AEPD (Spain) - PS/00365/2019: Difference between revisions

From GDPRhub
mNo edit summary
Line 50: Line 50:
}}
}}


The Spanish DPA (AEPD) imposed a penalty of € 20000 on XFERA MOVILES S.A. for failing to comply with its obligation to cooperate with the supervisory authority under Article 31 GDPR in conjunction with Article 58 (1) (e) GDPR.
The Spanish DPA (AEPD) imposed a penalty of € 20000 on XFERA MOVILES S.A. for failing to comply with its obligation to cooperate with the supervisory authority under Article 31 GDPR in conjunction with Article 58(1)(e) GDPR.


==English Summary==
==English Summary==
Line 64: Line 64:
Furthermore, the complainant argued that the events had taken place before the entry into force of the GDPR and the LOPDGDD and would therefore not be the applicable rules. On the other hand, it did not make any reference in its allegations to the breach of Article 31 GDPR in relation to its obligation to collaborate with the data protection supervisory authority.
Furthermore, the complainant argued that the events had taken place before the entry into force of the GDPR and the LOPDGDD and would therefore not be the applicable rules. On the other hand, it did not make any reference in its allegations to the breach of Article 31 GDPR in relation to its obligation to collaborate with the data protection supervisory authority.
===Dispute===
===Dispute===
Is the failure to cooperate with the data protection supervisory authority a breach of Article 31 GDPR in conjunction with Article 58 (1)(e) GDPR?
Is the failure to cooperate with the data protection supervisory authority a breach of Article 31 GDPR in conjunction with Article 58(1)(e) GDPR?


===Holding===
===Holding===

Revision as of 17:56, 17 November 2020

AEPD - PS/00365/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 31 GDPR
Article 58(1)(e) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.11.2020
Published:
Fine: 20000 EUR
Parties: XFERA MOVILES S.A. (YOIGO)
National Case Number/Name: PS/00365/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA (AEPD) imposed a penalty of € 20000 on XFERA MOVILES S.A. for failing to comply with its obligation to cooperate with the supervisory authority under Article 31 GDPR in conjunction with Article 58(1)(e) GDPR.

English Summary

Facts

A claimant, an individual, lodged a complaint with the AEPD because he/she found out from his/her bank account that a contract had been entered into in his/her name and with his/her personal data without his/her consent, and also because he/she had been included in a creditworthiness file for an unpaid debt related to the aforementioned contract.

The AEPD requested from YOIGO information on the contracts signed with the claimant, as well as information on the debt that led to its inclusion in a solvency list. In the contracts provided by the claimant, there is no signature of the claimant accepting the content of the contracts.

The AEPD first proposed a sanction for infringement of Article 6 (1) GDPR but withdrew these charges due to the non-existence of the infringement when the complainant responded with allegations and documents which this time, unlike those provided in the evidence phase, were signed by the complainant.

Furthermore, the complainant argued that the events had taken place before the entry into force of the GDPR and the LOPDGDD and would therefore not be the applicable rules. On the other hand, it did not make any reference in its allegations to the breach of Article 31 GDPR in relation to its obligation to collaborate with the data protection supervisory authority.

Dispute

Is the failure to cooperate with the data protection supervisory authority a breach of Article 31 GDPR in conjunction with Article 58(1)(e) GDPR?

Holding

Having assessed all the various documents provided by the complainant, it seems fair to conclude that, in view of the circumstances of the case, it exercised a minimum and reasonable diligence in identifying the person who signed the contracts and provided as her own the NIE and the name of the complainant.

Furthermore, as regards its duty to cooperate with the supervisory authority, the defendant did not comply with its obligation to cooperate and make allegations regarding the infringement of Article 31 GDPR in conjunction with Article 58(1)(e) GDPR.

The AEPD, therefore, agreed to impose a penalty of € 20000 under Article 83(5)(e) GDPR.

The fact that it acted with an extremely serious lack of diligence when it repeatedly refused to cooperate with the inspection function that the AEPD was carrying out (83(2)(b) GDPR) and the link between the activity of the respondent and the processing of personal data of customers or third parties (83(2)(k) GDPR) were taken into account as aggravating factors.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/26











     Procedure No.: PS / 00365/2019
938-300320


                RESOLUTION OF SANCTIONING PROCEDURE


      Of the procedure instructed by the Spanish Agency for Data Protection and in
based on the following

                                   BACKGROUND


FIRST: On 08/21/2018 has entry into the Spanish Protection Agency
of Data (AEPD) a letter from D.ª A.A.A. (hereinafter, the claimant) in which
states that XFERA MÓVILES, S.A., with NIF A82528548 (hereinafter, the claimed or
YOIGO) has processed her NIE linked to a mobile phone contract to which she is

alien.

      The claimant states that “I have learned from my bank that with my number
of dni there is a mobile phone service contract with the company Xfera Móviles-
Yoigo. I have made a claim to the service control department of this

company ... ”The documentation you provide reveals that your NIE was communicated by the
claimed from the BADEXCUG capital solvency file with registration date March
2014, for an unpaid debt of XXX euros.

      Annexes to the claim provide these documents: The copy of the "Certificate of

registry of citizens of the Union ”, issued by a Spanish authority, in which
Among other information are your name and surname, the NIE *** NIE.1 and your address at
Spain. A copy of an Ibercheck report according to which, linked to your NIE,
there is an annotation of non-payment in the BADEXCUG file, reported by the
claimed, with registration date 03/16/2014, for an amount of XXX euros, being the

Date of last update of the entry is 08/19/2018.


SECOND: In view of the facts presented in the claim, the AEPD carried out
actions aimed at its clarification.

      A. In the framework of file E / 6739/2018, by means of a document signed the
10/02/2018, the claim is transferred to the respondent and it is requested that in the
within one month, provide an explanation of the facts set forth therein and detail
the measures taken to prevent similar situations from occurring in the future.

      The writing is notified to the claimed electronically, being the date of placing
available on 02/10/2018 and the date of acceptance of the notification on 03/10/2018,
as certified by the FNMT certificate in the file.

      Likewise, in writing signed on 10/02/2018, the AEPD addresses the claimant
acknowledging receipt of your claim and communicating your transfer to the claimed.

      Once the period granted has elapsed without the respondent having responded to the
information request, in accordance with the provisions of article 65.2 of the Law

Organic 3/2018, Data Protection and Guarantee of Digital Rights
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 2/26








(LOPDGDD), on 02/19/2019 the agreement for admission to processing of the
present claim.


      B. Pursuant to article 67 of the LOPDGDD, in the framework of file number
E / 2053/2019, the Data Inspection of the AEPD carries out actions of
previous investigation.

      The certificates issued by the FNMT that
certify that the respondent received the electronic notifications from the two
informative requirements that were made to him in the course of the proceedings of
previous investigation; requirements of dates 07/17/2019 and 09/23/2019 to those who do not
answered. The notifications were accepted, respectively, on dates

07/17/2019 and 09/30/2019.
      The first of the requirements of the Data Inspection is signed on

07/17/2019. On the same date, the respondent is notified and she accepts the notification.
The requirement gave the respondent a period of 15 business days to respond;
indicated that the information was requested by the Data Inspection in use of the
powers conferred by articles 58.1 RGPD and 67 LOPDGDD; it was reminded of the
claimed the obligation imposed by Regulation (EU) 2016/679, General of
Data Protection, (RGPD) to collaborate in the performance of the inspection function and

He was informed that the breach of this obligation could lead to the
commission of an offense typified in article 83.5.e) RGPD.

      The respondent, in writing that had entry into the Agency's electronic headquarters on
08/07/2019, request an extension of the deadline to respond to the request
Information received on 07/17/2019. The AEPD responds on 08/12/2019 and grants the
extension of term requested. The Agency's response, notified electronically
on that same date, it is accepted on 08/19/2019. This is proven by the certificates of the

FNMT that are in the file.
      The second of the informational requirements that the Data Inspection sent
the one claimed was signed on 09/23/2019 and made available at the electronic headquarters

On the same date. In it, the defendant was granted a period of five business days
to respond and, as in the previous one, he was informed that the information was
requested in use of the powers conferred by articles 58.1 RGPD and 67
LOPDGDD, it was recalled the obligation imposed by the RGPD to collaborate to
perform the inspection function and that failure to comply with said obligation could

involve the commission of an offense typified in article 83.5.e) RGPD by
infringement of article 58.1. RGPD. The notification of this second requirement was
accepted by the claimed seven days after making it available, the
09/30/2019.

      No response to the claim from either of the two is received at this Agency
informative requirements made by the Data Inspection.

      On 10/10/2019 the Report of Preliminary Investigation Actions of which
we reproduce the following fragment:

<< 1. On the notification date of July 17, 2019, a request for
information to the claimed to provide the following documents:

           to. Service contract with the claimant.

           b. Channel and / or place of contracting. Procedure for accreditation
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 3/26








               of identity.

           c. Identification documentation in your possession.
           d. Prior payment requirement before the possible inclusion in the file

               BADEXCUG.
      On August 7, 2019, it is received at this Agency, with the number of

registration 039557/2019, written from the claimed requesting extension of
term, proceeding to grant an extension of 5 business days with the date of
notification of August 19, 2019.

      With the notification date of September 30, 2019, the
information request granting a new term of five days without
of completion of this report has been received in this Agency reply
from the claimed. >>


THIRD: On 11/19/2019, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure to the claimed in accordance with
provided in articles 63 and 64 of Law 39/2015, of October 1, on the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for two violations of the RGPD: The violation of article 6.1. RGPD,

typified in article 83.5.a), and article 31, in relation to article 58.1.e),
both of the RGPD, typified in article 83.5.e) of the aforementioned Regulation (EU)
2016/679.

FOURTH: Notified the initiation agreement -notification accepted by the claimed on

11/20/2019 - submitted allegations on 12/04/2019.

      The brief of allegations is specified in a previous allegation and two allegations,
with the following content: Request -previous allegation- to be transferred of a
copy of the file. He states -first allegation- that “... at this time only
It is given to state that YOIGO has regularly processed the data of the claimant in

under the service contract and, hence, likewise, the regular and ordinary treatment of
the relationship between the parties by virtue of the vicissitudes of the contract ”. By last
-second claim- states that “once the appropriate documentation has been gathered, it will be sent to the
AEPD ”.


FIFTH: Under article 53.1.a) LPACAP, the AEPD, in writing notified
electronically on 12/13/2019, gives the respondent the full copy of the
administrative file requested.

SIXTH: In accordance with article 77 LPACAP, dated 06/15/2020, a
trial period in which the claim and its

attached documentation; the documents obtained and generated by the Services of
Inspection of the AEPD before the claimed and the Report of previous actions of
Inspection. Likewise, the allegations of the
claimed to the agreement to initiate the sanctioning procedure.


      These procedures are carried out in the evidence process:
      A. The respondent is asked to provide the documents and prove the facts
which are detailed:
      1. The copy of the contract that the claimant had signed and the
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 4/26








claimed or, where appropriate, the entity to which the latter would have succeeded.
      2. The documentation that proves the existence of an outstanding debt of
Payment in the name of the claimant, requiring that she specify the amount owed and
the concepts from which the debt derives.
      3. Proof of having informed the claimant at the time of signing the

contract that, in the event of non-payment of debts, your data could be subject to
inclusion in credit and equity solvency files. Or, alternatively, that
certify having required the claimant to pay the outstanding debt before the
inclusion of your data in BADEXCUG associated with debit positions.


      The respondent responds to the request for evidence on 06/29/2020.

      to. To the question formulated in point 1, he answered that "the claimant subscribed"
three contracts with YOIGO on 11/21/2013 and that the hiring was carried out in a
face being the SFID of the seller *** VENDEDOR.1 which corresponds to "Store
ByMobil ”. He adds that the three contracts had a terminal acquired in installments and

commitment to stay. Provide a copy of the three contracts that correspond to
the numbers *** TELEPHONE.1, *** TELEPHONE.2 and *** TELEPHONE.3
      Provides copies of each of the three contracts and, in addition, regarding
each one of them sends three copies: for the client, for YOIGO and for the entity
financial The three copies are identical to each other, the only difference is that the two
The first ones include as an annex the document “Request for portability of

mobile numbering ”.
      The “Registration contract with a terminal financed by BBVA
Individuals ”focusing on its structure and most relevant content, but referring to the
contract 1. Regarding contracts 2 and 3 we limit ourselves to citing, only, their
differences with 1.
      In contract 1, under the heading “Registration contract with terminal financed by

BBVA Individuals ”appears the reference“ nº *** REFERENCIA.1 ”and below this
legend: "The data that have an asterisk" * "are essential for Yoigo
I can register you. Those with two asterisks "**" are essential for
BBVA can process the credit ”.
      Next, in the section “Point of sale data”, it appears “SFIF
***POINT 1". In the "Your data" section there are the data of the contract holder:

*** NAME.1 (first name) *** LAST NAME.1 (last name). Note that this last name is different
that of the claimant. The NIE, *** NIE.1, which matches that of the claimant. The date
of birth, 08/05/1985; nationality, *** NATIONALITY.1; sex, woman; the
address, *** ADDRESS.1 and contact telephone number *** TELEPHONE.3. Just the name,
*** NAME. 1, and the NIE match the data of the claimant. Does not match
surname or address, which is not the one that appears on the citizens' certificate

of the Union that the claimant has provided to the AEPD or in the form of its
claim. In the "Services and promotions" section, it is indicated: "Nº YOIGO"
***TELEPHONE 1; “SIM / ICC-ID card No.” *** SIM.1; "Type of contract", "La Infinita
25 ".
      In the "Product" section, it says: "With mobile / Modem: IMEI *** IMEI.1; "Mark and

model: Samsung Galaxy S4 White ”. In the section "Bank details", it appears
"Customer account code (IBAN)" and a customer account code that begins with the
digits *** XXX and ends with the digits *** XXX.
      The last of all the sections is "Signatures" and it indicates "Date * I **
11/21/2013 "and then" Signature * I ** ", which has a blank space, that is, without

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 5/26








fill in and "Distributor stamp * I **", which also has the space for this purpose
in white. Next, "Xfera Móviles, S.A.", which includes in the space for
for this purpose, a heading and "Banco Bilbao Vizcaya Argentaria, S.A.", which also incorporates
a rubric.
      The copies of the contract 1 intended for the client and YOIGO are accompanied by

an annex: The "Mobile Numbering Portability Application". This document includes
this legend: “Important: For your current operator to accept the request for
portability you must fill in all the sections ”. In the "Operators" section there is
"Date", "11/21/2013 10:43"; “Donor Operator: Vodafone” and “Receiving Operator:
YOIGO ”. The "Type of request" section includes, among other information, the "Telephone number

(MSISDN) *** PHONE. 1. In the "Customer data" section, the same as those listed
in the contract in the "Your data" section. Finally, in the "Signature" section, it appears
"Date 11/21/2013 10:43" and then the indication "Applicant's signature" without
that there is no signature on the document. None of the copies (for the customer and
for YOIGO) that are sent are signed by the applicant.


      Contract 2, “Registration contract with terminal financed by BBVA”, differs from
contract 1 in the following elements:
      The reference "Nº *** REFERENCE.2" corresponds to it. In the section "Services
and promotions ”appears as“ Nº Yoigo *** TELEPHONE.2 ”. While the remaining
Sections are identical to those of contract 1, described above, we must emphasize that in
the last section, "Signatures", after "Date * I ** 11/21/2013", the spaces

intended for the "Signature * I **" and the "Distributor Seal * I **" are blank, without
fill in.
      Regarding the document "Mobile number portability request",
annex to contract 2, of which the complainant sends us a copy for the client and for
YOIGO, the differences in relation to the same document annexed to contract 1 are the
following: In the heading "Operator", everything is the same except for the time, figure

"11:29". Under the heading "Type of request", among others, the "Telephone number (MSISDN)
*** PHONE. 2. It should be noted that in the "Signature" section, after
"Date: 11/21/2013 11:29", as happens in the same document attached to the
contract 1, the box for “Applicant's signature” is blank and without
fill in.


      Contract 3, "Registration contract with terminal financed by BBVA", differs from 1 and
the 2 in the following elements:
      The reference “Nº *** REFERENCE.3” corresponds to it. In the section "Services
and promotions ”appears as“ Nº Yoigo *** TELEPHONE.3 ”. While the remaining
sections are identical to those of contracts 1 and 2 described above, we must underline
that in the last section, "Signatures", after "Date * I ** 11/21/2013", the spaces

intended for the "Signature * I **" and the "Distributor Seal * I **" are blank, without
fill in.
      Annex to contract 3, the complainant sends us the document of "Request for
portability of mobile numbering ”, (copies for the client and for YOIGO). The
differences with respect to the same document annexed to contracts 1 and 2 are the

following: In the heading "Operator", everything is the same except for the time, figure
"19:00". In the heading "Type of request", among other elements, the "No. of
phone (MSISDN) *** PHONE. 3. It should be noted that in the "Signature" section, after
of "Date: 11/21/2013" "19:00", as well as the same document attached to the contracts
1 and 2, the "Applicant's signature" box appears blank and unfilled.

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 6/26









      b. The respondent answered the second question that was asked that the
Claimant had requested in December 2013 the portability to a third operator,

thereby breaching the commitments of permanence assumed, which implied the
early expiration of deferred payments for the amount stated on the invoice,
amount that comes essentially from the installment acquisition of three terminals
mobiles.

      Provide a copy of the invoice number *** FACTURA.1, issued on 01/01/2014,

which corresponds to December 2013. The amount invoiced amounts to 1,856.30
euros. The invoice includes the services and products linked to these lines:
*** TELEPHONE.1, *** TELEPHONE.2 and *** TELEPHONE.3.
      The invoice contains the data of the owner of the three contracts, that is, those that
They are included in the "Your data" section of the three contracts provided. Of the data

incorporated into the invoices only coincide with the name of the claimant,
*** NAME. 1. The last name does not match, nor does the address, which is different from the
that appears in the certificate of citizens of the Union that the claimant has
provided to the AEPD and in the complaint form submitted to this Agency.


      c. The respondent answered the third question asked in the test phase
that in the eighth clause of the general conditions of any of the three contracts
that he had provided, the client was informed that “in case of not attending
punctually their financial obligations to YOIGO, in accordance with
provided for in the contract, YOIGO may communicate your identification data, together with
all those related to debt pending payment, to entities dedicated to the

provision of information services on financial solvency and credit, .. "

      B. The Experian Bureau de Crédito, S.A. was requested (Experian) to forward the
information and documentation detailed:


      1. Printed copy of all the information that will appear in the solvency file
BADEXCUG, associated with the personal data of the claimant -name, two surnames
and NIF-, which had been informed by the claimed.
      2. Copy of the documentation regarding the rights of access and cancellation
that the claimant would eventually have exercised before her.


      Experian responds in writing dated 07/08/2020 that it has an entry in the
Agency registration on 07/13/2020. It states that on that date there is no
BADEXCUG, associated with the NIF, name and two surnames of the claimant, none
unpaid transaction. But he adds that, in the "History of Updates of the file
BADEXCUG ”contains this information regarding unpaid transactions associated with

Claimant's NIF: There is an operation, number 5658833, reported by YOIGO,
for a telecommunications service, whose debt was registered in BADEXCUG on
03/16/2014, for an unpaid amount of 1,856.30 euros and the
12/09/2018, the debit balance being the same amount on that date, as
consequence of the “automatic update of the data file sent by the

reporting entity ”.

SEVENTH: On 10/07/2020 the resolution proposal of the
sanctioning procedure PS / 00365/2019 formulated in these terms:

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 7/26









<< FIRST: That the Director of the Spanish Agency for Data Protection
sanction XFERA MÓVILES, S.A., with NIF A82528548, for two infractions of the
article 6.1. RGPD, letters b) and f), typified in article 83.5.a) RGPD, with a fine
administration of 100,000 euros (one hundred thousand euros).


SECOND: That the Director of the Spanish Agency for Data Protection
sanction XFERA MÓVILES, S.A., with NIF A82528548, for a violation of the
article 31 RGPD, in relation to article 58.1.e, RGPD, typified in article
83.5.e) of the RGPD, with an administrative fine of 20,000 euros (twenty thousand euros) >>


      The certificate issued by the FNMT, which is in the file, certifies that the
Proposal for a resolution was notified and accepted by the complainant on 10/07/2020.

EIGHTH: The respondent submits her brief of allegations to the proposal of
Resolution on 10/21/2020 in which it requests that the file be archived

sanctioner.

      Provides, attached to its brief of allegations, documentation of great relevance to
the effects that concern us that he claims to have received "from his logistics provider" "in the
time elapsed since the test phase ”. They are the following documents:


      1. A "Certificate of Registration of Citizens of the Union" that incorporates two
Sometimes, at the beginning and at the bottom of the text of the document and within a box, this note:
"Notice: Invalid document to prove the identity or nationality of the
carrier".
The text of the document is as follows: “The person in charge of the Central Registry of
Foreigners from the Provincial Police Station of *** LOCALITY. 1 CERTIFIES: That, of

in accordance with the provisions of articles 3.3 and 3.7 of Royal Decree 240/2007,
of February 16, and bearing in mind that this document only proves the registration
in the Central Registry of Foreigners if it is presented together with the passport or
valid identity document, the person indicated below, has
requested and obtained its registration in the Central Registry of Foreigners (...) as
Community resident in Spain, since 11/15/2010: Mr. *** NAME.1

***LASTNAME 1; born on 08/05/1985, in *** LOCALIDAD.2 (*** COUNTRY.1); son of
Gabriel and Viorica. Nationality: *** COUNTRY. 1. Address: street *** ADDRESS. 2. Number
Foreigner Identity (NIE) *** NIE. 1.

      2. A bank receipt issued by BBVA corresponding to a debt for
direct debit account in which the "payer" is Vodafone España, S.A.U., and the

"Owner" *** NAME.1 *** LAST NAME.1. The document indicates that it is a “Duplicate of
receipt dated 11/12/2013 ”,“ charged to Vodafone ***** XX account ”. It includes the
following personal data: “*** NAME.1 *** SURNAME.1. *** ADDRESS. 1, the
date 11/12/2013 and the XXX client current account finalized in the digits XXX.

      3. Copy of contracts with reference numbers *** REFERENCE.1,
*** REFERENCE.2 and *** REFERENCE.3 (which are identified in the Proven Facts,
respectively, as contracts number 1, 2 and 3) In all of them, the data of the

contracting parties, the object of the contract and the date of conclusion, as well as the
contractual stipulations, are identical to those that appear in the contracts that the
The complainant referred to the Agency in its response to the requested evidence.
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 8/26









      However, there are substantial and highly relevant differences between
those contractual documents sent by the claimed in the testing phase and the

contracts that he now contributes with his allegations to the resolution proposal. These, to
Unlike the previous ones, they are signed by the client and bear the seal
of the distributor with whom the contract was formalized. Signature and stamp appearing on
all copies that it contributes and with respect to each of the three contracts. Contributes
Also, with respect to each of the three contracts, the corresponding copy of the
Mobile Number Portability Request (copy for YOIGO) that, unlike

the one that had been sent in the test phase, it is signed by the applicant for the
portability.

      The defendant states that, "in view of the new documents provided," it has
it was proven that it had a legal basis that legitimized the treatment
of "the personal data of the person who hires" and who, in addition, has been able to
demonstrate that extreme, thus complying with the principle of responsibility

proactive.
      It concludes, on the one hand, that while it has provided the corresponding

signed contracts, a bank receipt and the certificate of registration of citizens of the
Union with the data of the person who appears as the owner of the contracts, there is no
infringement of article 6.1.b) RGPD. On the other, that "the existence of these contracts
properly formalized enables my client, in case of non-payment, to
communicate the data of the person who signed the contract and accrued invoices to the

capital solvency files based on their legitimate interest (article 6.1.f) ”. Add,
In addition, that it has complied with the provisions of article 20 LOPDGDD, since the debt
reported to BADEXCUG was true, expired and enforceable; the person was informed
contracting party in clause 8.5 of the General Conditions of the contract of the possibility
to include your data in solvency files and enter the expiration date of the

obligation (01/07/2014) and the date of withdrawal from BADEXCUG (12/18/2018) have not
after five years. In consideration of which it states that there is no
violation of article 6.1.f) RGPD.

      The third point invoked by the respondent in her allegations refers to the
accreditation of the identity of the contractor. He states that "In the light of
documentation provided, in combination with the events that occurred, it can be stated
that a correct identification of the person who hires was made ”.

      On the identification of the person who signed the three contracts with the

distributor, the complained party states that it has provided a Certificate from the
Citizens of the Union in which data such as NIE, date of birth,
the name and surname, among others. That, in addition, the data collected in the Certificate
of the Union Citizen Registry match those that appear on the receipt
bank domiciliary debt provided by the person who contracted the services with
object of proving that she was the owner of the direct debit bank account. What i know

adds that the information contained in the number portability request
mobile, of which he has sent copies to this Agency, coincides with the one that appears in the
alluded certificate. All this, he says, without losing sight of the fact that “the hiring was
face-to-face and the person in question had to provide the documentation in hand,
such as the handwritten signature of contracts ”.

      The last allegation (fourth) of the allegations to the motion for a resolution is

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 9/26








refers to the "violation of the principles of non-retroactivity and typicality" in which the
understanding of the claimed would incur to sanction it in the terms provided in the
initial agreement and in the resolution proposal. This extreme is, in his opinion, another of

the reasons that determine that the AEPD should proceed to file the file
sanctioner.

      After citing articles 2.3. of the Civil Code -retroactivity of the laws- and 99.2
of the RGPD -which provides that it will be applicable as of May 25, 2018- concludes
that “Therefore, the events that occurred prior to that date have no place
in the same". He then says that the “recruitment in which the
claim that initiates this procedure ”took place in November 2013 and the

communication by YOIGO of the contractor's data to the BADEXCUG file in March
of 2014. Dates on which “the RGPD had not even been approved and the
LOPDGDD. In other words, the LOPD would be applicable ”. Therefore, after invoking the
principle of non-retroactivity as the basic foundation of our legal system,
states that "any claim to assess some events that occurred in 2013 and 2014

under the prism of the RGPD approved in 2016 and applicable from May 25, 2018
it is completely contrary to the fundamental principles of our order
legal".

      It considers that, in the present case, it would be appropriate to apply Organic Law 15/1999,
Data Protection, because it is more favorable to that party and argues to this end that "in
sanctioning, criminal or administrative law, in the event of a collision of two norms
whose temporary validity has been different, being able to apply any of them, is a

basic principle of law that the one that is most favorable to the defendant applies ”. And the norm
more favorable is the LOPD "in force at the time of the events", since,
pursuant to it, “specifically to its article 47, the facts that are the object of this
procedure would be prescribed from 2017 ”. Reason for which, the respondent alleges,
"The filing of this procedure also proceeds under this reasoning."

      It is highlighted that the allegations to the proposed resolution presented do not
include no mention of the second of the offenses attributed to the claimed

in this sanctioning file, the violation of article 31 RGPD, in relation to
58.1.e) RGPD, typified in article 83.5.e).




NINTH: The suspension of administrative deadlines agreed by Royal Decree
463/2020 affected the sanctioning procedure PS / 365/2019 whose initiation agreement was
had signed on 11/19/2019. The calculation of terms was resumed, according to the Real
Decree 463/2020, dated 06/01/2020.

      Royal Decree 463/2020, “by which the state of alarm is declared for the
management of the health crisis caused by Covid 19 ”(BOE of 03/14/2020)

established in the third Additional Provision, "Suspension of administrative terms":

      "1. Terms are suspended and deadlines for processing the
procedures of public sector entities. The calculation of the terms is
will resume at the moment in which this royal decree loses force or, in its
case, the extensions thereof.


      2. The suspension of terms and the interruption of terms shall apply to the entire
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 10/26








public sector defined in Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations. "


      Royal Decree 537/2020 (BOE of 05/23/2020), establishes in article 9,
"Administrative periods suspended by virtue of Royal Decree 463/2020, of 14
March":


      “With effect from June 1, 2020, the calculation of the deadlines
administrative offices that have been suspended will be resumed, or restarted, if

envisaged in a norm with the force of law approved during the term of the
state of alarm and its extensions ”.


      Thus, the date of maximum duration of the procedure PS / 365/2019, as
provided in article 64.2 of the LOPDGDD and applied the rules of the Royals
Decrees 463/2020 and 537/2020, is on 11/05/2020.


      In view of everything that has been done, the Spanish Data Protection Agency will
consider, in the present sanctioning procedure, the following


                                PROVEN FACTS

1.-The claimant declares that she has heard from her financial institution that,
linked to your NIE, there is a contract with the claimed entity. Contribute with your

denounces the copy of an Ibercheck document that informs that in the file
BADEXCUG there is a non-payment annotation linked to your NIE, communicated by
YOIGO on 03/16/2014.

2. Work in the file, provided by the claimant, the copy on both sides of the

document, issued by a Spanish authority on 01/02/2017, called
"Certificate of registration of citizens of the Union." The certificate contains the name
of the claimant - *** NAME.1-; your last name - *** LAST NAME. 2-; your NIE, *** NIE.1; its
nationality, *** COUNTRY.1 and your address in Spain -plaza *** ADDRESS.3 -. The
document informs that the owner is a community resident in Spain since
04/09/2014.

The reverse of the document reads: “This certificate is issued in accordance with
the provisions of articles 3.3 and 7.1 of Royal Decree 240/2007, of February 16, and
taking into account that this document only proves the registration in the Registry
Foreigner Central of the General Directorate of the Police, if not presented in union
of the passport or identity document ”.


3.- The respondent states that the complainant signed with her on 11/21/2013, in a
in person at a distribution company - “Tienda Bymobil”, with SFID *** VENDEDOR.1- three
telephony contracts that each include the acquisition of a terminal
Samsung Galaxy s4. It has stated that “YOIGO has regularly processed the data

of the claimant under the service contract and, hence, also, the treatment
regular and ordinary relationship between the parties by virtue of the vicissitudes of the
contract".


C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 11/26








4.-The respondent has provided copies of each of the three contracts that
allegedly the claimant held with YOIGO, which deal with the service of
telephony, after portability of the numbering from VODAFONE, and on the

purchase in installments, for each of the three lines whose service is contracted, of a
mobile brand and model Samsung Galaxy S4, white color, being subject to the
financial advantages of acquiring the terminals for maintenance by the
contracting of the commitment of permanence.
Each contract is identified by a reference: The one we have called contract 1,
bears the reference *** REFERENCE. 1 and corresponds to the line number

***TELEPHONE 1. The one we have called contract 2, has the reference
*** REFERENCE. 2 and corresponds to the line *** PHONE. 2. The one we have
called contract 3 carries the reference *** REFERENCE. 3 and corresponds to the line
telephone number *** TELEPHONE. 3.


5.- In the three contracts, the owner's data is reflected in the “Your data” section.
The name of *** NAME.1 consists; surname *** SURNAME. 1 -different therefore
that of the claimant-; the NIF *** NIE.1; nationality, *** COUNTRY.1 and an address in
*** ADDRESS. 3, other than the one included in the Union Resident Certificate
of the claimant and the one who provided with their claim.


6.- All contracts include in the header, under “Contract for registration with
terminal financed by BBVA Particulares ”and the reference number that identifies it,
this legend:
"The data that have an asterisk" * "are essential for Yoigo to give you
high. Those with two asterisks "**" are essential for BBVA to be able to

process the credit ”.
In the three contracts, in the last of the sections, “Signature”, the following appears:
 "Signature * I **", the space is blank. "Distributor stamp * I **", the space is in
White; "Xfera Móviles, S.A.", in the three copies the same heading appears. "Bank
Bilbao Vizcaya Argentaria, S.A. ”, the same heading is incorporated in the three contracts.


7.- Experian Bureau de Crédito, S.A., has reported that in the History of
Updates to the BADEXCUG File is registered that the complainant communicated to the
said solvency file, associated with the NIE *** NIE.1, with registration date 03/16/2014,
an unpaid transaction for a debit balance of 1,856.30 euros from a

telecommunications service.
Experian Credit Bureau. S.A., has reported that this operation was canceled from
BADEXCUG on 12/09/2018, as a result of the “automatic update of the
data file sent by the reporting entity ”.

8.- During the information process prior to the agreement of admission for processing of the

claim that concerns us, the AEPD went to the claimed and requested its
collaboration. The request was communicated to him by writing dated 10/02/2018
notified electronically, the notification being accepted by the claimed on
10/03/2018. To evacuate this procedure, the respondent was granted a period of one month.
The defendant did not respond to the AEPD's request for information.


9.- The Data Inspection of the AEPD, within the framework of the actions of
prior investigation E / 2053/2019, made two requests for information to the
claimed on dates, respectively, 07/17/2019 and 09/23/2019. The certificates

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 12/26








issued by the Electronic Notifications and Electronic Address Service
Authorities of the FNMT that work in the file certify that both
requirements were received by the claimed electronically on 07/17/2019 and

09/30/2019, respectively. The respondent did not respond to any of them.


10.- The two informative requirements of the Data Inspection, dates
07/17/2019 and 09/23/2019, granted the respondent to evacuate this process,
respectively, a period of 15 days and five days and in both writings it was put in

your knowledge that the information was requested in use of the powers conferred on
the AEPD Data Inspection by articles 58.1 RGPD and 67 LOPDGDD and that,
the claimed being obliged by the RGPD to collaborate in the performance of the
inspection function of the AEPD, failure to comply with this obligation could entail
an infringement of the data protection regulations typified in article 83.5.e,

RGPD.



                           FOUNDATIONS OF LAW

                                            I
      By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48.1 of the LOPDGDD,

The Director of the Spanish Data Protection Agency is competent to
solve this procedure.

                                            II
      It is necessary to analyze, first, the argument invoked by the claimed in

the fourth section of his allegations to the motion for a resolution regarding the
"Violation of the principles of non-retroactivity and typicality" in which, in his opinion,
the AEPD would incur if it issued a sanctioning resolution in the terms of the agreement
of initiation and of the proposed resolution. It adds that the rule applicable to the facts
the claim is about the LOPD and that under the aforementioned Law
Organic the imputed infraction would be prescribed.


      To this end, the respondent states that the “contract in which it has its
origin of the claim that initiates this procedure ”took place in November of the year
2013 and the communication by YOIGO of the contractor's data to the BADEXCUG file
in March 2014. Based on these proven facts; from the beginning of

non-retroactivity of the laws established in article 2.3 of the Civil Code and, taking
considering that article 99.2 of the RGPD provides that the Regulation will be
applicable as of May 25, 2.018, reaches the conclusion that “Therefore, the
events that occurred prior to that date have no place in it ”.
On the basis of the principle of non-retroactivity, which would prevent the application of the GDPR and
LOPDGDD, warns that "any claim to assess some events that occurred in

2013 and 2014 under the prism of the RGPD approved in 2016 and applicable from 25
May 2018 is completely contrary to the fundamental principles of our
legal system".

      The respondent considers that, if any rule is applied to conduct that is
object of assessment in the sanctioning file, this should be the Organic Law

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 13/26








15/1999, on the Protection of Personal Data, LOPD, which - it says - is what
it was "in force at the time of the events." And the application of the LOPD, in the opinion of
the claimed, would determine the file of the file because, in his opinion, under

of article 47 LOPD the infraction would be prescribed from the year 2017.
      However, in addition to underlining that the preceding allegations of the

claimed refer only to one of the infractions of the regulations for the protection of
data attributed to it in the initiation agreement and in the proposed resolution
-that is, the violation of article 6.1, b) and f) of the RGPD- and they are not applicable to the
infringement of article 31, in relation to 58.1.e) RGPD that is also charged,
it seems necessary to make these clarifications:

      The legal argument used by the claimed to request the application of the

LOPD is that "in sanctioning, criminal or administrative law, in the event of a collision
of two norms whose temporary validity has been different, being able to apply
any of them, it is a basic principle of law that the one that is more
favorable to the prisoner ”. Reason why, he says, the LOPD should be applied as it is the norm
more favorable.


      This hypothesis, however, contemplates the assumption in which the behavior
offending is committed under the validity of a rule and the procedure through which
the existence of criminal or administrative sanctioning responsibility is clarified

develops while a different substantive rule is in force. In such a case, although under
of the principle of non-retroactivity of the rules, the substantive rule must be applied
in force when the events were committed, the principle of “retroactivity of the
more favorable sanctioning provisions ”-principle that the Constitutional Court
considers included, a sensu contrary, in article 9.3 of the Spanish Constitution-

allows the alleged perpetrator to choose the law that is later than the
made in time, whenever it is more favorable to you. Retroactivity of the standard
most favorable sanctioning procedure that includes article 26.2 of Law 40/2015 of the Regime
Public Sector Legal: “2. The sanctioning provisions will produce effect
retroactive insofar as they favor the alleged offender or the offender, both in terms of
the classification of the offense as well as the sanction and its limitation periods,

even with respect to the sanctions pending compliance when the
new layout."

       The argument invoked by the respondent cannot be extrapolated to the matter that we
occupies. The only substantive rule that should be applied in the present case is the
RGPD because this is the rule that is in force when the procedure begins
sanctioner and, at the same time, the rule in force at the time in which it is understood

committed the offense, according to the doctrine of the Supreme Court (for all, STS
04/17/2002. Rec. 466/2000)

      The claimed -which insistently affirms that LOPD was “in force in the
moment of the events ”; that the contract from which they bring causes the events that occurred
dates from November 2013 and that the inclusion in the BADEXCUG solvency file
was produced in 2014- forget to mention elements that are decisive in this
Question: That it will not be until 12/09/2018 when you cancel the BADEXCUG file

the incident reported to that solvency file associated with the claimant's NIF, which
which implies that until that date, at least, it would have continued to process the data
Claimant's personal information. End to be put in relation to the individual

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 14/26








operation of solvency files. So that the annotations communicated to
these files remain active, the reporting creditor must confirm the inclusion
periodically -periodicity which in the case of BADEXCUG is weekly- because, if not
If so, the annotation is removed from the file automatically. Maintenance in
the BADEXCUG file until 12/09/2018 of the annotation linked to the NIE of the

complainant that YOIGO had communicated in 2014, necessarily presupposes that
the claimed entity processed until that date, at least, the personal data of the
claimant.

      In short, although the treatment of the claimant's personal data by
the claim started before the LOPD and RGPD existed -in 2013 the
contracting and in 2014 the inclusion in BADEXCUG- and being in force the LOPD, the
alleged infringement attributed to the claimed -classified as a violation of article 6.1.,

Sections b) and f) RGPD- participates in the nature of the so-called
permanent infractions, in which the consummation is projected in the longest time
beyond the initial fact and extends, violating data protection regulations,
during the entire period of time in which the data is processed.

      Well, in offenses of this nature, the rule that
is in effect when the offending conduct ends, being that the date on which the
offense is understood to have been committed.

      The Supreme Court has ruled on which rule should be applied in
those cases in which the infractions are prolonged in time and there have been
a regulatory change while the offense was being committed. The STS of 04/17/2002 (Rec.
466/2000) deals with a case in which a provision was applied that was not

in force at the initial moment of commission of the offense, but in the subsequent ones,
in which the offending conduct continued to occur. The Judgment examined a
This course related to the sanction imposed on a Judge for breach of
their duty to abstain from preliminary proceedings. The sanctioned alleged no
effective when the events of article 417.8 of the LOPJ applied occurred. STS
considered that the offense had been committed since the date of initiation

of the Preliminary Proceedings until the moment when the Judge was suspended in the
exercise of their functions, in which the provision was already in force, so that
rule was applicable. In the same sense, the SAN of 09/16/2008 is pronounced
(Rec. 488/2006)

      Consequently, the date on which we must understand that the alleged
violation of article 6.1, sections b) and f) RGPD, attributed to the complained party, is that of the
moment in which it ends, which with the available information would be 12/09/2018.
On that date, the current data protection regulations were the RGPD and

the LOPDGDD (entered into force on 12/07/2018). And the Organic Law, regarding the
limitation periods, provides that very serious offenses have a period of
three-year prescription (article 72) Thus, the application of the RGPD to the facts
on which the claim is concerned in no case violates the principle of
non-retroactivity.

      On the other hand, since the RGPD is the applicable norm, the alleged infringement of the
article 6.1. RGPD attributed to the claimed in no case would have prescribed, so

the prescription could not serve as a legal basis for filing the file that
the complained party requests the proposed resolution in its allegations.

      At the same time, with regard to the violation of article 31, in relation to
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 15/26








article 58.1.e, both of the RGPD, typified in article 83.5.e) RGPD that also
was attributed to the defendant in the initiation agreement -imputation that was confirmed in the
motion for a resolution- it should be noted that the conduct in which such

infringement occurred during the year 2019, the RGPD in force. Remember that the
agreement to admit the claim to processing was signed on 02/19/2019 and that the
informative requirements of the Data Inspection to which the complainant does not
Responded are dated 07/17/2019 and 09/23/2019. In such a way that, regarding this
infringement, it is not appropriate to raise either the violation of the principle of
even less that of non-retroactivity of the rules.



                                            III

     In the agreement to initiate the disciplinary proceedings, the claimed
two violations of the GDPR. One of them, to which we will refer in this
Ground III, is the violation of article 6.1, sections b) and f), RGPD, in relation
with article 5.1.a) RGPD.

      Article 5.1.a) RGPD provides that “1. Personal data will be: a) processed
in a lawful, loyal and transparent manner with the interested party; "

      The principle of legality is developed, among other precepts, in article 6 RGPD
which, under the heading "Legality of the treatment", details in its section 1 the cases in
those that the processing of third party data is considered lawful:
      "1. The treatment will only be lawful if it meets at least one of the following
terms:

a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;
(…)
f) the treatment is necessary for the satisfaction of legitimate interests pursued

by the person responsible for the treatment or by a third party, provided that on said
interests do not override the interests or fundamental rights and freedoms of the
interested party who require the protection of personal data, in particular when the
interested is a child. (...) "

      The violation of section f) of article 6.1 RGPD attributed to the claimed
was related to article 20 of the LOPDGDD - framed in Title IV,

"Provisions applicable to specific treatments" - related to "Systems of
credit information ”, standard that provides:
      "1. Unless proven otherwise, the data processing will be presumed lawful
personal related to the breach of monetary, financial or
credit by common credit information systems when the
following requirements:

      a) That the data have been provided by the creditor or by whoever acts on their behalf

account or interest.


      b) That the data refer to certain, past due and enforceable debts, whose
existence or amount had not been the subject of an administrative or judicial claim for
the debtor or through an alternative dispute resolution procedure
binding between the parties.
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 16/26








      c) That the creditor has informed the affected party in the contract or at the time
to require payment about the possibility of inclusion in said systems, with
indication of those in which it participates.


      The entity that maintains the credit information system with related data
the breach of monetary, financial or credit obligations must notify

the affected party the inclusion of such data and will inform them about the possibility of exercising
the rights established in articles 15 to 22 of Regulation (EU) 2016/679
within thirty days of the notification of the debt to the system,
the data remaining blocked during that period.


      d) That the data is only kept in the system as long as the
default, with a maximum limit of five years from the expiration date of
the monetary, financial or credit obligation.


      e) That the data referring to a specific debtor can only be
consulted when whoever consults the system maintains a contractual relationship

with the affected party that involves the payment of a pecuniary amount or this would have
requested the conclusion of a contract that involves financing, deferred payment or
periodic billing, as happens, among other cases, in those provided for in the
legislation on consumer credit contracts and real estate credit contracts.


      When the right to limit the
processing of data challenging its accuracy in accordance with the provisions of article
18.1.a) of Regulation (EU) 2016/679, the system will inform those who may

consult it in accordance with the previous paragraph about the mere existence of said
circumstance, without providing the specific data with respect to which
exercised the right, while it is resolved on the request of the affected.


      f) That, in the event that the request for the conclusion of the contract is denied, or
this will not be held, as a result of the consultation made, whoever has
After consulting the system, inform the affected party of the result of said consultation.


      (...) "

      The violation of article 6.1, sections b) and f) of the RGPD is found
typified in article 83.5.a) RGPD which establishes:

      "5. Violations of the following provisions will be sanctioned, in accordance
with section 2, with administrative fines of maximum 20,000,000 Eur or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
      a) The basic principles for the treatment, including the conditions for the

consent in accordance with articles 5,6,7 and 9. "


      In the proposed resolution of the sanctioning file, the
attribution to the claimed of each infraction of article 6.1. RGPD, sections b)
and f), typified in article 83.5.a) RGPD and it was proposed to impose a sanction of
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 17/26








fine of 100,000 euros.

      The proposed resolution confirmed the imputation to the claimed of the aforementioned
infringement of the RGPD in light of the documentation that was then in the
file and that was obtained, essentially, during the testing phase. In this sense
It must be remembered that the respondent had not responded to the request for information
from the agency; He did not respond either to the two informative requests that he made

the Data Inspection of the AEPD and that, in the processing of allegations to the agreement of
beginning, did not provide any document or make any other statement that was not declaring
that he had processed the claimant's data in the normal course of a relationship
contractual. Therefore, until the test, the only documents that
in the administrative file were those that the claimant provided with her complaint: The

copy of the Certificate card that proved to be included in the registry of
citizens of the Union in which their NIE and the Ibercheck document that
related to an inclusion in BADEXCUG for a debt of € 1,856.30 linked to
your NIE.

      In response to tests carried out during training, the
claimed provided abundant documentation, notwithstanding which the proposed
resolution appreciated the commission of the violation of article 6.1 RGPD.

      This documentation consisted of the copy of three contracts that according to
manifestation of the claimed had been held in person before one of the
their distributors in November 2013 and which were intended to provide telephone service

of three mobile lines carried from the operator VODAFONE and the acquisition
financed by three high-end mobile terminals. In the three contracts provided,
included the data of the owner, the name *** NAME.1, coinciding with the name of the
claimant; the surname, *** SURNAME.1, different from that of the claimant; the NIE, identical
that of the claimant and the street address *** ADDRESS.3, which differed from the one provided

by the claimant in her complaint.
      What was relevant in the documentation provided in the testing phase was that the three
contracts lacked signature and stamp of the distributor and that in the header of the

contractual documents it was warned that these would not be valid if it was not recorded in
them the signature of the customer and the stamp of the distributor.

      This circumstance, together with the fact that the respondent did not provide in its
response to the tests carried out any type of document related to identity
of the person who hired from which it could be inferred that, on the occasion of the
hiring, he had displayed minimal diligence to verify that the
person who provided personal data as their own was its owner, they forced
to assess the responsibility of the claimed in the commission of an infraction of the

Article 6.1., b) and f) of the RGPD.
      Thus, in the proposed resolution the following was argued regarding this

GDPR violation:
      << (...) In the case analyzed, the legal basis of the data processing

carried out by the claimed, taking into account the characteristics of these treatments,
should be articles 6.1.b) RGPD -which refers to the treatment necessary for the
execution of a contract in which the owner of the data is a party- and 6.1. f) RGPD
-foundation related to the satisfaction of the legitimate interest pursued by the
responsible for the treatment provided that the said interest does not prevail
fundamental rights and freedoms of the interested party that require the protection of

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 18/26








personal information-.
(...)
      The conducts in which the violation of article 6.1 is specified. GDPR of
those that the claimed person is responsible for were the following:


B. On the one hand, the treatment of the claimant's data - her NIE, *** NIE.1, and her
name, *** NAME.1- linked to three contracts - “Registration contract with terminal
financed by BBVA Particulares ”- identified with the references
*** REFERENCE.1, for line number *** PHONE.1; *** REFERENCE. 2, of the
line *** PHONE. 2; and number *** REFERENCE. 3, for the mobile phone line

*** PHONE. 3.
      The three contracts are dated 11/21/2013, which is when we estimate
initiated the illicit treatment for the claimed. The end of the illicit treatment is estimated
occurred on 12/09/2018, given that we are not aware that it had continued
after that date. (...)
      (....) in light of the documentation provided by the complainant, it does not exist in the

present case no evidence that the claimant had contracted with her
any of the services and products that were registered linked to your NIE and your
Name.
      Although the respondent has provided the AEPD in the testing phase with three copies
of the "Registration contract with a terminal financed by BBVA Particulares" - it has even
sent three copies for each of the contracts (copies for YOIGO, for the client

and for the financial institution) -, all of them dated 11/21/2013, in which they appear, in the
section relating to the data of the holder, the NIE and the name of the claimant, these
documents do not certify the fact that the claimant had contracted
with the claimed one.
      None of the three documents that the respondent has provided ... are found
signed by the owner of the data and alleged contractor. The document itself

contractual notice in its header that "The data that have an asterisk" * "are
Essential so that Yoigo can register you. Those with two asterisks "**"
they are essential for BBVA to be able to process the loan ”. In all three contracts
provided to this Agency, under the heading "Signature", the annotation "Signature * I **" appears,
preceding the space for the client's signature and the indication "Seal
distributor * I ** ”, preceding the space for the distributor's stamp before which

the alleged contract is celebrated in person. With such annotations the
contractual document is advising us that the client's signature and the seal of the
Distributor are essential for the operator to register a telephone service
and for BBVA -which is the one who intervenes financing the purchase in installments of the
mobile terminals, as detailed in the General Conditions of the contract- processes the
credit in favor of the client.

      (...)
      Another essential point is added to the above ... The respondent has not provided
this Agency any document that proves the identity of the person who,
supposedly, he contracted with her and provided as his own the NIE *** NIE.1, the name of
*** NAME.1, surname *** SURNAME.1 and address *** ADDRESS.3

      (...) the accreditation of the identity of the person who hires is part of the
evidential activity that is the responsibility of the controller (...) However,
has not provided any document related to the identity of the person who
allegedly signed the contracts that have given rise to the events that
occupy.

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 19/26








      (...)
      C. The second conduct of the claimed contrary to the principle of legality, for
violation in this case of article 6.1.f) RGPD, is the communication to the file of

BADEXCUG solvency of an incident related to the claimant's NIE for a
alleged debt of 1,856.30 euros.
      The incident was registered on 03/16/2014 and canceled on 12/09/2018 as
consequence of the “automatic update of the data file sent by the
reporting entity ”. This means that the annotation published by the
BADEXCUG credit information, the debtor status of the NIE holder

*** NIE.1, the claimant, remained active for more than four years.
      (...)
     Article 20 of the LOPDGDD contains a iuris tantum presumption of
prevalence of the legitimate interest of the data controller who communicates data
from third parties to credit information systems, popularly known as

solvency or delinquency files. For the aforementioned presumption to display its
effectiveness, all the requirements that the precept details in its
section 1, letters a) to f).
      The data processing in which the behavior of the claimed is specified now
examined -the communication of the claimant's data to the BADEXCUG file and its

maintenance in that file for more than four years - cannot be based on the
presumption of article 20 LOPDGDD as one of the requirements on
those that the Organic Law 5/2018 builds this presumption.
      (...)
      It is evident, based on the documentation in the file, that the
debt for the amount of XXX euros that the claimed reported to BADEXCUG linked

The NIF of the claimant did not meet the requirement of "certainty", since such debt was not true
in relation to the person to whom it was attributed and whose personal data were subject
treatment. (...). The core of the issue is that, while the respondent has not
proven that it was indeed the claimant who signed with her the
contracts from which the debts derive, the condition of

debtor of the claimant. >>


      In the processing of allegations to the proposed resolution, the complainant has
provided diverse and highly relevant documentation that directly affects the
legal assessment of the behaviors that until now we had qualified as
violation of article 6.1., letters b) and f), of the RGPD.

      Article 82 of the LPACAP, "Hearing procedure", establishes in section 2
that “The interested parties, within a period of no less than ten days or more than fifteen, may
allege and present the documents and justifications that they deem pertinent ”.

        The documents provided are, in summary, the following:

         (i) The “originals” of the three contracts that were entered into through a
YOIGO distributor in person. All three contracts are
duly signed by the customer and also bear the stamp of the distributor. He has
provided, with respect to each of the line numbers for which the
mobile phone service, the numbering portability request document

mobile from VODAFONE, duly signed by the applicant.
      The data contained in the contracts provided in this procedure -both the

relating to the identity of the contract holder (name, surname, NIE, address and account
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 20/26








bank), to the object of the contracts, to the date, the reference number or the line of
mobile telephony on which each one deals - they are identical to those that appeared in the
contractual documents that the respondent provided in the evidence process and that

they lacked signature and seal.
      (Ii) a debit receipt for direct debit has also been provided
issued by BBVA on 11/12/2013 in which the payer is the operator VODAFONE and the

holder of the charge account a person identified with the same name and surname
of the holder of the three contracts -that is, *** NAME.1 *** SURNAME.1-. Digits
of the charge account that appear on the bank receipt are the same as
included in the three contracts for the purposes of direct debit of invoices. On the receipt
bank provided the address of the account holder coincides with the one that appears in

the three contracts as the domicile of the contracting party, street *** ADDRESS. 3
      In addition, the bank account debit document shows that the payer

of the position is the telecommunications operator VODAFONE ESPAÑA, S.A.U., which
It is also the operator that appears as a donor of the three mobile phone lines
contracted with YOIGO.

      Another of the documentaries provided (iii) is a Certificate of Registration of
Citizens of the Union ”in which the person in charge of the Central Registry of Foreigners
of the Provincial Commissariat of *** LOCALIDAD.1 certifies that, in accordance with
established in articles 3.3 and 3.7 of Royal Decree 240/2007, of February 16, and
bearing in mind that this document only proves the registration in the Registry

Central de Extranjeros if it is presented together with the passport or
valid identity, the person indicated below, has requested and obtained their
registration in the Central Registry of Foreigners (...) as a community resident in
Spain, since 11/15/2010: D. *** NAME.1 *** LAST NAME.1; born him
08/05/1985, in *** LOCALIDAD.2 (*** COUNTRY.1); son of Gabriel and Viorica. Nationality:

*** COUNTRY 1. Address: street *** ADDRESS. 2. Foreigner Identity Number (NIE)
*** NIE. 1. The document includes on two occasions this "Notice: Invalid document
to prove the identity or nationality of the bearer ”.

      The conduct that was taken into consideration to attribute to the respondent a
infringement of the principle of legality was the processing of the personal data of the

claimant -NIE and name- without being accredited the legal basis that
protected. The treatment carried out by the claimed consisted of registering three
contracts in the name of a person identified with the NIE and name of the claimant
and to include the NIE in the BADEXCUG solvency file associated with a debt
unpaid derived from said contracts.

      The respondent has provided with her allegations to the proposed resolution the
documents that serve, in his opinion, as a basis for the causes of legality described in

sections b) and f) of article 6.1 RGPD. It has contributed three contracts signed with
her through a distributor in which the data of the contracting person coincide
with those of the claimant in the NIE and the name - *** NAME.1-, although not in the
surname -in the contract appears *** SURNAME. 1 and the claimant says her surname
*** LAST NAME. 2- nor at home. All three contracts are signed by the person
contractor. And in order to prove that the person who identified himself with the data that

appear in the contracts and provided them as his own was who he claimed to be, has provided the
document called Certificate of registration of citizens of the Union whose data
they coincide with those that appear in the three contracts to identify their owner.

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 21/26








      Now, the Certificate includes on two occasions a notice that informs that
This document is not valid to prove the identity or nationality of the bearer
and in the text of the document it is noted that “(..) this document only proves the
registration in the Central Registry of Foreigners if presented together with the passport
or valid identity document ”.

      The Certificate provided cannot be granted the power to prove the identity of
the contracting person, but having obtained that document shows, in

principle, that the claimed, on the occasion of the conclusion of the three contracts,
He deployed some diligence aimed at identifying the contracting person.
      The claimed, through its distributor, also obtained from the person who

contracted and provided as their own the data that appear in the contracts other
documents that reveal that he was identified with the same data before his entity
financial BBVA's receipt of the debit account proves that in November 2013
the contracting person was identified before said entity with the same name,
surname and address provided to the claimed in the hiring. Also, the account
bank owned, according to BBVA's receipt, is the one that appears in the

contracts as a direct debit account. Similarly, the payer of the
bank charge that appears on the receipt from BBVA, the operator VODAFONE, is
Also, according to the contracts, the donor operator in the portability of the lines
telephone whose services were contracted with the claimed.

      In short, although the Certificate of registration of citizens of the Union lacks
alone of force to prove the identity of the person who exhibits it, there is in the
procedure other documents that demonstrate that these data identified the
validly contracting person in other areas, such as in their relations with the

BBVA, of which he was a client, or with the VODAFONE operator, with whom he had
contracted services whose payment was domiciled in his bank account.
       Assessed as a whole the various documents that the complainant has provided

It seems fair to conclude that, given the circumstances of the case, he displayed a
minimum and reasonable diligence in identifying the person who signed the
contracts and provided the NIE and the name of the claimant as his own. And it is also
example of diligence in complying with the obligations imposed by the RGPD
that the respondent has kept the documentation regarding the hiring and the

identity of the contractor, which was obtained in 2013, the date of the
contracts, in order to be able to prove the legality of the data processing carried out.
      The diligence shown by the claimed person in identifying the person who

hired and provided as his own the personal data of the NIE and name of the claimed
prevents appreciating in the case under examination the concurrence of fault or negligence,
necessary to be able to demand administrative responsibility. As indicated by the SAN of
04/29/2010, (Sixth Legal Basis), “The question is not to determine whether the appellant
processed the personal data of the complainant without her consent, as if
did or did not use reasonable diligence in trying to identify the person with

the one that signed the contract ”. (The underlining is from the AEPD)
          The presence of the subjective element or guilt in the broad sense, such as

condition for the sanctioning responsibility to be born, has been confirmed by the
Constitutional Court, among others, in its STC 76/1999, in which it affirms that the
administrative sanctions are of the same nature as criminal penalties as they are
one of the manifestations of the ius puniendi of the State and that, as a requirement
derived from the principles of legal certainty and criminal legality enshrined in the
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 22/26








Articles 9.3 and 25.1 of the EC, its existence is essential to impose it.

         In the same sense, Law 40/2015 on the Legal Regime of the Public Sector
provided in article 28.1. that "They may only be sanctioned for acts constituting
of administrative infringement the natural and legal persons, as well as (...), which are
responsible for them by way of fraud or fault. "

        Consequently, the subjective element of the offense being absent - all
Once the documentation provided shows that the respondent acted with a
minimum and reasonable diligence to guarantee the identity of the person who hired and

provided as their own certain personal data- it corresponds to agree on the file
of the procedure regarding the infringement of article 6.1, sections b) and f) RGPD
which was attributed to the defendant in the agreement to initiate the disciplinary proceedings.


                                           IV

      A. Article 58 RGPD refers to the powers granted to the authorities of
control and refers in section 1 to its "powers of investigation", precept

which states:
      "1. Each supervisory authority will have all investigative powers

indicated below: (…)
e) obtain from the person in charge and the person in charge of the treatment access to all the data
personal and all the information necessary for the exercise of their functions;

f) obtain access to all the premises of the person in charge and the person in charge of the
treatment, including any equipment and means of data processing, of

conformity with the procedural law of the Union or of the Member States. "
      In turn, article 31 RGPD -relative to the general obligations of the

responsible and the person in charge of treatment, Section 1, of Chapter IV of the
Regulation (EU) 2016 / 679- states:
      "The person in charge and the person in charge of treatment, and where appropriate their representatives

cooperate with the supervisory authority that requests it in the performance of their
functions ”.

      On the other hand, the LOPDGDD, article 51.1, establishes that "The Spanish Agency
of Data Protection will develop its research activity through the
actions provided for in Title VIII and preventive audit plans ”. The
LOPDGDD includes article 67 in this Title, which deals with the actions of
previous investigation.

      In addition, article 53 of the LOPDGDD refers to the scope of the activity of
investigation and indicates in section 1 that “Those who develop the activity of
investigation will be able to gather the precise information for the fulfillment of their

functions, carry out inspections, require the exhibition or dispatch of documents and
necessary data, examine them in the place where they are deposited or in
where the treatments are carried out obtain a copy of them, inspect the
physical and logical equipment and require the execution of treatments and programs or
treatment management and support procedures subject to investigation ”.

      The breach by a person responsible for the treatment of the obligation that
imposes article 31 of the RGPD, in relation to the powers that in matters of

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 23/26








inspection is attributed to this Agency by article 58.1 e) of the aforementioned Regulation
(EU) 2016/679, is subsumed in the sanctioning type of article 83.5.e) RGPD that
He says:

      "Violations of the following provisions will be sanctioned, in accordance with
with paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the

total annual global business volume of the previous financial year, opting for
the highest amount:

(…)
e) failure to comply with a resolution or a temporary or definitive limitation of the

treatment or suspension of data flows by the supervisory authority
in accordance with article 58, paragraph 2, or failure to provide access in breach of the
article 58, paragraph 1. (The underlining is from the AEPD)

      For the purposes of prescription, the LOPDGDD qualifies in its article 72.1. as
very serious offense: “o) Resistance or obstruction of the exercise of the function
inspector by the competent data protection authority ”. The term of
prescription for very serious offenses is three years.



      B. The documentation in the administrative record certifies that the
claimed refused to collaborate with the inspection action carried out by the
Inspection Service of the AEPD within the framework of E / 2053/2019 and that when taking the
decision not to collaborate with the investigation carried out by the supervisory authority
was fully aware of the consequences that could result from his behavior

omisive.
      Regardless of the information request that the Agency made to the claimed

before the initiation of the preliminary investigation actions - that is, before the
had agreed to admit the claim to processing-, information request to the
that did not respond either, and focusing on the previous investigation actions,
because according to article 51.1 LOPDGDD these are framed in the function
investigator recognized by the control authorities and who develops the

Article 58.1 RGPD, these circumstances stand out:
      The defendant did not give any response to the AEPD. The only letter received from
in the course of the preliminary investigation actions is dated 08/07/2019 and in

he requests that the deadline be extended to respond to the information request that is
had done on 07/17/2019 and received on that same date. In that requirement
It gave him a period of fifteen business days to evacuate the process. The AEPD
Responds in writing of 08/12/2019 and grants the requested extension of the deadline. The
The response of this Agency, which is notified electronically on the same date, is

accepted by the claimed seven days later, on 08/19/2019. None is received
reply. The Data Inspection sent the claimed a second request
informative dated 09/23/2019, which was made available on the website on
same day and whose notification was accepted by the claimed on 09/30/2019. The
The complainant did not respond to this second request either. In short, despite

that the receipt by the respondent of both information requirements of the
Inspection of Data is accredited, did not respond to any of them.
      The second relevant circumstance is that in the two requirements

C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 24/26








sent, the respondent was informed in detail of the consequences that could
derive from not meeting the request for collaboration with the AEPD. He was reminded of the
obligation imposed by the RGPD to collaborate in the development of the function

inspector and that failure to comply with said obligation could lead to the commission
of an infringement typified in article 83.5.e, RGPD for infringement of article 58.1.
RGPD.

       In consideration of the proven facts, it is estimated that the defendant incurred
an infringement of article 31 RGPD, in relation to article 58.1.e, of the same
standard, typified in article 83.5.e) RGPD and qualified by the LOPDGDD for the purposes
prescription, as a very serious offense (article 72.1.,)



      C. In determining the administrative fine to be imposed for the infraction of the
Article 31, in relation to Article 58.1.e), RGPD, the
provisions of articles 83.1 and 83.2 of the RGPD.

      In accordance with the RGPD requirement that administrative fines be
“Effective, proportionate and dissuasive” and to the provisions of articles 83.4 and
83.5 RGPD, the total annual global volume of the financial year must be taken into account
previous financial statement of the claimed. Well understood that, as the Recital

150 of the RGPD, “If administrative fines are imposed on a company, for such it must
be understood as a company according to article 101 and 102 of the TFEU ”. The group
MASMOVIL to which the claimed belongs obtained in 2018 income
of 1,451 million euros and a net profit of 71 million euros.

      After analyzing the circumstances that preside over the offending conduct, in order to
specify the amount of the fine that must be imposed on the person responsible,
considers that the following elements are present that involve an aggravation of
the guilt of the offending subject and / or the unlawfulness of his conduct.

- The respondent acted with an extremely serious lack of diligence when
repeatedly refused to collaborate with the inspection function that the AEPD was

exercising. Negative that cannot be justified even in the existence of any incident
in the notifications of the informative requirements, since they received
correctly by the claimed, nor in the course of the terms granted for
reply. The AEPD acted with total flexibility and provided all kinds of facilities to the
claimed so that it could provide the requested collaboration. Deadlines were extended

to respond at the time the respondent requested it - despite the time
elapsed between the receipt of the information request and the request for
deadline extension - and considerable time was allowed to pass after the
deadlines expire and before repeating the information request. It was also not obtained
no response to the second request for collaboration. Circumstance
aggravating factor that is framed in article 83.2.b, RGPD.

- The link between the activity of the claimed and the processing of personal data
from clients or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b,

of the LOPDGDD)
      In view of the foregoing considerations, it is agreed to sanction the

claimed for the violation of article 31, in relation to 58.1.e, RGPD, typified
in article 83.5.e) RGPD and qualified by the LOPDGDD for prescription purposes
as a very serious offense (article72.1.o,), with an administrative fine of 20,000
euros.
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 25/26










      Therefore, in accordance with the applicable legislation, the Director of the Agency
Spanish Data Protection RESOLVES:

FIRST: REGARDING the alleged violation of article 6.1. letters b) and f) of
RGPD, which was attributed to XFERA MÓVILES, S.A., with NIF A82528548, in the agreement

of initiation of this sanctioning file, AGREE to the FILE of the procedure
sanctioner for INEXISTENCE OF INFRINGEMENT, as the claimed person has provided the
documents that prove it.

SECOND: MPONER to XFERA MÓVILES, S.A., with NIF A82528548, for a

infringement of article 31 of the RGPD, in relation to article 58.1.e, typified in the
Article 83.5.e) of the RGPD, a penalty of twenty thousand euros (€ 20,000).

THIRD: NOTIFY this resolution to XFERA MÓVILES, S.A.

FOURTH: Warn the sanctioned person that the sanction imposed a

Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,

of December 17, by means of their entry, indicating the NIF of the sanctioned and the
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.


Notification received and once executive, if the execution date is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
C / Jorge Juan, 6 www.aepd.es

28001 - Madrid sedeagpd.gob.es 26/26









may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.


Mar Spain Martí
Director of the Spanish Agency for Data Protection















































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es