AEPD - PS/00415/2019
|Relevant Law:|Article 6(1) GDPR|
|National Case Number/Name:|PS/00415/2019|
|European Case Law Identifier:|n/a|
|Original Source:|Spanish DPA (in ES)|
The Spanish data protection authority ('AEPD') issued a resolution fining Xfera Móviles S.A., a debt recovery company, €75,000 for sending communications to the complainant, who had not been a client of the company since 2017.
English Summary
Facts
The complainant argued that he had received a communication from a debt recovery company claiming payments in relation to Xfera Móviles' services, although the claimant had not been a client of Xfera Móviles since September 2017.
Holding
The Spanish data protection authority ('AEPD') concluded that Xfera Móviles carried out the processing of the claimant's personal data without his/her consent, in violation of Article 6 of the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00415/2019
938-051119
DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: D. A.A.A. (hereinafter, the claimant) on 20 September 2018 filed a complaint with the Spanish Data Protection Agency. The claim is directed against XFERA MÓVILES, S.A. with NIF A82528548 (hereinafter, the respondent).
The claimant states that he has not been a customer of the claimed company since September 2017 and that for this reason, he filed two complaints with the Municipal Office of Consumer Information of the Town Hall of Vinaròs, both of which were favourable.
Subsequently, in September 2018, he received emails from the respondent, in which he was pursued by a debt recovery company for the debt generated in a fraudulent manner since July 2018.
And, among other things, he provides the following documentation:
• Answer received at the Municipal Office of Consumer Information (hereinafter OMIC) on March 12, 2018 from the respondent, corresponding to the complaint made in March 2018, informing that the complaint has been accepted and the cancellation of the telephone line has been made on March 3, 2018. Likewise, the payments corresponding to the periods not enjoyed are made.
• Claim made before the OMIC on May 8, 2018 showing his disagreement, indicating (i) that on this date his data remain active in the company and requesting their deletion and (ii) that the reimbursement AB0086485 has not been made as informed by the respondent in its response of March 12, 2018.
• Answer received by the OMIC on June 28, 2018 from the claimed party stating that the AB0086485 credit note had not been paid because it was offset against an existing debt that was outstanding. It adds that a credit note corresponding to invoice MC181742695 has also been paid and that as soon as the debt is cancelled in full, his details will be deleted from the company.
• Notification dated September 7, 2018 from the claimed party requiring the payment of an invoice for the amount of XX,XX euros and informing the claimant that his data could be reported to the credit and equity solvency files.
SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant and the facts and documents of which this Agency has become aware, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions for the clarification of the facts in question, by virtue of the investigative powers granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).
As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the party complained of.
The following points are also noted:
• On June 28, 2019, within the framework of file E00413/2019, the respondent was requested to provide information on the aspects expressed by the claimant, and the date of acceptance was recorded as the same date without any response to the request.
• Under file E/07400/2018, dated 17 October 2018, the claim was transferred to the respondent. No reply to this transfer was received by the Agency, but a new deadline for the submission of arguments was granted on 29 November 2018. On both occasions no reply was received by this Agency from the respondent.
For this reason, this claim is admitted for processing the claimant's data without legitimacy without the entity having given a response to the Spanish Data Protection Agency.
THIRD: On November 28, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the defendant, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, 2011, on Common Administrative Procedure for Public Administrations (hereinafter referred to as LPACAP), for the alleged infringement of Article 6.1 of the RGPD, as defined in Article 83.5 of the RGPD.
FOURTH: Upon notification of the aforementioned agreement, the respondent presented a brief of allegations in which, in summary, it stated that: "there was a contract between the claimant and the administration in such a way that it had the legitimacy of contractual compliance in accordance with the provisions of Article 6 where it deals with the legality of the treatment. This is why the actions of this company were always in accordance with the law, since it carried out the relevant management operations in accordance with the vicissitudes produced in the course of a contract in force. The competent body should decide to close the file without a penalty, or, if appropriate, incorporate the corresponding extenuating circumstances in its assessment.
FIFTH: On January 10, 2020, the period for the practice of evidence began, and it was agreed:
1. to consider the complaint filed by the complainant and its documentation, the documents obtained and generated that form part of the file, as reproduced for evidential purposes, and
2. to consider the allegations to the agreement to initiate PS/00415/2019, presented by the denounced entity, as reproduced for evidential purposes.
SIXTH: On February 5, 2020, the Motion for Resolution was issued and notified to Xfera Móviles on the 7th of the same month and year, for an alleged infringement of Article 6.1 of the RGPD, typified in Article 83.5 a) of the RGPD, proposing a fine of 75,000 euros. Xfera Móviles made no allegations to the Motion for Resolution.
PROVEN FACTS
FIRST: It is recorded that the claimant has not been a client of the claimed company since September 2017 and that for this reason, he filed two complaints at the Municipal Office of Consumer Information of the Town Hall of Vinaròs, both of them being favourable.
SECOND: In September 2018, the claimant received e-mails from the respondent, in which he was pursued by a debt recovery company for the debt generated in a fraudulent manner since July 2018.
THIRD - Answer received at the Municipal Consumer Information Office (hereinafter OMIC) on March 12, 2018 from the claim made in March 2018, informing that the claim has been accepted and the cancellation of the telephone line has been made on March 3, 2018. Likewise, the payments corresponding to the periods not enjoyed are made.
FOURTH - Claim made before the OMIC on 8 May 2018 showing his disagreement, indicating (i) that on this date his data continue to be held as active by the company and requesting their deletion and (ii) that the reimbursement AB0086485 has not been made as informed by the claimed party in its reply of 12 March 2018.
FIFTH - Answer received by the OMIC on June 28, 2018 from the claimed party stating that the AB0086485 credit note had not been paid because it was offset against an existing unpaid debt. It adds that a credit note corresponding to invoice MC181742695 has also been paid and that as soon as the debt is cancelled in full, his details will be deleted from the company.
SIXTH - Notification dated September 7, 2018 from the claimed party requiring the payment of an invoice for the amount of XX,XX € and informing the claimant that his data could be reported to the files of creditworthiness and credit.
LEGAL FOUNDATIONS
I
The Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of Article 58.2 of the RGPD and Articles 47 and 48.1 of the LOPDGDD.
II
The defendant is accused of committing an infringement for breach of Article 6 of the RGPD, "Legality of processing", which indicates in its paragraph 1 the cases in which the processing of third party data is considered to be lawful:
"1. Treatment shall be lawful only if at least one of the following conditions is met:
a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes;
b) the processing is necessary for the execution of a contract to which the person concerned is a party or for the implementation at his request of pre-contractual measures;
(…)”
The infringement is defined in Article 83.5 of the RGPD, which considers it as such:
"5. Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, of up to 4% of its total annual turnover in the preceding business year, whichever is the greater:
a) The basic principles for treatment, including conditions for consent under Articles 5, 6, 7 and 9."
Article 72 of the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), under the heading "Infringements considered very serious" provides:
"1. In accordance with the provisions of Article 83(5) of Regulation (EU) 2016/679, offences involving a substantial breach of the Articles mentioned therein are considered very serious and shall be subject to a three-year limitation period, and in particular the following:
(…)
b) The processing of personal data without meeting any of the conditions for the lawfulness of processing laid down in Article 6 of Regulation (EU) 2016/679."
III
The documentation in the file offers evidence that the respondent violated Article 6.1 of the RGPD, since it processed the complainant's personal data without legitimacy.
The claimant's personal data were incorporated into the company's information systems, without the respondent proving that it had his consent to the collection and subsequent processing of his personal data.
The Contentious-Administrative Chamber of the National Court, in cases such as the one described here, has considered that when the owner of the data denies the hiring, the burden of proof falls on the person who affirms its existence, and the person responsible for the processing of third party data must collect and keep the necessary documentation to prove the owner's consent. We cite, for all of them, the SAN of 31/05/2006 (Rec. 539/2004), Fourth Legal Ground.
The claimant's personal data were recorded in the files of the claimed party and were processed for the issuance of emails. As a result, it has processed the personal data without proving that it has the consent of the complainant for their processing, or that it has the legal authorization to do so.
However, and this is the essential point, the respondent does not prove the legitimacy of the processing of the claimant's data.
In short, the Respondent has not provided any document or evidence to show that the entity, in such a situation, would have shown the minimum diligence required to verify that its interlocutor was indeed the one he claimed to be.
Respect for the principle of lawfulness, which is at the heart of the fundamental right to protection of personal data, requires evidence that the controller has taken the necessary steps to prove this. If this is not done - and if this Agency, which is responsible for ensuring compliance with the regulations governing the right to protection of personal data, does not demand it - the result would be to empty the principle of lawfulness of its content.
With regard to the facts that are the subject of this complaint, we must emphasize that the respondent, despite repeated requests from the AEPD to explain the facts on which it is based, never responded or provided any evidence that would allow us to consider that the processing of the complainant's data was legitimate.
It is clear that on 28 June, 17 October and 29 November 2018, information was requested from the entity in question. However, no response was received.
The lack of diligence displayed by the entity in complying with the obligations imposed by personal data protection regulations is therefore evident. Diligent compliance with the principle of lawfulness in the processing of third party data requires that the data controller be in a position to prove it (principle of proactive liability).
IV
In accordance with the provisions of Article 83.1 and 83.2 of the RGPD, in deciding whether to impose an administrative fine and the amount thereof in each individual case, account shall be taken of the aggravating and mitigating factors listed in the aforementioned article, as well as of any other factor that may be applicable to the circumstances of the case.
"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive.
"Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case.
In deciding whether to impose an administrative fine and the amount of the fine in each individual case, due account shall be taken of the circumstances of the case:
a) the nature, seriousness and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damages they have suffered;
b) the intentionality or negligence of the infringement;
c) any measure taken by the controller or processor to mitigate the damages suffered by the data subjects;
d) the degree of responsibility of the person responsible or the processor, taking into account the technical or organisational measures they have implemented under Articles 25 and 32;
e) any previous offence committed by the person responsible for or in charge of the processing;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and to mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the person responsible for or in charge of the infringement notified it;
i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible for or in charge of the same case, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.
With regard to Article 83.2 (k) of the RGPD, the LOPDGDD, Article 76, "Sanctions and corrective measures", provides:
"2. In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, they may also be taken into account:
a) The continuing nature of the infringement.
b) Linking the offender's activity to the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the conduct of the person concerned could have led to the commission of the infraction.
e) The existence of a merger by absorption process after the infringement, which cannot be attributed to the acquiring entity.
f) Affecting the rights of minors.
g) To have, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, of alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested party".
Consequently, the following have been taken into account as aggravating factors:
- The duration of the illegitimate processing of the data subject's data by the respondent (article 83.2.a, RGPD).
- No cooperation with the AEPD in order to remedy the infringement and mitigate its effects (Article 83.2.f, RGPD).
- The obvious link between the business activity of the respondent and the processing of personal data of customers or third parties (Article 83.2.k of the RGPD in relation to Article 76.2.b of the LOPDGDD).
The balance of the circumstances referred to in Article 83.2 of the RGPD, with respect to the infringement committed by violating the provisions of Article 6 thereof, allows for the imposition of a penalty of 75,000 euros (seventy-five thousand euros), classified as "very serious", for the purposes of the prescription of the same, in Article 72.1.b) of the LOPDGDD.
Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of the sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on XFERA MÓVILES, S.A. with NIF A82528548, for an infringement of Article 6 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 75,000.00 Euros (seventy-five thousand Euros).
SECOND: TO NOTIFY this resolution to XFERA MÓVILES, S.A. with NIF A82528548.
THIRD: To warn the sanctioned party that he/she must make the sanction imposed effective once this resolution becomes enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in article 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of July 29, in relation to article 62 of Law 58/2003, of December 17, by means of its payment, indicating the tax identification number of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account no. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.
Once the notification has been received and once it has been executed, if the date of execution is between the 1st and 15th of each month, inclusive, the period for making the voluntary payment will be up to the 20th of the following month or the immediately following working month, and if it is between the 16th and last day of each month, inclusive, the period for payment will be up to the 5th of the second following month or the immediately following working month.
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, data subjects may, optionally, file an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly file an administrative appeal with the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015 of 1 October. It must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it will terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Data Protection Agency