AEPD (Spain) - PS/00405/2019: Difference between revisions

From GDPRhub
No edit summary
No edit summary
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |AEPD - PS/00268/2019
! colspan="2" |AEPD - PS/00405/2019
|-
|-
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoES.jpg|center|250px]]
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoES.jpg|center|250px]]
Line 10: Line 10:
[[Category: Spain]]
[[Category: Spain]]
|-
|-
|Relevant Law:||[[Article 13 GDPR]]  
|Relevant Law:||[[Article 6 GDPR#1|Article 6(1) GDPR]][[Category:Article 6(1) GDPR]]
[[Category:Article 13 GDPR]]
|-
|-
|Type:||Complaint
|Type:||Complaint
Line 17: Line 16:
|Outcome:||Upheld
|Outcome:||Upheld
|-
|-
|Decided:||06.11.2019
|Decided:||28.11.2019  
[[Category:2019]]
[[Category: 2019]]
|-
|-
|Published:||n/a
|Published:||n/a
|-
|-
|Fine:||900 EUR
|Fine:||EUR 100,000
|-
|-
|Parties:||Todotecnicos24h S.L
|Parties:||Vodafone España, S.A.U A.A.A.
|-
|-
|National Case Number:||PS/00268/2019
|National Case Number:||PS/00405/2019
|-
|-
|European Case Law Identifier
|European Case Law Identifier
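Review bot: The new "Decided" value of 28.11.2019 matches the date the transcribed text gives for the agreement to initiate proceedings ("On November 28, 2019, the Director ... agreed to initiate sanctioning proceedings"), while the document itself is headed "DECISION R/00011/2020", so this field should be checked against the source PDF and set to the date of the terminating decision. In the "Parties" row, "Vodafone España, S.A.U A.A.A." runs the respondent and the anonymised complainant together with no separator; put them on separate lines or add a delimiter. The "Fine" row uses "EUR 100,000" while the summary text uses "€ 100.000"; use one number format throughout the page.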
Line 33: Line 32:
|Appeal:||n/a
|Appeal:||n/a
|-
|-
|Original Language:||[[Category:Spanish]] Spanish
|Original Language:||[[Category:Spanish]]
Spanish
|-
|-
|Original Source:||[https://www.aepd.es/es/documento/ps-00268-2019.pdf AEPD (in ES)]
|Original Source:||[https://www.aepd.es/es/documento/ps-00405-2019.pdf AEPD (in ES)]
|}  
|}  


The AEPD imposed a fine of € 900 to Todotecnicos24h S.L for violation of Article 13 GDPR.  
The AEPD decided to initiate disciplinary proceedings against Vodafone España, S.A.U. and impose a fine of € 100.000 for the alleged infringement of Article 6(1) GDPR.  


==English Summary==
==English Summary==


===Facts===
===Facts===
The Consumer Institute of Madrid brought a complaint before the AEPD because Todotecnicos24h S.L's privacy policy was  not specific enough and did not comply with Article 13 GDPR.  
The complainant filed a complaint against Vodafone España, S.A.U. (respondent) with the Spanish Data Protection Agency (AEPD) on 16 May 2019. On 20 February 2019 the complainant received an email with an invoice for an alleged contracted telephone line from Vodafone España, S.A.U. Despite the efforts to clarify the situation, the claimant had not received a response from the respondent.
 
===Dispute===
===Dispute===
Does the lack of precision enough to infrige Article 13 GDPR?
In view of the facts denounced in the complaint and the documents provided by the complainant, the AEPD initiated an investigation pursuant to Article 57(1) GDPR to clarify the facts.
 
Th AEPD has transferred the complaint to the respondent, but the latter had not responded to the requests.
 
===Holding===
===Holding===
The AEPD found that the information related to data collection in the privacy policy were insufficiently precise and that is violated Article 13 GDPR.
As a result of the investigation, the AEPD found that that the person responsible for the processing is the one who is being claimed. 
 
According to the documentation in the file, the AEPD decided that Vodafone España, S.A.U. processed the personal data of the claimant without their consent. The claimant's personal data were recorded in the files and were treated for the issuance of invoices for services associated with the person claimed. 
 
When making a decision in this case, the AEPD considered the following aggravating factors: 
 
- the present case is dealing with an unintentional negligent action, but was identified as significant (Article 83(2)(b) GDPR).
 
- basic personal identifiers were affected (name, identification number, the line identifier) (Article 83(2)(g) GDPR).
 
The fine was therefore set to the amount of 100.000 euros for the infringement of Article 6(1) GDPR.


==Comment==
==Comment==
''Share your comments here!''
''Share your comments here!''
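Review bot: The added summary text has two typos to fix: "Th AEPD has transferred" in the Dispute section and "found that that the person responsible" in the Holding section. The lead sentence also says the AEPD "decided to initiate disciplinary proceedings" for an "alleged infringement", whereas the transcribed document is a decision on termination of the proceedings for payment. The summary should state the outcome that decision records and keep the initiation agreement as background. The Dispute section describes procedural steps rather than the legal question at issue; a one-line statement of the Article 6(1) question (whether the respondent had a lawful basis to process the claimant's data for invoicing) would match how the section is used in the previous revision.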


Line 61: Line 74:


<pre>
<pre>
936-150719
1/12
Product No.: PS/00268/2019
936-031219
 
Product No.: PS/00405/2019
 
DECISION R/00011/2020 ON TERMINATION OF PROCEEDINGS FOR PAYMENT
RESOLUTION R/00578/2019 ON THE TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT
VOLUNTEER
 
In sanction procedure PS/00405/2019, conducted by the Agency
In the sanctioning procedure PS/00268/2019, instructed by the Spanish Agency of Data Protection to TODOTECNICOS24H S.L., having regard to the complaint presented by INSTITUTO MUNICIPAL DE CONSUMO DE MADRID, and based on the following
Spanish Data Protection Agency to VODAFONE ESPAÑA, S.A.U., in view of the complaint
 
presented by A.A.A., and based on the following,
BACKGROUND
BACKGROUND
 
FIRST: On November 28, 2019, the Director of the Spanish
FIRST: On 23 October 2019, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against TODOTECNICOS24H
of Data Protection agreed to initiate sanctioning proceedings against VODAFONE
S.L. (hereinafter, the claimed), by means of the Agreement which is transcribed:
SPAIN, S.A.U. (hereinafter, the claimed), by means of the Agreement which is transcribed:
 
<<
<<
Product No.: PS/00268/2019
Procedure No.: PS/00405/2019
 
935-240719
 
AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS
AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS
 
Of the actions carried out by the Spanish Agency for the Protection of
 
Data and based on the following:
 
Of the actions carried out by the Spanish Data Protection Agency and based on the following
 
 
FACTS
FACTS
 
FIRST: Mrs. A.A.A. (hereinafter, the Claimant) dated May 16, 2019
 
filed a complaint with the Spanish Data Protection Agency. The
 
claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (in
FIRST: MADRID MUNICIPAL CONSUMPTION INSTITUTE (hereinafter referred to as
go ahead, the one claimed). The grounds on which the claim is based are that on
On January 22, 2019, he filed a complaint with the Spanish Data Protection Agency against TODOTECNICOS24H S.L. with NIF B86558533 (hereinafter, the claimed).
February 2019 received an e-mail from the respondent informing about the billing of a
 
line that claims not to have hired. In spite of the steps taken, he has not
 
received adequate response to the situation of the alleged recruitment.
The reasons on which the claim is based are the collection of personal data by the claimed party, without providing the precise information to the interested parties in accordance with the current regulations on personal data protection.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
 
2/12
 
The complainant provides the messages sent to the respondent and received from
 
this one.
 
It provides receipts for bank charges.
 
SECOND: In view of the facts denounced in the complaint and the
SECOND: It is verified that in the "Privacy Policy" of the mentioned website, it is indicated:
documents provided by the complainant, the Subdirectorate General for the Inspection of
 
Data proceeded to the realization of previous research actions for the
 
clarification of the facts in question under the powers of investigation
- That the claimed party "operates the website hosted under the domain name www.todotecnicos24h.com/".
granted to the inspection authorities in Article 57(1) of the Regulation (EU)
 
2016/679 (General Data Protection Regulations, hereinafter referred to as GPRD), and
 
in accordance with the provisions of Title VII, Chapter I, Section Two of the Act
- That this policy states that "TODOTECNICOS24H S.L. as responsible for this website and in accordance with the provisions of current legislation on the Protection of Personal Data, the new European Regulation 679/2016 and the Law on Information Society and Electronic Commerce (LSSI-CE 34/2002 of June 11) has implemented policies, means and procedures to ensure and protect the privacy of personal data of its users. You can exercise your rights of access, rectification, suppression and portability of your data, of limitation and opposition to their treatment, as well as not to be subject to decisions based solely on the automated processing of your data, when appropriate, before the company TODOTECNICOS24H S.L. C/Embajadores
Organic 3/2018 of 5 December on the Protection of Personal Data and Guarantee of
190 local, 28045 - Madrid or at the e-mail address todotecnicos24h@gmail.com".
digital rights (hereinafter LOPDGDD).
 
As a result of the investigation carried out, it was found that
 
that the person responsible for the processing is the one who is being claimed.
SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).
The following points are also noted:
 
This body has transferred this complaint to the defendant, with
 
dates July 15 and October 4, 2019, it is stated that July 18 and October 7
As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been claimed.
of the same year, not having responded to the requirements of this Agency.
 
In the messages sent by the complaining party to the complainant, the
 
he notes:
Likewise, the following points are noted:
That the respondent sent an e-mail to the complainant stating that
you would receive an invoice for your line.
 
Charges to your bank account in connection with that line.
 
Answer to the claimant in which he states that at the time
 
a line was active in the same address where he lived
This complaint was brought to the attention of the complainant on 27 May 2019, requesting that he send this Agency, within a period of one month, information on the response given to the complainant regarding the facts complained of, as well as the reasons for the incident and the measures adopted to adapt his "Privacy Policy" to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (RGPD).
previously the claimant, but under the ownership of another person.
 
THIRD: According to the documentation in the file, it is accredited
 
that the respondent carried out the processing of the personal data of the claimant without her
After the given deadline, no response has been obtained from the respondent.
consent. The claimant's personal data were recorded in the
 
files and were treated for the issuance of invoices for services
 
associated with the person claimed.
 
C/ Jorge Juan, 6 www.aepd.es
LEGAL GROUNDS
28001 - Madrid sedeagpd.gob.es
 
3/12
 
LEGAL FOUNDATIONS
 
I
I
 
By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the
By virtue of the powers conferred on each supervisory authority by Article 58(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as GDPR), and as set out in Articles 47, 642 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate this procedure.
supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD,
Article 63(2) of the LOPDGDD states that: 'The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, in this Organic Law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, in the alternative, by the general rules on administrative procedures'.
the Director of the Spanish Data Protection Agency is competent to initiate
 
and to resolve this procedure.
 
II
II
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as GDPR), under the heading "Definitions", provides that
Article 58 of the RGPD, "Powers", says:
"For the purposes of this Regulation
"2 Each supervisory authority shall have all the following powers
personal data' means any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person is one who
corrections indicated below:
(…)
 
(b) sanction any person responsible for or in charge of the processing with a warning
 
where processing operations have infringed the provisions of this
 
Regulations;
whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
(...)
processing' means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
(d) instruct the controller or processor to ensure that the processing operations
Therefore, in accordance with these definitions, the collection of personal data through forms included on a website constitutes data processing, for which the data controller must comply with the provisions of Article 13 of the RGPD, a provision that has been moved from 25 May 2018 to Article 5 of Organic Law 15/1999 of 13 December on the Protection of Personal Data.
treatment are in accordance with the provisions of this Regulation, where applicable,
In relation to this matter, it is noted that the Spanish Data Protection Agency has at the disposal of citizens the Guide for the fulfilment of the duty to inform (https://www.aepd.es/media/guias/guia-modelo- clausula-informativa.pdf) and, in the case of low risk data processing, the free tool Facilita (https://www.aepd.es/herramientas/facilita.html).
in a certain way and within a specified time frame.
 
(…)
(i) to impose an administrative fine pursuant to Article 83, in addition to or in place of
measures referred to in this paragraph, depending on the circumstances of the case
particular
()
III
III
Article 13 of the RGPD, which determines the information to be provided to the data subject at the time of collection of the data, provides that
Article 5 of the RGPD deals with the principles that should govern the
"1. Where personal data are obtained from a data subject, the data controller shall, at the time of collection, provide the data subject with all the following information
processing of personal data and mentions among them that of "lawfulness, loyalty and
(a) the identity and contact details of the controller and, where appropriate, of his representative
C/ Jorge Juan, 6 www.aepd.es
(b) the contact details of the Data Protection Officer, if any;
28001 - Madrid sedeagpd.gob.es
(c) the purposes of the processing for which the personal data are intended and the legal basis of the processing;
4/12
(d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party;
transparency". The precept states:
(e) the recipients or categories of recipient of the personal data, if any;
"1. Personal data shall be:
(f) where appropriate, the controller's intention to transfer personal data to a third country or international organisation and the existence or otherwise of a decision to
(a) processed in a lawful, fair and transparent manner in connection with
interested (<<lawfulness, loyalty and transparency>>);"
 
Article 6 of the RGPD, "Lawfulness of processing", details in its paragraph 1 the
 
cases in which the processing of third party data is considered lawful:
 
"1. Processing shall be lawful only if at least one of the following conditions is met
adequacy of the Commission, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means of obtaining a copy thereof or the fact that they have been provided.
conditions:
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are collected, with the following information necessary to ensure fair and transparent processing of the data
(a) the data subject has given his consent to the processing of his data
(a) the period for which the personal data are held or, where this is not possible, the criteria used to determine this period;
personal for one or more specific purposes;
(b) the existence of the right to request the controller to have access to the personal data concerning the data subject and to have them corrected, erased or restricted and the right to object to the processing, as well as the right to the portability of the data;
(b) processing is necessary for the performance of a contract in which the
(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent prior to withdrawal;
interested is a party to or for the application at his request of measures
(d) the right to lodge a complaint with a supervisory authority;
pre-contractual;
(e) whether the communication of personal data is a legal or contractual requirement, or a requirement for entering into a contract, and whether the data subject is under an obligation to supply the personal data and is informed of the possible consequences of not supplying such data;
()
(f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic involved and the significance and the expected impact of the processing on the data subject.
The infringement for which the claimed entity is held responsible is
3. Where the controller plans to further process personal data for a purpose other than that for which they were collected, he shall provide the data subject, prior to such further processing, with information on that other purpose and with any relevant additional information within the meaning of paragraph 2.
Article 83 of the RGPD which, under the heading "General conditions for
4. The provisions of paragraphs 1, 2 and 3 shall not apply where and insofar as the information is already available to the data subject.
the imposition of administrative fines," he says:
Article 11 of the LOPDGDD provides as follows
“5. Infringements of the following provisions shall be penalised, in accordance with
"Where personal data are obtained from the data subject, the controller may fulfil the duty of information laid down in Article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the following paragraph and by indicating an electronic address or other means that allows the remaining information to be accessed easily and immediately.
with paragraph 2, with administrative fines of up to EUR 20 000 000 or,
in the case of a company, for an amount equivalent to a maximum of 4% of
 
total annual turnover for the previous financial year, opting for
 
the largest:
 
(a) The basic principles for treatment, including the conditions for
2. The basic information referred to in the previous paragraph shall contain at least
consent under Articles 5, 6, 7 and 9.
(a) the identity of the controller and of his representative, in his
The Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements
case.
considered to be very serious," he says:
C/ Jorge Juan, 6 www.aepd.es
 
28001 - Madrid sedeagpd.gob.es
b) The purpose of the processing.
5/12
(c) The possibility of exercising the rights set out in Articles 15 to 22
"1. In accordance with the provisions of Article 83(5) of the Rules of Procedure (E.U.)
2016/679 are considered very serious and will prescribe after three years the infringements that
of Regulation (EU) 2016/679.
constitute a substantial infringement of the articles mentioned in that
If the data obtained from the data subject are to be processed for profiling purposes, the basic information will also include this circumstance. In this case, the data subject must be informed of his right to oppose the adoption of automated individual decisions which produce legal effects concerning him or significantly affect him in a similar way, where this right exists in accordance with Article 22 of Regulation (EU) 2016/679.
In particular, the following:
()
b) The processing of personal data without any
conditions for the lawfulness of processing laid down in Article 6 of
Regulation (EU)2016/679.
IV
IV
By virtue of the provisions of Article 58.2 of the RGPD, the Spanish Data Protection Agency, as the supervisory authority, has a set of corrective powers in the event of a breach of the precepts of the RGPD.
The documentation in the file provides evidence that the
Article 58.2 of the RGPD provides the following:
Article 6.1 of the RGPD, since it dealt with the
"2 Each supervisory authority shall have all the following corrective powers as set out below:
personal data of the claimant without her consent. The personal data of the
(…)
were incorporated into the company's information systems, without
(b) sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation
has provided evidence that it had his consent to the collection and processing
(...)
of your personal data.
"(d) to instruct the controller or processor to ensure that processing operations are carried out in accordance with this Regulation, where appropriate, in a particular manner and within a specified time limit;".
The Contentious-Administrative Chamber of the National Court, in cases
"(i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case;".
like the one here, has considered that when the data owner denies
Article 83(5)(b) of the GPRS states that
the burden of proof is on the person claiming its existence
"'Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 20 000 000 or, in the case of an undertaking, of not more than 4 % of the total annual turnover in the preceding business year, whichever is the greater
the data controller of third parties must collect and keep the
documentation necessary to prove the consent of the owner. We quote, for
 
All, SAN of 31/05/2006 (Rec. 539/2004), Fundamento de Derecho Cuarto.
 
The complainant's personal data were recorded in the files of the
 
claimed and were treated for the issuance of invoices for services associated with the
(b) the rights of the persons concerned within the meaning of Articles 12 to 22
complainant. Consequently, it has carried out a processing of the data
In turn, Article 74.a) of the LOPDGDD, under the heading "Offences considered minor" provides:
personal without proof of consent
 
for treatment, not to mention legal authorization.
"The remaining infringements of a purely formal nature of the articles mentioned in Article 83(4) and (5) of Regulation (EU) 2016/679, and in particular the following, are considered minor and shall be subject to the statute of limitations for one year:
However, and this is the essential point, the claimed does not prove the legitimacy to
(a) Failure to comply with the principle of transparency of information or the right to information of the person concerned by not providing all the information required by Articles 13 and 14 of Regulation (EU) 2016/679.
the processing of the claimant's data.
In this case, it is taken into account that the claimant collects personal data from users who fill in the form included on the website https://www.todotecnicos24h.com/ without providing them, prior to collection, all the information on data protection provided for in Article 13 of the aforementioned RGPD.
In short, the respondent has not provided any document or evidence
 
any evidence that the entity, in such a situation, would have deployed the
 
minimum diligence required to verify that your interlocutor was indeed the one
In accordance with the evidence available at the present time in agreement to the initiation of the sanctioning procedure, and without prejudice to what may result from the investigation, the facts set out could constitute, on the part of the defendant, an infringement of the provisions of Article 13 of the RGPD.
C/ Jorge Juan, 6 www.aepd.es
 
28001 - Madrid sedeagpd.gob.es
Likewise, if the existence of an infringement is confirmed, in accordance with the provisions of the aforementioned Article 58.2.d) of the RGPD, the resolution may order the respondent, as the person responsible for the processing, to adapt the information offered to the users whose personal data is collected from them to the requirements set forth in Article 13 of the RGPD, as well as to provide means of proof of compliance with the requirements.
6/12
 
he claimed to hold.
 
Respect for the principle of legality which is at the heart of the fundamental right
 
of personal data protection requires proof that the
The controller took the necessary steps to prove that the
extreme. If this is not done - and if it is not demanded by this Agency, which is responsible for ensuring
for the compliance with the regulations of the data protection law of
personal nature - the result would be to empty the principle of legality of its content.
V
V
 
In order to determine the administrative fine to be imposed, the
 
provisions of articles 83.1 and 83.2 of the RGPD, which are the provisions that indicate:
In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the RGPD must be observed, which are the provisions that they indicate:
"Each supervisory authority shall ensure that the imposition of fines
 
administrative offences under this Article for violations of this
 
Regulation referred to in paragraphs 4, 9 and 6 are in each individual case
"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive".
effective, proportionate and dissuasive.
"Administrative fines shall be imposed, depending on the circumstances of
 
each individual case, in addition to or instead of the measures referred to in
 
Article 58(2)(a) to (h) and (j) In deciding to impose a fine
 
and its amount in each individual case will be duly taken into account:
"Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. In deciding whether to impose an administrative fine and the amount of the fine in each individual case, due account shall be taken of the circumstances of the case:
(a) the nature, gravity and duration of the infringement, taking into account the
(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage they have suffered;
nature, scope or purpose of the processing operation concerned
(b) whether the infringement was intentional or negligent;
as well as the number of stakeholders affected and the level of damage and
(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
damages they have suffered;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented pursuant to Articles 25 and 32;
(b) the intentional or negligent nature of the infringement;
(e) any previous breach committed by the controller or processor;
(c) any action taken by the controller or processor
(f) the degree of cooperation with the supervisory authority with a view to remedying the breach and mitigating the possible adverse effects of the breach;
to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of the
treatment, taking into account any technical or organisational measures
applied under Articles 25 and 32;
(e) any previous offence committed by the person responsible for or in charge of the
treatment;
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
7/12
(f) the degree of cooperation with the supervisory authority in order to put
remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor notified the infringement;
(h) the manner in which the supervisory authority became aware of the infringement,
(i) where the measures referred to in Article 58(2) were previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
in particular whether the person responsible or the person in charge notified the infringement and, in such
(j) adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42; and
case, to what extent;
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains obtained or losses avoided, directly or indirectly, through the infringement.
(i) where the measures referred to in Article 58(2) have been
 
ordered in advance against the person responsible or the person in charge
With regard to article 83.2 (k) of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides:
in relation to the same matter, compliance with those measures;
 
(j) adherence to codes of conduct under Article 40 or to mechanisms
"In accordance with the provisions of Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account
of certification approved in accordance with Article 42, and
 
(k) any other aggravating or mitigating factor applicable to the circumstances of the
(a) The continuing nature of the infringement.
case, such as the financial benefits obtained or the losses avoided, directly
 
or indirectly, through the infringement."
(b) The link between the activity of the offender and the processing of personal data
With respect to section 83.2 (k) of the RGPD, the LOPDGDD, section 76,
"Sanctions and corrective measures," he says:
 
"In accordance with Article 83(2)(k) of Regulation (EU) 2016/679
 
may also be taken into account:
 
(a) the continuing nature of the infringement
(c) The benefits obtained as a result of the commission of the infringement.
(b) The link between the activity of the offender and the processing of data
 
personal.
(d) the possibility that the conduct of the data subject may have led to the commission of the infringement
(c) The profits obtained as a result of the commission of the offence.
 
(d) the possibility that the conduct of the person concerned might have led to the commission of
(e) the existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity
the infraction.
 
(e) The existence of a merger by absorption process subsequent to the commission of the
(f) The effect on the rights of minors.
infringement, which cannot be attributed to the acquiring entity.
 
(f) Affecting the rights of minors.
g) The availability, when it is not compulsory, of a data protection representative.
g) To have, when it is not compulsory, a data protection delegate.
 
h) The submission by the person responsible or in charge, on a voluntary basis, to
h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party.
alternative dispute resolution mechanisms, in those cases where
 
there are disputes between them and any interested party."
In accordance with the provisions transcribed above, and without prejudice to the outcome of the proceedings, for the purposes of setting the amount of the fine to be imposed in the present case on the entity claimed to be responsible for an infringement classified in Article 83.5.b) of the RGPD, in an initial assessment, the following mitigating factors are deemed to be present:
In accordance with the precepts transcribed, and without prejudice to what may result from the
 
proceedings, for the purpose of setting the amount of the fine to be imposed
- The claimed entity has no previous infractions (83.2 e) RGPD).
in the present case, the party complained of is considered to be responsible for an infringement
 
C/ Jorge Juan, 6 www.aepd.es
- She has not obtained direct benefits (83.2 k) RGPD and 76.2.c) LOPDGDD).
28001 - Madrid sedeagpd.gob.es
 
8/12
- The Respondent is not considered a large company.
As defined in article 83.5.a) of the RGPD, in an initial evaluation, the following are considered to be concurrent
 
the following factors.
The sanction to be imposed on the respondent should be graduated and set at the amount of 1,500
As aggravating factors the following:
for the infringement of Article 58.2 of the RGPD.
- In the present case we are dealing with an unintentional negligent action, but
 
identified significant (Article 83(2)(b)).
 
- Basic personal identifiers are affected (name, a number of
identification, the line identifier) (Article 83(2)(g)).
Therefore, it is considered appropriate to graduate the penalty to be imposed on the defendant and
set it at the amount of 100,000 euros for the infringement of Article 6.1 of the RGPD.
Therefore, in view of the above,
Therefore, in view of the above,
By the Director of the Spanish Data Protection Agency,
By the Director of the Spanish Data Protection Agency,
AGREED:
AGREED:
 
1. Initiate disciplinary proceedings against VODAFONE ESPAÑA, S.A.U,
 
with NIF A80907397, for the alleged infringement of Article 6.1. of the RGPD
 
as defined in article 83.5.a) of the aforementioned RGPD.
FIRST: TO START PENALTY PROCEEDINGS against TODOTECNICOS24H S.L.
To appoint Mr. B.B.B. as instructor and Ms. C.C.C. as secretary,
with NIF B86558533, in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged infringement of article 13 of the RGPD, typified in article 83.5.b) of the RGPD
indicating that either of them may be challenged, if appropriate, in accordance with
The provisions of Articles 23 and 24 of Law 40/2015 of 1 October on
 
Public Sector Legal System (LRJSP).
 
1. INCORPORATE into the sanctioning file, for evidentiary purposes, the
 
claimant and its accompanying documentation, the
SECOND: To appoint R.R.R. as Instructor and S.S.S. as Secretary, indicating that either of them may be challenged, if appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of 1 October, on the Legal System of the Public Sector (LRJSP).
information requirements that the Subdirectorate General for the Inspection of
THIRD: TO INCORPORATE into the sanctioning file, for evidential purposes, the claim filed by the claimant and the documents obtained and generated by the Subdirectorate General of Data Inspection in relation to said claim; all of them are part of the file.
Data was sent to the complained entity in the preliminary investigation phase and its
 
respective acknowledgements of receipt.
FOURTH: THAT for the purposes set forth in article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the sanction that may correspond would be 1,500 Euros (one thousand five hundred Euros), without prejudice to the results of the investigation.
2. THAT for the purposes of Article 64.2 b) of Law 39/2015, of 1
 
October, of the Common Administrative Procedure of the Administrations
 
C/ Jorge Juan, 6 www.aepd.es
FIFTH: TO NOTIFY the present agreement to TODOTECNICOS24H S.L. with NIF B86558533, granting it a period of ten working days to make the allegations and present the evidence it considers appropriate. In your pleading you must provide your NIF and the procedure number in the heading of this document.
28001 - Madrid sedeagpd.gob.es
 
9/12
 
100,000 (one hundred thousand euros), which would be a fine of
If within the stipulated period you do not make any allegations to this agreement to initiate, it may be considered a proposal for resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).
euros), without prejudice to the outcome of the investigation.
 
3. NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF
 
A80907397, giving you a hearing period of ten working days to
In accordance with the provisions of Article 85 of the LPACAP, if the penalty to be imposed is a fine, it may acknowledge its responsibility within the period granted for the formulation of arguments to the present agreement of initiation; this will be accompanied by a reduction of 20% of the penalty to be imposed in the present procedure. With the application of this reduction, the penalty would be set at EUR 1 200, and the proceedings would be resolved with the imposition of this penalty.
make the allegations and submit the evidence he deems appropriate.
 
In your pleading, you must provide your tax identification number and the number of
 
procedure set out in the heading of this document.
Similarly, at any time prior to the resolution of the present procedure, it may carry out the voluntary payment of the proposed penalty, which will entail a reduction of 20% of its amount. With the application of this
If you do not make representations to this initiating agreement within the stipulated time limit, it
may be considered as a motion for resolution, as set out in Article
 
64.2(f) of Law 39/2015 of 1 October on the Common Administrative Procedure of
 
the Public Administration (hereinafter LPACAP).
 
In accordance with Article 85 of the LPACAP, if the
reduction, the penalty would be set at EUR 1200 and its payment would imply the termination of the procedure.
penalty to be imposed other than a fine, may acknowledge its responsibility within the
 
period granted for the formulation of arguments to the present agreement of beginning; the
 
which will be accompanied by a 20% reduction in the penalty to be imposed in
The reduction for the voluntary payment of the penalty is cumulative with that for the recognition of liability, provided that this recognition of liability is evidenced within the time allowed for making representations at the opening of the proceedings. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the decision. In this case, if both reductions are to be applied, the amount of the penalty shall be set at EUR 900.
the present procedure. With the application of this reduction, the sanction would be
 
80,000, with the procedure being resolved by the imposition of this
 
sanction.
In any case, the effectiveness of either of the two above-mentioned reductions shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
Similarly, at any time prior to the resolution of this
 
procedure, carry out the voluntary payment of the proposed penalty, which
 
will result in a 20% reduction in its amount. With the application of this reduction,
In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above, 1200 or 900 euros, you must make it effective by paying it into account number ES00 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the CAIXABANK, S.A. Bank, indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of the reduction of the amount that you are using.
80,000 and its payment will result in the termination of the
 
procedure.
 
The reduction for the voluntary payment of the penalty is cumulative with that for
Likewise, you must send the proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.
apply for recognition of liability, provided that this recognition
 
of the responsibility becomes apparent within the time allowed for formulating
 
allegations to the opening of the procedure. The voluntary payment of the amount referred to
The procedure shall have a maximum duration of nine months as of the date of the starting agreement or, where appropriate, of the draft starting agreement. Once this period has elapsed, it will expire and, consequently, the proceedings will be closed; in accordance with the provisions of article 64 of the LOPDGDD.
in the preceding paragraph may be made at any time prior to the resolution. At
in this case, if both reductions were to be applied, the amount of the penalty would be
 
set at 60,000 euros.
 
C/ Jorge Juan, 6 www.aepd.es
 
28001 - Madrid sedeagpd.gob.es
Finally, it is noted that in accordance with Article 112.1 of the LPACAP, there is no administrative appeal against this act.
10/12
 
In any case, the effectiveness of either of the two above-mentioned reductions will be
 
conditional upon the withdrawal or waiver of any action or remedy in the
administrative sanction against the sanction.
If you choose to proceed with the voluntary payment of any of the amounts
80,000 or 60,000 euros, you must pay it
by depositing it in the account ES00 0000 0000 0000 0000 open to
name of the Spanish Data Protection Agency at CAIXABANK Bank,
S.A., indicating in the concept the reference number of the procedure in
the heading of this document and the reason for the reduction in the amount to which
welcomes.
Likewise, you must send the proof of admission to the Subdirectorate General of
Inspection to continue the procedure in accordance with the quantity
admitted.
The procedure will last a maximum of nine months from the
date of the agreement to initiate or, where appropriate, the draft agreement to initiate.
Once this period has elapsed, the agreement will expire and, consequently, the
actions; in accordance with the provisions of Article 64 of the LOPDGDD.
Finally, it is noted that in accordance with Article 112.1 of the LPACAP,
No administrative appeal is possible against this act.
Mar Spain Martí
Mar Spain Martí
Director of the Spanish Data Protection Agency
Director of the Spanish Data Protection Agency
>>
>>
 
SECOND : On December 24, 2019, the claimant has proceeded to the payment of
SECOND: On November 6, 2019, the claimant has proceeded to pay the penalty in the amount of 900 euros making use of the two reductions provided in the Agreement of initiation transcribed above, which implies the recognition of the responsibility.
the penalty in the amount of 60 000 euros by making use of the two reductions
THIRD: The payment made, within the period granted for making allegations on the opening of the proceedings, implies the waiver of any action or appeal in administrative proceedings against the penalty and the acknowledgement of liability in relation to the facts referred to in the Agreement of Initiation.
provided for in the above transcribed Agreement, which implies the
 
recognition of responsibility.
LEGAL GROUNDS
THIRD: The payment made, within the period granted for making allegations to
 
the opening of the procedure, entails the waiver of any action or appeal in
administrative sanctioning and acknowledgement of responsibility in relation to
the facts referred to in the Agreement to Initiate.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
11/12
LEGAL FOUNDATIONS
I
I
 
By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the
By virtue of the powers that Article 58.2 of the RGPD grants to each control authority, and as established in Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction any infringements committed against those Regulations; infringements of Article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of Article 84.3 of the GLT, and the infringements defined in articles 38.3 c), d) and i) and
control, and in accordance with Article 47 of Organic Law 3/2018, of 5
38.4 d), g) and h) of Law 34/2002 of 11 July on information society services and electronic commerce (hereinafter referred to as the ISESA), as provided for in Article
December, Protection of Personal Data and Guarantee of Digital Rights (in
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency
is competent to penalise infringements committed against it
Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General
of Telecommunications (hereinafter referred to as LGT), in accordance with the
Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the
information and electronic commerce (hereinafter referred to as the ISESA), as provided for in
43.1 of the said Act.
43.1 of the said Act.
II
II
 
Article 85 of Law 39/2015 of 1 October on Administrative Procedure
Article 85 of Law 39/2015 of 1 October 1995 on the Common Administrative Procedure for Public Administrations (LPACAP), under the heading 'Termination in penalty proceedings', provides as follows
Commonwealth of Independent States (hereinafter LPACAP), under the heading
"Termination in sanctioning proceedings" provides the following:
 
"1. Penalty proceedings are initiated if the offender acknowledges his
 
responsibility, the procedure may be resolved with the imposition of the penalty
 
as appropriate.
"1. If a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be terminated with the imposition of the appropriate sanction.
2. Where the penalty is solely pecuniary in nature or where it is
2. When the penalty is only pecuniary in nature or when it is possible to impose a pecuniary penalty and a non-pecuniary penalty but the latter has been justified, voluntary payment by the alleged offender, at any time prior to the decision, shall entail the termination of the proceedings, except as regards the reinstatement of the altered situation or the determination of compensation for damages caused by the commission of the offence.
impose a financial penalty and a non-pecuniary penalty but has been justified
3. In both cases, where the penalty is purely financial in nature, the body responsible for deciding the procedure shall apply reductions of at least 20 % to the amount of the penalty proposed, which may be cumulative. Such reductions shall be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any administrative action or appeal against the penalty.
the impropriety of the second, voluntary payment by the alleged perpetrator, in
The percentage of reduction provided for in this paragraph may be increased by regulation.
any time before the resolution, will imply the termination of the procedure,
 
except as regards the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the penalty is solely of a pecuniary nature,
the body competent to decide on the procedure shall apply reductions of, at
at least 20 % of the amount of the proposed penalty, which may be cumulated
with each other. These reductions shall be determined in the notification of
initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased
by regulation.
In accordance with the above,
In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:
the Director of the Spanish Data Protection Agency RESOLVES:
 
FIRST: TO DECLARE the termination of procedure PS/00405/2019, of
FIRST: TO DECLARE the termination of procedure PS/00268/2019, in accordance with the provisions of Article 85 of the LPACAP
in accordance with Article 85 of the LPACAP.
 
SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.
SECOND: TO NOTIFY the present resolution to TODOTECNICOS24H S.L.
In accordance with the provisions of article 50 of the LOPDGDD, this
 
The decision will be made public once it has been notified to the interested parties.
In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.
C/ Jorge Juan, 6 www.aepd.es
Against this resolution, which puts an end to the administrative proceedings as provided by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, the interested parties may file a contentious-administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned Act.
28001 - Madrid sedeagpd.gob.es
 
12/12
Against this resolution, which puts an end to the administrative procedure as prescribed by
Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure
The interested parties may lodge an appeal with the
administrative litigation before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months of
day following notification of this act, as provided for in Article 46(1) of
referred to Law.
Mar Spain Martí
Mar Spain Martí
Director of the Spanish Data Protection Agency
Director of the Spanish Data Protection Agency
 
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
</pre>
</pre>
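Review bot: the incoming machine translation introduces errors that the replaced text did not have, and they should be corrected before this revision stands. "Commonwealth of Independent States (hereinafter LPACAP)" replaces "Common Administrative Procedure for Public Administrations (LPACAP)", "Article 58(2) of the GPRS" replaces "Article 58.2 of the RGPD", and the Article 85 paragraph now reads "penalty to be imposed other than a fine" where the earlier wording was "if the penalty to be imposed is a fine", which inverts the condition for the 20% reduction. The new text also keeps PDF page furniture ("C/ Jorge Juan, 6 www.aepd.es", "28001 - Madrid sedeagpd.gob.es", counters such as "9/12") inside the decision body, where it splits sentences, for example between "to be imposed" and "100,000 (one hundred thousand euros)" in point 2; strip it when pasting.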

Revision as of 16:42, 12 February 2020

AEPD - PS/00405/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Decided: 28.11.2019
Published: n/a
Fine: EUR 100,000
Parties: Vodafone España, S.A.U A.A.A.
National Case Number: PS/00405/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Spanish

Original Source: AEPD (in ES)

The AEPD decided to initiate disciplinary proceedings against Vodafone España, S.A.U. and impose a fine of € 100.000 for the alleged infringement of Article 6(1) GDPR.

English Summary

Facts

The complainant filed a complaint against Vodafone España, S.A.U. (respondent) with the Spanish Data Protection Agency (AEPD) on 16 May 2019. On 20 February 2019 the complainant received an email with an invoice for an alleged contracted telephone line from Vodafone España, S.A.U. Despite the efforts to clarify the situation, the claimant had not received a response from the respondent.

Dispute

In view of the facts denounced in the complaint and the documents provided by the complainant, the AEPD initiated an investigation pursuant to Article 57(1) GDPR to clarify the facts.

The AEPD forwarded the complaint to the respondent, but the latter did not respond to the requests.

Holding

As a result of the investigation, the AEPD found that the respondent is the controller responsible for the processing.

According to the documentation in the file, the AEPD decided that Vodafone España, S.A.U. processed the personal data of the claimant without their consent. The claimant's personal data were recorded in the files and were treated for the issuance of invoices for services associated with the person claimed.

When making a decision in this case, the AEPD considered the following aggravating factors:

- the case concerns an unintentional negligent action, but one identified as significant (Article 83(2)(b) GDPR).

- basic personal identifiers were affected (name, identification number, the line identifier) (Article 83(2)(g) GDPR).

The fine was therefore set to the amount of 100.000 euros for the infringement of Article 6(1) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

936-031219
Procedure No.: PS/00405/2019
DECISION R/00011/2020 ON TERMINATION OF PROCEEDINGS FOR VOLUNTARY
PAYMENT
In sanctioning procedure PS/00405/2019, conducted by the Spanish Data
Protection Agency against VODAFONE ESPAÑA, S.A.U., in view of the complaint
filed by A.A.A., and based on the following,
BACKGROUND
FIRST: On November 28, 2019, the Director of the Spanish Data Protection
Agency agreed to initiate sanctioning proceedings against VODAFONE
ESPAÑA, S.A.U. (hereinafter, the respondent), by means of the Agreement transcribed below:
<<
Procedure No.: PS/00405/2019
935-240719
AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS
From the actions carried out by the Spanish Data Protection Agency
and based on the following:
FACTS
FIRST: Mrs. A.A.A. (hereinafter, the Claimant) filed a complaint with the
Spanish Data Protection Agency on May 16, 2019. The
claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397
(hereinafter, the respondent). The grounds on which the claim is based are that in
February 2019 she received an e-mail from the respondent informing her about the billing of a
line that she claims not to have contracted. In spite of the steps taken, she has not
received an adequate response regarding the alleged contract.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
The complainant provides the messages sent to the respondent and received from
this one.
It provides receipts for bank charges.
SECOND: In view of the facts reported in the complaint and the
documents provided by the complainant, the Subdirectorate General for Data
Inspection carried out preliminary investigative actions to
clarify the facts in question, under the powers of investigation
granted to the supervisory authorities in Article 57(1) of Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and
in accordance with the provisions of Title VII, Chapter I, Section Two of
Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of
Digital Rights (hereinafter LOPDGDD).
As a result of the investigation carried out, it was found
that the controller responsible for the processing is the respondent.
The following points are also noted:
This body has transferred this complaint to the defendant, with
dates July 15 and October 4, 2019, it is stated that July 18 and October 7
of the same year, not having responded to the requirements of this Agency.
In the messages sent by the complaining party to the complainant, the
he notes:
That the respondent sent an e-mail to the complainant stating that
you would receive an invoice for your line.
Charges to your bank account in connection with that line.
Answer to the claimant in which he states that at the time
a line was active in the same address where he lived
previously the claimant, but under the ownership of another person.
THIRD: According to the documentation in the file, it is established
that the respondent processed the personal data of the claimant without her
consent. The claimant's personal data were recorded in the
respondent's files and were processed to issue invoices for services
associated with the respondent.
LEGAL FOUNDATIONS
I
By virtue of the powers that Article 58(2) of the RGPD confers on each
supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to resolve this procedure.
II
Article 58 of the RGPD, "Powers", states:
"2. Each supervisory authority shall have all of the following corrective
powers:
(…)
(b) sanction any controller or processor with a warning
where processing operations have infringed the provisions of this
Regulation;
(...)
(d) order the controller or processor to bring processing
operations into compliance with the provisions of this Regulation, where applicable,
in a specified manner and within a specified period;
(…)
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the
measures referred to in this paragraph, depending on the circumstances of each individual
case;
(…)”
III
Article 5 of the RGPD deals with the principles that should govern the
processing of personal data and mentions among them that of "lawfulness, fairness and
transparency". The precept states:
"1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the
data subject (<<lawfulness, fairness and transparency>>);"
Article 6 of the RGPD, "Lawfulness of processing", details in its paragraph 1 the
cases in which the processing of third party data is considered lawful:
"1. Processing shall be lawful only if at least one of the following
conditions is met:
(a) the data subject has given his consent to the processing of his personal
data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the
data subject is a party or for the application, at his request, of pre-contractual
measures;
(…)”
The infringement for which the respondent is held responsible is defined in
Article 83 of the RGPD which, under the heading "General conditions for
the imposition of administrative fines", states:
“5. Infringements of the following provisions shall be penalised, in accordance
with paragraph 2, with administrative fines of up to EUR 20 000 000 or,
in the case of a company, of an amount equivalent to a maximum of 4% of the
total annual turnover for the previous financial year, whichever is
higher:
(a) The basic principles for processing, including the conditions for
consent under Articles 5, 6, 7 and 9.
Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD), in its article 72, under the heading "Infringements
considered to be very serious", states:
"1. In accordance with the provisions of Article 83(5) of Regulation (EU)
2016/679, infringements that constitute a substantial breach of the articles
mentioned therein are considered very serious and shall be time-barred after
three years, in particular the following:
(…)
b) The processing of personal data without any of the
conditions for the lawfulness of processing laid down in Article 6 of
Regulation (EU) 2016/679 being met.
IV
The documentation in the file provides evidence that the respondent infringed
Article 6.1 of the RGPD, since it processed the
personal data of the claimant without her consent. The claimant's personal data
were incorporated into the company's information systems, without the company
having provided evidence that it had her consent to the collection and processing
of her personal data.
The Contentious-Administrative Chamber of the National Court, in cases
like this one, has considered that when the data owner denies
having consented, the burden of proof is on the party claiming that consent exists, and
the controller of third-party data must collect and keep the
documentation necessary to prove the consent of the owner. We cite, among
others, SAN of 31/05/2006 (Rec. 539/2004), Fundamento de Derecho Cuarto.
The complainant's personal data were recorded in the respondent's files
and were processed to issue invoices for services associated with the
complainant. Consequently, the respondent has processed the personal
data without proof of consent
to the processing, not to mention legal authorization.
However, and this is the essential point, the respondent has not proven that it had a
legitimate basis for processing the claimant's data.
In short, the respondent has not provided any document or evidence
showing that the entity, in such a situation, exercised the
minimum diligence required to verify that its interlocutor was indeed who
he claimed to be.
Respect for the principle of legality, which is at the heart of the fundamental right
to personal data protection, requires proof that the
controller took the necessary steps to establish that
point. If this were not done, and if this Agency, which is responsible for ensuring
compliance with the regulations on the protection of personal
data, did not demand it, the result would be to empty the principle of legality of its content.
V
In order to determine the administrative fine to be imposed, the
provisions of Articles 83.1 and 83.2 of the RGPD must be observed, which state:
"Each supervisory authority shall ensure that the imposition of fines
administrative offences under this Article for violations of this
Regulation referred to in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.
"Administrative fines shall be imposed, depending on the circumstances of
each individual case, in addition to or instead of the measures referred to in
Article 58(2)(a) to (h) and (j) In deciding to impose a fine
and its amount in each individual case will be duly taken into account:
(a) the nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation concerned
as well as the number of data subjects affected and the level of
damage they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) any action taken by the controller or processor
to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or
processor, taking into account any technical or organisational measures
applied under Articles 25 and 32;
(e) any previous infringement committed by the controller or
processor;
(f) the degree of cooperation with the supervisory authority in order to
remedy the infringement and mitigate its possible adverse effects;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement,
in particular whether the controller or processor notified the infringement and, if
so, to what extent;
(i) where the measures referred to in Article 58(2) have
previously been ordered against the controller or processor
in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to certification
mechanisms approved in accordance with Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as the financial benefits obtained or the losses avoided, directly
or indirectly, through the infringement."
With respect to Article 83.2(k) of the RGPD, Article 76 of the LOPDGDD,
"Sanctions and corrective measures", states:
"In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, the following
may also be taken into account:
(a) The continuing nature of the infringement.
(b) The link between the activity of the offender and the processing of personal
data.
(c) The profits obtained as a result of the commission of the infringement.
(d) The possibility that the conduct of the data subject might have led to the commission of
the infringement.
(e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the acquiring entity.
(f) Affecting the rights of minors.
(g) Having, when it is not compulsory, a data protection officer.
(h) The submission by the controller or processor, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases where
there are disputes between them and any data subject."
In accordance with the precepts transcribed, and without prejudice to what may result from the
proceedings, for the purpose of setting the amount of the fine to be imposed
in the present case, the party complained of is considered to be responsible for an infringement
as defined in article 83.5.a) of the RGPD, and in an initial evaluation the following factors
are considered to be concurrent.
As aggravating factors, the following:
- In the present case we are dealing with an unintentional negligent action, but
one identified as significant (Article 83(2)(b)).
- Basic personal identifiers are affected (name, an identification
number, the line identifier) (Article 83(2)(g)).
Therefore, it is considered appropriate to graduate the penalty to be imposed on the defendant and
set it at the amount of 100,000 euros for the infringement of Article 6.1 of the RGPD.
Therefore, in view of the above,
the Director of the Spanish Data Protection Agency
AGREES:
1. Initiate disciplinary proceedings against VODAFONE ESPAÑA, S.A.U,
with NIF A80907397, for the alleged infringement of Article 6.1. of the RGPD
as defined in article 83.5.a) of the aforementioned RGPD.
To appoint Mr. B.B.B. as instructor and Ms. C.C.C. as secretary,
indicating that either of them may be challenged, if appropriate, in accordance with
the provisions of Articles 23 and 24 of Law 40/2015 of 1 October on the
Public Sector Legal System (LRJSP).
1. INCORPORATE into the sanctioning file, for evidentiary purposes, the
claimant's complaint and its accompanying documentation, the
information requests that the Subdirectorate General for Data
Inspection sent to the respondent entity in the preliminary investigation phase and their
respective acknowledgements of receipt.
2. THAT for the purposes of Article 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of the Public Administrations,
the applicable penalty would be a fine of 100,000 euros (one hundred thousand
euros), without prejudice to the outcome of the investigation.
3. NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF
A80907397, giving it a hearing period of ten working days to
make the allegations and submit the evidence it deems appropriate.
In your pleading, you must provide your tax identification number and the
procedure number set out in the heading of this document.
If you do not make representations to this initiating agreement within the stipulated time limit, it
may be considered as a motion for resolution, as set out in Article
64.2(f) of Law 39/2015 of 1 October on the Common Administrative Procedure of
the Public Administration (hereinafter LPACAP).
In accordance with Article 85 of the LPACAP, if the
penalty to be imposed is a fine, the respondent may acknowledge its responsibility within the
period granted for the formulation of arguments to this initiating agreement,
which will be accompanied by a 20% reduction in the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be
80,000 euros, with the procedure being resolved by the imposition of this
sanction.
Similarly, at any time prior to the resolution of this
procedure, it may make voluntary payment of the proposed penalty, which
will result in a 20% reduction in its amount. With the application of this reduction,
the penalty would be set at 80,000 euros, and its payment will result in the termination of the
procedure.
The reduction for the voluntary payment of the penalty is cumulative with the reduction
for acknowledgement of responsibility, provided that this acknowledgement
of responsibility is made within the time allowed for formulating
allegations to the opening of the procedure. The voluntary payment of the amount referred to
in the preceding paragraph may be made at any time prior to the resolution.
In this case, if both reductions were to be applied, the amount of the penalty would be
set at 60,000 euros.
In any case, the effectiveness of either of the two above-mentioned reductions will be
conditional upon the withdrawal or waiver of any administrative action or appeal
against the sanction.
If you choose to proceed with the voluntary payment of either of the amounts,
80,000 or 60,000 euros, you must pay it
by depositing it in the account nº ES00 0000 0000 0000 0000 opened in the
name of the Spanish Data Protection Agency at CAIXABANK Bank,
S.A., indicating in the payment reference the reference number of the procedure shown in
the heading of this document and the ground for the reduction in the amount on which
you rely.
Likewise, you must send the proof of payment to the Subdirectorate General of
Inspection to continue the procedure in accordance with the amount
paid.
The procedure will last a maximum of nine months from the
date of the agreement to initiate or, where appropriate, the draft agreement to initiate.
Once this period has elapsed, the procedure will expire and, consequently, the
proceedings will be closed, in accordance with the provisions of Article 64 of the LOPDGDD.
Finally, it is noted that in accordance with Article 112.1 of the LPACAP,
no administrative appeal is possible against this act.
Mar España Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On December 24, 2019, the respondent proceeded to the payment of
the penalty in the amount of 60,000 euros by making use of the two reductions
provided for in the above transcribed Agreement, which implies the
recognition of responsibility.
THIRD: The payment made, within the period granted for making allegations to
the opening of the procedure, entails the waiver of any administrative action or appeal
against the sanction and acknowledgement of responsibility in relation to
the facts referred to in the Agreement to Initiate.
LEGAL FOUNDATIONS
I
By virtue of the powers conferred on each supervisory authority by Article 58(2) of the
RGPD, and in accordance with Article 47 of Organic Law 3/2018, of 5
December, on the Protection of Personal Data and Guarantee of Digital Rights
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency
is competent to penalise infringements committed against that
Regulation; infringements of Article 48 of Law 9/2014 of 9 May, General
Telecommunications Law (hereinafter referred to as LGT), in accordance with
Article 84.3 of the LGT; and the infringements defined in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of 11 July, on information society services
and electronic commerce (hereinafter referred to as the ISESA), as provided for in
Article 43.1 of the said Act.
II
Article 85 of Law 39/2015 of 1 October on the Common Administrative Procedure
of the Public Administration (hereinafter LPACAP), under the heading
"Termination in sanctioning proceedings", provides the following:
"1. Once penalty proceedings have been initiated, if the offender acknowledges his
responsibility, the procedure may be resolved with the imposition of the penalty
as appropriate.
2. Where the penalty is solely pecuniary in nature, or where a financial
penalty and a non-pecuniary penalty may be imposed but the
inappropriateness of the second has been justified, voluntary payment by the alleged perpetrator, at
any time before the resolution, will imply the termination of the procedure,
except as regards the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the penalty is solely of a pecuniary nature,
the body competent to decide on the procedure shall apply reductions of
at least 20% of the amount of the proposed penalty, which may be cumulated
with each other. These reductions shall be determined in the notification of
initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased
by regulation."
In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00405/2019,
in accordance with Article 85 of the LPACAP.
SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.
In accordance with the provisions of article 50 of the LOPDGDD, this
decision will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
Article 114(1)(c) of Law 39/2015 of 1 October on the Common Administrative Procedure
of the Public Administration, the interested parties may lodge a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months from the
day following notification of this act, as provided for in Article 46(1) of
the said Law.
Mar España Martí
Director of the Spanish Data Protection Agency