AEPD - PS/00415/2020

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5 GDPR
Article 5(1)(d) GDPR
Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 83(5)(a) GDPR
4(1) LOPDGDD
72(1)(a) LOPDGDD
Type: Complaint
Outcome: Upheld
Decided: 04.01.2021
Published: 30.12.2020
Fine: 90000 EUR
Parties: n/a
National Case Number/Name: PS/00415/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: The AEPD (in ES)
Initial Contributor: Paola L.

The Spanish DPA (AEPD) sanctioned Vodafone España, S.A.U. for non-compliance with general data processing principles. The initial proposed fine was €90,000; however, it was reduced to €54,000 because Vodafone acknowledged its responsibility and paid the fine early.

English Summary

Facts

On 9 July 2019, a data subject ("complainant") submitted a complaint to the AEPD stating that the products contracted with Vodafone España ("defendant") were not delivered in the name of the data subject, but in the name of a third party. The complainant updated the complaint on 13 September 2019, advising that they had contacted the Data Protection Officer of Vodafone via email requesting that the accuracy of their data be restored. However, no response was received to this request.

Subsequently, the complainant was contacted by Vodafone and was advised that the issue had been corrected and that the products purchased had been put in their name. However, in September 2019, the complainant contacted Vodafone's customer service and was addressed by the name of the third party.

The complainant also advised that on 11 September 2019, the Municipal Consumer Information Office (“OMIC”) informed them that they had a response to their complaint, and it turned out that Vodafone had responded with the complaint resolution of another customer as well as provided supporting evidence in the name of the third party.

Based on the evidence provided by the complainant, the AEPD decided to initiate an investigation into the matter and was able to confirm that:

  1. The defendant had been aware of this incident since 03/07/2019, when the data subject complained about the accuracy of their data.
  2. The incident was caused by an error in their system due to a system migration.
  3. The incident was resolved on 15/07/2019, when Vodafone fixed the crossover of information that had occurred in its systems and deactivated the third party who appeared as the holder of the client ID associated with the complainant. Vodafone provided proof that it had resolved the incident on 15/07/2019 and that the complainant's records are currently in the correct name. Vodafone confirmed that it had not disclosed the complainant's personal data to any third party.
  4. In relation to the response provided to the OMIC, Vodafone confirmed that due to a human error during the complaint response process they had provided the OMIC with the correspondence intended for another individual. Vodafone clarified that the information about the complainant was not shared with an unauthorised third party.

Dispute

Were the actions of the defendant a violation of the principles relating to the processing of personal data contained in Articles 5(1)(d) and 5(1)(f) of the GDPR?

Holding

Based on the facts presented, the AEPD held that the actions of the defendant infringed the following principles of processing of personal data:

  • Article 5(1)(d) GDPR – Accuracy principle, as it was proven that in Vodafone’s systems, the products contracted by the complainant were in the name of a third party.
  • Article 5(1)(f) GDPR – Confidentiality principle, as Vodafone responded to the complaint with a response that was intended for another individual and not for the complainant, meaning that Vodafone does not have appropriate security measures in place to protect the confidentiality of personal data.

The AEPD held that this offense is considered ‘grave’ in accordance with Article 72(1)(a) LOPDGDD and falls under the criteria defined in article 83(5)(a) GDPR where a company can be fined up to €2 million, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The AEPD imposed a fine of €60000 for violating Article 5(1)(d) GDPR and €30000 for violating Article 5(1)(f) GDPR.

In imposing the fine, the AEPD factored in that the infringement was considered negligent, not intentional, but significant, and that the records affected corresponded to the complainant’s basic personal data such as name and address.

Vodafone España, S.A.U. acknowledged its responsibility in accordance with Article 85 (1) LPACAP, which resulted in a 20% reduction of the penalty. Furthermore, it carried out the voluntary payment of the proposed fine before the resolution, so it benefited from an additional reduction of 20% (Article 85 (2) LPACAP). Therefore, Vodafone España, S.A.U. benefited from the two 20% reductions and paid € 54000 instead of the initial € 90000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure No.: PS / 00415/2020


RESOLUTION R / 00649/2020 ON TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

In the sanctioning procedure PS / 00415/2020, instructed by the Spanish Agency for

Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed
by A.A.A., and based on the following,

                                 BACKGROUND


FIRST: On December 2, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against VODAFONE
ESPAÑA, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed:


<<





Procedure Nº: PS / 00415/2020



           AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE




Based on the actions carried out by the Spanish Agency for Data Protection and
on the following:

                                     FACTS




FIRST: D. A.A.A. (hereinafter, the claimant) filed a claim with the Spanish
Agency for Data Protection on July 9, 2019. The claim is directed against
Vodafone España, S.A.U. with NIF A80907397 (hereinafter, the claimed).

       The claimant states that the products contracted with the claimed have
been put in the name of a third party, who has had his personal data since
May 2019.





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es








        And, among other things, it provides the following documentation:


        Screenshot of the application "My VODAFONE" where it appears "B.B.B.
        *** NIF.1 ”associated with the postal address of the same.




        Vodafone purchase summary where the name and surname of the
        claimant associated with your postal address.




        On September 13, 2019, the claimant expands his claim, stating that he
sent an email to the data protection officer of the claimed, receiving no
response.

        Subsequently, he is told that the products he purchased are back in his
name, but in the client area he continues to appear as authorized.

        Thus, in the month of September he called customer service and they
addressed him by the name of the third party.

        On September 11, 2019, the OMIC told him that they had the response to
his claim, but it turned out that they had responded with the resolution of a
third party.



        He attaches the following documentation:

        Screenshot of the application "My VODAFONE" where the CIF of the
        complainant and that of a third party appear.

        Copy of letter sent by OMIC of *** LOCALIDAD.1 dated August 19, 2019,
        where the defendant communicates to the OMIC its response in relation to
        the question raised by D. C.C.C.

        Copy of 2 invoices of the claimed in the name of D. C.C.C. with issue
        dates March 22 and May 22, 2019 respectively.

SECOND: In view of the facts reported in the claim and the
documents provided by the claimant, the Subdirectorate General for Inspection of

Data proceeded to carry out preliminary investigation actions for the
clarification of the facts in question, by virtue of the powers of investigation

granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).




       As a result of the investigation actions carried out, it is verified
that the person responsible for the treatment is the one claimed.




       On July 29, 2020, the respondent declares to this Agency the following:



    1. That he was aware for the first time of what happened on July 3, 2019

        when the claimant contacted the defendant to report the incident.




    2. It adds that the claim was due to an error in Vodafone's systems
        derived from the migration of their systems to Smart-Amdocs, and that
        there was a data crossing in the ID *** ID.1 associated with the claimant.

    3. That they have been able to verify that the incident complained of was
        duly resolved on July 15, 2019, after the crossing of data that
        occurred in the Vodafone systems was solved and the deactivation of the
        third party that was listed as holder of the Customer ID associated with
        the claimant was effectively processed.

        Provides a copy of the letter of July 29, 2020 with the Vodafone logo
        addressed to the claimant, which states that the incident was duly
        resolved on July 15, 2019 and that the services associated with the
        account ID *** ID.1 are currently linked only to his personal data.
        It also states that no copy of his answer has been sent to any
        third party.

        Provides a screenshot of their systems where the third person appears in
        “disconnected” status associated with ID *** ID.1.

    4. On the other hand, they point out that, with respect to the response to
        the OMIC of August 2019, they have been able to verify that, due to an
        error in the answering process, the complainant was sent a copy of an
        answer that was not related to the claim of the complainant before the
        OMIC and not the answer intended for him, which originated in an
        isolated human error, and that in no case has the answer intended for
        the claimant been sent to a third party.




        They provide a copy of the letter of August 19, 2019 with the Vodafone logo
        addressed to OMIC in relation to the issue raised by the claimant.




        On October 16, 2020, a request for information was sent to the

        reclaimed. The notification is delivered on October 19, 2020.
        receives reply.




                             FOUNDATIONS OF LAW



                                              I




        By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in arts. 47 and 48.1 of the LOPDPGDD, the
Director of the Spanish Data Protection Agency is competent to resolve
this procedure.




                                              II




        Article 6.1 of the RGPD establishes the assumptions that allow considering
lawful processing of personal data.




        For its part, article 5 of the RGPD establishes that personal data will be:


        “a) treated in a lawful, fair and transparent manner in relation to the
interested party ("lawfulness, fairness and transparency");



        b) collected for specific, explicit and legitimate purposes, and will not be processed

subsequently in a manner incompatible with said purposes; in accordance with article 89,
section 1, the subsequent processing of personal data for archiving purposes in

public interest, scientific and historical research purposes or statistical purposes are not
deemed incompatible with the original purposes ("purpose limitation");




        c) adequate, relevant and limited to what is necessary in relation to the purposes
for those who are processed ("data minimization");




        d) accurate and, if necessary, updated; all measures will be taken
reasonable so that the personal data that
are inaccurate with respect to the purposes for which they are processed ("accuracy");




        e) maintained in a way that allows the identification of the interested parties
for no longer than is necessary for the purposes of data processing

personal; personal data may be kept for longer periods
provided that they are treated exclusively for archival purposes in the public interest,

scientific or historical research or statistical purposes, in accordance with article
89, paragraph 1, without prejudice to the application of technical and organizational measures
appropriate measures imposed by this Regulation in order to protect the rights and

freedoms of the interested party ("limitation of the conservation period");



        f) treated in such a way as to guarantee adequate security for the

personal data, including protection against unauthorized or illegal processing and
against their loss, destruction or accidental damage, by applying measures

appropriate technical or organizational ("integrity and confidentiality").



        The person responsible for the treatment will be responsible for compliance with

provided for in section 1 and capable of demonstrating it ("proactive responsibility"). "



                                            III




       In accordance with the evidence available at the present moment, and
without prejudice to the results of the instruction, it is considered proven
that in the systems of the claimed a third party appeared as the owner of the
services contracted by the claimant.




       In this way, it is fully proven that the defendant violated the
principle of accuracy, included in article 5.1 d) of the RGPD, as recognized in

his answer in which he states: "after the crossing of
data occurred in Vodafone systems and effectively process the
deactivation of the third party that was listed as the owner of the client ID associated with the

claimant ”.



       On the other hand, the documentation in the file shows

that the defendant also violated the principle of confidentiality article 5.1 f) of the
RGPD.




        In this sense, it is important to highlight that the complainant provided the answer to
his claim, and it was found that the defendant answered him with the resolution of a

third.



       It should also be borne in mind that the defendant acknowledges said error and

states that: “in the response process, the claimant was sent a copy of a
answer that were not related to the claim of the complainant before the
OMIC and not the reply addressed to it, which had its origin in an error

punctual of a human nature and that in no case has the
answer addressed to the claimant to a third party ”.




       Therefore, there is no doubt, given the regulation that violates the duty of secrecy of the
Article 5.1.f) of the RGPD. Does not comply with security measures that result in

breach of confidentiality article 5.1 LOPDGDD.



       Ultimately, a third party could access the claimant's data, that is,
had access to the information associated with the services contracted by the claimant

which could constitute, on the part of the defendant, two infractions, one against
provided in article 5.1 d) of the RGPD, in relation to article 4.1 of the

LOPDGDD, and another against the provisions of article 5.1 f) of the RGPD, in relation to the
Article 5.1 of the LOPDGDD that governs the principles of accuracy and confidentiality of
Personal information.




                                           IV




       Article 72.1.a) of the LOPDGDD states that “in accordance with the
provisions of Article 83.5 of Regulation (EU) 2016/679, the infractions that
involve a substantial violation of the articles mentioned therein, and in
particular the following, are considered very serious and will prescribe after
three years:

       a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679.”




                                           V



       Article 58.2 of the RGPD provides the following: “Each control authority

will have all of the following corrective powers listed below:



       b) sanction any person responsible or in charge of the treatment with

warning when the processing operations have violated the provisions of
these Regulations;




       d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;







        i) impose an administrative fine in accordance with article 83, in addition or in

place of the measures mentioned in this section, depending on the circumstances
of each particular case;




                                              VI




        These infractions can be sanctioned with a fine of € 20,000,000 as
maximum or, in the case of a company, an amount equivalent to 4% as

maximum total annual global business volume of the previous financial year,
opting for the highest amount, in accordance with article 83.5 of the RGPD.




        Likewise, it is considered that the sanctions to be imposed should be
in accordance with the following criteria established in article 83.2 of the RGPD:




        As aggravating factors the following:

     • In the present case we are dealing with unintentional but significant
        negligent action (article 83.2 b).

     • Basic personal identifiers are affected (name, surnames, domicile)
        (according to article 83.2 g).



        Therefore, based on the foregoing,

















       By the Director of the Spanish Agency for Data Protection,




       IT IS AGREED:



    FIRST: INITIATE SANCTIONING PROCEDURE against VODAFONE ESPAÑA,

    S.A.U. with NIF A80907397, for the alleged infractions of articles 5.1.d) and
    5.1. f) of the RGPD typified in article 83.5.a) of the aforementioned RGPD.




    SECOND: APPOINT D. *** INSTRUCTOR 1 as instructor and as secretary
    to Ms. *** SECRETARY. 2, indicating that any of them may be challenged,

    where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015,
    of October 1, of the Legal Regime of the Public Sector (LRJSP).




    THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the
    claim filed by the claimant and his documentation, the documents
    obtained and generated by the General Subdirectorate for Data Inspection

    during the investigation phase, as well as the report of previous actions of
    Inspection.




    FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of
    October 1, of the Common Administrative Procedure of the Public
    Administrations, the corresponding sanctions would be the following:

     • for the violation of article 5.1 d) of the RGPD, typified in article 83.5 a)
        of the RGPD, the corresponding sanction would be a fine for an amount of
        60,000 euros (sixty thousand euros), without prejudice to what results
        from the instruction.

     • for the violation of article 5.1 f) of the RGPD, typified in article 83.5 a)
        of the RGPD, the corresponding sanction would be a fine for an amount of
        30,000 euros (thirty thousand euros), without prejudice to what results
        from the instruction.





    FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with
    NIF A80907397 giving you a hearing period of ten business days to

    formulate the allegations and present the evidence it deems appropriate. In its
    statement of allegations must provide your NIF and the procedure number that
    it appears at the top of this document.




    If, within the stipulated period, no allegations are made to this initiation agreement, the
    It may be considered a resolution proposal, as established in the

    Article 64.2.f) of Law 39/2015, of October 1, on the Procedure
    Common Administrative of Public Administrations (hereinafter, LPACAP).




    In accordance with the provisions of article 85 of the LPACAP, in the event that
    the penalty to be imposed would be a fine, you may recognize your responsibility within
    of the term granted for the formulation of allegations to the present

    start; which will entail a reduction of 20% for each of the
    sanctions to be imposed in this procedure, equivalent in this
    case at twelve thousand euros (€ 12,000), for the first offense charged and six thousand

    euros (€ 6,000) for the second offense charged, that is, a total reduction
    for this reason, eighteen thousand euros (€ 18,000). With the application of this

    reduction, the total amount of both sanctions would be established in
    seventy-two thousand euros (€ 72,000), resolving the procedure with the
    imposition of this sanction.



    In the same way, you may, at any time prior to the resolution of the

    present procedure, carry out the voluntary payment of the proposed sanction,
    in accordance with the provisions of article 85.2 LPACAP, which will mean

    a reduction of 20% of the amount thereof, equivalent in this case to
    twelve thousand euros (€ 12,000), for the first offense charged and six thousand euros
    (€ 6,000), that is, a total reduction for this reason of eighteen thousand euros

    (€ 18,000). With the application of this reduction, the total amount of both
    sanctions would be established at seventy-two thousand euros (€ 72,000) and their payment
    will imply the termination of the procedure.

    The reduction for the voluntary payment of the penalty is cumulative with the
    one that corresponds to the recognition of responsibility, provided that this
    acknowledgment of responsibility is made within the term granted to
    formulate allegations at the opening of the procedure. The voluntary payment
    of the amount referred to in the previous paragraph may be made at any
    time before the resolution. In this case, if both reductions apply, the
    amount of the penalty would be set at fifty-four thousand euros (€ 54,000).

    In any case, the effectiveness of either of the two mentioned reductions
    will be conditioned to the withdrawal or resignation of any action or resource in

    administrative procedure against the sanction.

    In the event that you choose to proceed to the voluntary payment of any of the
    amounts indicated above, 72,000 euros or 54,000 euros, you must make it
    effective by depositing it into account number ES00 0000 0000 0000 0000 0000,
    opened in the name of the Spanish Agency for Data Protection in the bank
    CAIXABANK, S.A., indicating in the concept the reference number of the
    procedure that appears at the top of this document and the cause of
    reduction of the amount that you are invoking.

    Likewise, you must send proof of the deposit to the Subdirectorate General of
    Inspection to continue the procedure according to the amount
    deposited.


    The procedure will have a maximum duration of nine months from the
    date of the initiation agreement or, where appropriate, the draft initiation
    agreement. After this period, it will expire and, consequently, the
    proceedings will be closed, in accordance with the provisions of article 64
    of the LOPDGDD.




    Finally, it is pointed out that in accordance with the provisions of article 112.1 of the
    LPACAP, against this act there is no administrative appeal.




    Mar España Martí

    Director of the Spanish Agency for Data Protection


>>

SECOND: On December 21, 2020, the defendant has proceeded to pay
the sanction in the amount of 54,000 euros making use of the two reductions
provided for in the Initiation Agreement transcribed above, which implies the

acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to

the facts to which the Initiation Agreement refers.




                            FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said

Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article

43.1 of said Law.

                                            II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric

"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature or it is possible to impose a

pecuniary sanction and other non-pecuniary sanction, but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offense.


3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of

any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased
by regulation."


In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00415/2020, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.



In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.



Mar España Martí
Director of the Spanish Agency for Data Protection