2019, a request for information to the claimed to provide the following documents: to. Service contract with the claimant. b. Channel and / or place of contracting. Procedure for accreditation C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/26 of identity. c. Identification documentation in your possession. d. Prior payment requirement before the possible inclusion in the file BADEXCUG. On August 7, 2019, it is received at this Agency, with the number of registration 039557/2019, written from the claimed requesting extension of term, proceeding to grant an extension of 5 business days with the date of notification of August 19, 2019. With the notification date of September 30, 2019, the information request granting a new term of five days without of completion of this report has been received in this Agency reply from the claimed. >> THIRD: On 11/19/2019, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure to the claimed in accordance with provided in articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for two violations of the RGPD: The violation of article 6.1. RGPD, typified in article 83.5.a), and article 31, in relation to article 58.1.e), both of the RGPD, typified in article 83.5.e) of the aforementioned Regulation (EU) 2016/679. FOURTH: Notified the initiation agreement -notification accepted by the claimed on 11/20/2019 - submitted allegations on 12/04/2019. The brief of allegations is specified in a previous allegation and two allegations, with the following content: Request -previous allegation- to be transferred of a copy of the file. He states -first allegation- that “... at this time only It is given to state that YOIGO has regularly processed the data of the claimant in under the service contract and, hence, likewise, the regular and ordinary treatment of the relationship between the parties by virtue of the vicissitudes of the contract ”. By last -second claim- states that “once the appropriate documentation has been gathered, it will be sent to the AEPD ”. FIFTH: Under article 53.1.a) LPACAP, the AEPD, in writing notified electronically on 12/13/2019, gives the respondent the full copy of the administrative file requested. SIXTH: In accordance with article 77 LPACAP, dated 06/15/2020, a trial period in which the claim and its attached documentation; the documents obtained and generated by the Services of Inspection of the AEPD before the claimed and the Report of previous actions of Inspection. Likewise, the allegations of the claimed to the agreement to initiate the sanctioning procedure. These procedures are carried out in the evidence process: A. The respondent is asked to provide the documents and prove the facts which are detailed: 1. The copy of the contract that the claimant had signed and the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/26 claimed or, where appropriate, the entity to which the latter would have succeeded. 2. The documentation that proves the existence of an outstanding debt of Payment in the name of the claimant, requiring that she specify the amount owed and the concepts from which the debt derives. 3. Proof of having informed the claimant at the time of signing the contract that, in the event of non-payment of debts, your data could be subject to inclusion in credit and equity solvency files. Or, alternatively, that certify having required the claimant to pay the outstanding debt before the inclusion of your data in BADEXCUG associated with debit positions. The respondent responds to the request for evidence on 06/29/2020. to. To the question formulated in point 1, he answered that "the claimant subscribed" three contracts with YOIGO on 11/21/2013 and that the hiring was carried out in a face being the SFID of the seller *** VENDEDOR.1 which corresponds to "Store ByMobil ”. He adds that the three contracts had a terminal acquired in installments and commitment to stay. Provide a copy of the three contracts that correspond to the numbers *** TELEPHONE.1, *** TELEPHONE.2 and *** TELEPHONE.3 Provides copies of each of the three contracts and, in addition, regarding each one of them sends three copies: for the client, for YOIGO and for the entity financial The three copies are identical to each other, the only difference is that the two The first ones include as an annex the document “Request for portability of mobile numbering ”. The “Registration contract with a terminal financed by BBVA Individuals ”focusing on its structure and most relevant content, but referring to the contract 1. Regarding contracts 2 and 3 we limit ourselves to citing, only, their differences with 1. In contract 1, under the heading “Registration contract with terminal financed by BBVA Individuals ”appears the reference“ nº *** REFERENCIA.1 ”and below this legend: "The data that have an asterisk" * "are essential for Yoigo I can register you. Those with two asterisks "**" are essential for BBVA can process the credit ”. Next, in the section “Point of sale data”, it appears “SFIF ***POINT 1". In the "Your data" section there are the data of the contract holder: *** NAME.1 (first name) *** LAST NAME.1 (last name). Note that this last name is different that of the claimant. The NIE, *** NIE.1, which matches that of the claimant. The date of birth, 08/05/1985; nationality, *** NATIONALITY.1; sex, woman; the address, *** ADDRESS.1 and contact telephone number *** TELEPHONE.3. Just the name, *** NAME. 1, and the NIE match the data of the claimant. Does not match surname or address, which is not the one that appears on the citizens' certificate of the Union that the claimant has provided to the AEPD or in the form of its claim. In the "Services and promotions" section, it is indicated: "Nº YOIGO" ***TELEPHONE 1; “SIM / ICC-ID card No.” *** SIM.1; "Type of contract", "La Infinita 25 ". In the "Product" section, it says: "With mobile / Modem: IMEI *** IMEI.1; "Mark and model: Samsung Galaxy S4 White ”. In the section "Bank details", it appears "Customer account code (IBAN)" and a customer account code that begins with the digits *** XXX and ends with the digits *** XXX. The last of all the sections is "Signatures" and it indicates "Date * I ** 11/21/2013 "and then" Signature * I ** ", which has a blank space, that is, without C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/26 fill in and "Distributor stamp * I **", which also has the space for this purpose in white. Next, "Xfera Móviles, S.A.", which includes in the space for for this purpose, a heading and "Banco Bilbao Vizcaya Argentaria, S.A.", which also incorporates a rubric. The copies of the contract 1 intended for the client and YOIGO are accompanied by an annex: The "Mobile Numbering Portability Application". This document includes this legend: “Important: For your current operator to accept the request for portability you must fill in all the sections ”. In the "Operators" section there is "Date", "11/21/2013 10:43"; “Donor Operator: Vodafone” and “Receiving Operator: YOIGO ”. The "Type of request" section includes, among other information, the "Telephone number (MSISDN) *** PHONE. 1. In the "Customer data" section, the same as those listed in the contract in the "Your data" section. Finally, in the "Signature" section, it appears "Date 11/21/2013 10:43" and then the indication "Applicant's signature" without that there is no signature on the document. None of the copies (for the customer and for YOIGO) that are sent are signed by the applicant. Contract 2, “Registration contract with terminal financed by BBVA”, differs from contract 1 in the following elements: The reference "Nº *** REFERENCE.2" corresponds to it. In the section "Services and promotions ”appears as“ Nº Yoigo *** TELEPHONE.2 ”. While the remaining Sections are identical to those of contract 1, described above, we must emphasize that in the last section, "Signatures", after "Date * I ** 11/21/2013", the spaces intended for the "Signature * I **" and the "Distributor Seal * I **" are blank, without fill in. Regarding the document "Mobile number portability request", annex to contract 2, of which the complainant sends us a copy for the client and for YOIGO, the differences in relation to the same document annexed to contract 1 are the following: In the heading "Operator", everything is the same except for the time, figure "11:29". Under the heading "Type of request", among others, the "Telephone number (MSISDN) *** PHONE. 2. It should be noted that in the "Signature" section, after "Date: 11/21/2013 11:29", as happens in the same document attached to the contract 1, the box for “Applicant's signature” is blank and without fill in. Contract 3, "Registration contract with terminal financed by BBVA", differs from 1 and the 2 in the following elements: The reference “Nº *** REFERENCE.3” corresponds to it. In the section "Services and promotions ”appears as“ Nº Yoigo *** TELEPHONE.3 ”. While the remaining sections are identical to those of contracts 1 and 2 described above, we must underline that in the last section, "Signatures", after "Date * I ** 11/21/2013", the spaces intended for the "Signature * I **" and the "Distributor Seal * I **" are blank, without fill in. Annex to contract 3, the complainant sends us the document of "Request for portability of mobile numbering ”, (copies for the client and for YOIGO). The differences with respect to the same document annexed to contracts 1 and 2 are the following: In the heading "Operator", everything is the same except for the time, figure "19:00". In the heading "Type of request", among other elements, the "No. of phone (MSISDN) *** PHONE. 3. It should be noted that in the "Signature" section, after of "Date: 11/21/2013" "19:00", as well as the same document attached to the contracts 1 and 2, the "Applicant's signature" box appears blank and unfilled. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/26 b. The respondent answered the second question that was asked that the Claimant had requested in December 2013 the portability to a third operator, thereby breaching the commitments of permanence assumed, which implied the early expiration of deferred payments for the amount stated on the invoice, amount that comes essentially from the installment acquisition of three terminals mobiles. Provide a copy of the invoice number *** FACTURA.1, issued on 01/01/2014, which corresponds to December 2013. The amount invoiced amounts to 1,856.30 euros. The invoice includes the services and products linked to these lines: *** TELEPHONE.1, *** TELEPHONE.2 and *** TELEPHONE.3. The invoice contains the data of the owner of the three contracts, that is, those that They are included in the "Your data" section of the three contracts provided. Of the data incorporated into the invoices only coincide with the name of the claimant, *** NAME. 1. The last name does not match, nor does the address, which is different from the that appears in the certificate of citizens of the Union that the claimant has provided to the AEPD and in the complaint form submitted to this Agency. c. The respondent answered the third question asked in the test phase that in the eighth clause of the general conditions of any of the three contracts that he had provided, the client was informed that “in case of not attending punctually their financial obligations to YOIGO, in accordance with provided for in the contract, YOIGO may communicate your identification data, together with all those related to debt pending payment, to entities dedicated to the provision of information services on financial solvency and credit, .. " B. The Experian Bureau de Crédito, S.A. was requested (Experian) to forward the information and documentation detailed: 1. Printed copy of all the information that will appear in the solvency file BADEXCUG, associated with the personal data of the claimant -name, two surnames and NIF-, which had been informed by the claimed. 2. Copy of the documentation regarding the rights of access and cancellation that the claimant would eventually have exercised before her. Experian responds in writing dated 07/08/2020 that it has an entry in the Agency registration on 07/13/2020. It states that on that date there is no BADEXCUG, associated with the NIF, name and two surnames of the claimant, none unpaid transaction. But he adds that, in the "History of Updates of the file BADEXCUG ”contains this information regarding unpaid transactions associated with Claimant's NIF: There is an operation, number 5658833, reported by YOIGO, for a telecommunications service, whose debt was registered in BADEXCUG on 03/16/2014, for an unpaid amount of 1,856.30 euros and the 12/09/2018, the debit balance being the same amount on that date, as consequence of the “automatic update of the data file sent by the reporting entity ”. SEVENTH: On 10/07/2020 the resolution proposal of the sanctioning procedure PS / 00365/2019 formulated in these terms: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/26 << FIRST: That the Director of the Spanish Agency for Data Protection sanction XFERA MÓVILES, S.A., with NIF A82528548, for two infractions of the article 6.1. RGPD, letters b) and f), typified in article 83.5.a) RGPD, with a fine administration of 100,000 euros (one hundred thousand euros). SECOND: That the Director of the Spanish Agency for Data Protection sanction XFERA MÓVILES, S.A., with NIF A82528548, for a violation of the article 31 RGPD, in relation to article 58.1.e, RGPD, typified in article 83.5.e) of the RGPD, with an administrative fine of 20,000 euros (twenty thousand euros) >> The certificate issued by the FNMT, which is in the file, certifies that the Proposal for a resolution was notified and accepted by the complainant on 10/07/2020. EIGHTH: The respondent submits her brief of allegations to the proposal of Resolution on 10/21/2020 in which it requests that the file be archived sanctioner. Provides, attached to its brief of allegations, documentation of great relevance to the effects that concern us that he claims to have received "from his logistics provider" "in the time elapsed since the test phase ”. They are the following documents: 1. A "Certificate of Registration of Citizens of the Union" that incorporates two Sometimes, at the beginning and at the bottom of the text of the document and within a box, this note: "Notice: Invalid document to prove the identity or nationality of the carrier". The text of the document is as follows: “The person in charge of the Central Registry of Foreigners from the Provincial Police Station of *** LOCALITY. 1 CERTIFIES: That, of in accordance with the provisions of articles 3.3 and 3.7 of Royal Decree 240/2007, of February 16, and bearing in mind that this document only proves the registration in the Central Registry of Foreigners if it is presented together with the passport or valid identity document, the person indicated below, has requested and obtained its registration in the Central Registry of Foreigners (...) as Community resident in Spain, since 11/15/2010: Mr. *** NAME.1 ***LASTNAME 1; born on 08/05/1985, in *** LOCALIDAD.2 (*** COUNTRY.1); son of Gabriel and Viorica. Nationality: *** COUNTRY. 1. Address: street *** ADDRESS. 2. Number Foreigner Identity (NIE) *** NIE. 1. 2. A bank receipt issued by BBVA corresponding to a debt for direct debit account in which the "payer" is Vodafone España, S.A.U., and the "Owner" *** NAME.1 *** LAST NAME.1. The document indicates that it is a “Duplicate of receipt dated 11/12/2013 ”,“ charged to Vodafone ***** XX account ”. It includes the following personal data: “*** NAME.1 *** SURNAME.1. *** ADDRESS. 1, the date 11/12/2013 and the XXX client current account finalized in the digits XXX. 3. Copy of contracts with reference numbers *** REFERENCE.1, *** REFERENCE.2 and *** REFERENCE.3 (which are identified in the Proven Facts, respectively, as contracts number 1, 2 and 3) In all of them, the data of the contracting parties, the object of the contract and the date of conclusion, as well as the contractual stipulations, are identical to those that appear in the contracts that the The complainant referred to the Agency in its response to the requested evidence. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/26 However, there are substantial and highly relevant differences between those contractual documents sent by the claimed in the testing phase and the contracts that he now contributes with his allegations to the resolution proposal. These, to Unlike the previous ones, they are signed by the client and bear the seal of the distributor with whom the contract was formalized. Signature and stamp appearing on all copies that it contributes and with respect to each of the three contracts. Contributes Also, with respect to each of the three contracts, the corresponding copy of the Mobile Number Portability Request (copy for YOIGO) that, unlike the one that had been sent in the test phase, it is signed by the applicant for the portability. The defendant states that, "in view of the new documents provided," it has it was proven that it had a legal basis that legitimized the treatment of "the personal data of the person who hires" and who, in addition, has been able to demonstrate that extreme, thus complying with the principle of responsibility proactive. It concludes, on the one hand, that while it has provided the corresponding signed contracts, a bank receipt and the certificate of registration of citizens of the Union with the data of the person who appears as the owner of the contracts, there is no infringement of article 6.1.b) RGPD. On the other, that "the existence of these contracts properly formalized enables my client, in case of non-payment, to communicate the data of the person who signed the contract and accrued invoices to the capital solvency files based on their legitimate interest (article 6.1.f) ”. Add, In addition, that it has complied with the provisions of article 20 LOPDGDD, since the debt reported to BADEXCUG was true, expired and enforceable; the person was informed contracting party in clause 8.5 of the General Conditions of the contract of the possibility to include your data in solvency files and enter the expiration date of the obligation (01/07/2014) and the date of withdrawal from BADEXCUG (12/18/2018) have not after five years. In consideration of which it states that there is no violation of article 6.1.f) RGPD. The third point invoked by the respondent in her allegations refers to the accreditation of the identity of the contractor. He states that "In the light of documentation provided, in combination with the events that occurred, it can be stated that a correct identification of the person who hires was made ”. On the identification of the person who signed the three contracts with the distributor, the complained party states that it has provided a Certificate from the Citizens of the Union in which data such as NIE, date of birth, the name and surname, among others. That, in addition, the data collected in the Certificate of the Union Citizen Registry match those that appear on the receipt bank domiciliary debt provided by the person who contracted the services with object of proving that she was the owner of the direct debit bank account. What i know adds that the information contained in the number portability request mobile, of which he has sent copies to this Agency, coincides with the one that appears in the alluded certificate. All this, he says, without losing sight of the fact that “the hiring was face-to-face and the person in question had to provide the documentation in hand, such as the handwritten signature of contracts ”. The last allegation (fourth) of the allegations to the motion for a resolution is C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/26 refers to the "violation of the principles of non-retroactivity and typicality" in which the understanding of the claimed would incur to sanction it in the terms provided in the initial agreement and in the resolution proposal. This extreme is, in his opinion, another of the reasons that determine that the AEPD should proceed to file the file sanctioner. After citing articles 2.3. of the Civil Code -retroactivity of the laws- and 99.2 of the RGPD -which provides that it will be applicable as of May 25, 2018- concludes that “Therefore, the events that occurred prior to that date have no place in the same". He then says that the “recruitment in which the claim that initiates this procedure ”took place in November 2013 and the communication by YOIGO of the contractor's data to the BADEXCUG file in March of 2014. Dates on which “the RGPD had not even been approved and the LOPDGDD. In other words, the LOPD would be applicable ”. Therefore, after invoking the principle of non-retroactivity as the basic foundation of our legal system, states that "any claim to assess some events that occurred in 2013 and 2014 under the prism of the RGPD approved in 2016 and applicable from May 25, 2018 it is completely contrary to the fundamental principles of our order legal". It considers that, in the present case, it would be appropriate to apply Organic Law 15/1999, Data Protection, because it is more favorable to that party and argues to this end that "in sanctioning, criminal or administrative law, in the event of a collision of two norms whose temporary validity has been different, being able to apply any of them, is a basic principle of law that the one that is most favorable to the defendant applies ”. And the norm more favorable is the LOPD "in force at the time of the events", since, pursuant to it, “specifically to its article 47, the facts that are the object of this procedure would be prescribed from 2017 ”. Reason for which, the respondent alleges, "The filing of this procedure also proceeds under this reasoning." It is highlighted that the allegations to the proposed resolution presented do not include no mention of the second of the offenses attributed to the claimed in this sanctioning file, the violation of article 31 RGPD, in relation to 58.1.e) RGPD, typified in article 83.5.e). NINTH: The suspension of administrative deadlines agreed by Royal Decree 463/2020 affected the sanctioning procedure PS / 365/2019 whose initiation agreement was had signed on 11/19/2019. The calculation of terms was resumed, according to the Real Decree 463/2020, dated 06/01/2020. Royal Decree 463/2020, “by which the state of alarm is declared for the management of the health crisis caused by Covid 19 ”(BOE of 03/14/2020) established in the third Additional Provision, "Suspension of administrative terms": "1. Terms are suspended and deadlines for processing the procedures of public sector entities. The calculation of the terms is will resume at the moment in which this royal decree loses force or, in its case, the extensions thereof. 2. The suspension of terms and the interruption of terms shall apply to the entire C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/26 public sector defined in Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations. " Royal Decree 537/2020 (BOE of 05/23/2020), establishes in article 9, "Administrative periods suspended by virtue of Royal Decree 463/2020, of 14 March": “With effect from June 1, 2020, the calculation of the deadlines administrative offices that have been suspended will be resumed, or restarted, if envisaged in a norm with the force of law approved during the term of the state of alarm and its extensions ”. Thus, the date of maximum duration of the procedure PS / 365/2019, as provided in article 64.2 of the LOPDGDD and applied the rules of the Royals Decrees 463/2020 and 537/2020, is on 11/05/2020. In view of everything that has been done, the Spanish Data Protection Agency will consider, in the present sanctioning procedure, the following PROVEN FACTS 1.-The claimant declares that she has heard from her financial institution that, linked to your NIE, there is a contract with the claimed entity. Contribute with your denounces the copy of an Ibercheck document that informs that in the file BADEXCUG there is a non-payment annotation linked to your NIE, communicated by YOIGO on 03/16/2014. 2. Work in the file, provided by the claimant, the copy on both sides of the document, issued by a Spanish authority on 01/02/2017, called "Certificate of registration of citizens of the Union." The certificate contains the name of the claimant - *** NAME.1-; your last name - *** LAST NAME. 2-; your NIE, *** NIE.1; its nationality, *** COUNTRY.1 and your address in Spain -plaza *** ADDRESS.3 -. The document informs that the owner is a community resident in Spain since 04/09/2014. The reverse of the document reads: “This certificate is issued in accordance with the provisions of articles 3.3 and 7.1 of Royal Decree 240/2007, of February 16, and taking into account that this document only proves the registration in the Registry Foreigner Central of the General Directorate of the Police, if not presented in union of the passport or identity document ”. 3.- The respondent states that the complainant signed with her on 11/21/2013, in a in person at a distribution company - “Tienda Bymobil”, with SFID *** VENDEDOR.1- three telephony contracts that each include the acquisition of a terminal Samsung Galaxy s4. It has stated that “YOIGO has regularly processed the data of the claimant under the service contract and, hence, also, the treatment regular and ordinary relationship between the parties by virtue of the vicissitudes of the contract". C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/26 4.-The respondent has provided copies of each of the three contracts that allegedly the claimant held with YOIGO, which deal with the service of telephony, after portability of the numbering from VODAFONE, and on the purchase in installments, for each of the three lines whose service is contracted, of a mobile brand and model Samsung Galaxy S4, white color, being subject to the financial advantages of acquiring the terminals for maintenance by the contracting of the commitment of permanence. Each contract is identified by a reference: The one we have called contract 1, bears the reference *** REFERENCE. 1 and corresponds to the line number ***TELEPHONE 1. The one we have called contract 2, has the reference *** REFERENCE. 2 and corresponds to the line *** PHONE. 2. The one we have called contract 3 carries the reference *** REFERENCE. 3 and corresponds to the line telephone number *** TELEPHONE. 3. 5.- In the three contracts, the owner's data is reflected in the “Your data” section. The name of *** NAME.1 consists; surname *** SURNAME. 1 -different therefore that of the claimant-; the NIF *** NIE.1; nationality, *** COUNTRY.1 and an address in *** ADDRESS. 3, other than the one included in the Union Resident Certificate of the claimant and the one who provided with their claim. 6.- All contracts include in the header, under “Contract for registration with terminal financed by BBVA Particulares ”and the reference number that identifies it, this legend: "The data that have an asterisk" * "are essential for Yoigo to give you high. Those with two asterisks "**" are essential for BBVA to be able to process the credit ”. In the three contracts, in the last of the sections, “Signature”, the following appears: "Signature * I **", the space is blank. "Distributor stamp * I **", the space is in White; "Xfera Móviles, S.A.", in the three copies the same heading appears. "Bank Bilbao Vizcaya Argentaria, S.A. ”, the same heading is incorporated in the three contracts. 7.- Experian Bureau de Crédito, S.A., has reported that in the History of Updates to the BADEXCUG File is registered that the complainant communicated to the said solvency file, associated with the NIE *** NIE.1, with registration date 03/16/2014, an unpaid transaction for a debit balance of 1,856.30 euros from a telecommunications service. Experian Credit Bureau. S.A., has reported that this operation was canceled from BADEXCUG on 12/09/2018, as a result of the “automatic update of the data file sent by the reporting entity ”. 8.- During the information process prior to the agreement of admission for processing of the claim that concerns us, the AEPD went to the claimed and requested its collaboration. The request was communicated to him by writing dated 10/02/2018 notified electronically, the notification being accepted by the claimed on 10/03/2018. To evacuate this procedure, the respondent was granted a period of one month. The defendant did not respond to the AEPD's request for information. 9.- The Data Inspection of the AEPD, within the framework of the actions of prior investigation E / 2053/2019, made two requests for information to the claimed on dates, respectively, 07/17/2019 and 09/23/2019. The certificates C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/26 issued by the Electronic Notifications and Electronic Address Service Authorities of the FNMT that work in the file certify that both requirements were received by the claimed electronically on 07/17/2019 and 09/30/2019, respectively. The respondent did not respond to any of them. 10.- The two informative requirements of the Data Inspection, dates 07/17/2019 and 09/23/2019, granted the respondent to evacuate this process, respectively, a period of 15 days and five days and in both writings it was put in your knowledge that the information was requested in use of the powers conferred on the AEPD Data Inspection by articles 58.1 RGPD and 67 LOPDGDD and that, the claimed being obliged by the RGPD to collaborate in the performance of the inspection function of the AEPD, failure to comply with this obligation could entail an infringement of the data protection regulations typified in article 83.5.e, RGPD. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48.1 of the LOPDGDD, The Director of the Spanish Data Protection Agency is competent to solve this procedure. II It is necessary to analyze, first, the argument invoked by the claimed in the fourth section of his allegations to the motion for a resolution regarding the "Violation of the principles of non-retroactivity and typicality" in which, in his opinion, the AEPD would incur if it issued a sanctioning resolution in the terms of the agreement of initiation and of the proposed resolution. It adds that the rule applicable to the facts the claim is about the LOPD and that under the aforementioned Law Organic the imputed infraction would be prescribed. To this end, the respondent states that the “contract in which it has its origin of the claim that initiates this procedure ”took place in November of the year 2013 and the communication by YOIGO of the contractor's data to the BADEXCUG file in March 2014. Based on these proven facts; from the beginning of non-retroactivity of the laws established in article 2.3 of the Civil Code and, taking considering that article 99.2 of the RGPD provides that the Regulation will be applicable as of May 25, 2.018, reaches the conclusion that “Therefore, the events that occurred prior to that date have no place in it ”. On the basis of the principle of non-retroactivity, which would prevent the application of the GDPR and LOPDGDD, warns that "any claim to assess some events that occurred in 2013 and 2014 under the prism of the RGPD approved in 2016 and applicable from 25 May 2018 is completely contrary to the fundamental principles of our legal system". The respondent considers that, if any rule is applied to conduct that is object of assessment in the sanctioning file, this should be the Organic Law C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/26 15/1999, on the Protection of Personal Data, LOPD, which - it says - is what it was "in force at the time of the events." And the application of the LOPD, in the opinion of the claimed, would determine the file of the file because, in his opinion, under of article 47 LOPD the infraction would be prescribed from the year 2017. However, in addition to underlining that the preceding allegations of the claimed refer only to one of the infractions of the regulations for the protection of data attributed to it in the initiation agreement and in the proposed resolution -that is, the violation of article 6.1, b) and f) of the RGPD- and they are not applicable to the infringement of article 31, in relation to 58.1.e) RGPD that is also charged, it seems necessary to make these clarifications: The legal argument used by the claimed to request the application of the LOPD is that "in sanctioning, criminal or administrative law, in the event of a collision of two norms whose temporary validity has been different, being able to apply any of them, it is a basic principle of law that the one that is more favorable to the prisoner ”. Reason why, he says, the LOPD should be applied as it is the norm more favorable. This hypothesis, however, contemplates the assumption in which the behavior offending is committed under the validity of a rule and the procedure through which the existence of criminal or administrative sanctioning responsibility is clarified develops while a different substantive rule is in force. In such a case, although under of the principle of non-retroactivity of the rules, the substantive rule must be applied in force when the events were committed, the principle of “retroactivity of the more favorable sanctioning provisions ”-principle that the Constitutional Court considers included, a sensu contrary, in article 9.3 of the Spanish Constitution- allows the alleged perpetrator to choose the law that is later than the made in time, whenever it is more favorable to you. Retroactivity of the standard most favorable sanctioning procedure that includes article 26.2 of Law 40/2015 of the Regime Public Sector Legal: “2. The sanctioning provisions will produce effect retroactive insofar as they favor the alleged offender or the offender, both in terms of the classification of the offense as well as the sanction and its limitation periods, even with respect to the sanctions pending compliance when the new layout." The argument invoked by the respondent cannot be extrapolated to the matter that we occupies. The only substantive rule that should be applied in the present case is the RGPD because this is the rule that is in force when the procedure begins sanctioner and, at the same time, the rule in force at the time in which it is understood committed the offense, according to the doctrine of the Supreme Court (for all, STS 04/17/2002. Rec. 466/2000) The claimed -which insistently affirms that LOPD was “in force in the moment of the events ”; that the contract from which they bring causes the events that occurred dates from November 2013 and that the inclusion in the BADEXCUG solvency file was produced in 2014- forget to mention elements that are decisive in this Question: That it will not be until 12/09/2018 when you cancel the BADEXCUG file the incident reported to that solvency file associated with the claimant's NIF, which which implies that until that date, at least, it would have continued to process the data Claimant's personal information. End to be put in relation to the individual C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/26 operation of solvency files. So that the annotations communicated to these files remain active, the reporting creditor must confirm the inclusion periodically -periodicity which in the case of BADEXCUG is weekly- because, if not If so, the annotation is removed from the file automatically. Maintenance in the BADEXCUG file until 12/09/2018 of the annotation linked to the NIE of the complainant that YOIGO had communicated in 2014, necessarily presupposes that the claimed entity processed until that date, at least, the personal data of the claimant. In short, although the treatment of the claimant's personal data by the claim started before the LOPD and RGPD existed -in 2013 the contracting and in 2014 the inclusion in BADEXCUG- and being in force the LOPD, the alleged infringement attributed to the claimed -classified as a violation of article 6.1., Sections b) and f) RGPD- participates in the nature of the so-called permanent infractions, in which the consummation is projected in the longest time beyond the initial fact and extends, violating data protection regulations, during the entire period of time in which the data is processed. Well, in offenses of this nature, the rule that is in effect when the offending conduct ends, being that the date on which the offense is understood to have been committed. The Supreme Court has ruled on which rule should be applied in those cases in which the infractions are prolonged in time and there have been a regulatory change while the offense was being committed. The STS of 04/17/2002 (Rec. 466/2000) deals with a case in which a provision was applied that was not in force at the initial moment of commission of the offense, but in the subsequent ones, in which the offending conduct continued to occur. The Judgment examined a This course related to the sanction imposed on a Judge for breach of their duty to abstain from preliminary proceedings. The sanctioned alleged no effective when the events of article 417.8 of the LOPJ applied occurred. STS considered that the offense had been committed since the date of initiation of the Preliminary Proceedings until the moment when the Judge was suspended in the exercise of their functions, in which the provision was already in force, so that rule was applicable. In the same sense, the SAN of 09/16/2008 is pronounced (Rec. 488/2006) Consequently, the date on which we must understand that the alleged violation of article 6.1, sections b) and f) RGPD, attributed to the complained party, is that of the moment in which it ends, which with the available information would be 12/09/2018. On that date, the current data protection regulations were the RGPD and the LOPDGDD (entered into force on 12/07/2018). And the Organic Law, regarding the limitation periods, provides that very serious offenses have a period of three-year prescription (article 72) Thus, the application of the RGPD to the facts on which the claim is concerned in no case violates the principle of non-retroactivity. On the other hand, since the RGPD is the applicable norm, the alleged infringement of the article 6.1. RGPD attributed to the claimed in no case would have prescribed, so the prescription could not serve as a legal basis for filing the file that the complained party requests the proposed resolution in its allegations. At the same time, with regard to the violation of article 31, in relation to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/26 article 58.1.e, both of the RGPD, typified in article 83.5.e) RGPD that also was attributed to the defendant in the initiation agreement -imputation that was confirmed in the motion for a resolution- it should be noted that the conduct in which such infringement occurred during the year 2019, the RGPD in force. Remember that the agreement to admit the claim to processing was signed on 02/19/2019 and that the informative requirements of the Data Inspection to which the complainant does not Responded are dated 07/17/2019 and 09/23/2019. In such a way that, regarding this infringement, it is not appropriate to raise either the violation of the principle of even less that of non-retroactivity of the rules. III In the agreement to initiate the disciplinary proceedings, the claimed two violations of the GDPR. One of them, to which we will refer in this Ground III, is the violation of article 6.1, sections b) and f), RGPD, in relation with article 5.1.a) RGPD. Article 5.1.a) RGPD provides that “1. Personal data will be: a) processed in a lawful, loyal and transparent manner with the interested party; " The principle of legality is developed, among other precepts, in article 6 RGPD which, under the heading "Legality of the treatment", details in its section 1 the cases in those that the processing of third party data is considered lawful: "1. The treatment will only be lawful if it meets at least one of the following terms: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; (…) f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that on said interests do not override the interests or fundamental rights and freedoms of the interested party who require the protection of personal data, in particular when the interested is a child. (...) " The violation of section f) of article 6.1 RGPD attributed to the claimed was related to article 20 of the LOPDGDD - framed in Title IV, "Provisions applicable to specific treatments" - related to "Systems of credit information ”, standard that provides: "1. Unless proven otherwise, the data processing will be presumed lawful personal related to the breach of monetary, financial or credit by common credit information systems when the following requirements: a) That the data have been provided by the creditor or by whoever acts on their behalf account or interest. b) That the data refer to certain, past due and enforceable debts, whose existence or amount had not been the subject of an administrative or judicial claim for the debtor or through an alternative dispute resolution procedure binding between the parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/26 c) That the creditor has informed the affected party in the contract or at the time to require payment about the possibility of inclusion in said systems, with indication of those in which it participates. The entity that maintains the credit information system with related data the breach of monetary, financial or credit obligations must notify the affected party the inclusion of such data and will inform them about the possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679 within thirty days of the notification of the debt to the system, the data remaining blocked during that period. d) That the data is only kept in the system as long as the default, with a maximum limit of five years from the expiration date of the monetary, financial or credit obligation. e) That the data referring to a specific debtor can only be consulted when whoever consults the system maintains a contractual relationship with the affected party that involves the payment of a pecuniary amount or this would have requested the conclusion of a contract that involves financing, deferred payment or periodic billing, as happens, among other cases, in those provided for in the legislation on consumer credit contracts and real estate credit contracts. When the right to limit the processing of data challenging its accuracy in accordance with the provisions of article 18.1.a) of Regulation (EU) 2016/679, the system will inform those who may consult it in accordance with the previous paragraph about the mere existence of said circumstance, without providing the specific data with respect to which exercised the right, while it is resolved on the request of the affected. f) That, in the event that the request for the conclusion of the contract is denied, or this will not be held, as a result of the consultation made, whoever has After consulting the system, inform the affected party of the result of said consultation. (...) " The violation of article 6.1, sections b) and f) of the RGPD is found typified in article 83.5.a) RGPD which establishes: "5. Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of maximum 20,000,000 Eur or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The basic principles for the treatment, including the conditions for the consent in accordance with articles 5,6,7 and 9. " In the proposed resolution of the sanctioning file, the attribution to the claimed of each infraction of article 6.1. RGPD, sections b) and f), typified in article 83.5.a) RGPD and it was proposed to impose a sanction of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/26 fine of 100,000 euros. The proposed resolution confirmed the imputation to the claimed of the aforementioned infringement of the RGPD in light of the documentation that was then in the file and that was obtained, essentially, during the testing phase. In this sense It must be remembered that the respondent had not responded to the request for information from the agency; He did not respond either to the two informative requests that he made the Data Inspection of the AEPD and that, in the processing of allegations to the agreement of beginning, did not provide any document or make any other statement that was not declaring that he had processed the claimant's data in the normal course of a relationship contractual. Therefore, until the test, the only documents that in the administrative file were those that the claimant provided with her complaint: The copy of the Certificate card that proved to be included in the registry of citizens of the Union in which their NIE and the Ibercheck document that related to an inclusion in BADEXCUG for a debt of € 1,856.30 linked to your NIE. In response to tests carried out during training, the claimed provided abundant documentation, notwithstanding which the proposed resolution appreciated the commission of the violation of article 6.1 RGPD. This documentation consisted of the copy of three contracts that according to manifestation of the claimed had been held in person before one of the their distributors in November 2013 and which were intended to provide telephone service of three mobile lines carried from the operator VODAFONE and the acquisition financed by three high-end mobile terminals. In the three contracts provided, included the data of the owner, the name *** NAME.1, coinciding with the name of the claimant; the surname, *** SURNAME.1, different from that of the claimant; the NIE, identical that of the claimant and the street address *** ADDRESS.3, which differed from the one provided by the claimant in her complaint. What was relevant in the documentation provided in the testing phase was that the three contracts lacked signature and stamp of the distributor and that in the header of the contractual documents it was warned that these would not be valid if it was not recorded in them the signature of the customer and the stamp of the distributor. This circumstance, together with the fact that the respondent did not provide in its response to the tests carried out any type of document related to identity of the person who hired from which it could be inferred that, on the occasion of the hiring, he had displayed minimal diligence to verify that the person who provided personal data as their own was its owner, they forced to assess the responsibility of the claimed in the commission of an infraction of the Article 6.1., b) and f) of the RGPD. Thus, in the proposed resolution the following was argued regarding this GDPR violation: << (...) In the case analyzed, the legal basis of the data processing carried out by the claimed, taking into account the characteristics of these treatments, should be articles 6.1.b) RGPD -which refers to the treatment necessary for the execution of a contract in which the owner of the data is a party- and 6.1. f) RGPD -foundation related to the satisfaction of the legitimate interest pursued by the responsible for the treatment provided that the said interest does not prevail fundamental rights and freedoms of the interested party that require the protection of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/26 personal information-. (...) The conducts in which the violation of article 6.1 is specified. GDPR of those that the claimed person is responsible for were the following: B. On the one hand, the treatment of the claimant's data - her NIE, *** NIE.1, and her name, *** NAME.1- linked to three contracts - “Registration contract with terminal financed by BBVA Particulares ”- identified with the references *** REFERENCE.1, for line number *** PHONE.1; *** REFERENCE. 2, of the line *** PHONE. 2; and number *** REFERENCE. 3, for the mobile phone line *** PHONE. 3. The three contracts are dated 11/21/2013, which is when we estimate initiated the illicit treatment for the claimed. The end of the illicit treatment is estimated occurred on 12/09/2018, given that we are not aware that it had continued after that date. (...) (....) in light of the documentation provided by the complainant, it does not exist in the present case no evidence that the claimant had contracted with her any of the services and products that were registered linked to your NIE and your Name. Although the respondent has provided the AEPD in the testing phase with three copies of the "Registration contract with a terminal financed by BBVA Particulares" - it has even sent three copies for each of the contracts (copies for YOIGO, for the client and for the financial institution) -, all of them dated 11/21/2013, in which they appear, in the section relating to the data of the holder, the NIE and the name of the claimant, these documents do not certify the fact that the claimant had contracted with the claimed one. None of the three documents that the respondent has provided ... are found signed by the owner of the data and alleged contractor. The document itself contractual notice in its header that "The data that have an asterisk" * "are Essential so that Yoigo can register you. Those with two asterisks "**" they are essential for BBVA to be able to process the loan ”. In all three contracts provided to this Agency, under the heading "Signature", the annotation "Signature * I **" appears, preceding the space for the client's signature and the indication "Seal distributor * I ** ”, preceding the space for the distributor's stamp before which the alleged contract is celebrated in person. With such annotations the contractual document is advising us that the client's signature and the seal of the Distributor are essential for the operator to register a telephone service and for BBVA -which is the one who intervenes financing the purchase in installments of the mobile terminals, as detailed in the General Conditions of the contract- processes the credit in favor of the client. (...) Another essential point is added to the above ... The respondent has not provided this Agency any document that proves the identity of the person who, supposedly, he contracted with her and provided as his own the NIE *** NIE.1, the name of *** NAME.1, surname *** SURNAME.1 and address *** ADDRESS.3 (...) the accreditation of the identity of the person who hires is part of the evidential activity that is the responsibility of the controller (...) However, has not provided any document related to the identity of the person who allegedly signed the contracts that have given rise to the events that occupy. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 19/26 (...) C. The second conduct of the claimed contrary to the principle of legality, for violation in this case of article 6.1.f) RGPD, is the communication to the file of BADEXCUG solvency of an incident related to the claimant's NIE for a alleged debt of 1,856.30 euros. The incident was registered on 03/16/2014 and canceled on 12/09/2018 as consequence of the “automatic update of the data file sent by the reporting entity ”. This means that the annotation published by the BADEXCUG credit information, the debtor status of the NIE holder *** NIE.1, the claimant, remained active for more than four years. (...) Article 20 of the LOPDGDD contains a iuris tantum presumption of prevalence of the legitimate interest of the data controller who communicates data from third parties to credit information systems, popularly known as solvency or delinquency files. For the aforementioned presumption to display its effectiveness, all the requirements that the precept details in its section 1, letters a) to f). The data processing in which the behavior of the claimed is specified now examined -the communication of the claimant's data to the BADEXCUG file and its maintenance in that file for more than four years - cannot be based on the presumption of article 20 LOPDGDD as one of the requirements on those that the Organic Law 5/2018 builds this presumption. (...) It is evident, based on the documentation in the file, that the debt for the amount of XXX euros that the claimed reported to BADEXCUG linked The NIF of the claimant did not meet the requirement of "certainty", since such debt was not true in relation to the person to whom it was attributed and whose personal data were subject treatment. (...). The core of the issue is that, while the respondent has not proven that it was indeed the claimant who signed with her the contracts from which the debts derive, the condition of debtor of the claimant. >> In the processing of allegations to the proposed resolution, the complainant has provided diverse and highly relevant documentation that directly affects the legal assessment of the behaviors that until now we had qualified as violation of article 6.1., letters b) and f), of the RGPD. Article 82 of the LPACAP, "Hearing procedure", establishes in section 2 that “The interested parties, within a period of no less than ten days or more than fifteen, may allege and present the documents and justifications that they deem pertinent ”. The documents provided are, in summary, the following: (i) The “originals” of the three contracts that were entered into through a YOIGO distributor in person. All three contracts are duly signed by the customer and also bear the stamp of the distributor. He has provided, with respect to each of the line numbers for which the mobile phone service, the numbering portability request document mobile from VODAFONE, duly signed by the applicant. The data contained in the contracts provided in this procedure -both the relating to the identity of the contract holder (name, surname, NIE, address and account C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 20/26 bank), to the object of the contracts, to the date, the reference number or the line of mobile telephony on which each one deals - they are identical to those that appeared in the contractual documents that the respondent provided in the evidence process and that they lacked signature and seal. (Ii) a debit receipt for direct debit has also been provided issued by BBVA on 11/12/2013 in which the payer is the operator VODAFONE and the holder of the charge account a person identified with the same name and surname of the holder of the three contracts -that is, *** NAME.1 *** SURNAME.1-. Digits of the charge account that appear on the bank receipt are the same as included in the three contracts for the purposes of direct debit of invoices. On the receipt bank provided the address of the account holder coincides with the one that appears in the three contracts as the domicile of the contracting party, street *** ADDRESS. 3 In addition, the bank account debit document shows that the payer of the position is the telecommunications operator VODAFONE ESPAÑA, S.A.U., which It is also the operator that appears as a donor of the three mobile phone lines contracted with YOIGO. Another of the documentaries provided (iii) is a Certificate of Registration of Citizens of the Union ”in which the person in charge of the Central Registry of Foreigners of the Provincial Commissariat of *** LOCALIDAD.1 certifies that, in accordance with established in articles 3.3 and 3.7 of Royal Decree 240/2007, of February 16, and bearing in mind that this document only proves the registration in the Registry Central de Extranjeros if it is presented together with the passport or valid identity, the person indicated below, has requested and obtained their registration in the Central Registry of Foreigners (...) as a community resident in Spain, since 11/15/2010: D. *** NAME.1 *** LAST NAME.1; born him 08/05/1985, in *** LOCALIDAD.2 (*** COUNTRY.1); son of Gabriel and Viorica. Nationality: *** COUNTRY 1. Address: street *** ADDRESS. 2. Foreigner Identity Number (NIE) *** NIE. 1. The document includes on two occasions this "Notice: Invalid document to prove the identity or nationality of the bearer ”. The conduct that was taken into consideration to attribute to the respondent a infringement of the principle of legality was the processing of the personal data of the claimant -NIE and name- without being accredited the legal basis that protected. The treatment carried out by the claimed consisted of registering three contracts in the name of a person identified with the NIE and name of the claimant and to include the NIE in the BADEXCUG solvency file associated with a debt unpaid derived from said contracts. The respondent has provided with her allegations to the proposed resolution the documents that serve, in his opinion, as a basis for the causes of legality described in sections b) and f) of article 6.1 RGPD. It has contributed three contracts signed with her through a distributor in which the data of the contracting person coincide with those of the claimant in the NIE and the name - *** NAME.1-, although not in the surname -in the contract appears *** SURNAME. 1 and the claimant says her surname *** LAST NAME. 2- nor at home. All three contracts are signed by the person contractor. And in order to prove that the person who identified himself with the data that appear in the contracts and provided them as his own was who he claimed to be, has provided the document called Certificate of registration of citizens of the Union whose data they coincide with those that appear in the three contracts to identify their owner. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 21/26 Now, the Certificate includes on two occasions a notice that informs that This document is not valid to prove the identity or nationality of the bearer and in the text of the document it is noted that “(..) this document only proves the registration in the Central Registry of Foreigners if presented together with the passport or valid identity document ”. The Certificate provided cannot be granted the power to prove the identity of the contracting person, but having obtained that document shows, in principle, that the claimed, on the occasion of the conclusion of the three contracts, He deployed some diligence aimed at identifying the contracting person. The claimed, through its distributor, also obtained from the person who contracted and provided as their own the data that appear in the contracts other documents that reveal that he was identified with the same data before his entity financial BBVA's receipt of the debit account proves that in November 2013 the contracting person was identified before said entity with the same name, surname and address provided to the claimed in the hiring. Also, the account bank owned, according to BBVA's receipt, is the one that appears in the contracts as a direct debit account. Similarly, the payer of the bank charge that appears on the receipt from BBVA, the operator VODAFONE, is Also, according to the contracts, the donor operator in the portability of the lines telephone whose services were contracted with the claimed. In short, although the Certificate of registration of citizens of the Union lacks alone of force to prove the identity of the person who exhibits it, there is in the procedure other documents that demonstrate that these data identified the validly contracting person in other areas, such as in their relations with the BBVA, of which he was a client, or with the VODAFONE operator, with whom he had contracted services whose payment was domiciled in his bank account. Assessed as a whole the various documents that the complainant has provided It seems fair to conclude that, given the circumstances of the case, he displayed a minimum and reasonable diligence in identifying the person who signed the contracts and provided the NIE and the name of the claimant as his own. And it is also example of diligence in complying with the obligations imposed by the RGPD that the respondent has kept the documentation regarding the hiring and the identity of the contractor, which was obtained in 2013, the date of the contracts, in order to be able to prove the legality of the data processing carried out. The diligence shown by the claimed person in identifying the person who hired and provided as his own the personal data of the NIE and name of the claimed prevents appreciating in the case under examination the concurrence of fault or negligence, necessary to be able to demand administrative responsibility. As indicated by the SAN of 04/29/2010, (Sixth Legal Basis), “The question is not to determine whether the appellant processed the personal data of the complainant without her consent, as if did or did not use reasonable diligence in trying to identify the person with the one that signed the contract ”. (The underlining is from the AEPD) The presence of the subjective element or guilt in the broad sense, such as condition for the sanctioning responsibility to be born, has been confirmed by the Constitutional Court, among others, in its STC 76/1999, in which it affirms that the administrative sanctions are of the same nature as criminal penalties as they are one of the manifestations of the ius puniendi of the State and that, as a requirement derived from the principles of legal certainty and criminal legality enshrined in the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 22/26 Articles 9.3 and 25.1 of the EC, its existence is essential to impose it. In the same sense, Law 40/2015 on the Legal Regime of the Public Sector provided in article 28.1. that "They may only be sanctioned for acts constituting of administrative infringement the natural and legal persons, as well as (...), which are responsible for them by way of fraud or fault. " Consequently, the subjective element of the offense being absent - all Once the documentation provided shows that the respondent acted with a minimum and reasonable diligence to guarantee the identity of the person who hired and provided as their own certain personal data- it corresponds to agree on the file of the procedure regarding the infringement of article 6.1, sections b) and f) RGPD which was attributed to the defendant in the agreement to initiate the disciplinary proceedings. IV A. Article 58 RGPD refers to the powers granted to the authorities of control and refers in section 1 to its "powers of investigation", precept which states: "1. Each supervisory authority will have all investigative powers indicated below: (…) e) obtain from the person in charge and the person in charge of the treatment access to all the data personal and all the information necessary for the exercise of their functions; f) obtain access to all the premises of the person in charge and the person in charge of the treatment, including any equipment and means of data processing, of conformity with the procedural law of the Union or of the Member States. " In turn, article 31 RGPD -relative to the general obligations of the responsible and the person in charge of treatment, Section 1, of Chapter IV of the Regulation (EU) 2016 / 679- states: "The person in charge and the person in charge of treatment, and where appropriate their representatives cooperate with the supervisory authority that requests it in the performance of their functions ”. On the other hand, the LOPDGDD, article 51.1, establishes that "The Spanish Agency of Data Protection will develop its research activity through the actions provided for in Title VIII and preventive audit plans ”. The LOPDGDD includes article 67 in this Title, which deals with the actions of previous investigation. In addition, article 53 of the LOPDGDD refers to the scope of the activity of investigation and indicates in section 1 that “Those who develop the activity of investigation will be able to gather the precise information for the fulfillment of their functions, carry out inspections, require the exhibition or dispatch of documents and necessary data, examine them in the place where they are deposited or in where the treatments are carried out obtain a copy of them, inspect the physical and logical equipment and require the execution of treatments and programs or treatment management and support procedures subject to investigation ”. The breach by a person responsible for the treatment of the obligation that imposes article 31 of the RGPD, in relation to the powers that in matters of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 23/26 inspection is attributed to this Agency by article 58.1 e) of the aforementioned Regulation (EU) 2016/679, is subsumed in the sanctioning type of article 83.5.e) RGPD that He says: "Violations of the following provisions will be sanctioned, in accordance with with paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: (…) e) failure to comply with a resolution or a temporary or definitive limitation of the treatment or suspension of data flows by the supervisory authority in accordance with article 58, paragraph 2, or failure to provide access in breach of the article 58, paragraph 1. (The underlining is from the AEPD) For the purposes of prescription, the LOPDGDD qualifies in its article 72.1. as very serious offense: “o) Resistance or obstruction of the exercise of the function inspector by the competent data protection authority ”. The term of prescription for very serious offenses is three years. B. The documentation in the administrative record certifies that the claimed refused to collaborate with the inspection action carried out by the Inspection Service of the AEPD within the framework of E / 2053/2019 and that when taking the decision not to collaborate with the investigation carried out by the supervisory authority was fully aware of the consequences that could result from his behavior omisive. Regardless of the information request that the Agency made to the claimed before the initiation of the preliminary investigation actions - that is, before the had agreed to admit the claim to processing-, information request to the that did not respond either, and focusing on the previous investigation actions, because according to article 51.1 LOPDGDD these are framed in the function investigator recognized by the control authorities and who develops the Article 58.1 RGPD, these circumstances stand out: The defendant did not give any response to the AEPD. The only letter received from in the course of the preliminary investigation actions is dated 08/07/2019 and in he requests that the deadline be extended to respond to the information request that is had done on 07/17/2019 and received on that same date. In that requirement It gave him a period of fifteen business days to evacuate the process. The AEPD Responds in writing of 08/12/2019 and grants the requested extension of the deadline. The The response of this Agency, which is notified electronically on the same date, is accepted by the claimed seven days later, on 08/19/2019. None is received reply. The Data Inspection sent the claimed a second request informative dated 09/23/2019, which was made available on the website on same day and whose notification was accepted by the claimed on 09/30/2019. The The complainant did not respond to this second request either. In short, despite that the receipt by the respondent of both information requirements of the Inspection of Data is accredited, did not respond to any of them. The second relevant circumstance is that in the two requirements C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 24/26 sent, the respondent was informed in detail of the consequences that could derive from not meeting the request for collaboration with the AEPD. He was reminded of the obligation imposed by the RGPD to collaborate in the development of the function inspector and that failure to comply with said obligation could lead to the commission of an infringement typified in article 83.5.e, RGPD for infringement of article 58.1. RGPD. In consideration of the proven facts, it is estimated that the defendant incurred an infringement of article 31 RGPD, in relation to article 58.1.e, of the same standard, typified in article 83.5.e) RGPD and qualified by the LOPDGDD for the purposes prescription, as a very serious offense (article 72.1.,) C. In determining the administrative fine to be imposed for the infraction of the Article 31, in relation to Article 58.1.e), RGPD, the provisions of articles 83.1 and 83.2 of the RGPD. In accordance with the RGPD requirement that administrative fines be “Effective, proportionate and dissuasive” and to the provisions of articles 83.4 and 83.5 RGPD, the total annual global volume of the financial year must be taken into account previous financial statement of the claimed. Well understood that, as the Recital 150 of the RGPD, “If administrative fines are imposed on a company, for such it must be understood as a company according to article 101 and 102 of the TFEU ”. The group MASMOVIL to which the claimed belongs obtained in 2018 income of 1,451 million euros and a net profit of 71 million euros. After analyzing the circumstances that preside over the offending conduct, in order to specify the amount of the fine that must be imposed on the person responsible, considers that the following elements are present that involve an aggravation of the guilt of the offending subject and / or the unlawfulness of his conduct. - The respondent acted with an extremely serious lack of diligence when repeatedly refused to collaborate with the inspection function that the AEPD was exercising. Negative that cannot be justified even in the existence of any incident in the notifications of the informative requirements, since they received correctly by the claimed, nor in the course of the terms granted for reply. The AEPD acted with total flexibility and provided all kinds of facilities to the claimed so that it could provide the requested collaboration. Deadlines were extended to respond at the time the respondent requested it - despite the time elapsed between the receipt of the information request and the request for deadline extension - and considerable time was allowed to pass after the deadlines expire and before repeating the information request. It was also not obtained no response to the second request for collaboration. Circumstance aggravating factor that is framed in article 83.2.b, RGPD. - The link between the activity of the claimed and the processing of personal data from clients or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b, of the LOPDGDD) In view of the foregoing considerations, it is agreed to sanction the claimed for the violation of article 31, in relation to 58.1.e, RGPD, typified in article 83.5.e) RGPD and qualified by the LOPDGDD for prescription purposes as a very serious offense (article72.1.o,), with an administrative fine of 20,000 euros. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 25/26 Therefore, in accordance with the applicable legislation, the Director of the Agency Spanish Data Protection RESOLVES: FIRST: REGARDING the alleged violation of article 6.1. letters b) and f) of RGPD, which was attributed to XFERA MÓVILES, S.A., with NIF A82528548, in the agreement of initiation of this sanctioning file, AGREE to the FILE of the procedure sanctioner for INEXISTENCE OF INFRINGEMENT, as the claimed person has provided the documents that prove it. SECOND: MPONER to XFERA MÓVILES, S.A., with NIF A82528548, for a infringement of article 31 of the RGPD, in relation to article 58.1.e, typified in the Article 83.5.e) of the RGPD, a penalty of twenty thousand euros (€ 20,000). THIRD: NOTIFY this resolution to XFERA MÓVILES, S.A. FOURTH: Warn the sanctioned person that the sanction imposed a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned and the of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the bank CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period. Notification received and once executive, if the execution date is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 26/26 may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es