AEPD (Spain) - PS/00416/2019

From GDPRhub
AEPD - PS/00416/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 13 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 25.11.2020
Fine: 40.000 EUR
Parties: Miraclia Telecomunicaciones, S.L.
National Case Number/Name: PS/00416/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish Data Protection Agency (AEPD) decided to impose two fines (20,000€ each) on Miraclia Telecomunicaciones, S.L. (the defendant): one of them for the infringement of the lawfulness of processing principle (Article 6 GDPR), and the other for the infringement of the transparency principle (Articles 13 and 14 GDPR), both due the unconsented use, record and assignment of personal data in the context of telephone jokes.

English Summary

Facts

The decision is the consequence of two complaints submitted by different subjects. One of them (the claimant A) stated that he had received a telephone joke made with an app (the App) according to which an alleged policeman was calling him, but he had never given any consent to such processing of his personal data, nor received any information on the same; besides, the call was assigned to third parties, and had been made from a hidden number that, in order to allow claimant A to get back, required him an additional charge. The other (the claimant B) stated that he also received a telephone joke with the App, according to which an alleged politician was thanking him for his vote, but he had never given any consent to such processing of his personal data, nor received any information on the same, and that the recorded file of the call had been uploaded to the social networks even tagging claimant B by his name; besides, the audio file contained xenophobic messages.

Dispute

The defendant answered the first requirements of the AEPD stating that: (i) after receiving a joke, data subjects can avoid the creation of the file by pressing a button; (ii) once the joke is made, in case the joking subject decided to record it and the affected subject decides not to avoid it, the defendant does not keep any kind of personal data, which is entirely managed and stored by the joking subject in his/her phone; (iii) the joking subjects are warned that their personal data, containing the files of the jokes they have made, will be deleted in six months in case they do not use the App. The AEPD made its technical and legal research, and then started the corresponding sanction procedure, informing the defendant that the proposed fine for the conduct would amount to 50,000€ for each infringement (so 100,000€ in all); to such proposal, the defendant requested a reduction, considering, among other reasons, that: (i) it was not processing personal data, as the App worked as a telephone line, a surprise gifts company or Instagram/Twitter, in which the companies are not responsible for the use and the content the users make of the network; (ii) it had no possibility to identify the affected subject nor to link his/her number/voice with any personal data without using disproportionate efforts, so the telephone number and voice of the affected subject would not be considered personal data; (iii) despite the fact that the defendant considered that no personal data were involved in his activity, it had adopted some information measures "ad cautelam"; (iv) the defendant considered that, even in case personal data were considered to this case, the legal basis for its processing would be the legitimate interest of the defendant, and not the consent of the data subjects; (v) the joke happened in a leisure context in which no real harm was made to the affected data subjects; (vi) the only personal data affected is the telephone number, as the recorded file of the call is directly made by the joking subject and cannot be linked to the number; (vii) the defendant intention has always been to respect the legislation and to collaborate with the AEPD, and so it has facilitated the right to erasure whenever it has been requested to do so. Additionally, the AEPD also received a third complaint against the defendant submitted by a European citizen before the Slovenian data protection authority, so the situation became a cross-border case; once determined the AEPD would be the lead authority, it made the corresponding legal and technical research, and considered that this third complaint was essentially very similar to the other two, so it did not open a new procedure, but was added to the existing one in Spain. Finally, the AEPD considered that: (i) the data processing activity carried out by a company in the framework of its commercial activity cannot be excluded from its data protection obligations on the basis of being considered an exclusively personal or domestic activity, even if the service provided by the company consists of providing a relationship between natural persons; (ii) the recording of the human voice, associated with other data such as the telephone number, must be considered personal data, and the fact of making it available to third parties who can identify who such voice belongs to, must be clearly considered an automated personal data processing activity; and (iii) the commercial interests of a data controller must yield to the legitimate data protection interests of the owner of such personal data.

Holding

Thus, the AEPD understood that the defendant has infringed not only the lawfulness principle included at Article 6 GDPR (as there is no consent by the data subject receiving the joke, nor any other valid legal basis to process his/her personal data), but also the transparency principle at Articles 13 and 14 GDPR (as the data subject is never informed nor knows in any manner that his/her personal data are used in the App and that they will be assigned to a third party). Consequently, after considering some circumstances [(i) the nature, severity and duration of the infringement; (ii) the serious and wilful misconduct of the defendant, specially taking into account that the App did not take into consideration any data protection requirements even after the defendant being fined in the past due to a similar infringement; (iii) the continued nature of the infraction; (iv) the evident connection between the activity of the defendant and the processing of personal data, and the advantages obtained from such; (v) the amount of personal data processed by the defendant and the amount of affected data subjects; (vi) the unpredictable nature of the damages caused to the data subjects due to the assignment of personal data without any safety measure being adopted by the defendant; (vii) the lack of any internal procedures by the defendant regarding obtainment and processing of personal data; (viii) the defendant requested a reduction on the predicted fine, estimated 100,000€, as it would suppose 25% of its yearly turnover, which finished with economic losses], the AEPD decided to impose a fine of 40,000 € to the defendant (20,000€ for each infringement), and required it to solve all the data protection problems herein mentioned within the period of three (3) months since the decision.

Comment

It is relevant to bear in mind that the defendant had been already fined in the past with 7,500€ for a similar infringement also related to the App (that was even confirmed by the Spanish Supreme Court recently).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Page 1
1/61 Procedure No.: PS / 00416/2019RESOLUTION OF SANCTIONING PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection and inbased on the followingBACKGROUNDFIRST: On 09/03/2018, a claim had entered this Agencyfiled by AAA (hereinafter claimant 1), against the entity MIRACLIATELECOMUNICACIONES, SL , with NIF B85623775 (hereinafter MIRACLIA or theclaimed), for the use of your personal data to make a joke by usingFor this, from the application " *** APPLICATION.1 ", by phone call to your mobile line*** PHONE. 1 in which a person pretended to be a police officer, which took place onday *** DATE 1 . For this reason, he denounces the recording made without his knowledge orconsent, the dissemination of said recording to third parties, also without their consent, andthat the call is made from a hidden number. Add that the enabled line ascontact by that company is additional pricing, which entails a cost for theinterested party who intends to contact it. You state that you have a copy of therecording, which was provided by the person who used MIRACLIA's services and requeststhat your data be canceled, as well as the opening of a sanctioning procedure.This claim was transferred to the entity MIRACLIA. In response to whatmanifested by complainant 1, MIRACLIA informs this Agency that the joke to whichthe claimant refers to is outside the application "*** APPLICATION.1", in whose catalog ofThere are no jokes that have to do with policemen.Regarding the processing of personal data, it indicates that it does not store data fromabromado (hereinafter also interested or person who receives the prank call):neither recordings nor phone, which will be on the joker's mobile device (hereinafter referred to asalso, user of the application or person who orders the prank call); limitingto provide a service to the user of the application (the joker) who chooses the joke, enters therecipient's phone number and, after accepting the terms and conditions, generates therecording. MIRACLIA, therefore, has no way of knowing whether the claimant has received a"*** APPLICATION.1" joke (warns that there are other similar applications),and you can only block the phone line number of the abbreviated, even without knowing ifyou have actually received the joke, or delete the URL of the recording if they have it,This is not the case in this case as it was not provided by the claimant 1.According to MIRACLIA, it is the joker who can erase the recording, so theThe claimant's request must be addressed to him. The performance of the entity, which does not identifyabused people, consists of preventing the person receiving the joke from receivingmore calls in the future, locking the phone, or deleting the recordingusing the URL of the joke, which does not have an associated phone number, and provided that thejoker has not previously done so.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/61The app user or prankster is warned twice about theresponsibility involved in making the recording.Finally, MIRACLIA informs that since the full application of the Regulation (EU)2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection ofNatural Persons with regard to the Processing of Personal and Free DataCirculation of this Data (hereinafter RGPD), has modified its operations with the purposenot to keep any type of data, leaving these on the users' phones,being impossible to identify the abbreviated. In the event that the latter, theabused, provide their line number, it could be blocked so that they do notreceive calls in the future.SECOND: On 07/04/2019, a claim had entered this Agencyfiled by BBB (hereinafter claimant 2), against the entity MIRACLIA,pointing out, like complainant 1, that he has been the subject of a joke (thanksfor his vote to XXXXX ) that was recorded and disseminated on social networks with the mention of hisname, carried out using the application " *** APPLICATION.1 " (provides the link to theaudio object of the complaint - " *** ENLACE.1 ", which allows access to audiocorresponding to the call). Request removal of your phone line numbermobile phone in which you received the call from the database of the responsible company and theremoval of audio from the network. Also denounce xenophobic messagesof the supposed "association of friends of XXXXX ".THIRD: The claims to which the proceedings refer were admitted toprocessing through resolutions dated 11/20/2018 (the one relating to claimant 1) and 08/09/2019(the one related to claimant 2).FOURTH: In view of the facts reported in the claim and the documentsprovided by claimant 1, the Subdirectorate General for Data Inspection proceeded toconducting preliminary investigation actions to clarify the factsin question, by virtue of the investigative powers granted to the control authoritiesin article 57.1 of the RGPD Regulation, and in accordance with the provisions of TitleVII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, ofProtection of Personal Data and guarantee of digital rights (hereinafterLOPDGDD), to which the claim made by the claimant was also linked 2.As a result of these actions, the report prepared by the inspectionacting reveals the following:1. Made a request for information to MIRACLIA on various aspects, withOn 06/25/2019 a letter from said company was received at this Agencyin which he makes the following statements:to. At the end of the prank call, the receiver hears an announcement offeringthe possibility of not allowing the generation of the file with the recording of thejoke. The locution is as follows:"A friend of yours has played a prank on you. In case you don't want yourfriend can listen, download or spread the joke, or in case they don'twant to receive more jokes, press 5 on your keyboard after the signal.Beeep "C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/61They add that additionally, you can eliminate the joke knowing the url ofrecording the joke and sending an email to *** EMAIL.1 indicating thaturl.b. Among other technical aspects, they indicate that, once the joke is programmed, theThe call is initiated from the Voice over IP servers of the claimed in thespecified date and time.The joker user downloads the application and accepts the terms andconditions of it. At that moment your user profile is generatedto use a Voice over IP service and is assigned a numbering, thewhich is rented to you while you are a user of the application and make each call.To use the application, choose a joke from the catalog and enter thephone of the recipient of the prank and schedules a date and time, and theVoice over IP call leaves the cloud servers at that time that hasprogrammed the joker user.If the joking user selects to record the call (and the recipient of the call,when receiving the call, do not choose the option of not recording as indicated inthe previous point), an audio file will be generated with the content of theherself. The generated audio file is available at a URL to whichonly the prankster user of the application has access and only thejoker on your own device where you have the application installed hasassociated that content to the phone number of the recipient of the call, since*** APPLICATION.1 servers do not store any personal data from therecipient of the call.c. In the terms and conditions of use of the application, theJoking users that the company could remove their profiles (includingcontents / recordings) after 6 months of non-use of the application.2. In order to determine the exact operation of the application and the possiblevariations incorporated into the application since the last claim, the inspectorinstalled the application "*** APPLICATION.1" on your mobile terminal. The application consists of3 tabs: “List” (of available jokes), “Examples” and “My jokes”. In thislast tab is where jokes made by joker will be saved if notare eliminated.It is verified that in the list of available jokes there are jokesrelated to claimant 1 and claimant 2.3. On September 6, 9 and 12, 2019, the Inspection Services of theAgency carried out some tests consistent in downloading the application"*** APPLICATION.1" in a mobile terminal and proceed to use it. As a result ofthese tests were obtained the findings that are outlined in the FactTested Second.4. It has been found that the website “*** APLICACIÓN.1.es” offers a systemfree and immediate to include a phone number in the phone listblocked. According to MIRACLIA's statement, the phone number is storedencrypted on their systems.A test was carried out by registering the telephone number corresponding to thesecond SIM from the inspector terminal, and then an attempt was made to perform ajoke to this phone number. The application did not allow the execution of the joke.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/615. Regarding the issue of spreading the joke, which is present in theclaims, it must be clarified that MIRACLIA does not have any public sitewhere they are published or any platform for the dissemination of jokes. Jokes onlyThey can be spread by the joker user by sending the link to the file ofaudio: in the list of jokes made by the joker, next to each of thejokes not removed by the receiver of the joke following the procedureindicated, an icon appears to download the audio file of the recording from thephone conversation of the prank, another to listen to it and a third toshare it (the link to the audio file of the recording is sent through the mediumchosen to share it - this is the only time when thejoker knows the link to the audio file).6. On 08/26/2019, the Inspection Services access the web" *** WEB.1 ", to the URL corresponding to the recording of the joke made to theclaimant 2. It is verified that using the right button differentoptions, including playback and download of the recording.The acting inspection includes in its report a review of the evidence ofoperation of the application "*** APPLICATION.1" made on the occasion of someprevious action developed by the Agency (file E / 02003/2018). With respect totreatment by the claimed party of the recipient's personal data, in saidreport indicates the following:I.Recipient's phone storage. The phone of therecipient in the systems of the claimed until the moment of making thecall. Prank calls can be instant or scheduledspecifying date and time of execution.I.Recording the joke. It remains in the claimed systems until thejoker decides to delete it, the recipient of the joke decides to exercise his right todeletion, for which you must know the web link to the joke, or as a ruleIn general, a period of 6 months of non-use of the application established bythe claimed one.I.There are no other personal data of the recipient in the systems of the claimedof the joke additional to those reflected in the previous points I and II.FIFTH: On 11/19/2019, the Director of the Spanish Agency for the Protection ofData agreed to initiate a sanctioning procedure to the entity MIRACLIA, in accordance withthe provisions of article 58.2 of the RGPD, for the alleged violation of articles 13 and 14of the RGPD, typified in article 83.5.b) of the aforementioned Regulation; and for the alleged infringementof article 6 of the RGPD, typified in article 83.5.a) of the aforementioned Regulation;determining that the penalty that may correspond would amount to a total of 100,000.00euros (50,000.00 euros for each of the offenses charged), without prejudice to whatresult of the instruction.Likewise, for the purposes provided for in article 58.2.d) of the RGPD, in said agreementAt the beginning, it was warned that the imputed infractions, if confirmed, may lead to theimposition on the MIRACLIA entity of the obligation to adopt the necessary measures toadapt processing operations to the personal data protection regulationscarried out, the information offered to its clients and the procedure by which theThey give their consent for the collection and processing of their personal data;C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/61all this with the scope expressed in the Fundamentals of Law of the repeated agreement ofinitiation of the procedure and without prejudice to what results from the instruction.SIXTH: Once the aforementioned initiation agreement was notified, MIRACLIA presented a brief of allegations inthe one requesting the reduction of the sanction referred to in theinitiation of the procedure, taking into account the allegations made and the measuresimmediate adopted. It bases its claim on the following considerations:1. As a preliminary matter, the aforementioned entity notes that it has been the subject of severalsanctioning procedures in advance (due to the absence of consentonly), which are being reviewed before the Supreme Court, three of them alreadyformally admitted for processing and pending oral hearing. In these proceduresdiscusses MIRACLIA's position on the personal relationship between Prankster and Abromado alfacilitate a means of leisure between individuals, as well as the existence or not of personal dataand the legal basis of the treatment (the legitimate interest, depending on the entity), since otherwise theplaying a joke would not be possible. Accompany a copy of one of the resources ofCassation, which summarizes, according to MIRACLIA, their arguments.As a result of these cases, and the entry into force of the RGPD, it made a modification of itssystems to prevent data from being stored on MIRACLIA servers,moving away from the idea of ​​"processing personal data" and betting, according to theirdemonstrations, for being a means of communication such as a telephone line. It isan intermediary in a relationship between individuals, being the user who plays the joke theresponsible for the information. He is also the one who enters the phone.MIRACLIA indicates that it only provides security to the process, but is not able to identify theabbreviated or to link you with any other data; does not keep the phone to which thejoke does not associate it with the audio file, which is encrypted with a code. Add thatlocks the phone of the recipient of the prank when they request not to receive them, deletes therecording when requested and does not have lists of telephone numbers of abomados,listings of recordings or similar.It is something similar, says MIRACLIA, to what happens with Instagram or Twitter when an individualtakes a photo and uploads it to these social networks, which are not responsible for thesefacts and, at most, enable means to request the withdrawal of the content. Neithera company dedicated to sending surprise gifts has to request permission prior toaddressee. Otherwise, the activity would not be possible.2. In relation to the claim made by claimant 1, reiterates that the joke to thereferenced is not listed in the prank catalog of *** APP.1.Regarding the second claim, she states that the interested party did not contact the entity torequest the deletion of your data and that this request could be made from the momentsame of the call or later, when having the URL with the recording. AccordingMIRACLIA, this complaint shows that what is usually requested is the suppression of thejoke. In this case, almost three months elapsed, when on the same day you couldhave satisfied the right.3. About the tests carried out by the inspector:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/61- The recording is not materialized in an audio file with its correspondingURL until the calling user confirms that they have accepted the Terms andConditions a second time and generates the audio file.- Clearing jokes occurs when a DTMF tone is sent during thecall, that operators must guarantee its operation. Unfortunately inthe VoIP world (which is the technology with which operators provide the service ofsending phone calls from the servers of *** APPLICATION. 1), this does notthis is always the case depending on the path the call followed, which is behindof the instability that the system may have.- The usability of deleting after pressing is something that MIRACLIA considersintuitive because many messaging apps do it in the same way. It is alreadyof a smartphone usability standard.- The phone number for the programmed pranks is stuck with the call toperform. When this is done, it disappears from the systems. In any momentthe phone number and the recording are saved at the same time and place, withwhich is impossible that there is association between both data. The recording fileis generated when the joker accepts his generation, which only occurs when theThe call has ended and the abuser has not pressed the 5 key. If the joker does not acceptthe generation of the recording, there is no conversion of the audio into a file accessible viaURL and, therefore, not even the user could access the file. The audio would be a few bitsin temporary memory without generating a closed audio file.4. On the operation of the application: the information and legal basis that legitimizes thedata treatment.He questions that the information can be considered personal data, since MIRACLIA isunable to identify the abused in a simple way and without disproportionate means,from the mobile phone number or voice files (STS 2484/2019: “anatural person is not considered identifiable if such identification requires deadlines ordisproportionate activities ” ). In this case, the only one who can identify the abusedis the user and for MIRACLIA the recipient is anonymous.Regarding the duty of information, it states the following:MIRACLIA adopted additional measures to ensure information securityprocessed and that the phone number will be stored on the user's device and not on theservers of the entity. Initially, the abromado's phone was stored to facilitateany request for information from the affected party, although, according to MIRACLIA,irreversible encryption with sha-2 algorithm avoiding the use of the number for any actionthat was not to give that support, since it could only be recovered if someone (ex: the ownabromado) facilitated it.At the same time, an information note on the treatment of children was included at the end of the joke.data that, although it is true that the current locution does not report everything required in theArticle 14 of the RGPD, if it is indicated how to oppose the processing of the data and its deletion(He insists that he considers that he does not process personal data, but, "ad cautelam", informs andoffers guarantees).Likewise, in the privacy policy inserted on the web and in the Terms and Conditionsthe app reports the following:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/61“Miraclia does not collect data from the recipients of the jokes. Miraclia's activity is theto provide a means of telecommunications so that the owner of the phone being downloadedthe app, choose a joke and record it, leaving the data related to the recipient of the callstored in the user's own terminal without Miraclia keeping information on therecipient's phone number. Miraclia provides a storage service in thecloud of the client's audio files and at no time does it disseminate or share withnobody that information, since it is private information of the user of the application " .On the other hand, on the occasion of the present proceedings, the imputation madefor the first time in relation to information defects, has immediately proceeded to itscorrection by completing the information provided at the end of the prank conversationas follows:- That someone has played a joke to have a good time.- That for the same you have used the application *** APPLICATION.1 property ofMIRACLIA TELECOMUNICACIONES, SL- That to oppose said joke reaching the joker and to suppress it he canpress key 5.- You have more information by pressing key 1.And by pressing the 1 key, the detailed explanation is offered, also included on the web. Of thisThus, from the information that was not provided to the interested party, it has now included:- The identity of MIRACLIA- The contact details of the Data Protection Officer- The conservation period- The basis of legitimation- The exercise of the rights in full that, although those of opposition anddeletion (and also the access when requested) are now specifiedformally.This is layered information included at the end of the conversation, in the Terms andConditions of the app, on the entity's website and in the frequently asked questions section. Contributesthe detail corresponding to the information inserted in the "Frequently Asked Questions" sectionfrom the web:“12.- I don't want to receive any more jokes. What should I do?If you do not want any acquaintances to send you jokes again, just go toBlock my number and include the phone number. The phone number thatenter will be blocked on the platforms so that no one will ever be able tosend a joke from this application (or of course, any other type of action). TheNo. is stored encrypted in the systems, so that nobody can recover thatnumber for future use ”.“16.- How can I delete a joke?The jokes are erased by holding down your finger for a few seconds on the joke inquestion".He clarifies, then, that the foregoing does not imply his agreement with the infraction or with thesanction, but since this is not an aspect that has been neglected in bad faith or withIn order to avoid any compliance, “ad cautelam” is again included in aimmediate for its correction.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/61On the legal basis of the data processing, it states the following:Consent cannot be the legal basis for playing a joke because it iswould detract from the very act of joking or the surprise effect, as well asoccurs in countless cases, such as sending flowers or uploading photos of friends to networkssocial. In the latter case, the rights of suppression and opposition are guaranteed, but theresponsible for the social network does not request the consent of the people whose data isuploaded to it by other users.For this reason, MIRACLIA defends the origin of the legitimate interest as a basis for legitimationex article 6.1.f) of the RGPD. For these purposes, the corresponding test ofbalancing required, following the recommendations of the defunct Working Group of theArticle 29.Furthermore, it has been assessed that the legal basis is the execution of the contract between the user andMIRACLIA, but the abromado is not a party to that contract.For these purposes, it includes a report that justifies the origin of the legitimate interest asbasis that legitimizes the data processing and in which it concludes that, beyond casesspecific points in which the abused feels annoying (which are testimonial cases), there is norisk to people because all the security measures have been adopted toguarantee the safety of the process, because the erasure of the joke is guaranteed if theabromado requests it, the lock of your phone and because now it has also included thecomplete information.He adds that the recording of a conversation between individuals, when the person recording is oneof the participants in the conversation, it is not illegal, according to the Constitutional Courtin its judgment of November 29, 1984, STC 11/1984, when it establishes, among othersconsiderations that "Whoever records a conversation of others attentive, regardlessfrom any other consideration, to the right recognized in art. 18.3 CE; on the contrary, whorecord a conversation with another does not incur, by this fact alone, in conduct contrary to thecited constitutional provision " .In the case of *** APPLICATION.1, the calling party is aware of therecording of it. The user could record the conversation with a recorder, with theown mobile or using applications that record conversations. Instead usea medium (*** APPLICATION.1, which provides the service). That call occurs on adomestic environment between individuals to whom data protection legislation does notit affects.If MIRACLIA, as she had been doing until recently and now she takes up thispractice informs of the recording, it is providing greater guarantees (the abromadoYou can choose to erase the recording, erase it later, lock your phone and preventspreading the joke by the user)5. On the measures adopted and the graduation of the sanctionMIRACLIA emphasizes that the claims presented to the Agency represent anegligible percentage (0.00002%), compared to the hundreds of users who have served throughC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 9
9/61in different ways (web, final speech after the call and customer service); whathas corrected the lack of information by completing the terms provided in article 14of the RGPD, although it considers essential that it did offer the possibility of opposing anddeletion of data; and that the proposed sanction would force the closure of the company, forhow much it represents 25% of its turnover, which amounted to 476,000 euros in 2018,in which there were losses.It requests a downward revision of the proposed sanction and, for this purpose, considers that it mustthe following should be taken into account:. That we are in a leisure environment that does not harm the abused, nor does itmisuses your personal data.. The only data at stake is the telephone number, which MIRACLIA does not keep and a recordingthat only the user can generate and distribute, which the entity cannot join by notno file exist with phone and recording.. That the intention has always been to comply with the standard, guarantee the security of the data andminimize the information.. That it has never stopped responding to deletion requests.. Until the present proceeding, the infringement has focused exclusively on theabsence of consent, without the imputation for breach of article 14, which seemsexcessive considering that it has been reporting and has proceeded to its correction.. It has been willing to cooperate with the Agency at all times and has facilitated theinformation that has been requested.. In the process being analyzed, the abromado is always chosen by the user of theapplication, who is responsible for making good use of it.. That the question about the legal basis of the treatment is being discussed in the CourtSupreme Court, who will decide if the treatment is anonymous for the entity, if thesecurity guarantees and if it is a means that individuals use in their lifeprivate.MIRACLIA provides a copy of one of the appeals filed before theSupreme Court in 2019, which is based on the following reasons:1. Play a joke through an application or a medium in which the user issovereign of the information that is provided is an act developed in the domestic orpersonal and therefore is excluded from the scope of protection of the regulations ofData Protection.2. The voice is not a personal data if it does not allow to identify its owner or if it is necessarymake disproportionate efforts to identify it.3. The legal basis for data processing (if it is estimated that we are dealing with datapersonal) by an application that provides a means of leisure in the personal fieldor people's domestic is based is legitimate interest.SEVENTH: On the other hand, through the “Internal Market Information System” (assuccessive IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of theCouncil, of October 25, 2012 (IMI Regulation), whose objective is to promote thecross-border administrative cooperation, mutual assistance between Member States andthe exchange of information was received in this Spanish Agency for Data Protection(AEPD) a claim dated 07/17/2019, made by an interested party before the authoritySlovenian Data Protection Officer (Information Commissioner). The transfer of thisclaim to the AEPD is made in accordance with the provisions of article 56 of theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 10
10/61RGPD, taking into account its cross-border nature and that this Agency is competentto act as the primary supervisory authority.The aforementioned claim is made against the entity MIRACLIA, with registered office andunique establishment in Spain, in relation to the mobile application for Adroidcalled “*** APPLICATION.1”, which allows users to make jokestelephone calls to third parties. The user selects a joke and a "victim", who is contactedby phone by MIRACLIA from your own system through a hidden number(prank call), making a recording of the conversation that is put intoavailable to the application user.The claim reveals a possible violation of the regulations ofprotection of personal data, considering that the interested party is not informed about therecording of the prank call and there is no possibility for him to exercise theright of erasure. It is also noted that the application itself describes theconflicting elements.The data processing carried out affects interested parties in variousMember states. According to the information incorporated into the IMI System, in accordancewith the provisions of article 60 of the RGPD, they have declared themselves interested in thisprocedure the control authorities of Belgium, Greece, Cyprus, Denmark, Saxony,Norway, Sweden, France, Hungary, Poland, Berlin, Lower Saxony, Slovakia, Ireland andMecklenburg-Western Pomerania.In view of the facts presented, the General Subdirectorate for Data Inspectionproceeded to carry out actions for its clarification, under the powers ofinvestigation granted to the control authorities in article 57.1 of the RGPD:. On 12/02/19 it is verified that through the link *** LINK.1 , it can be changedthe country in which the application operates. These countries include bothto the European Union (Austria, Belgium, Germany, etc.) and outside it (China, UnitedStates, Argentina, Brazil, South Korea, etc.). It is also verified that the terms andTerms of use of the service are written in Spanish, Italian, French, English andGerman.. On 12/03/2019 a new installation of the application is carried out, verifying thatIn the process, it does not give the option to configure another country or another language, although the terms andTerms of use of the service are written in Spanish, Italian, French, English andGerman the same as those that can be accessed online.By the acting inspection, the documents are incorporated into the proceedingscalled "Terms and conditions of use of the service" and "Privacy Policy". Inthe latter indicates the following:"1. INTRODUCTIONThis privacy policy applies to information that we may obtain from or aboutyou when you use the mobile application *** APPLICATION.1 (the “Mobile APP” or the “Service”) ”.“Miraclia does not collect data from the recipients of the jokes. Miraclia's activity is theto provide a means of telecommunications so that the owner of the phone being downloadedC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 11
11/61the app, choose a joke and record it, leaving the data related to the recipient of the callstored in the user's own terminal without Miraclia keeping information on therecipient's phone number. Miraclia provides a storage service in thecloud of the client's audio files and at no time does it disseminate or share withnobody that information, since it is private information of the user of the application " .Likewise, the aforementioned Inspection Services conducted a test consisting ofdownload the application on a mobile terminal. It is verified that during theinstallation the user receives the same text reproduced above about the non-collectionof data of the recipients of the jokes and, among others, the following message:Read these legal Terms and Conditions in detail and click accept if you are over 18years and you accept all of the stipulations. Otherwise, quit the app andremove it from the terminal. Remember, in case you record a joke and share it with your friends,It is because you have requested permission from the person who received the joke and they gave it to you.You are solely responsible for this action ”.Immediately after this text there is a button with the indication"Continue" .On the other hand, the Inspection Services recorded in their report the resultof the investigation actions that gave rise to the reference procedure and theindicated with the number E / 02003/2018, in which a functional test was carried outof the system used by the claimed.EIGHTH: Considering the cross-border nature of this claim, dated03/03/2020, a draft agreement was issued to initiate the sanctioning procedure, which wassubsequently transmitted (03/13/2020) through the IMI System to the control authoritiesinterested parties (they are outlined in said draft start-up agreement, which wasduly notified to that entity on 03/12/2020), without any of them havingraised objections to said project within four weeks of the consultation,It is understood, therefore, that there is an agreement on it.The complaint forwarded by the Slovenian data protection authority issimilar in scope and purpose to those that gave rise to this sanctioning procedure,all of them related to the mobile application for Android called"*** APPLICATION.1". For this reason, the draft initiation agreement transmitted to theinterested authorities through IMI, formalized for the sole purpose of complying with the procedureprovided for in the RGPD and LOPDGDD (articles 60 and 64, respectively), included the samealleged infractions and the same amount of sanction that were set in the agreement ofopening of this procedure.This being the case, and taking into account that the present sanctioning procedure hasas object the analysis of the operation of the application of jokes "*** APPLICATION.1",from the point of view of the protection of personal data, globally considered, and notthe specific action of MIRACLIA in relation to specific claimants,understands that there is no formal opening of a new sanctioning procedure based onthe claim forwarded by the Slovenian data protection authority that couldgive rise to a double sanction for the same infractions, for which it was agreedincorporation to this sanctioning procedure, to resolve in a single act according toC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 12
12/61proceed in law. Likewise, it was ordered that this procedure continue its processingaccording to the cooperation mechanism contemplated in article 60 of the RGPD.NINTH: On 07/14/2020, the General Subdirectorate for Data InspectionAccess the information available on the MIRACLIA entity in “Axesor”. On said websitethere is a turnover in 2018, the last year presented, of 475,823euros and a result for the year of -7,364 euros. Likewise, it is indicated that it is amicroenterprise, with 2 employees.According to the information contained in the Central Mercantile Registry, the "Subscribed Capital"amounts to 6,000 eurosTENTH: On 07/24/2020, a resolution proposal was issued as follows:1. That the Director of the AEPD sanction the entity MIRACLIA, for an infractionof articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as veryserious for the purposes of prescription in article 72.h) of the LOPDGDD, with a fine foramount of 20,000 euros (twenty thousand euros).2. That the Director of the AEPD sanction the entity MIRACLIA, for an infractionof article 6 of the RGPD, typified in article 83.5.a) and classified as very serious toprescription effects in article 72.1.b) of the LOPDGDD, with a fine in the amount of20,000 euros (twenty thousand euros).3. That the Director of the AEPD requires the entity MIRACLIA so that, within the termthat is determined, adapts the operations to the personal data protection regulationstreatment carried out, the information offered to its clients and the procedurethrough which they must give their consent for the collection and treatmentof your personal data, with the scope expressed in Law Foundation XI of themotion for a resolution. Such adaptation should be implemented equally in all countriesof the European Economic Area in which MIRACLIA operates through the application"*** APPLICATION.1".The MIRACLIA entity was notified of the aforementioned resolution proposal, dated08/03/2020, this Agency received a written allegation requesting the file ofactions based on the following considerations:A. What MIRACLIA calls “Technical Facts”:MIRACLIA is a telecommunications company that operates a service called"*** APPLICATION.1", which is subject to the regulation of " communications serviceelectronic interpersonal based on numbering ”.In this regard, note that the service "*** APPLICATION.1" is in a scenariotechnical and data processing different from that presented in previous actions of theAgency and Ordinary Justice. In fact, the current service scenario on the datesof complaints are subject to the version of the service that has been audited by an engineerin telecommunications collegiate (provides a copy of the corresponding report) of whichdraw the following conclusions or "Final Opinion":C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 13
13/61"1. The numbering-based electronic interpersonal communications service"*** APPLICATION.1" meets the attributes and characteristics defined in the Directive (EU)2018/1972 establishing the European Code of Electronic Communications(CECE), which allow it to be classified as an electronic communications servicenumber-based interpersonal relationships, as defined in article 2 (paragraphs 5 and6) of it.2. The regulatory framework applicable to electronic communications services makesa clear distinction between content production, which implies responsibilityeditorial, and the transmission of content, which does not imply any responsibilityeditorial (Article 2 paragraph 4 of the CECE and judgments of the Court of Justice (ChamberFourth) of June 5, 2019 and June 13, 2019) of the Court of Justice of theEU (CJEU).3. The user of the interpersonal electronic communications service based onnumbering “*** APPLICATION.1” (person who initiates the transmission) determines the wayunilaterally the recipient of the same, on which there is no condition thatrequire that you be a user of the “*** APPLICATION.1” service but rather that you are a recipientfreely chosen by the former based on public numbering resources and onwhose data, of public access and known by the user, does not carry out treatmentsome "*** APPLICATION.1".4. From the moment the electronic communications service beginsinterpersonal based on numbering, “*** APPLICATION.1” is limited to facilitatingphysical means, own or of third parties, for the transmission of the signal between who initiatesthe transmission and the recipient of the same chosen by him, fulfilling the requirementsquality, privacy, security and transparency included in the aforementioned directive.5. “*** APPLICATION.1” does not record the conversation. The recordings aremade by the user who has contracted the service "*** APPLICATION.1" (personthat initiates the transmission) in a private domain exclusively assigned to saiduser (in the cloud by assigning a private URL) who, as part ofyour right for your participation in the edition of the same and by accepting the conditionsof use of “*** APPLICATION.1”, you decide unilaterally to record them for your personal use.6. “*** APPLICATION.1” does not retain data of the final recipient except those that,As a minimum, it allows you to comply with the provisions of the regulations ondata retention and provide the service to the user thereof. That is, the Directive2006/24 / CE on the conservation of data generated or processed in relation to theprovision of electronic communications services, transposed in Spain by theLaw 25/2007.7. “*** APPLICATION.1” offers the possibility that people or entities, who bymake use of networks hosted by public numbering resources can be chosenas recipients of transmissions by users of “*** APPLICATION.1”, they canrequest their inclusion in a “black list” to inhibit the reception of communicationselectronic through the service "*** APPLICATION.1".8. In accordance with the provisions of Recital 173 and Article 95 of theRGPD, which establishes that said Regulation will not impose additional obligations onC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 14
14/61natural or legal persons in the matter of treatment in the framework of the provisionof public electronic communications services in public networks ofcommunication in areas where they are subject to specific obligations to thesame objective established in Directive 2002/58 / CE ”(Directive on privacy andelectronic communications). In this sense, it is important to bear in mind theestablished in Recital 34 of Directive 2002/58 / EC: “It is necessary, therefore,Regarding the identification of the line of origin, protect the rights of the interlocutormaking the call to reserve the identification of the line from which it issaid call and the right of the called party to reject calls fromunidentified lines. " Therefore, the right of the user who startsthe transmission (joker) of not presenting his telephone number to communicate it to therecipient, since, first, user and recipient make use of public resources ofnumbering and transmission is done through public communications networkselectronic and, secondly, it is necessary, as regards the identification of the lineorigin, protect the right of the party making the call to reserve the right toidentification of the line from which the call is made and the right of the interlocutorcall to reject calls from unidentified lines (Considering 34Directive 2002/58 / EC) ” .B. What MIRALCIA calls the “Regulatory framework”:1) At the service of interpersonal communications based on numbering(“*** APPLICATION.1”), the considerations described in article 95 of theRGPD (“ This Regulation will not impose additional obligations on personsphysical or legal in matters of treatment. within the framework of the provision of servicespublic electronic communications in public communication networks of the Union inareas in which they are subject to specific obligations with the same objectiveestablished in Directive 2002/58 / CE ”).2) MIRACLIA does not process the data at any time for the reasonsfollowing:to. These cases are outside the scope of regulation of the RGPD based on theConsidering 18 and article 2.2.c) of the RGPD, for referring to data processingcarried out by a natural person in the exercise of activities exclusivelypersonal or domestic.b. The only person responsible for the treatment is the user of "*** APPLICATION.1" and notMIRACLIA. The user directly performs the treatment because it is the person who,freely, do the necessary editing for the joke act (edit the joke tospend; enter the abomado's phone number and press the call button;decides whether to generate the file with the recording of the joke and, therefore, the URL of theitself, which is personal and only known to the user). Also, it's always your ownuser who spreads the joke in their particular environment.MIRACLIA only intervenes to provide the electronic communications serviceinterpersonal based on numbering, which the user of the service has contracted.Based on this, he proposes that the Agency go to the pranksters with the same actionsanctioning than against MIRACLIA.c. During the entire joke process, the user of the application and responsible for theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 15
15/61treatment does not obtain any economic benefit, so theRecital 18 of the RGPD and article 2.2.c) cited.3) Cite “examples” of other companies that provide electronic communications servicesbased on numbering and on which, according to MIRACLIA, theSpanish Data Protection Agency has not carried out any type of investigation orinspection for similar reasons, in which the communications service provideris never responsible (user of a telephone operator who calls an acquaintance andinsults occur in communication; or calling a public or private center towarn about the existence of a bomb; a computer attack in which the virus uses thecommunication networks and storage of digital information to infect other people;using an application to hold a meeting by video conference between subscriberswith public numbering, which allows the administrator to make a recording of it;the interpersonal electronic communications service of “ Burovoz” ( *** URL.1 ), whichallows its users to record telephone conversations between a user of the service andanother person, who is not a user of the “ Burovoz” service , but has a number ofpublic numbering system phone . The operation of this service isexactly the same as “*** APPLICATION.1” and not only is it 100% legal but itsrecordings have been and are fully valid when presented as evidence in ajudicial process in Spain.4) On the subject of recordings of phone calls made by usersof “*** APPLICATION.1”, Judgment No. 114/1984, of November 29, issued by the ChamberSecond of the Constitutional Court establishes that “ Whoever records a conversation of othersattentive, regardless of any other consideration, to the right recognized in art.18.3 CE; on the contrary, whoever records a conversation with another does not incur, for this alonefact, in conduct contrary to the cited constitutional precept. »5) Article 20 of the Spanish Constitution collects and protects the rights to: “ To theliterary, artistic, scientific and technical production and creation. " , framed all of them insideof the right to freedom of expression held by all Spanish citizens ingeneral and the user of “*** APPLICATION.1”.6) In its final considerations, it adds that compliance with the withholding obligationof data imposed by Law 25/2007 has allowed the entity to serve effectively andwithin the times set by the RGPD to the rights of access, rectification andcancellation requested by multiple recipients of the jokes, as well as the Forces andState Security Bodies for investigations of possible crimes.C. In relation to the complaints outlined in the Background of this resolution, it indicatesthe next:1. The complaint made by claimant 1 should not have been admitted for processing due to the followingreasons:a) The claimant refers to an identity theft by a police officer.b) The claimant did not contact MIRACLIA to request the exercise of the rightsARCOPOL.c) It is very likely that the claimant suffered a joke from some other service of thecompetition, for which it requests the Agency to require the operators ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 16
16/61telecommunications the extract of calls received in the abomado number.d) On 10/30/2018, the claimant received a letter from MIRACLIA statingnotified him that "*** APPLICATION.1" did not have in its catalog any joke similar to the onedescribed by him and he was asked to provide the URL of that recording for itscancellation, if outside the "*** APPLICATION.1" service. The claimant did not provide this information, forwhat it is understood that the exercise of rights was sufficiently provided.e) We observe in the dossier of the file that the complainant provides a recording ofWhatsApp. However, "*** APPLICATION.1" never sends the content of thepranks, since they can only be heard in the user's own application.In addition, the files of the recordings of the jokes that users candownload to your device have a filename that looks nothing like the onecontributes as proof. With which it can be deduced that there may have been an act ofmodification and the test should be invalidated at that time.f) It is the intention of this company to study the possibility of filing a criminal complaintagainst this man for false denunciation and damages to the honor of the company.g) For all this, and since MIRACLIA has always agreed to solve the rights of theusers, requests the Agency to archive this matter since it responded to the request foraccess to your data and considering that, with the information available, the joke did not startfrom a user of “*** APPLICATION.1”.2. MIRACLIA also considers that the claim should also have been inadmissiblefiled by claimant 2 for the following circumstances:a) The abused person knows perfectly the person or people joking, sothat he should have filed the lawsuit against them and not against MIRACLIA, which does notdata processing of the abromado.b) It is false that the person overjoyed received a call at 3:30 in the morning,since none of the jokes of “*** APPLICATION.1” can be celebrated at those timeslocal. In addition, "*** APPLICATION.1", as an electronic communications servicenumber-based interpersonal, never make calls to any recipient onceThe joke has occurred, since that is something that can only be done by the user of theapplication.c) The claimant did not contact MIRACLIA to request the exercise of theARCOPOL rights.d) It is also false that once the right of access "*** APPLICATION.1"keep sending emails. “*** APPLICATION.1” has never committed such practices or thecommit.D. Regarding the proven facts, MIRACLIA makes the following considerations:. Proven Fact 1: MIRACLIA owns an electronic communications serviceinterpersonal based on numbering accessed through an applicationcalled “*** APPLICATION.1”. There is a website with the same name,"*** APPLICATION.1", as a commercial information service and customer service that does notIt is part of the electronic communications service provided by MIRACLIA nor has it beenobject of complaint.. Proven Fact 2: By virtue of the provisions of article 95 of the RGPD, theinterpersonal electronic communications services based on public resources fromnumbering that identifies the manager of the call or the owner of the platform or thatindicate where to obtain information on the call or on the exercise of rights. HowC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 17
17/61It has been said "*** APPLICATION.1" is an application to access a serviceinterpersonal electronic communications, reserving the user of the same the rightor not to identify himself and personally record said call.. Proven Fact 4: The reference to hosting jokes on a public site iswrong. Access to the audio is done through a token-based URL as shownused in thousands of private access websites (eg, the package tracking website of acourier service or a multitude of public services for the payment of fines). The URL to thementioned by the inspector is generated automatically on the server, so that whennot be a fixed or static URL can only be accessible by the user of the serviceinterpersonal electronic communications based on public resources whose name is"*** APPLICATION.1". Only the originator of the joke and the recipient have access to this URLof the same if the issuer of the joke wants to do it (it is their responsibility).. Proven Fact 5: this proven fact indicates that through the link*** LINK.1 , you can change the country in which the application operates. However,does not know how the Agency has accessed that pre-production platform that is atest prototype that has never run in production and therefore has nevercould be used by an end user as an electronic communications system. TheThe purpose of this prototype was to offer the electronic communications service inmultiplatform mode, such as Skype, which can be used with an app oron a computer regardless of its Operating System.. Proven Fact 9: No joke appears in any MIRACLIA joke catalogimpersonating any body or person, much less the Police. There are manyother prank services that besides copying the MIRACLIA catalog, it is likely thathave introduced any that impersonate the Police, but MIRACLIA does not know.E. In response to the considerations contained in Law Foundation IV, referred toto the definition of personal or domestic data processing, MIRACLIA carries outthe following statements:. The conversation that takes place for the provision of a service is personal or domestic.electronic interpersonal communications based on numbering. The data fromnumbering are public resources on which an operator does not perform treatment. Theuser of said service and on which treatment is made is who registers in theyourself and choose the recipient of the call based on those public resources. It is saiduser who records the call using complementary tools to the servicebasic electronic communications. The references cited from the CJEU do not refer to thecase of this type of services.In addition, it is the user who freely and sovereignly decides who directs the jokewithin your known contacts or family or friends.. The declaration of the Court of Justice on the aforementioned is not valid for “*** APPLICATION.1”concept, contained in the Judgment of 07/10/2018, according to which “it will not proceed to considerthat an activity is exclusively personal or domestic when it is intended to allowto an undetermined number of people access to personal data or when the activityextends, even in part, to public space and is therefore directed towards theoutside the private sphere of the person who proceeds to process the data ”. Thepurpose of the service is to establish an electronic communication initiated by the joker,who decides to record it and have access to their private recording. Sharing it in your circleprivate is up to the joker, who in the T & Cs is warned that they can break rulesregulatory according to the treatment you make of that data (yours private). The object ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 18
18/61service is not in any case indiscriminately sharing the recording.. The proposal indicates that “ MIRACLIA's action is essential given that, without itscontest, data processing would not be possible since it is carried out in the process.MIRACLIA provides the means to make the call, facilitates the means to choose a joke, andit provides the means to record and store a joke . " In this regard, MIRACLIA states thatit is logical that it should be this way, since it has defined "*** APPLICATION.1" as aelectronic interpersonal communications service based on numbering with thatfunctionality and must be governed in everything related to it as described in the rules ofcurrent regulation (Directive (EU) 2018/1972 establishing the European Code ofElectronic Communications (CECE), as defined in article 2, sections 5 and 6, of theherself.F. The constitutional principle by the fact itself“This principle has been called« personal responsibility », which implies that onlyYou can make a person responsible for their own actions, that is, not a thingnot an animal. "*** URL.2Following this principle and delving into what concerns us helps us to show that*** APPLICATION.1 ”as an interpersonal electronic communications service basedin numbering cannot bear any responsibility for the act committed by theuser of “*** APPLICATION.1”, in the same way that it can never be requestedliability to a pistol manufacturer for the act committed by a person doingmisuse of said gun.G. Other final considerations. That the URLs that the abomination may receive from the jokers, once thecall recording, they are NOT public URLs. The URLs generated by the server softwarefor the user of “*** APPLICATION.1” are private and cannot be indexed by theSearch engine spiders, like Google, Bing or Yahoo.. That the Agency take into account File No.: TD / 00007/2017, in which thecase of a person overwhelmed by the Radio4G station and the live broadcast and the entireaudience of radio4G and that ends in the archive of the performances.. Everything stated in this writing is endorsed so much in the technical audit that nowis in the visa phase by the COIT (Official College of Engineers ofTelecommunications) and in the conditions of use that the user accepts before being able touse the platform.Finally, he requests a face-to-face hearing procedure to clarify before theinstructors / inspectors of the Agency the points exposed and warns that, in case of notsee their interests taken care of, reserves the right to go to other higher instancesand / or judicial in Spain and in Europe.With your statement of allegations, you provide a copy of the report corresponding to the auditreferred technique, carried out by a telecommunications engineer on 07/29/2020.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 19
19/61This report is divided into four sections:. Objectives and methodology of the work.. Description of the service "*** APPLICATION.1". Audit results. Final opinion.As indicated, it is based on personal interviews, practical tests of execution of“*** APPLICATION.1” on two mobile devices and testing toolsediting, recording and metadatation of the content of the messages, although it does not provide detailson the development of these tests, limiting himself to listing a series of findings.In the “Audit Result” section, the following is indicated:“Regarding the specific analysis of the service“ *** APPLICATION.1 ”it has been possibleverify the following facts:a) Only a user registered in the service can start the conversation"*** APPLICATION.1".b) The user of the service “*** APPLICATION.1” is the only participant in the process thatyou can freely determine the recipient of the conversationc) To determine the recipient of the conversation, use of resources frompublic numbering.d) It is not required, nor is such circumstance verified or proven by any means, that theRecipient of the conversation is a user of the “*** APPLICATION.1” service.e) Once the connection between the user of "*** APPLICATION.1" and the recipient is establishedconversation allows the direct exchange of interpersonal information throughof electronic communications networks between both people.f) “*** APPLICATION.1” offers the user who hires said service a set of templatespreset for editing a voice message.g) The user who hires the service "*** APPLICATION.1" is the one who freely chooses between thesame to determine the content of the message to be transmitted.h) The recording is made in a personal and private domain exclusively assigned to theuser of the “*** APPLICATION.1” service (person who initiates the transmission), as a servicethat lends “*** APPLICATION.1” to the user in the cloud on their own premises.i) The recording domain offered by “*** APLICACIÓN.1” to the user of said service isa private and secure domain.j) The final decision on whether or not to make the recording of the message in your domainprivate resides exclusively in the user of the service "*** APPLICATION.1".k) “*** APPLICATION.1” offers the user who hires said service a set ofinteractive metadatation tools to perform on possible actions on theedited message.l) “*** APPLICATION.1” offers to any person or entity that is part of a plan ofuse of public numbering resources the possibility of joining “black lists”, tono longer receive calls from users of “*** APPLICATION.1”.m) In fact, certain numbers in the public numbering plan are included bydefect in said "black list" (091, 061, 112, 092, etc.).n) "*** APPLICATION.1" provides the physical means, own or third parties, for the transmissionof the signal between who initiates the transmission and the recipient of the same that you have chosen.o) “*** APPLICATION.1” does not retain data of the final recipient except those that, withminimum character, allows you to comply with the provisions of the regulations on retention ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 20
20/61data ” .In the section before the one indicated, the label as "Description of the service*** APPLICATION.1 ”, the information provided by MIRACLIA to the audit engineer is reviewed,that literally matches the “facts” that are detailed as a result of the audit.The aforementioned report includes an Annex II, relative to the “Starting premises and regulationsreference". This Annex refers to the definition of communication serviceinterpersonal electronics introduced by the European Code of Electronic Communications(CECE), which are those who experience the exchange of interpersonal information andinteractively through electronic communications networks between a finite number ofpeople, in which the people who initiate or participate in the communication determine theirrecipients, and add the following:"In the conditions of use of the application *** APPLICATION.1 in article 6 it is indicated that“As with any telecommunications service, it is illegal to use the services of*** APPLICATION.1 for the purpose of harassing or harming anyone ”. There is therefore acontractual declaration that *** APPLICATION.1 is a service subject to the regulation oftelecommunications and, therefore, an implicit recognition that it is a telecommunications serviceelectronic communications in such case ” .In view of all the actions, by the Spanish Agency for the Protection ofData in this procedure are considered the following,PROVEN FACTS1. The MIRACLIA entity is the owner of the mobile application and web service called" *** APPLICATION.1 ". This application allows users to perform prankstelephone calls to third parties. The user selects a joke and a "victim", who is contactedby phone by MIRACLIA from your own system through a hidden number(prank call), making a recording of the conversation that is put intoavailable to the application user.The use of the aforementioned mobile application and web services is regulated in the document called"Terms and Conditions of Use of the Service" , which is declared reproduced in this act atevidential effects. From the content of this document, the following should be highlighted:<< By using the Service, you will be bound by the Terms of Use and the Privacy PolicyPrivacy, expressly accepting its compliance and entering into force a legal contractbinding on us ... if you do not agree to these Terms of Use and / orPrivacy Policy we recommend that you uninstall the application from your terminal.3. Definition of the service*** APPLICATION.1 is an application that allows the user to send jokes consisting ofan audio file pre-recorded via telephone to the destination selected by the user. Theuser can select from a list of jokes and indicate both the destination linesuch as the time you want the recipient to receive the joke. Once theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 21
21/61joke, the application has the functionality to share and record the audio file (in"Recording" below), notwithstanding which, it will be an essential requirement that the userhave the express consent of the person who received the joke to be able toobtain it and later make use of it.(…)NOTE: Since the personal data of the recipient of the call is storedonly and exclusively in the terminal of the user of the application (client), in casethis deletes the application on your terminal or deletes the data associated with it on your terminal,it may stop working in the sense that this deleted information disappears from thesame.(…)5. Payment servicesUsing the application may incur a cost ...The amounts purchased will expire after 6 months without using the application. At that moment,the user's content may be deleted.6. Use of the services offeredThrough these Terms and Conditions of Use of the Service, the User contractswith MIRACLIA a leisure and entertainment service that allows the User to send jokesphone calls to a recipient and then play, download or share the joke.By accepting these Terms and Conditions of Use of the Service, the Userof *** APPLICATION.1 assumes the following responsibilities:(…)b) Share and record jokesThe User, as the owner of the recording, is fully responsible for obtaining theexpress and unequivocal consent of the person who has received the joke, for therecording and dissemination of it.The laws allow the recording of any telephone conversation as long as it is countedwith the consent of at least one of the two parties involved in it. AUser may not download a Recording without obtaining the prior consent of therecipient of the same. The operation of the Service avoids that aRecording if the user of *** APPLICATION.1 does not expressly accept such precondition.In order to share jokes publicly, the Service requires that the person whoshare the joke has obtained permission to do so from all participants in thecall. MIRACLIA is not responsible for the consequences of non-compliance with theObtaining the necessary consents to share the Recording, falling onhim the obligation to indemnify third parties or MIRACLIA from any claim derivedof your actions.(…)8. Limitation of responsibilitiesResponsibilities of MIRACLIA:MIRACLIA acts solely as an intermediary between the sender and the receiver of the joke.MIRACLIA does not decide at any time about the purpose, content and use of the treatmentof the recording and therefore cannot be held responsible for it.(…)If the recipient of the joke (as the owner of the data and exercising their right to object orcancellation) or the originator of the joke (as the owner of the recording) requestMIRACLIA cancellation of the recording, automatically the recording is deleted from theservers that provide service to MIRACLIA.However, prior to the exercise of the right of opposition or cancellation by thereceiver, the joke has been able to be downloaded to the User's device, leavingC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 22
22/61said recording outside the scope of MIRACLIA and, therefore, the entity does notis responsible for the use, disclosure, modification that the User makes of it.(…)9. Data protectionWe have established a Privacy Policy to explain how we collect and useinformation about you (the user) … >>.2. The Agency's Inspection Services, dated September 6, 9 and 12, 2019,carried out tests consisting of downloading the application on a mobile terminal andproceed to use it by arranging for prank calls. As a result ofThese actions obtained the following findings:. During the installation process the user receives, among others, the following messages:Read these legal Terms and Conditions in detail and click accept if you are over 18years and you accept all of the stipulations. Otherwise, quit the app andremove it from the terminal. Remember, in case you record a joke and share it with your friends,it is because you have requested permission from the person who received the joke and they have given it to you.You are solely responsible for this action ” .“Miraclia does not collect data from the recipients of the jokes. Miraclia's activity is theto provide a means of telecommunications so that the owner of the phone being downloadedthe app, choose a joke and record it, leaving the data related to the recipient of the callstored in the user's own terminal without Miraclia keeping information on therecipient's phone number. Miraclia provides a storage service in thecloud of the client's audio files and at no time does it disseminate or share withnobody that information, since it is private information of the user of the application ” (thisparagraph is also included in the privacy policy).Immediately after these texts there is a button with the indication "Continue".. The application “*** APPLICATION.1” consists of 3 tabs: “List” (jokes available),"Examples" and "My jokes." In this last tab the jokes made bythe joker, if they are not eliminated.. The phone number of the prank incoming call is listed as "Private Number" inall cases.. In the version installed for testing, the latest available in the app storeFor Android “Play Store” operating systems, the joker has no option to choose whether thejoke is recorded or not. The joke is always recorded, unless the receiverdecide to delete it by following one of the procedures established for it. If this notoccurs, the recording remains on MIRACLIA's systems until the joker decideseliminate it or, as a general rule, for a period of 6 months after the use ofthe application, established by the entity itself.. At no time during the phone conversation is the application identified*** APPLICATION. 1 as a call manager or to the developer company MIRACLIAas the owner of the platform. Therefore, the receiver of the joke does not know whereYou should go to get more information about the call or to exercise your rights.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 23
23/61. At no time is the person joking.. Nor is it reported at any time during the development of the joke that theconversation is being or may be recorded.. It is verified that at the end of the joke the following phrase is heard: "A friend of hishas played a joke. In case you don't want your friend to be able to listen, downloador spread the joke, or in case you don't want to receive any more jokes, press 5 on your keyboardafter the signal. Beeep "From the end of the joke until the announcement occurs, a period of10 second quiet time.. The "erasure" of the prank recording and the disqualification to continue receiving prankspressing the 5 key after hearing the signal indicated in the final speech, has been unstablein the tests carried out. On one occasion when the 5 key was pressed before the signal andanother later, the mechanism failed; on two other occasions when it was pressed only onceafter the signal, it was successfully removed. It was found that there is no confirmationjoke erasure simply after about 10 secondsfrom the indicated signal to press key 5, communication is cut off.In cases where the removal worked correctly, the joke disappears from the listof jokes made by the joker, and therefore cannot be shared, downloaded orheard. It has also been found that the phone number was blocked for thereceiving more jokes.. In the list of jokes made by the joker, next to each of the jokes noeliminated by the receiver of the joke following the indicated procedure, threeicons: one to download the audio file of the recording of the telephone conversationof the joke, another to listen to it and a third to share it. In the latter case,sends the link to the audio file of the recording via the chosen mediumto share it. This is the only time the joker knows the link to the fileaudio.. In the event that the joker presses his finger on a certain joke from thelist of jokes performed, a pop-up window appears offering the possibility ofdelete the audio file from MIRACLIA systems, but this action is not asintuitive like the previous three as it lacks a specific icon.. Saved jokes include the destination phone number, joke type, date andtime of completion.. Uninstalled the application and reinstalled again, it is observed that the phone numbersdestination of the jokes made appear as "?????????", which suggests thatThis data is stored locally, and not on MIRACLIA's servers.. Prank calls can be instant or scheduled by specifying date andexecution time. In this case, the recipient's phone is stored in thethe entity MIRACLIA until the moment of making the call. In this regard, MIRACLIAC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 24
24/61has stated in its submissions that the phone number to which the joke is addressed isqueued with the call to be made, which disappears from their systems when the callis done.The acting inspector programmed a joke on his terminal for deferred execution alreadythen said terminal was turned off. The call was made at the scheduled time,which turns out that the phone was stored in the MIRACLIA systems untiltime to run the joke (minutes, hours, days or months). There are only two options for deleting the recording: that the joker follows theerasure procedure described from the application; or request it from MIRACLIA,difficult question for the affected person considering that it is not revealed in anymoment who manages the call, nor the company responsible for it. In addition, forThe affected person will need to know the link to the audio file and does not have thisinformation, unless the user provides it (you can eliminate the joke knowing theurl of the recording and using the mechanism enabled on the web together with the request forphone line number blocking).3. MIRACLIA offers on its website "*** APLICACIÓN.1.es" a free and immediate system toinclude a phone number in the list of blocked phones.Due to the active inspection, a test was carried out by registering the numbernumber corresponding to the second SIM of the acting inspector's terminal.Subsequently, a prank was attempted on that phone number and the application did notallowed its execution.4. MIRACLIA does not have a platform where jokes made are publishedso that any third party can access, but the recordings of the jokes areare housed in a public site, which enables access to them through thelink to the audio file, which can be broadcast indiscriminately by the userjoker.5. On 12/02/19 it is verified that through the link *** LINK.1 , it can be changedthe country in which the application operates. These countries include bothto the European Union (Austria, Belgium, Germany, etc.) and outside it (China, UnitedStates, Argentina, Brazil, South Korea, etc.). It is also verified that the terms andTerms of use of the service are written in Spanish, Italian, French, English andGerman.6. On 12/03/2019 an installation of the application was carried out, verifying that theThe process does not give the option to configure another country or another language, although the terms and conditionsof use of the service are written in Spanish, Italian, French, English and German, theThe same languages ​​that are available when accessing the web over the Internet.7. Claimant 1 has stated that, on *** DATE.1 , he received on his line ofmobile phone *** PHONE. 1 a prank call through the app"*** APPLICATION.1", in which a person pretended to be a police officer. Denounce that thecall was recorded and disseminated to third parties without their knowledge or consent; and that thecall occurs from a hidden number.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 25
25/618. Claimant 2 has stated that, on *** DATE.2, she was the subject of a callprank phone call carried out using the application “*** APPLICATION.1”, which wasrecorded and disseminated by social networks with the mention of his name without his permission (providesthe link to the audio object of the complaint " *** LINK.1 ")On 08/26/2019, the Inspection Services access the web"*** APLICACIÓN.1.es", to the URL corresponding to the recording of the joke made to theclaimant 2. It is verified that using the right button differentoptions, including playback and download of the recording.9. The Agency's Inspection Services have verified that the reported jokesby complainants 1 and 2 are listed in the joke catalog available at"*** APPLICATION.1".FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each Authority ofControl, and as established in articles 47, 48, 64.2 and 68.1 of the LOPDGDD, theDirector of the Spanish Agency for Data Protection is competent to resolve thisprocess.Article 63.2 of the LOPDGDD determines that: “The procedures processed byThe Spanish Agency for Data Protection will be governed by the provisions of the Regulation(EU) 2016/679, in this organic law, by the regulatory provisions issuedin their development and, insofar as they do not contradict them, in the alternative, by the regulationsgeneral information on administrative procedures. "IIArticle 56.1 of the RGPD, relative to the “Competence of the supervisory authorityprincipal ” , states the following:"1. Without prejudice to the provisions of article 55, the supervisory authority of the main establishmentor the sole establishment of the person in charge or the person in charge of the treatment will be competent toact as the main supervisory authority for cross-border processing carried out bysaid manager or manager in accordance with the procedure established in article 60 ” .Said article 60 regulates the “Cooperation between the main supervisory authority and theother interested control authorities ” :“ 1. The main supervisory authority shall cooperate with the other interested supervisory authorities ofin accordance with this article, striving to reach consensus. The supervisory authorityThe principal and the supervisory authorities concerned shall exchange all relevant information.2. The main supervisory authority may at any time request other supervisory authoritiescontrol interested parties providing mutual assistance pursuant to Article 61, and may carry outjoint operations pursuant to Article 62, in particular to conduct investigations ormonitor the application of a measure relating to a controller or processorestablished in another Member State.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 26
26/613. The lead supervisory authority shall notify the other supervisory authorities without delayrelevant information in this regard. It will transmit a draft decision without delayto the other interested control authorities to obtain their opinion on the matter and will haveduly consider their views.4. In the event that any of the interested control authorities raises an objectionrelevant and motivated regarding the draft decision within four weeks of theconsultation pursuant to paragraph 3 of this article, the lead supervisory authority shall submit thematter, in case it does not follow what is indicated in the pertinent and motivated objection or it considers that saidobjection is not pertinent or is not motivated, to the consistency mechanism contemplated in article63.5. In the event that the main supervisory authority plans to follow what is indicated in the relevant objectionand motivated received, will present to the opinion of the other interested control authorities arevised draft decision. Said revised draft decision shall be submitted to the procedureindicated in section 4 within a period of two weeks.6. In the event that no other interested supervisory authority has presented objections to thedraft decision transmitted by the main supervisory authority within the period indicated in theparagraphs 4 and 5, the lead supervisory authority and the supervisory authorities shall be deemedInterested parties agree with said draft decision and will be bound by it.7. The main supervisory authority shall adopt and notify the decision to the main establishment or thesole establishment of the controller or the person in charge of the treatment, as appropriate, and will informthe decision to the interested supervisory authorities and the Committee, including a summary of therelevant facts and motivation. The supervisory authority before which aThe claim will inform the claimant of the decision.(…)12. The main supervisory authority and the other interested supervisory authorities will be providedreciprocally the information required in the framework of this article by electronic means,using a standard form ”.Regarding the matters regulated in these precepts, the aforementioned is taken into accountin Recitals 124, 125, 126 and 130 of the RGPD.In accordance with the provisions of the previous regulations, in the presentcourse, referring, among others, to a claim presented before the control authority ofa Member State (Slovenia), in relation to processing in the context ofactivities of a single establishment of a controller that affect or are likely tosubstantially affect data subjects in more than one Member State (data processingborder), the main supervisory authority, in this case the Spanish Agency forData Protection, is obliged to cooperate with the other interested authorities.The Spanish Data Protection Agency, in application of the powers thatconferred by the RGPD, it is competent to adopt the decisions designed to producelegal effects, be it the imposition of measures that guarantee compliance with theregulations or the imposition of administrative fines. However, it is obliged to involveclosely and coordinate the control authorities interested in the process of takingdecision-making and take your opinion into account to the greatest extent. It also establishesthat the binding decision to be taken is jointly agreed.Article 60 of the RGPD regulates this cooperation between the supervisory authorityprincipal and other interested control authorities. Section 3 of this articleexpressly establishes that the main supervisory authority will transmit to the otherinterested control authorities, without delay, a draft decision to obtain theiropinion on the matter and will duly take into account their points of view, following toThis is done in the procedure provided for in sections 4 and following. The control authoritiesC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 27
27/61Interested parties have a period of four weeks to formulate reasoned objectionsabout the draft decision, it being understood that there is agreement on said project ifno authority raises objections within the indicated period, in which case all of themthey are linked by the repeated project.The aforementioned article 60, paragraph 12, provides that the main supervisory authority and theOther interested control authorities will provide each other with the informationrequired within the framework of this article by electronic means. It is up tothrough the "Internal Market Information System" (IMI System).On the other hand, article 58.4 of the RGPD establishes that the exercise of the powersconferred to the supervisory authority must respect the procedural guarantees established inthe law of the Union and the Member States.The Spanish procedural rules, specifically, Law 39/2015, of October 1, onCommon Administrative Procedure of Public Administrations (LPACAP), establishesthat the procedures of a sanctioning nature will always be initiated ex officio byagreement of the competent body, which must contain, among other indications, theidentification of the person or persons allegedly responsible, the facts thatmotivate the initiation of the procedure, its possible qualification and the sanctions that couldcorrespondIn accordance with the rules expressed above, considering the charactercross-border of this claim, on 03/03/2020, a draft agreement was issued forinitiation of sanctioning procedure, which was subsequently transmitted through the SystemIMI to the interested control authorities, which are outlined in the background,without any of them raising objections to said project within fourweeks from the consultation, understanding, therefore, that there was an agreement on it.On the other hand, in section 4 of the aforementioned article 64 of the LOPDGDD it establishes thatthe processing periods established in this article will be automaticallysuspended when information, consultation, request for assistance ormandatory pronouncement of a body or agency of the European Union or of one orvarious control authorities of the Member States in accordance with the provisions of theRGPD, for the time between the request and the notification of the pronouncement to theSpanish Agency for Data Protection.IIIThis procedure is initiated by virtue of the claims received in thisAgency against the entity MIRACLIA, in which those affected (abromados) denounce theuse of your personal data to make a joke by using theapplication "*** APPLICATION.1", by phone call to your mobile phone lines.The recording of the call made without the knowledge of those affected and thedissemination of said recording to third parties, also without their consent.The procedure, therefore, is aimed at the global analysis of the application"*** APPLICATION.1" from the point of view of data protection regulationspersonal and in relation to the people who receive the prank calls.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 28
28/61Any analysis of the position of the users of the application is ignored(jokers), as well as the information that MIRACLIA offers to them and theprocessing of your personal data.In accordance with the foregoing, the conclusions that could be derived from thisprocedure will not suppose any pronouncement regarding the previous aspectsdiscarded.IVBeforehand, it is appropriate to consider the allegation made by MIRACLIA inrelation to the position he occupies, in his opinion, in the personal relationship between joker andabbreviated. The aforementioned entity considers that its intervention is limited to providing a means ofleisure between individuals, which acts as an intermediary in a relationship between individuals.In accordance with this approach, MIRACLIA understands that the regulations ofprotection of personal data is not applicable to the present case, because spending aprank through an application or a medium in which the user is sovereign of theThe information provided is an act carried out in the domestic or personal sphere and, therefore,Therefore, excluded from the scope of protection of said regulation as established in thearticle 2.2 of the RGPD and article 2.2.a) of the LOPDGDD. It says to article 2.2 of the RGPD:"2. This Regulation does not apply to the processing of personal data:c) carried out by a natural person in the exercise of exclusively personal activities ordomestic ” .This Agency, on the other hand, considers that the action of the claimed entity does notcan be included in this exception for three reasons:. MIRACLIA is not a natural person: article 2.2.c) of the RGPD, when establishing the exceptionindicated, expressly refers to the processing of personal data carried out by aPhysical person.. Your activity is carried out in connection with a professional or commercial activity. I knowIt is constituted as a limited company, for profit and commercial character.. The RGPD applies in full to those responsible or in charge of the treatment thatprovide the means to process personal data related to activitiespersonal or domestic (if indeed it was).Regarding these issues, recital (18) of the RGPD states the following:"This Regulation does not apply to the processing of personal data by a personphysical activity in the course of an exclusively personal or domestic activity and, therefore, without connectionsome with a professional or commercial activity. Personal or domestic activities includeinclude correspondence and the keeping of a directory of addresses, or activity in the networkssocial and online activity carried out in the context of the aforementioned activities. However, theThis Regulation applies to those responsible or in charge of the treatment that provide themeans to process personal data related to such personal or domestic activities ”.We are facing business activities, with a business model based onin making pranks through an app for a fee.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 29
29/61To define what is to be considered as treatment of a character exclusivelypersonal or domestic, although in this case the application of thoseprecepts without going into that analysis, it is convenient to take into account theCJEU doctrine stated in the Lindqvist, Rynes and Jehovah's Witnesses judgments(STJUE of July 10, 2018, C-25/17).In accordance with these judgments, it can be considered that the CJEU understands, withgeneral nature, that the exception of activities of an exclusively personal nature ordomestic must be interpreted in the strict sense, only when the data processingaffects " incidentally " the private life or privacy of "other people", other thanresponsible for the personal data. It is also said by the Court that thecharacter of personal or domestic activities is not defined exclusively by oppositionto the dissemination of data, as MIRACLIA seems to indicate, but that dissemination implies thata processing of personal data related to the private or family life of individuals does notmay be considered excluded from the protective regulations, so that there may be othercases in which even treating personal or domestic data, this does notIt could be understood as included within the exception provided for in article 2.2 c) of the RGPD.We must not lose sight of what is the processing of personal data that is carried out inthe present case: it consists of a telephone call, to a telephone from a third person,whose voice, when he answers the call, is recorded in the MIRACLIA technical system.As can be seen, in this case it is not that the private life or intimacy of other peopleis "incidentally" affected, but the very object of this data processing is,precisely, the voice of the third person who is called. That is, the treatment ofPersonal data of the third party called is not a mere "incidental" nuisance withina more general data processing, but the use of your personal data isprecisely the goal of treatment. Therefore, in no case should it be considered thatsaid data processing of the voice of the abromado is merely incidental, but isit is a "main" treatment.The CJEU of July 10, 2018, C-25/17, Jehovah's Witnesses, establishes ainterpretation about the concept of exclusively personal or domestic activitiesand it says like this:42 As the Court has held, Article 3 (2), second indent, of the Directive95/46 should be interpreted in the sense that it only contemplates the activities that are registeredwithin the framework of private or family life of individuals. In this regard, it will not proceed to considerthat an activity is exclusively personal or domestic, for the purposes of said precept, whenis intended to allow an undetermined number of people access to personal data orwhen the activity extends, even in part, to the public space and is therefore directedtowards the outside of the private sphere of the person who proceeds to the processing of the data (see,in this regard, the judgments of November 6, 2003, Lindqvist, C-101/01, EU: C: 2003: 596,paragraph 47; of December 16, 2008, Satakunnan Markkinapörssi and Satamedia, C-73/07,EU: C: 2008: 727, paragraph 44, and of December 11, 2014, Ryneš, C-212/13, EU: C: 2014: 2428,paragraphs 31 and 33).In the case of MIRACLIA, it turns out that “abused” natural persons transferinformation to said entity, since the voice of the abromado is recorded in the applicationproportionate, and also those who are going to be pranksters also transmit it to MIRACLIA,because they provide you with the recipient phone numbers of the calls you will makesaid entity. This Telephone is registered in the entity's systems until the completion ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 30
30/61the call, the conversation is recorded for the purpose of providing a content servicemultimedia accessed through mobile devices, offering the possibilityto play, download and share the audio file. This assumes first thatsuch activity is directed out of the joker's personal and private sphere, in theinterpretation of the CJEU, which is excluded in any case by the exception “exclusivelypersonal and private ”.As a result, “pranksters” individuals would transmit personal data toMIRACLIA, which records (that is, "processes" such data) by recording them. But MIRACLIAit also "treats" in its systems the telephone number of said third parties,being able to potentially (when not materially) establish a link between acertain phone number and a certain voice recorded in their systems. That is to say,MIRACLIA processes personal data to which it cannot be applied in anycase the exception to which we refer.But, in addition, although initially there is no link between MIRACLIA andthe "victim", data processing is also carried out consisting of a record of thepeople who don't want any more jokes.The performance of MIRACLIA is essential given that, without its assistance, thedata processing carried out in the process. MIRACLIA provides the means to do thecall, facilitate the medium to choose a joke, and facilitate the medium to record and storea joke, which means that it determines the means of treatment and the purposes, organizes,encourages and coordinates the activities of pranksters through its application*** APPLICATION. 1, and therefore participates, together with the pranksters, in determining thepurpose and means of the processing of personal data of the abromados.In addition, MIRACLIA, "attending to its own objectives" (commercial) influences thepranksters acting and encourages it, for which it will be held responsible,together with the jokers, of the data processing carried out from theoverjoyed people.VAnother of the preliminary questions raised by MIRACLIA has to do with theexistence or not of personal data. Question whether the information can be considered datapersonal, since MIRACLIA is unable to identify the abbreviated in asimple and without disproportionate means, and points out that the only one who can identify theabromado is the user, who is anonymous to the entity.He adds that he is not able to identify the abbreviated or to link him with any otherdata and that the voice is not personal data if it does not allow the holder to be identified or if it isdisproportionate efforts are required to identify it.The RGPD defines the concept of "personal data" in its art. 4.1) as: “allinformation about an identified or identifiable natural person ("the data subject"); I knowAny person whose identity can be determined shall be considered identifiable natural person,directly or indirectly, in particular by means of an identifier, such as aname, an identification number, location data, an online identifier or one or morevarious elements of the physical, physiological, genetic, psychic, economic,C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 31
31/61cultural or social of said person ”.According to these definitions, the information relating to the personsrecipients of the pranks that are carried out using the application"*** APPLICATION.1" collected by the MIRACLIA entity conforms to the data definitionpersonal. In addition to the phone number, MIRACLIA also records the voiceof people abused through the timely recording of the joke, susceptible tobe disseminated, as well as other user data.In relation to the voice recording, Report 497/2007 of the Legal Office ofthis Agency affirms that “ the sound recordings will allow to identify a person,even more so if that recording is attached to a file and therefore will be included in thescope of the LOPD ”. In the same sense, the Hearing has statedNational.To the latter, add that the judgment of the National High Court dated 03/19/2014(rec.176 / 2012) says that “ the voice of a person constitutes personal data, such andas can be deduced from the definition offered by article 3.a) of the LOPD, as<< any information concerning identified or identifiable natural persons >>,This question is not controversial ”.We are facing a broad concept that can comprise objective information, such asit can be, for example, the name and surnames, or subjective information, such asbe the assessment of an examiner in a professional examination. The CJEU has thus understood it,for example, in the STJUE of December 20, 2017, C-434/16, Peter Nowak.That the RGPD considers the voice as personal data is undeniable. The opinion4/2007, of June 20, 2007, on the concept of personal data (WP136), of the Group ofWork of art. 29, also collects it, with examples. In example 2, on Bankingsays: “In telephone banking operations, in which the voice of the customerinstructs the bank is recorded on tape, the recorded instructions should beconsidered as personal data ”. Similarly, both this Opinion 4/2007, andOpinion 3/2012 on the evolution of biometric technologies (WP193) establishesthat the voice can be both a personal data, raw, as well as used with techniquesbiometric.So that this acoustic characteristic of the human person can be consideredpersonal data, the RGPD determines that said information must refer to a personidentified or identifiable physical person, and considers an identifiable person the one whose identitycan be determined, directly or indirectly through said personal data.MIRACLIA starts from an erroneous premise, which consists in considering thatwe are dealing with personal data because the MIRACLIA entity itself could not identify theperson whose voice is recorded (that is, the "interested", the abbreviated) since they do not storethe recipient's number.This argument is wrong. The data protection regulations (Recital 26of the RGPD) part of the basis of a comprehensive protection of the fundamental right of theprotection of data of the natural person, therefore, as we have already reasoned previously,the exceptions must be interpreted strictly and the concept of dataC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 32
32/61staff with broad criteria.Recital 26 of the RGPD, in the part that now interests, reads like this:“The principles of data protection must apply to all information relating to a personidentified or identifiable physical. The pseudonymised personal data, which could be attributed to anatural person through the use of additional information, information aboutan identifiable natural person. In order to determine whether a natural person is identifiable, thetake into account all the means, such as singularization, that thedata controller or any other person to directly or indirectly identify thePhysical person".As can be seen, the RGPD considers that a person is identifiablewhen said person can be identified either by (i) the person responsible for the treatment, orwell by (ii) any other person.As we have seen previously, the “joker” could be considered responsibleof the treatment together with MIRACLIA, so that being the case, there is no doubt that thePrankster can identify the voice of the person receiving the prank call. But,Even if it is considered that the joker is not responsible for the treatment, it would beconsidered as a "third person other than the person responsible", and the RGPD considers, evenin that case, that the "abused" is a person identifiable by the "joker", whichdetermines that the data of the voice of said identifiable person is to be considered datapersonal.The data protection regulations, therefore, do not restrict the concept of "datapersonal "or" identifiable person "exclusively in the event that the person responsible for thetreatment is who can identify, directly or indirectly, the interested party whose dataare treated (the abromado), but extends its perimeter of protection beyond saidcircumstance and considers that if said person (the abromado), as a consequence of themeans made available to the joker by the person in charge (MIRACLIA), -such as thesingularization (by voice, for example) -, can be identified, directly or indirectly,by "any other person" other than the person responsible, (and this even if said abbreviatedidentifiable for the person in charge, since it is not required to do so) considers saidinformation as personal data referring to a natural person, and therefore it is applicablethe data protection regulations.In the event that it is considered that there are two joint managers regardingof the same treatment, the CJEU has taken care to emphasize that the protection regulationsdata does not require or imply that each of them have access to personal data inquestion, so there may be some of those responsible who without having access to thepersonal data will remain responsible (see paragraph 69 of the judgment of 29of July 2019, C-40/17, Fashion ID, which in turn cites paragraph 29 of the judgment of 5June 2018, C-210/16, Wirtschaftakademie Schleswig-Holstein, and paragraph 65 of theJudgment of July 10, 2018, C-25/17, Jehovah's Witnesses).SAWArticle 5 " Principles relating to treatment" of the RGPD establishes:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 33
33/61"1.The personal data will be:a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty andtransparency");b) collected for specific, explicit and legitimate purposes, and will not be further processed asmanner incompatible with said purposes; in accordance with article 89 (1), the treatmentfurther use of personal data for archival purposes in the public interest, research purposesScientific and historical or statistical purposes shall not be considered incompatible with the initial purposes("Purpose limitation");c) adequate, relevant and limited to what is necessary in relation to the purposes for which they areprocessed ("data minimization");d) accurate and, if necessary, updated; All reasonable steps will be taken to ensure thatpersonal data that are inaccurate with respect to the data are deleted or rectified without delaypurposes for which they are processed ("accuracy");e) maintained in a way that allows the identification of the interested parties for no longer thannecessary for the purposes of processing personal data; personal data maybe kept for longer periods provided they are treated exclusively for archival purposesin the public interest, scientific or historical research purposes or statistical purposes, in accordance withArticle 89 (1), without prejudice to the application of technical and organizational measuresappropriate regulations imposed by this Regulation in order to protect the rights and freedoms of thedata subject ("limitation of the conservation period");f) treated in such a way as to guarantee adequate security of personal data, includingprotection against unauthorized or illegal processing and against its loss, destruction or damageaccidental, through the application of appropriate technical or organizational measures ('integrity andconfidentiality ').2. The person responsible for the treatment will be responsible for compliance with the provisions of section 1and capable of demonstrating it ('proactive responsibility') ”.In relation to the aforementioned principles, what is stated in theRecital 39 of the aforementioned RGPD:"39. All processing of personal data must be lawful and fair. For natural persons it mustbe fully clear that they are being collected, used, consulted or otherwise processedpersonal data concerning them, as well as the extent to which such data is or will be processed.The principle of transparency requires that all information and communication regarding the treatment ofsuch data is easily accessible and easy to understand, and that simple and clear language is used.This principle refers in particular to the information of the interested parties about the identity of theresponsible for the treatment and the purposes thereof and the information added to guarantee afair and transparent treatment with respect to the affected natural persons and their right toobtain confirmation and communication of the personal data that concerns them that are the subject oftreatment. Natural persons must be aware of the risks, regulations,safeguards and rights relating to the processing of personal data as well as the way ofenforce your rights in relation to the treatment. In particular, the specific purposes of theprocessing of personal data must be explicit and legitimate, and must be determined in thetime of collection. Personal data must be adequate, relevant and limited to whatnecessary for the purposes for which they are processed. This requires, in particular, ensuring thatlimit the storage period to a strict minimum. Personal data should only be processed if thepurpose of the treatment could not reasonably be achieved by other means. To ensure thatpersonal data is not kept for longer than necessary, the controller mustestablish deadlines for its elimination or periodic review. All measures must be takenreasonable to ensure that inaccurate personal data is rectified or deleted.Personal data must be treated in a way that guarantees security and confidentialityadequate personal data, including to prevent unauthorized access or use of suchdata and the equipment used in the treatment ”.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 34
34/61VIIArticle 4 of the RGPD, under the heading "Definitions", provides the following:"2)" treatment ": any operation or set of operations carried out on personal data orsets of personal data, whether by automated procedures or not, such as collection,registration, organization, structuring, conservation, adaptation or modification, extraction, consultation,use, communication by transmission, broadcast or any other form of access authorization,collation or interconnection, limitation, deletion or destruction ”.In accordance with these definitions, the use that said entity makes of theinformation (personal data) collected from the abused person constitutes aprocessing of personal data, with respect to which the controller must comply with thethe principles established in article 5.1 of the RGPD, according to which personal datawill be “treated in a lawful, loyal and transparent manner in relation to the interested party (legality,loyalty and transparency) ” ; and developed in Chapter III, Section 1, of the same Regulation(Articles 12 and following).Article 12.1 of the aforementioned Regulation establishes the obligation of the person responsible fortreatment of taking the appropriate measures to "provide the interested party with all informationindicated in articles 13 and 14, as well as any communication in accordance with theArticles 15 to 22 and 34 relative to the treatment, in a concise, transparent, intelligible andeasy access, with clear and simple language, in particular any information aimed atchild. The information will be provided in writing or by other means, including, if applicable,by electronic means. When requested by the interested party, the information may be providedverbally provided that the identity of the interested party is proven by other means ”.Article 13 of the aforementioned legal text details the “information that must be providedwhen the personal data is obtained from the interested party ” and article 14 thereofRegulation refers to the “information that must be provided when personal datahave not been obtained from the interested party " .In the first case, when the personal data is collected directly from theinterested party, the information must be provided at the same time that thatdata Collect. Article 13 of the RGPD details this information in the termsfollowing:"1. When personal data relating to him are obtained from an interested party, the person responsible for thetreatment, at the time these are obtained, will provide all the information indicated tocontinuation:a) the identity and contact details of the person in charge and, where appropriate, of their representative;b) the contact details of the data protection officer, if applicable;c) the purposes of the treatment to which the personal data are intended and the legal basis of the treatment;d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of theresponsible or a third party;e) the recipients or categories of recipients of the personal data, if applicable;f) where appropriate, the intention of the person responsible to transfer personal data to a third country orinternational organization and the existence or absence of an adequacy decision of the Commission,or, in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1,second paragraph, reference to adequate or appropriate guarantees and the means to obtain aC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 35
35/61copy of these or the fact that they have been provided.2. In addition to the information mentioned in section 1, the data controller will provide theinterested party, at the time the personal data is obtained, the following informationnecessary to guarantee fair and transparent data processing:a) the period during which the personal data will be kept or, when this is not possible, the criteriaused to determine this term;b) the existence of the right to request the data controller access to personal datarelating to the interested party, and their rectification or deletion, or the limitation of their treatment, or to oppose thetreatment, as well as the right to data portability;c) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2,letter a), the existence of the right to withdraw consent at any time, without affectingthe legality of the treatment based on the consent prior to its withdrawal;d) the right to file a claim with a supervisory authority;e) if the communication of personal data is a legal or contractual requirement, or a necessary requirementto sign a contract, and if the interested party is obliged to provide personal data and isinformed of the possible consequences of not providing such data;f) the existence of automated decisions, including profiling, referred to in theArticle 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logicapplied, as well as the importance and expected consequences of such treatment for theinterested.3.When the controller plans the further processing of personal data for apurpose other than that for which they were collected, will provide the interested party, prior to saidfurther processing, information on that other purpose and any additional information relevant to theof section 2.4.The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that theinterested party already has the information ”.In the second case, when the personal data is not obtained from the interested party, theInformation that must be provided to the same is established in article 14 of the RGPD:"1. When the personal data has not been obtained from the interested party, the person responsible for the treatmentwill provide you with the following information:a) the identity and contact details of the person in charge and, where appropriate, of their representative;b) the contact details of the data protection officer, if applicable;c) the purposes of the treatment to which the personal data are intended, as well as the legal basis of thetreatment;d) the categories of personal data in question;e) the recipients or categories of recipients of the personal data, if applicable;f) Where appropriate, the intention of the person responsible to transfer personal data to a recipient in athird country or international organization and the existence or absence of a decision on the adequacy ofthe Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49,Section 1, second paragraph, reference to adequate or appropriate guarantees and the means toobtain a copy of them or the fact that they have been loaned.2. In addition to the information mentioned in section 1, the data controller will provide theinterested party the following information necessary to guarantee fair data processing andtransparent with respect to the interested party:a) the period during which the personal data will be kept or, when that is not possible, thecriteria used to determine this term;b) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of theresponsible for the treatment or a third party;c) the existence of the right to request the data controller access to personal dataC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 36
36/61relating to the interested party, and their rectification or deletion, or the limitation of their treatment, and to oppose thetreatment, as well as the right to data portability;d) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2,letter a), the existence of the right to withdraw consent at any time, without affectingto the legality of the treatment based on the consent before its withdrawal;e) the right to file a claim with a supervisory authority;f) the source from which the personal data come and, where appropriate, if they come from access sourcespublic;g) the existence of automated decisions, including profiling, referred to in theArticle 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logicapplied, as well as the importance and expected consequences of such treatment for theinterested.3. The data controller will provide the information indicated in sections 1 and 2:a) within a reasonable period, once the personal data has been obtained, and at the latest within amonth, taking into account the specific circumstances in which said data is processed;b) if the personal data are to be used for communication with the interested party, no later than themoment of the first communication to said interested party, orc) if it is planned to communicate them to another recipient, at the latest at the time the datapersonal information are communicated for the first time.4. When the person responsible for the treatment plans the subsequent treatment of personal data fora purpose other than that for which they were obtained, will provide the interested party, before saidfurther processing, information on that other purpose and any other relevant information indicated insection 2.5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent that:a) the interested party already has the information;b) the communication of such information is impossible or involves a disproportionate effort,in particular for the treatment for archival purposes in the public interest, research purposesscientific or historical or statistical purposes, subject to the conditions and guarantees indicated in theArticle 89 (1), or to the extent that the obligation referred to in paragraph 1 of theThis article may make it impossible or seriously impede the achievement of the objectives of suchtreatment. In such cases, the controller will adopt adequate measures to protect the rights,freedoms and legitimate interests of the interested party, including making the information public;c) the obtaining or the communication is expressly established by the Law of the Union or of theMember States that apply to the controller and establish measuresappropriate to protect the legitimate interests of the data subject, ord) when personal data must continue to be confidential on the basis of aobligation of professional secrecy regulated by the law of the Union or of the Member States,including an obligation of secrecy of a statutory nature ”.For its part, article 11.1 and 2 of the LOPDGDD provides the following:"Article 11. Transparency and information to the affected1. When personal data are obtained from the affected party, the person responsible for the treatment may givecompliance with the duty of information established in article 13 of Regulation (EU) 2016/679providing the affected party with the basic information referred to in the following section and indicatingan electronic address or other means that allows easy and immediate access to theremaining information.2. The basic information referred to in the previous section must contain, at least:a) The identity of the person responsible for the treatment and their representative, if applicable.b) The purpose of the treatment.c) The possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU)C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 37
37/612016/679.If the data obtained from the affected party were to be processed for profiling, theBasic information will also include this circumstance. In this case, the affected party must beinformed of their right to object to the adoption of automated individual decisions thatproduce legal effects on him or significantly affect him in a similar way, when there isthis right in accordance with the provisions of article 22 of Regulation (EU) 2016/679 ” .In relation to this principle of transparency, it also takes into account theexpressed in Recitals 32, 39 (already outlined), 42, 47, 58, 60 and 61 of the RGPD. I knowreproduces below part of the content of these Recitals:(32) Consent must be given by a clear affirmative act that reflects a manifestation offree, specific, informed, and unequivocal will of the interested party to accept the data processingof a personal nature that concern you ...(42)… In order for consent to be informed, the interested party must know at least theidentity of the person responsible for the treatment and the purposes of the treatment for which thepersonal information…(47) The legitimate interest of a data controller, including that of a controller who ismay communicate personal data, or that of a third party, may constitute a legal basis for thetreatment, provided that the interests or rights and freedoms of the interested party do not prevail,taking into account the reasonable expectations of the interested parties based on their relationship with theresponsible ... In any case, the existence of a legitimate interest would require an assessmentmeticulously, even if a data subject can reasonably foresee, at the time and in thecontext of the collection of personal data, which may be processed for that purpose. InIn particular, the interests and fundamental rights of the interested party could prevail over theinterests of the data controller when personal data is processedin circumstances in which the interested party does not reasonably expect that a treatment will be carried outsubsequent…(58) The principle of transparency requires that all information directed to the public or the interested party beconcise, easily accessible and easy to understand, and use clear and simple language, and,also, if applicable, it is displayed ...(60) The principles of fair and transparent treatment require that the interested party be informed of theexistence of the treatment operation and its purposes. The controller must provide theinterested party as much additional information is necessary to guarantee fair treatment andtransparent, taking into account the specific circumstances and context in which thepersonal information. The interested party must also be informed of the existence of the preparation ofprofiles and the consequences of such elaboration. If personal data is obtained frominterested parties, they must also be informed of whether they are obliged to provide them and of the consequencesin case they didn't ...(61) Data subjects should be provided with information on the processing of their personal data inthe time they are obtained from them or, if they are obtained from another source, within a reasonable time,depending on the circumstances of the case ...The Constitutional Court, among others, in its STC 39/2016, of March 3, by appointmentin turn of STC 292/2000, of November 30, has established that the right toInformation is part of the essential content of the right to data protection. So inits FJ2, from STC 39/2016, states:“The duty of prior information is part of the essential content of the right to the protection ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 38
38/61data, as it is an indispensable complement to the need for consent of the affected party.The duty of information on the use and destination of personal data required by the Organic Law ofprotection of personal data is closely linked to the general principle ofconsent to the processing of data, because if its purpose and recipients are not known,consent can hardly be given. Therefore, when assessing whether theright to data protection for breach of the duty of information, dispensation of theConsent to the processing of data in certain cases should be an element to take into accountgiven the close link between the duty of information and the general principle ofconsent.(…)They are thus characteristic elements of the constitutional definition of the fundamental right toprotection of personal data «the rights of the data subject to consent to the collection and use of theirpersonal data and to know about them. And they are essential to make thiscontent the recognition of the right to be informed of who owns your personal data and withwhat purpose, and the right to be able to oppose such possession and use by requiring whoever corresponds toterminate the possession and use of the data. That is, requiring the owner of the file to inform youof what data you have about yourself, accessing your appropriate records and entries, and what destinationhave had, which also reaches possible assignees; and, where appropriate, require you torectify or cancel them ”(STC 292/2000, of November 30, FJ 7)”.MIRACLIA does not inform the interested party at any time, that is, the abromado, of thecontent of your rights in accordance with the provisions of the RGPD. This determines that theData processing carried out in no case can be considered lawful.Article 12.1 of the RGPD establishes that said information must be provided “bywritten"; Only if requested by the interested party, the information may be provided verbally alwaysthat the identity of the interested party is proven by other means. In the present case, it has notno written information has existed, nor has the identity of the interested party beendemonstrated by any means.Article 13.1 of the RGPD establishes that “when obtained from an interested partypersonal data relating to him ” (as is the case, since the call is made toabbreviated and therefore personal data, your voice, comes directly from abbreviated),the person in charge of the treatment, "at the moment in which these [data] are obtained" , willwill provide all the information indicated below in said section.As can be seen from the facts in the file, MIRACLIA has not reportedpreviously of any of these circumstances to the abrupt, so that thefundamental right to the protection of data of the abromados, who have not hadknowledge, prior to the recording that MIRACLIA always makes of your data intheir systems, of the circumstances that the regulations establish that they must know.The affected person responds to a phone call, which will be recorded, not only withouthave been able to give their consent, but without having been informed, at that time, ofso that you are aware of the treatment that is intended to be carried out with your datapersonal and circumstances required by the regulations for the protection of the rightfundamental. Among these circumstances, it is worth highlighting that provided for in letter c) of section1 of said article 13 of the RGPD: the interested party must be informed at the time ofObtaining your personal data, among other circumstances, from the legal basis of thetreatment, to which it is necessary to add what is established in letter d), that is, when thetreatment is based on art. 6, section 1, letter f) -Legitimate interest-, theinterested what are the legitimate interests of the person in charge or of a third party that are allegedC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 39
39/61as a legal basis for the treatment.This lack of information on what is the legal basis of the treatment or in case ofclaiming legitimate interest, what those legitimate interests are, is of great importance. TheRGPD intends that the interested party (the abbreviated) can have knowledge at that time(at the time of collection of your personal data) of what are the legitimate intereststhat are hypothetically alleged by the controller to process your personal data withoutneed your consent. It is at this time that it will be done by theresponsible for the treatment the weighting between the legitimate interests that may beclaim for the person responsible and the interests or fundamental rights and freedoms of theinterested party who require the protection of their personal data, in particular when theinterested is a child. Such weighting cannot be done at a later time,unilaterally by the person in charge, without taking into account the rights, freedoms and interestsabominated himself, since it is simply enough to say that he would be denied not only his right toinformation, but their right to make allegations, to be heard before the claim of theresponsible for using your personal data without your consent (as that isprecisely the virtuality of the use of legitimate interest as the legal basis of thetreatment, and what MIRACLIA intends here as responsible for the treatment).The judgment of the CJEU of July 29, 2019, C-40/17, Fashion ID, establishes theguidelines on who would, in any case, request the consent of theinterested in the event that there are two, or more, data controllers. As well asIt also determines to whom the information obligation corresponds to the interested party, andwhen this information is to be given. And it follows from this sentence that, applying it topresent case, would correspond to MIRACLIA.Sections 102 to 104 of the Fashion ID ruling establish:“102 As regards the consent mentioned in articles 2, letter h), and 7, letter a), ofDirective 95/46, it turns out that this must be given prior to the collection and communication bytransmission of data of the interested party. In these circumstances, it is the responsibility of the administrator of theInternet, and not the provider of the social module, request said consent, insofar as it isthe fact that a visitor visits that Internet site which triggers the process ofprocessing of personal data. Indeed, as the Advocate General pointed out in point 132 of hisconclusions, it would not be consistent with an effective and timely protection of the rights of the interested partythat consent was only given to the joint controller of the treatment involvedsubsequently, namely to the provider of said module. However, the consent that mustbe provided to the administrator refers only to the operation or to the set of operations ofprocessing of personal data whose purposes and means are effectively determined by said administrator.103 The same can be said with respect to the information obligation established in article 10 ofDirective 95/46.104 From the wording of said provision, it follows, in this regard, that the person responsible for thetreatment or its representative must communicate to the person from whom the data is collectedminus the information mentioned in said provision. Therefore, it turns out that the person responsibleof the treatment must give such information immediately, that is, at the moment in whichcollect the data (see, in this regard, the judgments of May 7, 2009, Rijkeboer,C-553/07, EU: C: 2009: 293, paragraph 68, and of November 7, 2013, IPI, C-473/12, EU: C: 2013: 715,paragraph 23) ".As is known, there is no unlimited right and the right to information from theinterested party, as an essential part of the fundamental right to the protection of their datapersonal, is not alien to this principle. Now, as an exception, it must beC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 40
40/61interpreted strictly, so that only in the cases established bythe law may be understood that there may be an exception to the right to information.As established in section 39 of the STJUE of November 7, 2013, C-473/12, Institut professionnel des agents immobiliers (IPI) v Geoffrey Englebert and others,to which we will make more extensive reference later:39 In accordance with established case law, the protection of the fundamental right to privacy requiresthat the exceptions to the protection of personal data and the restrictions to such protection areestablish without exceeding the limits of what is strictly necessary (judgments of December 162008, Satakunnan Markkinapörssi and Satamedia, C-73/07, Rec. p. I-9831, paragraph 56, and of 9November 2010, Volker und Markus Schecke and Eifert, C-92/09 and C-93/09, Rec. p. I-11063,paragraphs 77 and 86).The only limitations on the right to information are found in article 23 of theRGPD and express legislative measures are needed to agree them, respecting in allcase the essential of the rights and freedoms, and provided that the assumptions assessedthat are related in said precept.Although in reference to consent, MIRACLIA has indicated that it cannotmeet some regulatory provisions because the very fact of spendinga joke or surprise effect. However, nothing has been alleged regarding the limitationsindicated, nor do they seem to be applicable to the present case. MIRACLIA nomentions any legislative measure that entails the possibility of exceptions in the caseof the application *** APPLICATION.1 the fundamental right to data protectionpersonal data of the interested party, the abromado, so that any subsequent analysis would lacksense. In addition, the possibility of excepting through legislative measures the rightsFundamentals of individuals are of such importance as the security of the state, thedefense, public security, prevention, investigation, detection or prosecution ofcriminal offenses etc. Therefore, in no case does this possibility of exempting theThe data subject's right to information is linked to the possibility of joking throughof an online application, and not to a commercial interest, so there can be nocommercial interests that serve as justification for the interested-abused to beDeny your right to be informed in the terms of article 13 RGPD.Therefore, the actions of MIRACLIA are not excluded from the obligation ofprovide interested parties with the right to information, with the content established in theArticle 13 RGPD, at the time the personal data is obtained from the interested party.When personal data is obtained from the interested party, in no case will such informationcan be provided later, much less never be given, as is the case hereoccupies us. In short, the interested parties must in any case be informed so that thetreatment may be considered lawful, which has certainly not been the case.The same can be said about compliance with the provisions of article 14 of theRGPD, which regulates the information that must be offered to the interested party when the data does notare collected directly from it, as occurs in relation to the telephone numberAbromado's mobile, which is provided to MIRACLIA by a third party, the joker.In general, no information does MIRACLIA offer to the interested party / affected (personreceiving the joke call) in the documents "Terms and Conditions of Use of theService ” and “ Privacy Policy ” , beyond indicating that “ Miraclia does not collect data fromC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 41
41/61recipients of the jokes ” , which, as has been seen, is not true.The only information directed to the abbreviated results from the locution that is reproduced at theend of the prank call, with the following message:"A friend of yours has played a prank on you. In case you don't want your friend to be able tolisten, download or spread the joke, or in case you do not want to receive more jokes,press 5 on your keyboard after the beep. Beeep ”.As can be seen, in said locution it is not specified that the joke wasrecorded and that, through the indicated action, is deleted from the entity's systems. NoOtherwise, it includes details on any of the aspects established in theArticles 13 and 14 of the RGPD.On the other hand, at no point during the telephone conversation dididentifies the application *** APPLICATION.1 as the call manager or the companyMIRACLIA developer as the owner of the platform, so that the receiver of thejoke does not know where to go to get more information about the call orexercise your rights; at no time is the joker mentioned; and I don't knowinforms at no time, during the development of the joke, that the conversation isbeing or can be recorded.Consequently, the facts presented constitute a violation of the principle oftransparency regulated in articles 13 and 14 of the RGPD, which gives rise to the application ofthe corrective powers that article 58 of the aforementioned Regulation grants to the AgencySpanish Data Protection.Finally, it should be noted that MIRACLIA has alleged that, on the occasion of thepresent proceedings, knowing the imputation made for the first time in relation to theinformation defects, has proceeded immediately to rectify them by completing theinformation offered at the end of the prank conversation as follows:- That someone has played a joke to have a good time.- That for the same you have used the application *** APPLICATION.1 property ofMIRACLIA TELECOMUNICACIONES, SL- That to oppose said joke reaching the joker and to suppress it he canpress key 5.- You have more information by pressing key 1.And by pressing the 1 key, the detailed explanation is offered, also included on the web.Thus, from the information that was not provided to the interested party, it has now included:- The identity of MIRACLIA- The contact details of the Data Protection Officer- The conservation period- The basis of legitimation- The exercise of the rights in full that, although those of opposition anddeletion (and also the access when requested) are now specifiedformally.However, it does not provide any proof of this; not even the text or recordingof the locution inserted at the end of the conversation, so that it can be assessedC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 42
42/61correctly the supposed information offered. And neither does MIRICLIA point out anything aboutof the precautions adopted to ensure that the interested party has effectively agreedto the information or to the measures that it will apply in those cases in whichthe communication before the reproduction of the locution.VIIIOn the other hand, articles 6 and 7 of the same RGPD refer, respectively, to the"Legality of the treatment" and the "Conditions for consent":Article 6 of the RGPD."1. The treatment will only be lawful if at least one of the following conditions is met:a) the interested party gave their consent for the processing of their personal data for one or morespecific purposes;b) the treatment is necessary for the execution of a contract in which the interested party is a party or forthe application at his request of pre-contractual measures;c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person in chargeof the treatment;d) the treatment is necessary to protect vital interests of the interested party or of another natural person;e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in theexercise of public powers conferred on the data controller;f) the treatment is necessary for the satisfaction of legitimate interests pursued by theresponsible for the treatment or by a third party, provided that those interests do not prevailinterests or fundamental rights and freedoms of the interested party that require the protection ofpersonal data, in particular when the interested party is a child.The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by thepublic authorities in the exercise of their functions.2. Member States may maintain or introduce more specific provisions in order toadapt the application of the rules of this Regulation with respect to the treatment incompliance with paragraph 1, letters c) and e), setting more precisely specific requirements oftreatment and other measures that guarantee a lawful and equitable treatment, including otherspecific treatment situations in accordance with Chapter IX.3. The basis of the treatment indicated in section 1, letters c) and e), must be established by:a) Union law, orb) the law of the Member States that applies to the controller.The purpose of the treatment must be determined in said legal basis or, in relation to theTreatment referred to in section 1, letter e), will be necessary for the fulfillment of a missioncarried out in the public interest or in the exercise of public powers conferred on the person responsible fortreatment. Said legal basis may contain specific provisions to adapt the applicationof rules of this Regulation, among others: the general conditions that govern the legality of thetreatment by the person in charge; the types of data being processed; the interestedaffected; the entities to which personal data may be communicated and the purposes of suchcommunication; the limitation of the purpose; the data conservation periods, as well as theprocessing operations and procedures, including measures to ensure alawful and equitable treatment, such as those relating to other specific treatment situations in accordance withof Chapter IX. The law of the Union or of the Member States will fulfill an objective of interestpublic and will be proportional to the legitimate aim pursued.4. When the treatment for a purpose other than that for which the personal data was collectedis not based on the consent of the interested party or on the law of the Union or of the Statesmembers that constitute a necessary and proportionate measure in a democratic society tosafeguard the objectives indicated in article 23, paragraph 1, the data controller, withC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 43
43/61in order to determine if the treatment for another purpose is compatible with the purpose for which they were collectedinitially personal data, will take into account, among other things:a) any relationship between the purposes for which the personal data was collected and the purposesthe planned further processing;b) the context in which the personal data was collected, in particular with regard to therelationship between the interested parties and the data controller;c) the nature of the personal data, specifically when special categories of data are processedpersonal data, in accordance with article 9, or personal data regarding convictions and offensescriminal, in accordance with article 10;d) the possible consequences for the data subjects of the planned further processing;e) the existence of adequate guarantees, which may include encryption or pseudonymization ”.Article 7 of the RGPD."1. When the treatment is based on the consent of the interested party, the person in charge must becapable of demonstrating that he consented to the processing of his personal data.2. If the consent of the interested party is given in the context of a written statement that is alsorefer to other matters, the consent request will be presented in such a way that it distinguishesclearly of other matters, in an intelligible and easily accessible way and using clear languageAnd simple. Any part of the declaration that constitutes infringement of this will not be binding.Regulation.3. The interested party will have the right to withdraw their consent at any time. The withdrawal ofConsent will not affect the legality of the treatment based on consent prior to itswithdrawal. Before giving consent, the interested party will be informed of this. It will be so easy to remove theconsent how to give it.4. When assessing whether consent has been freely given, the greatest possible consideration will be given topossible the fact whether, among other things, the performance of a contract, including the provision of aservice, is subject to consent to the processing of personal data that are not necessaryfor the execution of said contract ”.What is expressed in recitals 32, 39, 40 to 44 and 47 of the RGPD is taken into accountin relation to the provisions of articles 6 and 7 above.It is also necessary to take into account the provisions of article 6 of the LOPDGDD:"Article 6. Treatment based on the consent of the affected party1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, it is understoodBy consent of the affected party, any manifestation of free will, specific, informed andunequivocal by which he accepts, either through a statement or a clear affirmative action, theprocessing of personal data that concerns you.2. When it is intended to base the treatment of the data on the consent of the affected person for aplurality of purposes, it will be necessary to state specifically and unequivocally that saidconsent is given for all of them.3. The execution of the contract may not be subject to the affected party consenting to the treatment of thepersonal data for purposes that are not related to the maintenance, development or controlof the contractual relationship ” .In accordance with the above, data processing requires the existence of alegal basis that legitimizes it, such as the consent of the interested party validly given,necessary when there is no other legal basis than those mentioned in article 6.1of the RGPD or the treatment pursues a purpose compatible with that for which the data were collecteddata.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 44
44/61Article 4 of the RGPD defines "consent" in the following terms:"Article 4 DefinitionsFor the purposes of these Regulations, the following shall be understood as:11. "consent of the interested party": any manifestation of free will, specific, informed andunequivocal by which the interested party accepts, either through a declaration or a clear actionaffirmative, the processing of personal data that concerns him ”.Consent is understood as a clear affirmative act that reflects afree, specific, informed and unequivocal manifestation of the interested partyaccept the processing of personal data concerning you, provided withsufficient guarantees to prove that the interested party is aware of the fact that he gives hisconsent and the extent to which it does so. And should be given for all activities oftreatment carried out with the same or same purposes, so that, when the treatmenthas several purposes, consent must be given for all of them specifically andunequivocal, without the execution of the contract being subject to the consent of the affected partythe processing of your personal data for purposes that are not related to themaintenance, development or control of the business relationship. In this regard, the legality of theTreatment requires that the interested party be informed about the purposes for which thedata (informed consent).Consent must be given freely. It is understood that consent does notis free when the interested party does not have a true or free choice or cannot deny orwithdraw your consent without suffering any harm; or when you are not allowed to authorizeseparate the different personal data processing operations despite being adequatein the specific case, or when the fulfillment of a contract or service provision isdependent on consent, even when it is not necessary for saidcompliance. This occurs when consent is included as a non-partnegotiable of the general conditions or when the obligation to be ofagreement with the use of personal data additional to those strictly necessary.Without these conditions, the provision of consent would not offer the interested party atrue control over your personal data and their destination, and this would make it illegalthe processing activity.The Article 29 Working Group analyzed these issues in its document"Guidelines on consent under Regulation 2016/679" , revised andapproved on 04/10/2018; which has been updated by the European Committee for the Protection ofData on 05/04/2020 through the document “Guidelines 05/2020 on consentin accordance with Regulation 2016/679 ” . From what is indicated in this document, interest nowhighlight some aspects related to the validity of consent, specificallyon the elements "specific", "informed" and "unequivocal":<< 3.2. Specific manifestation of willArticle 6, paragraph 1, letter a), confirms that the consent of the interested party for the treatment ofyour data must be given "for one or more specific purposes" and that an interested party can choose withwith respect to each of these purposes. The requirement that consent must be "specific"It is intended to guarantee a level of control and transparency for the interested party. This requirement has notbeen modified by the GDPR and remains closely linked to the requirement ofinformed consent". At the same time, it must be interpreted in line with the requirement of"Dissociation" to obtain "free" consent. In short, to fulfill the character ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 45
45/61"Specific" the data controller must apply:i) the specification of the purpose as a guarantee against deviation of use,ii) disassociation in consent requests, andiii) a clear separation between the information related to obtaining consent for thedata processing activities and information related to other issues.Ad. i): In accordance with article 5, section 1, letter b), of the RGPD, obtaining theValid consent is always preceded by the determination of a specific, explicit andlegitimate for the intended processing activity. The need for specific consent inCombination with the notion of purpose limitation contained in Article 5 (1) (b),works as a guarantee against the gradual extension or blurring of the purposes for which it isperforms the data processing once an interested party has given their authorization to the collectioninitial data. This phenomenon, also known as deviation of use, poses a riskfor the interested parties as it may lead to an unforeseen use of personal data by theresponsible for the treatment or third parties and the loss of control by the interested party.If the controller is based on article 6, paragraph 1, letter a), the interested partiesThey must always give their consent for a specific purpose for the processing of the data. Inconsistent with the concept of purpose limitation, with article 5, paragraph 1, letter b), and withrecital 32, consent may cover different operations, provided that saidoperations have the same purpose. Needless to say, specific consent can only bebe obtained when the interested parties are expressly informed about the intended purposes for the use ofthe data concerning them.Without prejudice to the provisions on compatibility of purposes, consent must bespecific for each purpose. The interested parties will give their consent understanding that they have controlabout your data and that these will only be processed for said specific purposes. If a responsible treatsdata based on consent and, in addition, you want to process said data for another purpose, you mustobtain consent for that other purpose, unless there is another legal basis that better reflects thesituation…Ad. ii) The consent mechanisms should not only be separated in order to comply with the"free" consent requirement, but must also comply with the consent requirement"specific". This means that a data controller seeking consent toseveral different purposes, it must facilitate the possibility of opting for each purpose, so that userscan give specific consent for specific purposes.Ad. iii) Finally, those responsible for the treatment must provide, with each request forseparate consent, specific information about the data that will be processed for each purpose, with theIn order for the interested parties to know the impact of the different options they have. Of thisThus, data subjects are allowed to give specific consent. This question overlaps with therequirement that those responsible provide clear information, as stated abovein section 3.3 >>.<< 3.3. Informed manifestation of willThe GDPR reinforces the requirement that consent must be informed. In accordance with theArticle 5 of the RGPD, the requirement of transparency is one of the fundamental principles,closely related to the principles of loyalty and lawfulness. Provide information tointerested parties before obtaining their consent is essential for them to make decisionsinformed, understand what they are authorizing and, for example, exercise your right to withdrawYour consent. If the person in charge does not provide accessible information, the user's control will beIllusory and consent will not constitute a valid basis for the processing of the data.If the requirements for informed consent are not met, the consent will not bevalid and the person in charge may be in breach of article 6 of the RGPD.3.3.1. Minimum content requirements for consent to be "informed"In order for consent to be informed, it is necessary to communicate certain elements to the interested party.that are crucial to being able to choose. Therefore, the GT29 is of the opinion that at least theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 46
46/61following information to obtain valid consent:i) the identity of the data controller,ii) the purpose of each of the processing operations for which consent is requested,iii) what (type of) data will be collected and used,iv) the existence of the right to withdraw consent,v) information on the use of data for automated decisions in accordance with theArticle 22 (2) (c), where relevant, andvi) information on the possible risks of data transfer due to the absence of adecision of adequacy and adequate guarantees, as described in article 46 >>.In the present case, MIRACLIA affirms in its allegations that consent does notcan be the legal basis for playing a joke, understanding that the treatmentof the personal data of the abromados that it carries out is protected in the legitimate interest of theArticle 6.1.f) of the RGPD.However, this is not what emerges from the information inserted in thedocument called "Terms and Conditions of Use of the Service" (Proven FactSecond), in which it is indicated up to three times that the user must have theexpress and unequivocal consent of the person who has received the joke so thatthe recording can be made and the audio file can be shared later, as a requirementoperation of the service ( “The operation of the Service prevents thea Recording if the user of *** APPLICATION.1 does not expressly accept such conditionprevious ”) . In said document, MIRACLIA expressly declares that “it is not responsibleof the consequences of failure to obtain the necessary consentsto share the Recording ” .That is, MIRACLIA bases the processing of personal data directly on theconsent of the "abromado", which I have to be collected by the "joker" himself.MIRACLIA is aware, then, that said legal basis for the treatment ismerely formal, fictitious. If you consider that a joke can never be based on theconsent of the abromado himself, it is not understood what is indicated in his reviewed document,knowing that the joker will never proceed to seek the consent of the abomination.On the other hand, the processing of personal data carried out by the person responsible for theMIRACLIA treatment in no case can be considered "lawful" since it is notprovides the interested party with the information to which, in accordance with the rules of protection ofpersonal data, you have the right, as concluded in the Basis of Lawprevious.Nor can it be considered lawful from the moment in which, as said lackinformation, the interested party is deprived of their right to know the legal basis of thetreatment alleged by the person in charge, and specifically, when referring to the legitimate interest, it isdeprived of their right to know what are said legitimate interests alleged by theresponsible or a third party that would justify the treatment without taking into account theirconsent.In the same way, the interested party is deprived of his right to argue for what causessaid legitimate interest alleged by the controller could be counteracted by the rightsor interests of the interested party. The interested party having not been given an opportunity to allege themagainst the controller, any weighing that the controller makes without taking into accountC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 47
47/61the circumstances that the interested party could allege who has not been allowed to do soit would be flawed, because it is an act contrary to an imperative norm.If the norm requires that the subject be informed of their rights, and it is not done, theThe consequence must be the nullity of subsequent acts (the same weighting carried outwould be vitiated of nullity of full rights, as well as the same data processingcarried out on a null weighting and without any value).On the other hand, there is no legal measure that exempts said obligation toprovide the aforementioned information by the person in charge, as stated.Therefore, it cannot be understood that it is applicable as a legal basis for the treatmentof personal data that of the legitimate interest provided for in article 6.1.f) of the RGPD.However, although we understand that legitimate interest is not applicable, it is interestinghypothetically analyze the terms in which the weighting that foresees should be carried outsaid article between the legitimate interest of the data controller and data protectionpersonal nature of the interested party, that is, how said legitimate interest plays, if it wereapplicable.Well, if this were the case, the CJEU, already in its judgment of May 4, 2017,C-13/16, Rigas Satskime, paragraphs 28 to 34, determined what are the requirements for atreatment may be lawful on the basis of legitimate interest. The CJEU judgment of 29July 2019, C-40/17, Fashion ID, echoing the cited sentence, collects saidrequirements.28 In this regard, article 7, letter f), of Directive 95/46 - (current article 6.1.f) of the RGPD) - fixesthree cumulative requirements for the processing of personal data to be lawful: first, that thedata controller or the third party or third parties to whom the data is communicated pursue alegitimate interest; second, that the treatment is necessary for the satisfaction of that interestlegitimate and, third, that the fundamental rights and freedoms of the interested party do not prevail in thedata protection.Regarding the first of the requirements, that is, that the person responsible for the treatment orthird parties pursue a legitimate interest, we are faced with a commercial interest, which couldbe considered legitimate in itself, concretized in making money by selling jokesTo thirds. However, these benefits are obtained at the cost of affecting the rights andlegitimate interests to the protection of your personal data of the interested parties (abromados),Therefore, this interest will have to be weighed against that of individualsFrom what the second of the requirements does, however, we consider that theprocessing of personal data that is carried out by the appellant is not necessary orstrictly necessary for the satisfaction of their legitimate interest (the cited judgment of 4May 2017, C-13/16, Rigas Satskime, in its section 30, declares “ As regards therequirement that data processing be necessary, it should be remembered that theexceptions and restrictions to the principle of protection of personal datathey must be established without exceeding the limits of what is strictly necessary ” ).This principle that treatment should be strictly necessary for thesatisfaction of legitimate interest must be interpreted in accordance with the provisions ofArticle 5.1.c) RGPD, which refers to the principle of data minimization,C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 48
48/61noting that the personal data will be “adequate, pertinent and limited to whatnecessary in relation to the purposes for which they are processed ” .Leaving aside, as we have already mentioned, the issue that theinterested / abused does not know for what purposes or with what legal basis theirdata, it is understood that the recording of the voice of the interested parties in theMIRACLIA, which is carried out in any case and in all circumstances, as well as, asIt has been revealed in the administrative file that the telephone numbers of theinterested parties are stored in said systems until the call is made, it is aexcessive treatment. If the legitimate interest pursued is to collect for a person, thejoker, can play a joke, it does not seem necessary, as an intrinsic requirement of saidtreatment, (i) that personal data (telephone and voice) are stored. Neither canconsidered legitimate, and therefore we consider that it would be an excessive treatment, thepossibility that the joker (ii) downloads the voice of the abused to be able to go tosaid recording as many times as you want and to be able to broadcast it without any restriction, soin addition (iii) security measures would be lacking to prevent said subsequent treatment by thejoker. If what MIRACLIA intends, with purely commercial interest, is to charge forplay a joke, such treatment could be done without the need to record the voice orphone number, and without having to give the possibility, omnimous and unlimited, to the joker ofdownload the voice of the abomination to your terminal to be able to broadcast it later withoutany limitation. Therefore, the second requirement regarding non-excessive use would not existor necessary.Third, in terms of balancing or balancing, that is, it does notthe fundamental rights and freedoms of the interested party prevail in the protection ofdata, the CJEU has understood (Rigas Satskime ruling) that it depends on the circumstancesof the particular case in question.In relation to this weighting, the Working Group of art. 29 of the Directive95/46 issued Opinion 06/2014 on the concept of legitimate interest of the person responsible for thetreatment. Said Group, in its Opinion says that“… Such an examination requires a full consideration of a number of factors, in order toensure that the interests and fundamental rights of the individual are duly taken into accountaffected. At the same time, it is a modular test, which can range from simple tocomplex, and need not be unduly burdensome.Factors to be considered when performing such a balancing testwill understand:- the nature and source of the legitimate interest, and whether the data processing is necessary for theexercise of a fundamental right, is otherwise in the public interest or benefits fromrecognition of the affected community;- the impact on the data subject and their reasonable expectations about what will happen to their data,as well as the nature of the data and the way in which they are processed;- additional guarantees that could limit an undue impact on the interested party, such as theminimization of data, privacy protection technologies, increasedtransparency, the general and unconditional right to opt-out and the portability of datadata.(a) Regarding the nature and source of the alleged legitimate interest, this is an interest ofmercantile character, as has already been shown. The TS, in its STS ruling1921/2017, of May 5, 2017, Rec. 407/2016, has already shown that it cannotthe interest of gas traders prevail over the interest of consumersC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 49
49/61holders of electricity supply contracts, since the latter have a rightfundamental against a purely commercial interest, so that the person, the consumerIn this case, it has the legal power to impose on third parties the duty to refrain from allintrusion into their intimate sphere and the prohibition of them to make use of and known, (withcitation of the judgments of TC 73/1982, 89/1987, 231/1988, 134/1999 and 115/2000).(b) It should be added, following the list of recommended requirements for weighting, thatthe data processing that the appellant intends to carry out is not at all necessaryfor the exercise of a fundamental right, so it will have to decline in the face ofneed for protection of their fundamental right by the interested parties.(c) Nor can it be considered that the processing of personal data proposed byMIRACLIA results from the public interest or who benefit from the recognition of theaffected community.(d) Regarding the reasonable expectations for the interested party regarding the use ofyour personal data and the repercussions for him, it is enough to mention that with the treatment ofpersonal data that the appellant intends to carry out, the interested party loses all power todisposition on them, since the data is registered by system, before being able to giveyour consent or even to be informed, so that the joker-user can douse of the personal data of the abromado, his voice, downloading it in his own terminal andsubsequently spreading it among other third parties whenever and however you want, and this withregardless of whether the interested party may make use of a hypothetical right toblocking or deletion of your data in front of MIRACLIA, which as easily canbe observed from the mechanics of the application of the system, it will not be effective in any case if thejoker has already downloaded the voice on his terminal, since its broadcast no longerit would depend on that entity.(e) Regarding the nature of the data, we consider that voice is dataparticularly sensitive. And it is because we all know that the voice identifiesunivocally to a subject among a more or less broad community. But the olderabundantly, the voice can also be considered a sensitive data in another sense, and isthat the RGPD allows the voice to be considered as biometric data, as long as it isapply, or may be applied, techniques aimed at allowing to uniquely identifya natural person (art. 9.1 RGPD). It does not appear that the data processing that theresponsible intends to carry out with the application *** APPLICATION. 1 is aimed atapply treatment techniques to the voice that convert it into biometric data, butAlthough that is not the objective of the data processing carried out by the person in charge, it does notThere is no doubt that the voice can constitute the raw material, the raw data, from thewhich a technique could be applied so that said personal data, the voice, would turn out to bea biometric data. As the Supreme Court has had the opportunity to consider in the aforementionedpreviously ruling STS 1921/2017, of May 5, 2017, Rec. 407/2016, the criterionof “risk” is a criterion to take into account when a personal data, together with others, and withinfringement of the principle of information or access, may lead to the identification of theinterested.(f) Regarding the last of the weighting criteria mentioned, namely the guaranteesadditional that could limit an undue impact on the interested party, such as theminimization of data, privacy protection technologies, increasedtransparency, we consider that it is absolutely necessary to increase theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 50
50/61transparency in the sense of providing potential abused, in advance of therecord of your voice or your telephone, all the circumstances referred to in the article13 GDPR. And in addition to this, the fact of recording the voice of the abromado in the systems of theRecurrent is considered excessive, in the sense of art. 5.1.c) RGPD.In short, and to end this point, it does not result from data processingpersonal carried out by MIRACLIA that concurs, beyond its own commercial interest,no circumstance that justifies the recording of the voice of the abbreviated usingas legal basis for the treatment the legitimate interest of article 7.f) of the Directive. Theprocessing of personal data carried out by MIRACLIA is not necessary for satisfactionlegitimate interest, and in addition the legitimate interest of the appellant does not prevail over thefundamental rights and freedoms of the interested party in the protection of their datapersonal.Consequently, it cannot be considered that the processing of personal data thatcarried out by MIRACLIA is protected by the legitimate interest provided for in article 6.1.f) of theRGPD. And neither does the interested party give their consent to said data processing,which is illegal, furthermore, as the right to information has been totally waivedof the interested party in the terms provided in the regulations for the protection of personal data.In accordance with the foregoing, the aforementioned events constitute a violation of theArticle 6 of the RGPD, which gives rise to the application of the corrective powers that the article58 of the RGPD granted to the Spanish Agency for Data Protection.IXIn its allegations to the proposed resolution, MIRACLIA indicates that theArguments contained in the preceding legal grounds are not valid for"*** APPLICATION.1", which is in a technical and data processing scenariodifferent from the one presented in previous actions of the Agency and ordinary Justice.For the present case, according to MIRACLIA, “*** APPLICATION.1” fits the definition ofnumbering-based electronic interpersonal communications services, definedin Article 2, paragraphs 5 and 6, of Directive (EU) 2018/1972, which establishes theEuropean Code of Electronic Communications (recast version).Based on this consideration, MIRACLIA understands that I only intervened by facilitatingthe necessary means to provide the service that the user has contracted, onlydata controller of the person who receives the prank call; whatThe conversation that takes place for the provision of the service is personal or domestic, in theinsofar as the purpose of the service is to establish communication initiated by thejoker, MIRACLIA limiting itself to providing the means for transmission; and what does not doprocessing of prank call recipient data beyond complianceof the conservation obligations imposed by Law 25/2007, on data conservationrelating to electronic communications and public communications networks.For the same reason, MIRACLIA understands that it is not obliged to facilitate theinformation to which the RGPD refers, as the provisions of the Recital173 and Article 95 of said Regulation, in relation to Directive 2002/58 / EC, on theprivacy and electronic communications. According to this article, the RGPD will not imposeC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 51
51/61additional obligations to natural or legal persons regarding treatment in theframework of the provision of public services of electronic communications in networkspublic communication of the Union in areas in which they are subject to obligationsspecific with the same objective established in Directive 2002/58 / EC, and, in accordance withWith this Directive, electronic communications services cannot be required tointerpersonal resources based on public numbering resources that identifies the manager of thecall or the owner of the platform or indicate where to obtain information about thecall or on the exercise of rights. Likewise, the user's right must be respectedof the service to not identify themselves and to record the call in a personal way.These allegations must be rejected, as they do not yet exist in the domestic legal systemany provision transposing Directive (EU) 2018/1972, the term of whichtransposition has not yet elapsed. This being the case, it cannot be said that the activitydeveloped through the application "*** APPLICATION.1" fits a category of servicesof electronic communications that, at this time, does not exist in our systemlegal.On the other hand, article 95 of the RGPD is not applicable to the present case, whichprohibits the imposition of “additional obligations on natural or legal persons intreatment matter in the framework of the provision of public services ofelectronic communications on public communication networks of the Union in areas wherethose that are subject to specific obligations with the same objective established in theDirective 2002/58 / CE ” , which does not appear among the Directives that will be repealed by theDirective (EU) 2018/1972 with effect from 12/21/2020. The present act is notreferred to Directive 2002/58 / EC nor does it imply the imposition of specific obligations with thesame objective intended by this DirectiveIn any case, it should be added that MIRACLIA bases these allegations on the result ofthe audit carried out on the application “*** APPLICATION.1” by an engineer oftelecommunications in July 2020, well after the period analyzed by theInspection of this Agency. Although the responsible entity states that the version of theaudited application corresponds to the version in force at the time they were formulatedcomplaints, there is no evidence to prove it. Furthermore, this claim does notwanted was raised in its arguments at the opening of the procedure and supposes an approachdifferent from the position that MIRACLIA has maintained during the previous phases, in whichshowed his willingness to correct some of the deficiencies revealed anddefended the legitimate interest of the entity for the data processing carried out.In addition, it starts from premises and has established facts that cannot beaccepted, mainly those related to the existence of a conversation between auser of “*** APPLICATION.1”, who starts it, and a third party. It is stated that “the person whostart the conversation must be the user who hires the service *** APPLICATION.1 ” and that“Once the connection between the user of *** APPLICATION.1 and the recipient of theconversation the direct exchange of interpersonal information is allowed throughelectronic communications networks between the two ” . However, as it has beencredited, the application user simply schedules a call, in which noparticipates, which is carried out from MIRACLIA systems with the purpose of reproducingto the recipient a voiceover (the one corresponding to the joke selected by the user),So that call does not put two people in communication, nor is there any“Direct interpersonal information exchange” . If there is a call between theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 52
52/61user and recipient of the joke, that conversation would never take place with theintermediation of "*** APPLICATION.1".In the same way, it cannot be accepted that the user of “*** APPLICATION.1” is thewho decides to record the content of the message that he edits himself. The callAs a joke, it remains in MIRACLIA systems, without it being necessary toThis involves the participation of the user of “*** APPLICATION.1”, which is limited to using the mediathat facilitates the entity itself to access the audio file generated by the system, withoutsaid user takes no action to edit its content.Regarding this question, the approach contained inthe audit report provided by MIRACLIA, according to which the service rating ofelectronic communications that is included in the Conditions of Use of the applicationimplies an implicit recognition of the nature of the service (in Annex II to theThe audit literally states the following: “In the conditions of use of theapplication *** APPLICATION.1 in article 6 it is indicated that “as with anytelecommunications, it is illegal to use the services of *** APPLICATION.1 for the purposeto harass or harm anyone ”. There is therefore a contractual declaration that*** APPLICATION. 1 is a service subject to telecommunications regulation and, therefore, aimplicit recognition that it is an electronic communications service insuch case ” ).It is obvious that the position that MIRACLIA occupies in everything related to the functioningof the application “*** APPLICATION.1” cannot be determined by a pact betweenindividuals or a contractual declaration, but for the legal determinations that resultapplicable.It can even be said that the aforementioned allegations should be rejectedeven if we consider the provisions of the European Communications CodeElectronic, which defines the interpersonal communication services including in thisconcept the transport of signals and other types of services that allow communication.It distinguishes “three types of services that may partially overlap, namely:internet access defined in article 2, point 2, of Regulation (EU) 2015/2120 of theEuropean Parliament and of the Council (1); interpersonal communication services, such asare defined in this Directive, and services consisting wholly or mainly of thesignal transport ” (Recital 15 of Directive (EU) 2018/1972, by whichestablishes the European Code of Electronic Communications).In accordance with its article 2 "Definitions" , for the purposes of the aforementioned Directive:<< shall be understood as:4) "electronic communications service": the one generally provided in exchange for aremuneration through electronic communications networks, which includes, with the exception of theservices that provide content transmitted through networks and communications serviceselectronic or exercise editorial control over them, the following types of services:a) the “internet access service”, understood as defined in point 2) of the paragraphsecond of article 2 of Regulation (EU) 2015/2120;a) the “interpersonal communications service”, andC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 53
53/61b) services consisting, in whole or mainly, in the transport of signals, such asare the transmission services used for the provision of machine-to-machine servicesand for broadcasting;5) “interpersonal communications service”: the one generally provided in exchange for aremuneration that allows a direct, interpersonal and interactive exchange of information throughof electronic communications networks between a finite number of people, in which the initiator ofthe communication or participant in it determines the recipient or recipients and does not include services thatallow interpersonal and interactive communication as a mere secondary possibility that goesintrinsically linked to another service;6) "numbering-based interpersonal communications service": communications serviceinterpersonal that either connects or allows communications with public numbering resourcesassigned, that is, of a number or numbers of the national or international numbering plans, orallows communication with a number or numbers from the national numbering plans orinternational; >>.In relation to these definitions, what is stated in theRecitals 17 and 18 of the same Directive:(17) Interpersonal communication services are services that allow the exchangeinterpersonal and interactive information and services that include voice callstraditional between two people, as well as all kinds of emails,group chat or messaging. Interpersonal communications services only cover thecommunications between a finite, that is, potentially not unlimited, number of natural persons, whoIt is determined by the sender of the communication. Communications in which they interveneLegal persons must fall within the scope of the definition when the personsindividuals act on behalf of those legal persons or intervene on at least one side of thecommunication. Interactive communication assumes that the service allows the recipient of theinformation reply. Services that do not meet these requirements, such as linear broadcasting,video on demand, websites, social media, blogging, or sharing information betweenmachines, should not be considered interpersonal communications services. Inexceptional circumstances, a service should not be considered a communications serviceinterpersonal if the device of interpersonal and interactive communication is a characteristicminor and purely auxiliary to another service and, for objective technical reasons, cannot be used withoutsaid main service and its integration is not a means to circumvent the applicability of the rules thatregulate interpersonal communication services. As elements for theExclusion from the definition, the terms “minor” and “purely auxiliary” should be interpreted in arestrictive and from an objective end-user perspective. A communications featureinterpersonal can be considered less when its objective utility for an end user is verylimited and when, in fact, it is hardly used by end users. An example of acharacteristic that can be considered is outside the scope of the definition ofInterpersonal communication services could be, in principle, a communication channel of aonline game, depending on the characteristics of the service communication device.(18) Interpersonal communication services using numbers from a national plan andInternational numbering links to publicly assigned numbering resources. ThoseNumber-based interpersonal communications services encompass both services inwhich end user numbers are assigned to ensure end-to-end connectivityextreme, such as services that enable end users to come into contact withpeople to whom those numbers have been assigned. It should not be considered that the mere use ofa number as an identifier is equivalent to the use of a number to connect withpublic allocation numbers and therefore should not be considered sufficient by itself toqualify a service as a number-based interpersonal communications service. TheC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 54
54/61Interpersonal communication services independent of numbering should only besubject to obligations when the public interest requires the application of regulatory obligationsspecific to all types of interpersonal communication services, regardless ofthat use numbers for the provision of their service. It is justified to treat differentlynumbering-based interpersonal communication services, as they participate in ainteroperable ecosystem publicly guaranteed and therefore also benefit from it.Therefore, an interpersonal electronic communications service based onnumbering should allow a direct, interpersonal and interactive exchange of informationbetween people, without this interpersonal and interactive communication being included in theservice in question as a mere secondary possibility.Consequently, MIRACLIA is not a provider of networks and communicationsnor does it provide electronic communications services.On the other hand, due to the circumstances set forth, this Agency understands that it is notapplicable to the present case the doctrine of the Constitutional Court alleged byMIRACLIA, which supports the recording of a conversation between people by one of theparticipants. And neither does this Agency consider that the present case raisesany controversy that affects the right to freedom of expression of citizens.Also in its allegations to the proposed resolution, MIRACLIA points out asProven Fact 1 is false, which indicates that said entity is the owner of amobile application called "*** APLICACIÓN.1", marking that it is a service toaccessed through a mobile application. However, in relation to this thisquestion, we refer to the many references that the document “Terms andConditions of Use of the Service ” contains on the application“ *** APPLICATION.1 ”(ex:“Service definition: *** APPLICATION.1 is an application…” ).And it also considers wrong the reference to the hosting of jokes on a sitepublic, as access to the audio is done through a private URL to which onlyThe issuer of the joke and the recipient of the joke have access, if they so wish.Well, this Agency understands that what is indicated in Proven Fact 4 is not contraryto what was indicated by MIRACLIA when it points out that there is “ no platform on whichpublish the jokes made so that any third party can access, but therecordings of the jokes are housed in a public place, which makes it possible toaccess to them through the link to the audio file, which can be broadcastindiscriminately by the joker user ” .In relation to what is stated in Proven Fact 5, it is alleged that the link to whichthe Agency's Inspection Services accessed to verify that"*** APPLICATION.1" operates in other countries of the European Economic Area corresponds toa pre-production platform that has never worked. However, as recorded inInspection procedure, access was made from the offices of the Agency itself toinformation that on that day was in production, available to any third partynetwork user, that is, publicly accessible information. Inspection Services do nothave made no access to MIRACLIA systems in development. In any case, thisentity does not deny the information contained in the aforementioned Proven Fact, on theoperation of the application “*** APPLICATION.1” in the countries indicated and theavailability to the public of the terms and conditions of use in the languages ​​indicated.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 55
55/61On the claims that are outlined in the Background,MIRACLIA repeatedly warns that they should not have been admitted for processing, taking into accountthat the respective claimants did not previously address the entity exercising therights recognized by the personal data protection regulations.In this regard, on the one hand, it should be noted that this Agency, in use of thepowers and prerogatives attributed to it, determined as the object of the proceedings theglobal analysis of the application “*** APPLICATION.1” from the point of view of the regulationsprotection of personal data and in relation to the people who receive the callsas a joke, regardless of the specific incidents of the claimsraised, which served to motivate the initiation of appropriate investigations in relation towith the treatment of the personal data of the people who receive the calls fromjoke, which matches that the object of the claims; and, on the other hand, that the exercise ofthose rights is not established as a necessary budget to be able to formulatea claim before this Agency. The decision whether or not to make this claim or theThe use of any other means to defend their rights is exclusive to the claimant. InIn any case, it is considered convenient to point out that the decision that is adopted results from thefacts declared proven, without any scope being attributed to the questionshighlighted by MIRACLIA in relation to the statements made by thecomplainants about sending the recording by whatsapp, making callsother than the prank call, the sending of emails or the attention given byMIRACLIA to requests for exercise of rights.Unlike the present case, the precedent cited by MIRACLIA, in whichdeals with the case of a person who received a prank call from a radio station,refers to a claim for protection of rights due to failure to attend to the request forcancellation of data that had previously been raised with the person in charge, and as such wasprocessed by this Agency.Finally, MIRACLIA requests a face-to-face hearing procedure to clarify beforethe instructors / inspectors of the Agency the points exposed and warns that, in case ofnot seeing their interests taken care of, reserves the right to go to other higher instancesand / or judicial in Spain and in Europe. This hearing is not foreseen in the regulationsapplicable procedural procedure, so that it is not obliged to carry out this procedure nor does it harm theright of defense of the interested entity, which, obviously, will have thepossibility of challenging the resolution in all the channels provided for in the aforementioned regulations.XIn the event of an infringement of the RGPD precepts, among thecorrective powers available to the Spanish Data Protection Agency, such assupervisory authority, article 58.2 of said Regulation contemplates the following:“2 Each supervisory authority shall have all the following corrective powerslisted below:(…)b) punish any person in charge or in charge of the treatment with warning when thetreatment operations have infringed the provisions of this Regulation; "(...)C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 56
56/61d) order the person in charge of the treatment that the treatment operationscomply with the provisions of this Regulation, where appropriate, of acertain way and within a specified time;(…)i) impose an administrative fine in accordance with article 83, in addition to or instead of themeasures mentioned in this section, according to the circumstances of each caseparticular;" .According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d)above is compatible with the sanction consisting of an administrative fine.XIIn the present case, the processing of personal data thatthe MIRACLIA entity performs without having previously informed the owner of the data and withoutstanding for it.The interested party does not even know that their personal data is being processedby this entity, which uses an application designed to use personal dataprovided by a third party and by the interested party. The application is created with a purposethat requires the processing of personal data. Thanks to the application it is subjected totreatment the telephone line to which the communication is sent, theconversation held by the interlocutors.In accordance with the findings obtained, it is considered that the factsexposed could violate the principle of transparency established in articles 12, 13 and14 of the RGPD, as well as the principle of legality of the treatment regulated in article 6 of theRGPD, which, if confirmed, could lead to the commission of individual violationstypified in article 83.5 of the RGPD, which under the heading " General conditions for theimposition of administrative fines ” provides the following:"Violations of the following provisions will be sanctioned, in accordance with section 2, withadministrative fines of up to EUR 20,000,000 or, in the case of a company, aamount equivalent to a maximum of 4% of the total annual global business volume for the yearprevious financial statement, opting for the one with the highest amount:a) the basic principles for the treatment, including the conditions for consent in accordance withof articles 5, 6, 7 and 9;b) the rights of the interested parties in accordance with articles 12 to 22; (…) ” .In this regard, the LOPDGDD, in its article 71 establishes that “They constituteoffenses the acts and conducts referred to in sections 4, 5 and 6 of article 83of Regulation (EU) 2016/679, as well as those that are contrary to this laworganic ” .For the purposes of the limitation period, article 72 of the LOPDGDD indicates:“Article 72. Violations considered very serious.1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, they are considered veryserious and will prescribe after three years the infractions that suppose a substantial violation of theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 57
57/61articles mentioned therein and, in particular, the following:(…)b) The processing of personal data without any of the conditions of legality of thetreatment established in article 6 of Regulation (EU) 2016/679.(…)h) The omission of the duty to inform the affected party about the processing of their personal datain accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this LawOrganic ”.In order to determine the administrative fine to be imposed, theprovisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate :"1. Each supervisory authority shall guarantee that the imposition of administrative fines in accordance withto this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6are in each individual case effective, proportionate and dissuasive.2. Administrative fines will be imposed, depending on the circumstances of each individual case,as an additional or substitute for the measures referred to in article 58, paragraph 2, letters a) to h)and j). When deciding the imposition of an administrative fine and its amount in each individual case,will duly take into account:a) the nature, seriousness and duration of the offense, taking into account the nature, scope orpurpose of the processing operation in question as well as the number of interested partiesaffected and the level of damages they have suffered;b) intentionality or negligence in the infringement;c) any measure taken by the person in charge of the treatment to mitigate the damages anddamages suffered by the interested parties;d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account thetechnical or organizational measures that have been applied by virtue of articles 25 and 32;e) any previous infringement committed by the person in charge or the person in charge of the treatment;f) the degree of cooperation with the supervisory authority in order to remedy the infringement andmitigate the possible adverse effects of the violation;g) the categories of personal data affected by the infringement;h) the way in which the supervisory authority learned of the infringement, in particular if theresponsible or the manager notified the infringement and, if so, to what extent;i) when the measures indicated in article 58, paragraph 2, have been previously orderedagainst the person in charge or the person in charge in relation to the same matter, thecompliance with said measures;j) adherence to codes of conduct under article 40 or to certification mechanismsapproved in accordance with Article 42, andk) any other aggravating or mitigating factor applicable to the circumstances of the case, such asfinancial benefits obtained or losses avoided, directly or indirectly, through theinfringement."For its part, article 76 " Sanctions and corrective measures" of the LOPDGDDhas:"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679will be applied taking into account the graduation criteria established in section 2 of the aforementionedArticle.2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, they may alsobe taken into account:a) The continuing nature of the offense.b) The linking of the offender's activity with the processing of personal data.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 58
58/61c) The benefits obtained as a result of the commission of the offense.d) The possibility that the affected person's conduct could have led to the commission of the offense.e) The existence of a merger by absorption process subsequent to the commission of the offense, which does notit can be attributed to the absorbing entity.f) Affecting the rights of minors.g) Have, when not mandatory, a data protection officer.h) The submission by the person in charge or in charge, on a voluntary basis, to mechanisms ofalternative conflict resolution, in those cases in which there are controversies betweenthose and anyone interested. "In accordance with the transcribed precepts, in order to set the amount of thefine sanctions to be imposed in the present case on the defendant, as responsible foroffenses typified in article 83.5.a) and b) of the RGPD, the fine thatit would correspond to impose for each one of the imputed infractions.It is estimated that they concur as aggravating factors, applicable to the two offensesof the RGPD for which MIRACLIA is responsible, the following factors that reveal aGreater unlawfulness and / or culpability in the conduct of the entity:. The nature, severity and duration of the offense, taking into account the nature,scope or purpose of the processing operations in question: the severity of theinfringement is determined by the processing operations carried outMIRACLIA, which include the collection of personal data to make them available tothird parties, also offering them functionalities or tools for the dissemination of saidpersonal data, despite the fact that its treatment is contrary to the RGPD. The duration of theinfringement, considering that it is linked to the operation of the application itself"*** APPLICATION.1" is determined by the exploitation period of said application.. The intentionality or negligence appreciated in the commission of the offense: thisThis circumstance results from the design of the application itself, which has not foreseen in any waycompliance with personal data protection regulations. It is an aggravationespecially significant since the respondent, without any doubt, knew thedefects appreciated by this Agency in the operation of the application fromvarious precedents, in which it was sanctioned for the infringement of the principle ofconsent. MIRACLIA is not unaware that its conduct involves a violation of the RGPD anddecided to go ahead with it.. The continuing nature of the infringement: the result of the uninterrupted exploitation of theapplication “*** APPLICATION.1”.. The linking of the offender's activity with the performance of data processingpersonal and benefits obtained as a result of the commission of the offense: allthe operations that constitute the commercial or commercial activity carried out by theclaimed involve personal data processing operations, and all of them affectedfor the same regulatory breaches. So all the benefits of this businessare the result and consequence of the permanent infringement of the data protection regulationsfor which the respondent is responsible. The volume of data and treatments that constitutes the object of the file; and number ofinterested parties: it is taken into account that the defects appreciated in the data processingaffect all the people who receive a prank call using the applicationC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 59
59/61"*** APPLICATION.1".. The nature of the damages caused to the interested persons or third parties:The damages that may arise from the processing of the data and its dissemination areunpredictable, without MIRACLIA having taken any precaution in this regard.. The accused entity does not have adequate procedures in place for action in thecollection and processing of personal data, so that the infringement is notconsequence of an anomaly in the operation of these procedures but adefect in the personal data management system designed by the person in charge.Considering the exposed factors, the initial assessment of the fine collected in theopening agreement amounted to 50,000 euros per house one of the offenses charged.However, the company has requested a reduction ofthat fine, since it represents 25% of its turnover, which amounted to 476,000 eurosin 2018, in which there were losses.The economic information available regarding MIRACLIA corresponds to theyear 2018, last year presented. There is a turnover for that fiscal year475,823 euros and a result for the year of -7,364 euros. Likewise, it is verified thatIt is a micro-company, with 2 employees. According to the information in theCentral Commercial Registry, the "Subscribed Capital" amounts to 6,000 eurosConsidering this circumstance, it is deemed appropriate to propose the imposition ofa fine of 20,000 euros for each of the offenses committed[infringement of the principle of transparency due to non-compliance with the provisions ofarticles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as very serious toprescription effects in article 72.h) of the LOPDGDD; and violation for non-complianceof the provisions of article 6 of the RGPD, typified in article 83.5.a) and qualified asvery serious for the purposes of prescription in article 72.1.b) of the LOPDGDD].XIIIn accordance with the provisions of article 58.2.d) of the RGPD, eachcontrol may “order the person in charge of the treatment that the operations oftreatment are in accordance with the provisions of this Regulation, where appropriate,in a certain way and within a specified period… ” .In this case, considering the circumstances expressed in relation to theAppreciated defects in the operation of the application "*** APPLICATION.1", from thepoint of view of data protection regulations, it is appropriate to require MIRACLIA tothat, within the period to be determined, adapts to the personal data protection regulationsthe processing operations carried out, the information offered to its customers and theprocedure by which they give their consent for the collection andprocessing of your personal data; establishing, in addition, mechanisms that allowprove that the interested party has effectively accessed the information offered and thatgave their consent for the collection and processing of personal data. Everythingthis with the scope and in the sense expressed in the Fundamentals of Law of theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 60
60/61present resolution.In those cases in which the interested party was not duly informed aboutthe circumstances regulated in articles 13 and 14 of the RGPD or the interested party had notGiven your consent, MIRACLIA will not be able to carry out the collection and treatment ofPersonal information.On the other hand, it is appropriate that the MIRACLIA entity cease its illegal use of thepersonal data contained in their information systems relating tointerested parties who have not given their informed consent to do soThese measures will be applicable in all countries of the Economic AreaEuropean countries where MIRACLIA operates through the application "*** APPLICATION.1" andwith respect to interested parties residing in said countries.It is noted that not meeting the requirements of this body may beconsidered as a serious administrative offense by “not cooperating with thecontrol ” in the face of the requirements made, such conduct may be assessed at the time ofthe opening of an administrative procedure punishing with a pecuniary fine.Therefore, in accordance with the foregoing, the Director of the AgencySpanish Data Protection RESOLVES:FIRST: Sanction the entity MIRACLIA TELECOMUNICACIONES, SL, for ainfringement of articles 13 and 14 of the RGPD, typified in article 83.5.b) and qualifiedas very serious for the purposes of prescription in article 72.h) of the LOPDGDD, with afine of 20,000 euros (twenty thousand euros).SECOND: Sanction the entity MIRACLIA TELECOMUNICACIONES, SL, for ainfringement of article 6 of the RGPD, typified in article 83.5.a) and classified as veryserious for the purposes of prescription in article 72.1.b) of the LOPDGDD, with a fine foramount of 20,000 euros (twenty thousand euros).THIRD: Require the entity MIRACLIA TELECOMUNICACIONES, SL so that, in thewithin three months, adapt the regulations on the protection of personal datatreatment operations carried out, the information offered to its clients and theprocedure by which they must give their consent for the collectionand processing of your personal data, with the scope expressed in the Basis ofLaw XII. Such adaptation must be implemented equally in all countries of the SpaceEconomic European in which MIRACLIA operates through the application"*** APPLICATION.1".FOURTH: NOTIFY this resolution to MIRACLIA TELECOMUNICACIONES, SLFIFTH: Warn the sanctioned person that he must enforce the sanction imposed oncethis resolution is executive, in accordance with the provisions of art. 98.1.b) of theLaw 39/2015, of October 1, on the Common Administrative Procedure of thePublic Administrations (hereinafter LPACAP), within the established voluntary payment periodin art. 68 of the General Collection Regulations, approved by Royal DecreeC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 61
61/61939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17,by means of their entry, indicating the NIF of the sanctioned person and the procedure number thatIt appears in the heading of this document, in the restricted account number ES00 00000000 0000 0000 0000 , opened in the name of the Spanish Agency for Data Protection atthe banking entity CAIXABANK, SA. Otherwise, it will be collected inexecutive period.Notification received and once executive, if the execution date is foundBetween the 1st and the 15th of each month, both inclusive, the deadline for making the voluntary paymentwill be until the 20th day of the following or immediately subsequent business month, and if it is among the16th and last day of each month, both inclusive, the payment term will be until the 5th ofsecond following month or immediately subsequent business month.In accordance with the provisions of article 50 of the LOPDGDD, thisResolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of theLOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, theInterested parties may optionally file an appeal for reconsideration before the Director ofthe Spanish Agency for Data Protection within one month from the dayfollowing notification of this resolution or directly contentious appealadministrative before the Contentious-Administrative Chamber of the National Court, within accordance with the provisions of article 25 and paragraph 5 of the fourth additional provisionof Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,within two months from the day following the notification of this act,as provided in article 46.1 of the aforementioned Law.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,may provisionally suspend the final resolution through administrative channels if the interested partyexpresses its intention to file a contentious-administrative appeal. If this is theIn this case, the interested party must formally communicate this fact by writing to theSpanish Agency for Data Protection, presenting it through the Electronic Registryof the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of theremaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.You must also send the Agency the documentation that proves the filingeffective contentious-administrative appeal. If the Agency is not aware of thefiling of the contentious-administrative appeal within a period of two months from thefollowing the notification of this resolution, it would terminate the suspensionprecautionary.Mar Spain MartíDirector of the Spanish Agency for Data Protection