AEPD - PS/00415/2020
|AEPD - PS/00415/2020|
|Relevant Law:||Article 5 GDPR|
Article 5(1)(d) GDPR
Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 83(5)(a) GDPR
|National Case Number/Name:||PS/00415/2020|
|European Case Law Identifier:||n/a|
|Original Source:||The AEPD (in ES)|
|Initial Contributor:||Paola L.|
The Spanish DPA (AEPD) sanctioned Vodafone España, S.A.U. for non-compliance with general data processing principles. The initial proposed fine was €90,000 however, it was reduced to €54,000 for recognition of responsibility and making an early payment of the fine.
English Summary[edit | edit source]
Facts[edit | edit source]
On 9 July 2019, a data subject ("complainant") submitted a complaint to the AEPD stating that the products contracted with Vodafone España ("defendant") were not delivered in the name of the data subject, but in the name of a third party. The complainant updated the complaint on 13 September 2019 advising that they contacted Data Protection Officer of Vodafone via email requesting them to restore the accuracy of their data. However, no response was received to this request.
Subsequently, the complainant was contacted by Vodafone and was advised that the issue had been corrected and that the products purchased had been put in their name. However, in September 2019, the complainant contacted the Vodafone's customer service and was addressed in the name of the third party.
The complainant also advised that on 11 September 2019, the Municipal Consumer Information Office (“OMIC”) informed them that they had a response to their complaint, and it turned out that Vodafone had responded with the complaint resolution of another customer as well as provided supporting evidence in the name of the third party.
Based on the evidence provided by the complainant, the AEPD decided to initiate an investigation into the matter and was able to confirm that:
- The defendant was aware of this incident since 03/07/2019 when the data subject complaint about the accuracy of their data.
- The incident was caused by an error in their system due to a system migration.
- The incident had been resolved on 15/07/2019 when a crossover of information in Vodafone’s system had occurred and Vodafone deactivated the third party who appeared to be named on the client ID associated with the complainant. Vodafone provided proof to have resolved the incident on 15/07/2019 and that the complainant's records are currently in the correct name. Vodafone confirmed that it had not disclosed the complainant's personal data to any third party.
- In relation to the response provided to the OMIC, Vodafone confirmed that due to a human error during the complaint response process they had provided the OMIC with the correspondence intended for another individual. Vodafone clarified that the information about the complainant was not shared with an unauthorised third party.
Dispute[edit | edit source]
Were the actions of the defendant a violation of the principles relating to the processing of personal data contained in Articles 5(d) and 5(f) of the GDPR?
Holding[edit | edit source]
Based on the facts presented, the AEPD held that the actions of the defendant infringed the following principles of processing pf personal data:
- Article 5(1)(d) GDPR – Accuracy principle, as it was proven that in Vodafone’s systems, the products contracted by the complainant were in the name of a third party.
- Article 5(1)(f) GDPR – Confidentiality principle, as Vodafone responded to the complaint with the response that was intended for another individual not for the complainant, meaning that Vodafone does not have appropriate security measures in place to protect the confidentiality personal data.
The AEPD held that this offense is considered ‘grave’ in accordance with Article 72(1)(a) LOPDGDD and falls under the criteria defined in article 83(5)(a) GDPR where a company can be fined up to €2 million, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The AEPD imposed a fine of €60000 for the violating Article 5(1)(d) GDPR and €30000 for violating Article 5(1)(f) GDPR.
In imposing the fine, the AEPD factored in that the infringement was considered negligent not intentional but significant and that the records affected corresponded to complainant ’s basic personal data such as name and address.
Vodafone España, S.A.U. acknowledged its responsibility in accordance with Article 85 (1) LPACAP which resulted in a 20% reduction of the penalty. Furthermore, it carried out the voluntary payment of the proposed fine before the resolution, so it benefited from an additional reduction of 20% (Article 85 (2) LPACAP). Therefore, Vodafone España, S.A.U benefited by the two 20% reductions and paid € 54000 instead of the initial € 90000.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13 Procedure No.: PS / 00415/2020 RESOLUTION R / 00649/2020 TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY In the sanctioning procedure PS / 00415/2020, instructed by the Spanish Agency for Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed by A.A.A., and based on the following, BACKGROUND FIRST: On December 2, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against VODAFONE SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure Nº: PS / 00415/2020 AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and in based on the following: ACTS FIRST: D. A.A.A. (hereinafter, the claimant) dated July 9, 2019 filed a claim with the Spanish Agency for Data Protection. The claim is directed against Vodafone España, S.A.U. with NIF A80907397 (in forward, the claimed). The claimant states that the products contracted with the claimed, the have put in the name of a third party, who has your personal data from the month May 2019. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/13 And, among other things, it provides the following documentation: Screenshot of the application "My VODAFONE" where it appears "B.B.B. *** NIF.1 ”associated with the postal address of the same. Vodafone purchase summary where the name and surname of the claimant associated with your postal address. On September 13, 2019, the claimant expands his claim stating that you sent an email to the data protection officer of the claimed person, receiving no response. Subsequently, they tell you that the products you purchased are back at your name, but it happens that in the client area it continues to appear as authorized. Thus, in the month of September he called customer service and They addressed him by the name of the third. Well, on September 11, 2019, the OMIC told you that they had the response to your claim, but it turns out that they responded with the resolution of a third. Accompany the following documentation: Screenshot of the application "My VODAFONE" where the CIF of the complainant and that of a third party. Copy of letter sent by OMIC of *** LOCALIDAD.1 dated August 19 of 2019 where the defendant communicates to the OMIC his response in relation to the question raised by D. C.C.C .. Copy of 2 invoices of the claimed in the name of D. C.C.C. with issue dates March 22 and May 22, 2019 respectively. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/13 SECOND: In view of the facts reported in the claim and the documents provided by the claimant, the Subdirectorate General for Inspection of Data proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigation actions carried out, it is verified that the person responsible for the treatment is the one claimed. On July 29, 2020, the respondent declares to this Agency the following: 1. That he was aware for the first time of what happened on July 3, 2019 when the claimant contacted the defendant to report the incident. 1. It adds that the claim was due to an error in Vodafone's systems derived from the migration of their systems to Smart-Amdocs. That there was a data crossing in the ID *** ID.1 associated with the claimant. 2. That they have been able to verify that the incident complained of was duly resolved on July 15, 2019, after having been solved the crossing of data that occurred in the Vodafone systems and effectively process the deactivation of the third party that was listed as Customer ID holder associated with the claimant. Provide a copy of the letter of July 29, 2020 with the Vodafone logo addressed to the claimant where it is established that the incident has been duly resolved on July 15, 2019, that the services associated with the account ID *** ID.1 are currently only linked to your personal data. It also appears that no copy of your answer has been sent to any third. Provides a screenshot of their systems where the third person appears in “disconnected” status associated with ID *** ID.1. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/13 3. On the other hand, they point out that, with respect to the response to the OMIC of August 2019, they have been able to verify that due to an error in the answering process The complainant was sent a copy of an answer that was not related with the claim of the complainant before the OMIC and not the answer destined to it, which had its origin in a specific error of character human rights and that in no case has the answer been sent intended for the claimant to a third party. They provide a copy of the letter of August 19, 2019 with the Vodafone logo addressed to OMIC in relation to the issue raised by the claimant. On October 16, 2020, a request for information was sent to the reclaimed. The notification is delivered on October 19, 2020. receives reply. 48-220920 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in arts. 47 and 48.1 of the LOPDPGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure. II Article 6.1 of the RGPD establishes the assumptions that allow considering lawful processing of personal data. For its part, article 5 of the RGPD establishes that personal data will be: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/13 “A) treated in a lawful, loyal and transparent manner in relation to the interested party ("Lawfulness, fairness and transparency"); b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with said purposes; in accordance with article 89, section 1, the subsequent processing of personal data for archiving purposes in public interest, scientific and historical research purposes or statistical purposes are not deemed incompatible with the original purposes ("purpose limitation"); c) adequate, relevant and limited to what is necessary in relation to the purposes for those who are processed ("data minimization"); d) accurate and, if necessary, updated; all measures will be taken reasonable so that the personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy"); e) maintained in a way that allows the identification of the interested parties for no longer than is necessary for the purposes of data processing personal; personal data may be kept for longer periods provided that they are treated exclusively for archival purposes in the public interest, scientific or historical research or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of technical and organizational measures appropriate measures imposed by this Regulation in order to protect the rights and freedoms of the interested party ("limitation of the conservation period"); f) treated in such a way as to guarantee adequate security for the personal data, including protection against unauthorized or illegal processing and against their loss, destruction or accidental damage, by applying measures appropriate technical or organizational ("integrity and confidentiality"). The person responsible for the treatment will be responsible for compliance with provided for in section 1 and capable of demonstrating it ("proactive responsibility"). " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/13 III In accordance with the evidence available in the present moment, and without prejudice to the results of the instruction, it is considered proven that in the systems of the complainant, he appeared as the owner of the services contracted by the claimant a third party. In this way, it is fully proven that the defendant violated the principle of accuracy, included in article 5.1 d) of the RGPD, as recognized in his answer in which he states: "after the crossing of data occurred in Vodafone systems and effectively process the deactivation of the third party that was listed as the owner of the client ID associated with the claimant ”. On the other hand, the documentation in the file shows that the defendant also violated the principle of confidentiality article 5.1 f) of the RGPD. In this sense, it is important to highlight that the complainant provided the answer to his claim, and it was found that the defendant answered him with the resolution of a third. It should also be borne in mind that the defendant acknowledges said error and states that: “in the response process, the claimant was sent a copy of a answer that were not related to the claim of the complainant before the OMIC and not the reply addressed to it, which had its origin in an error punctual of a human nature and that in no case has the answer addressed to the claimant to a third party ”. Therefore, there is no doubt, given the regulation that violates the duty of secrecy of the Article 5.1.f) of the RGPD. Does not comply with security measures that result in breach of confidentiality article 5.1 LOPDGDD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/13 Ultimately, a third party could access the claimant's data, that is, had access to the information associated with the services contracted by the claimant which could constitute, on the part of the defendant, two infractions, one against provided in article 5.1 d) of the RGPD, in relation to article 4.1 of the LOPDGDD, and another against the provisions of article 5.1 f) of the RGPD, in relation to the Article 5.1 of the LOPDGDD that governs the principles of accuracy and confidentiality of Personal information. IV Article 72.1.a) of the LOPDGDD states that “depending on what is established Article 83.5 of Regulation (EU) 2016/679 are considered very serious and The infractions that suppose a substantial violation will prescribe after three years of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679 V Article 58.2 of the RGPD provides the following: “Each control authority will have all of the following corrective powers listed below: b) sanction any person responsible or in charge of the treatment with warning when the processing operations have violated the provisions of these Regulations; d) order the person in charge of the treatment that the operations of treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/13 i) impose an administrative fine in accordance with article 83, in addition or in place of the measures mentioned in this section, depending on the circumstances of each particular case; SAW These infractions can be sanctioned with a fine of € 20,000,000 as maximum or, in the case of a company, an amount equivalent to 4% as maximum total annual global business volume of the previous financial year, opting for the highest amount, in accordance with article 83.5 of the RGPD. Likewise, it is considered that the sanctions to be imposed should be in accordance with the following criteria established in article 83.2 of the RGPD: As aggravating factors the following: In the present case we are dealing with unintentional negligent action, but it signifies cativa (article 83.2 b). Basic personal identifiers are affected, (name, surname, two, domicile) (according to article 83.2g). Therefore, based on the foregoing, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/13 By the Director of the Spanish Agency for Data Protection, HE REMEMBERS: FIRST: INITIATE SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U. with NIF A80907397, for the alleged infractions of articles 5.1.d) and 5.1. f) of the RGPD typified in article 83.5.a) of the aforementioned RGPD. SECOND: APPOINT D. *** INSTRUCTOR 1 as instructor and as secretary to Ms. *** SECRETARY. 2, indicating that any of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, of the Legal Regime of the Public Sector (LRJSP). THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and his documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, as well as the report of previous actions of Inspection. FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Administrations Public, the corresponding sanctions would be the following: for the violation of article 5.1 d) of the RGPD, typified in article 83.5 a) of the RGPD the corresponding sanction would be a fine for an amount of 60,000 euros (sixty thousand euros) without prejudice to what results from the instruction. for the violation of article 5.1 f) of the RGPD, typified in article 83.5 a) of the RGPD the corresponding sanction would be a fine for an amount of 30,000 euros (thirty thousand euros) without prejudice to what results from the instruction. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/13 FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with NIF A80907397 giving you a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In its statement of allegations must provide your NIF and the procedure number that it appears at the top of this document. If, within the stipulated period, no allegations are made to this initiation agreement, the It may be considered a resolution proposal, as established in the Article 64.2.f) of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within of the term granted for the formulation of allegations to the present start; which will entail a reduction of 20% for each of the sanctions to be imposed in this procedure, equivalent in this case at twelve thousand euros (€ 12,000), for the first offense charged and six thousand euros (€ 6,000) for the second offense charged, that is, a total reduction for this reason, eighteen thousand euros (€ 18,000). With the application of this reduction, the total amount of both sanctions would be established in seventy-two thousand euros (€ 72,000), resolving the procedure with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of the present procedure, carry out the voluntary payment of the proposed sanction, in accordance with the provisions of article 85.2 LPACAP, which will mean a reduction of 20% of the amount thereof, equivalent in this case to twelve thousand euros (€ 12,000), for the first offense charged and six thousand euros (€ 6,000), that is, a total reduction for this reason of eighteen thousand euros (€ 18,000). With the application of this reduction, the total amount of both sanctions would be established at seventy-two thousand euros (€ 72,000) and their payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to that corresponds to apply for the recognition of responsibility, provided that this acknowledgment of responsibility is revealed within the term granted to formulate allegations at the opening of the procedure. The pay Voluntary amount of the amount referred to in the previous paragraph may be done at any time before resolution. In this case, if applicable, apply both reductions, the amount of the penalty would be set at fifty-four thousand euros (€ 54,000). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/13 In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or resource in administrative procedure against the sanction. In the event that you choose to proceed to the voluntary payment of any of the amounts indicated above, 72,000 euros or 54,000 euros, you must do so cash by depositing into account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection in the Bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure at the top of this document and the cause of reduction of the amount to which it is accepted. Likewise, you must send proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; In accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, against this act there is no administrative appeal. Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On December 21, 2020, the defendant has proceeded to pay the sanction in the amount of 54,000 euros making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts to which the Initiation Agreement refers. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/13 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction, but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00415/2020, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U .. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/13 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 936-031219 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es