AEPD - PS/00405/2019
|AEPD - PS/00405/2019|
|Relevant Law:||Article 6(1) GDPR|
|Parties:||Vodafone España, S.A.U A.A.A.|
|National Case Number:||PS/00405/2019|
|European Case Law Identifier||n/a|
|Original Source:||AEPD (in ES)|
The AEPD decided to initiate disciplinary proceedings against Vodafone España, S.A.U. and impose a fine of € 100.000 for the alleged infringement of Article 6(1) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainant filed a complaint against Vodafone España, S.A.U. (respondent) with the Spanish Data Protection Agency (AEPD) on 16 May 2019. On 20 February 2019 the complainant received an email with an invoice for an alleged contracted telephone line from Vodafone España, S.A.U. Despite the efforts to clarify the situation, the claimant had not received a response from the respondent.
Dispute[edit | edit source]
In view of the facts denounced in the complaint and the documents provided by the complainant, the AEPD initiated an investigation pursuant to Article 57(1) GDPR to clarify the facts.
Th AEPD has transferred the complaint to the respondent, but the latter had not responded to the requests.
Holding[edit | edit source]
As a result of the investigation, the AEPD found that that the person responsible for the processing is the one who is being claimed.
According to the documentation in the file, the AEPD decided that Vodafone España, S.A.U. processed the personal data of the claimant without their consent. The claimant's personal data were recorded in the files and were treated for the issuance of invoices for services associated with the person claimed.
When making a decision in this case, the AEPD considered the following aggravating factors:
- the present case is dealing with an unintentional negligent action, but was identified as significant (Article 83(2)(b) GDPR).
- basic personal identifiers were affected (name, identification number, the line identifier) (Article 83(2)(g) GDPR).
The fine was therefore set to the amount of 100.000 euros for the infringement of Article 6(1) GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the original. Please refer to the Spanish original for more details.
1/12 936-031219 Product No.: PS/00405/2019 DECISION R/00011/2020 ON TERMINATION OF PROCEEDINGS FOR PAYMENT VOLUNTEER In sanction procedure PS/00405/2019, conducted by the Agency Spanish Data Protection Agency to VODAFONE ESPAÑA, S.A.U., in view of the complaint presented by A.A.A., and based on the following, BACKGROUND FIRST: On November 28, 2019, the Director of the Spanish of Data Protection agreed to initiate sanctioning proceedings against VODAFONE SPAIN, S.A.U. (hereinafter, the claimed), by means of the Agreement which is transcribed: << Procedure No.: PS/00405/2019 935-240719 AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS Of the actions carried out by the Spanish Agency for the Protection of Data and based on the following: FACTS FIRST: Mrs. A.A.A. (hereinafter, the Claimant) dated May 16, 2019 filed a complaint with the Spanish Data Protection Agency. The claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (in go ahead, the one claimed). The grounds on which the claim is based are that on February 2019 received an e-mail from the respondent informing about the billing of a line that claims not to have hired. In spite of the steps taken, he has not received adequate response to the situation of the alleged recruitment. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/12 The complainant provides the messages sent to the respondent and received from this one. It provides receipts for bank charges. SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, the Subdirectorate General for the Inspection of Data proceeded to the realization of previous research actions for the clarification of the facts in question under the powers of investigation granted to the inspection authorities in Article 57(1) of the Regulation (EU) 2016/679 (General Data Protection Regulations, hereinafter referred to as GPRD), and in accordance with the provisions of Title VII, Chapter I, Section Two of the Act Organic 3/2018 of 5 December on the Protection of Personal Data and Guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigation carried out, it was found that that the person responsible for the processing is the one who is being claimed. The following points are also noted: This body has transferred this complaint to the defendant, with dates July 15 and October 4, 2019, it is stated that July 18 and October 7 of the same year, not having responded to the requirements of this Agency. In the messages sent by the complaining party to the complainant, the he notes: That the respondent sent an e-mail to the complainant stating that you would receive an invoice for your line. Charges to your bank account in connection with that line. Answer to the claimant in which he states that at the time a line was active in the same address where he lived previously the claimant, but under the ownership of another person. THIRD: According to the documentation in the file, it is accredited that the respondent carried out the processing of the personal data of the claimant without her consent. The claimant's personal data were recorded in the files and were treated for the issuance of invoices for services associated with the person claimed. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/12 LEGAL FOUNDATIONS I By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure. II Article 58 of the RGPD, "Powers", says: "2 Each supervisory authority shall have all the following powers corrections indicated below: (…) (b) sanction any person responsible for or in charge of the processing with a warning where processing operations have infringed the provisions of this Regulations; (...) (d) instruct the controller or processor to ensure that the processing operations treatment are in accordance with the provisions of this Regulation, where applicable, in a certain way and within a specified time frame. (…) (i) to impose an administrative fine pursuant to Article 83, in addition to or in place of measures referred to in this paragraph, depending on the circumstances of the case particular (…)” III Article 5 of the RGPD deals with the principles that should govern the processing of personal data and mentions among them that of "lawfulness, loyalty and C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/12 transparency". The precept states: "1. Personal data shall be: (a) processed in a lawful, fair and transparent manner in connection with interested (<<lawfulness, loyalty and transparency>>);" Article 6 of the RGPD, "Lawfulness of processing", details in its paragraph 1 the cases in which the processing of third party data is considered lawful: "1. Processing shall be lawful only if at least one of the following conditions is met conditions: (a) the data subject has given his consent to the processing of his data personal for one or more specific purposes; (b) processing is necessary for the performance of a contract in which the interested is a party to or for the application at his request of measures pre-contractual; (…)” The infringement for which the claimed entity is held responsible is Article 83 of the RGPD which, under the heading "General conditions for the imposition of administrative fines," he says: “5. Infringements of the following provisions shall be penalised, in accordance with with paragraph 2, with administrative fines of up to EUR 20 000 000 or, in the case of a company, for an amount equivalent to a maximum of 4% of total annual turnover for the previous financial year, opting for the largest: (a) The basic principles for treatment, including the conditions for consent under Articles 5, 6, 7 and 9. The Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements considered to be very serious," he says: C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/12 "1. In accordance with the provisions of Article 83(5) of the Rules of Procedure (E.U.) 2016/679 are considered very serious and will prescribe after three years the infringements that constitute a substantial infringement of the articles mentioned in that In particular, the following: (…) b) The processing of personal data without any conditions for the lawfulness of processing laid down in Article 6 of Regulation (EU)2016/679. IV The documentation in the file provides evidence that the Article 6.1 of the RGPD, since it dealt with the personal data of the claimant without her consent. The personal data of the were incorporated into the company's information systems, without has provided evidence that it had his consent to the collection and processing of your personal data. The Contentious-Administrative Chamber of the National Court, in cases like the one here, has considered that when the data owner denies the burden of proof is on the person claiming its existence the data controller of third parties must collect and keep the documentation necessary to prove the consent of the owner. We quote, for All, SAN of 31/05/2006 (Rec. 539/2004), Fundamento de Derecho Cuarto. The complainant's personal data were recorded in the files of the claimed and were treated for the issuance of invoices for services associated with the complainant. Consequently, it has carried out a processing of the data personal without proof of consent for treatment, not to mention legal authorization. However, and this is the essential point, the claimed does not prove the legitimacy to the processing of the claimant's data. In short, the respondent has not provided any document or evidence any evidence that the entity, in such a situation, would have deployed the minimum diligence required to verify that your interlocutor was indeed the one C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/12 he claimed to hold. Respect for the principle of legality which is at the heart of the fundamental right of personal data protection requires proof that the The controller took the necessary steps to prove that the extreme. If this is not done - and if it is not demanded by this Agency, which is responsible for ensuring for the compliance with the regulations of the data protection law of personal nature - the result would be to empty the principle of legality of its content. V In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, which are the provisions that indicate: "Each supervisory authority shall ensure that the imposition of fines administrative offences under this Article for violations of this Regulation referred to in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. "Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) In deciding to impose a fine and its amount in each individual case will be duly taken into account: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of stakeholders affected and the level of damage and damages they have suffered; (b) the intentional or negligent nature of the infringement; (c) any action taken by the controller or processor to mitigate the damages suffered by those concerned; (d) the degree of responsibility of the person responsible for or in charge of the treatment, taking into account any technical or organisational measures applied under Articles 25 and 32; (e) any previous offence committed by the person responsible for or in charge of the treatment; C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/12 (f) the degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, in such case, to what extent; (i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible or the person in charge in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement." With respect to section 83.2 (k) of the RGPD, the LOPDGDD, section 76, "Sanctions and corrective measures," he says: "In accordance with Article 83(2)(k) of Regulation (EU) 2016/679 may also be taken into account: (a) the continuing nature of the infringement (b) The link between the activity of the offender and the processing of data personal. (c) The profits obtained as a result of the commission of the offence. (d) the possibility that the conduct of the person concerned might have led to the commission of the infraction. (e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity. (f) Affecting the rights of minors. g) To have, when it is not compulsory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested party." In accordance with the precepts transcribed, and without prejudice to what may result from the proceedings, for the purpose of setting the amount of the fine to be imposed in the present case, the party complained of is considered to be responsible for an infringement C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/12 As defined in article 83.5.a) of the RGPD, in an initial evaluation, the following are considered to be concurrent the following factors. As aggravating factors the following: - In the present case we are dealing with an unintentional negligent action, but identified significant (Article 83(2)(b)). - Basic personal identifiers are affected (name, a number of identification, the line identifier) (Article 83(2)(g)). Therefore, it is considered appropriate to graduate the penalty to be imposed on the defendant and set it at the amount of 100,000 euros for the infringement of Article 6.1 of the RGPD. Therefore, in view of the above, By the Director of the Spanish Data Protection Agency, AGREED: 1. Initiate disciplinary proceedings against VODAFONE ESPAÑA, S.A.U, with NIF A80907397, for the alleged infringement of Article 6.1. of the RGPD as defined in article 83.5.a) of the aforementioned RGPD. To appoint Mr. B.B.B. as instructor and Ms. C.C.C. as secretary, indicating that either of them may be challenged, if appropriate, in accordance with The provisions of Articles 23 and 24 of Law 40/2015 of 1 October on Public Sector Legal System (LRJSP). 1. INCORPORATE into the sanctioning file, for evidentiary purposes, the claimant and its accompanying documentation, the information requirements that the Subdirectorate General for the Inspection of Data was sent to the complained entity in the preliminary investigation phase and its respective acknowledgements of receipt. 2. THAT for the purposes of Article 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Administrations C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/12 100,000 (one hundred thousand euros), which would be a fine of euros), without prejudice to the outcome of the investigation. 3. NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, giving you a hearing period of ten working days to make the allegations and submit the evidence he deems appropriate. In your pleading, you must provide your tax identification number and the number of procedure set out in the heading of this document. If you do not make representations to this initiating agreement within the stipulated time limit, it may be considered as a motion for resolution, as set out in Article 64.2(f) of Law 39/2015 of 1 October on the Common Administrative Procedure of the Public Administration (hereinafter LPACAP). In accordance with Article 85 of the LPACAP, if the penalty to be imposed other than a fine, may acknowledge its responsibility within the period granted for the formulation of arguments to the present agreement of beginning; the which will be accompanied by a 20% reduction in the penalty to be imposed in the present procedure. With the application of this reduction, the sanction would be 80,000, with the procedure being resolved by the imposition of this sanction. Similarly, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed penalty, which will result in a 20% reduction in its amount. With the application of this reduction, 80,000 and its payment will result in the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with that for apply for recognition of liability, provided that this recognition of the responsibility becomes apparent within the time allowed for formulating allegations to the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. At in this case, if both reductions were to be applied, the amount of the penalty would be set at 60,000 euros. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/12 In any case, the effectiveness of either of the two above-mentioned reductions will be conditional upon the withdrawal or waiver of any action or remedy in the administrative sanction against the sanction. If you choose to proceed with the voluntary payment of any of the amounts 80,000 or 60,000 euros, you must pay it by depositing it in the account nº ES00 0000 0000 0000 0000 open to name of the Spanish Data Protection Agency at CAIXABANK Bank, S.A., indicating in the concept the reference number of the procedure in the heading of this document and the reason for the reduction in the amount to which welcomes. Likewise, you must send the proof of admission to the Subdirectorate General of Inspection to continue the procedure in accordance with the quantity admitted. The procedure will last a maximum of nine months from the date of the agreement to initiate or, where appropriate, the draft agreement to initiate. Once this period has elapsed, the agreement will expire and, consequently, the actions; in accordance with the provisions of Article 64 of the LOPDGDD. Finally, it is noted that in accordance with Article 112.1 of the LPACAP, No administrative appeal is possible against this act. Mar Spain Martí Director of the Spanish Data Protection Agency >> SECOND : On December 24, 2019, the claimant has proceeded to the payment of the penalty in the amount of 60 000 euros by making use of the two reductions provided for in the above transcribed Agreement, which implies the recognition of responsibility. THIRD: The payment made, within the period granted for making allegations to the opening of the procedure, entails the waiver of any action or appeal in administrative sanctioning and acknowledgement of responsibility in relation to the facts referred to in the Agreement to Initiate. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/12 LEGAL FOUNDATIONS I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the control, and in accordance with Article 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and Guarantee of Digital Rights (in (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to penalise infringements committed against it Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General of Telecommunications (hereinafter referred to as LGT), in accordance with the Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the information and electronic commerce (hereinafter referred to as the ISESA), as provided for in 43.1 of the said Act. II Article 85 of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings" provides the following: "1. Penalty proceedings are initiated if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the penalty as appropriate. 2. Where the penalty is solely pecuniary in nature or where it is impose a financial penalty and a non-pecuniary penalty but has been justified the impropriety of the second, voluntary payment by the alleged perpetrator, in any time before the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the penalty is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of, at at least 20 % of the amount of the proposed penalty, which may be cumulated with each other. These reductions shall be determined in the notification of initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this paragraph may be increased by regulation. In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00405/2019, of in accordance with Article 85 of the LPACAP. SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U. In accordance with the provisions of article 50 of the LOPDGDD, this The decision will be made public once it has been notified to the interested parties. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/12 Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure The interested parties may lodge an appeal with the administrative litigation before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within two months of day following notification of this act, as provided for in Article 46(1) of referred to Law. Mar Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es