AEPD - PS/00430/2020
|AEPD - PS/00430/2020|
|Relevant Law:||Article 4(11) GDPR|
Article 6(1) GDPR
Article 6 Law on Data Protection
|Parties:||Vodafone España, S.A.U.|
|National Case Number/Name:||PS/00430/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA (AEPD) found Vodafone España, S.A.U. in violation of Article 6(1) GDPR for sending the complainant email communications despite the fact that Vodafone has already been sanctioned twice by the Spanish DPA on these same facts. As a result, Vodafone paid a fine of €120,000 imposed by the DPA.
English Summary[edit | edit source]
Facts[edit | edit source]
The claimant complained to the Spanish DPA (AEPD) that he/she was still receiving invoicing emails from Vodafone España, S.A.U. despite no longer being a client. The claimant had previously complained about receiving email communications from Vodafone and the DPA had also previously sanctioned Vodafone twice for breaches of Article 6(1) GDPR regarding these same facts (PS/00278/2019 and PS/00186/2020).
Vodafone claimed that there was an error in the system that "hooked" the claimant's email address, however, this was supposedly fixed subsequent to the first two sanctions imposed by the Spanish DPA.
After receiving yet another communications from Vodafone (despite claims that the error was fixed), the claimant asked Vodafone to delete all the information it had concerning him/her from their system and to stop sending email communications to him/her. The claimant also complained to the DPA a final time.
Dispute[edit | edit source]
Does the continuous sending of communications to a data subject that has already complained about these communications twice constitute a violation of Article 6(1) GDPR that requires a fine to be imposed?
Holding[edit | edit source]
The Spanish DPA (AEPD) held that Vodafone was sending the data subject email communications without his/her consent. The DPA first outlined Article 6(1)(a) and (b) GDPR, Articles 4(11) GDPR on consent, as well as Article 6 of the Spanish Data Protection Law (LOPDGDD) on consent.
The DPA therefore held that there was a clear violation of Article 6 GDPR as Vodafone processed the data subject's personal data without a legal basis. The data subject continued to receive email communications despite no longer being a client and despite having complained twice to the Spanish DPA on these same facts.
As this was the third complaint on the same facts and the error clearly had not been solved, the Spanish DPA decided to impose a fine for a third violation of Article 6(1) GDPR. The DPA considered this a "very serious" offense due to the repetitive nature and therefore imposed a fine of €200,000. However, as Vodafone made a voluntary, early and guilty payment, this was reduced to €120,000 in accordance with Spanish national law on administrative fines.
Comment[edit | edit source]
Interesting to note that the Spanish DPA (AEPD) had already imposed a fine of €100,000, reduced to €80,000 for voluntary, early and guilty payment, Vodafone in PS/00186/2020.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/14 Procedure No.: PS / 00430/2020 RESOLUTION R / 00089/2021 ON TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY In the sanctioning procedure PS / 00430/2020, instructed by the Spanish Agency for Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed by A.A.A., and based on the following, BACKGROUND FIRST: On January 14, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against VODAFONE SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure Nº: PS / 00430/2020 AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and in based on the following: ACTS FIRST: D. A.A.A. (hereinafter, the claimant) dated September 8, 2020 filed a claim with the Spanish Agency for Data Protection. The claim is directed against Vodafone España, S.A.U. with NIF A80907397 (in ahead, the claimed one). The claimant states, that he continues to receive emails from the claimed to despite having been sanctioned for these same facts in the proceedings sanctioners PS / 00278/2019 and PS / 00186/2020. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/14 For this reason, he requests that the claimed person delete all their information from their systems and leave to send you communications. Attach the following documentation to the claim: - Email received by the claimant of the claimed dated 8 of September 2020. SECOND: As background to the present sanctioning procedure, it is necessary to manifest: 1.- On April 3, 2019, the claimant filed another claim against the claimed since he had requested the operator to delete his data and to Despite this, he continued to receive emails from her, which replied: “That once the facts described by the claimant have been analyzed, it does not maintain service any assets in Vodafone, or amounts pending payment ”. However, I continue receiving communications from said entity. Based on the above, the sanctioning procedure was opened by this Agency PS / 00278/2019, and the Director of the Spanish Agency for Data Protection, issued the January 13, 2020, resolution of said procedure, being its notification on 16 January 2020, for violation of article 6.1. of the RGPD typified in the article 83.5.a) of the aforementioned RGPD. On August 28, 2019, within the framework of the aforementioned procedure, the The complained party sent this Agency the following information in relation to the facts reported: It states that: “due to a computer error in its systems, the mail The claimant's electronic mail was “hooked” and continued to be recorded in the sending informative communications regarding electronic invoices issued by Vodafone, which is the reason why it has received these communications ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/14 They state that: “said error was solved, so the claimant will not return to receive any communication regarding electronic invoicing from Vodafone or no other that has not previously consented ”. On the other hand, they provided a copy of the email they sent to claimant to inform you of the aforementioned aspects. 2.- On March 11, 2020, the claimant filed a new claim against the one claimed since he had received a notice in his email address availability of electronic invoice from the claimed company, which constitutes a recurrence of the facts sanctioned in the procedure sanctioner PS / 00186/20, processed by this Agency against the claimed party. Based on the above, the sanctioning procedure was opened by this Agency PS / 00186/2020, and the Director of the Spanish Agency for Data Protection, issued the August 31, 2020, resolution of said procedure, its notification being the same day, same month and year, for violation of article 6.1. of the RGPD typified in the Article 83.5.a) of the aforementioned RGPD. Thus, the claimant has received a new email from the one claimed on September 8, 2020. Subsequently, on November 16, 2020, the claimant provides new emails sent by the claimed, showing that the fact continues occurring. “Attach New Vodafone invoice available 1 message email@example.com September 28, 2020, 5:08 PM To: *** EMAIL.1 Dear customer: You already have your electronic invoice available for this month dated payment 09/30/2020. You can check or download the PDF from My Vodafone or directly from your Smartphone with the My Vodafone App. New Vodafone invoice available 1 message firstname.lastname@example.org 28 October 2020, 2:28 PM To: *** EMAIL. 1. Dear customer: You already have your C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/14 electronic invoice for this month with payment date 10/30/2020. You can consult or download the PDF from My Vodafone or directly from your Smartphone with the App My Vodafone. Greetings Vodafone ”. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II The claimed facts are specified in the treatment of the data of the claimant by the claimed without their consent, or any other cause legitimizing said treatment, by sending emails to your personal account. Said treatment could be constitutive of an infringement of article 6, Lawfulness of the treatment, of the RGPD that establishes that: "1. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/14 b) the treatment is necessary for the performance of a contract in which the interested is part or for the application at the request of this of measures pre-contractual; (…) " In article 4 of the RGPD, Definitions, in its section 11, it states that: "11)" consent of the interested party ": any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that they concern him ”. Also article 6, Treatment based on the consent of the affected, of the new Organic Law 3/2018, of December 5, on Data Protection Personal and guarantee of digital rights (hereinafter LOPDGDD), states what: "1. In accordance with the provisions of article 4.11 of the Regulation (EU) 2016/679, the consent of the affected party is understood to be any manifestation of will free, specific, informed and unequivocal for which it accepts, either through a declaration or a clear affirmative action, the processing of personal data that concern. 2. When the data processing is intended to be based on consent of the affected party for a plurality of purposes, it will be necessary to record in a specific and unequivocal that said consent is granted for all of them. 3. The execution of the contract may not be subject to the consent of the affected party processing of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/14 Article 83.5 a) of the RGPD, considers that the infringement of “the principles basic for the treatment, including the conditions for consent in accordance with of articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the mentioned Article 83 of the aforementioned Regulation, “with administrative fines of € 20,000,000 maximum or, in the case of a company, of an equivalent amount at a maximum of 4% of the total global annual turnover of the financial year above, opting for the highest amount ”. On the other hand, the LOPDGDD for the purposes of prescription states in its article 72: “Violations considered very serious: 1. In accordance with the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in in particular, the following: (…) b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. (…) " III The documentation in the file offers clear indications that the claimed violated article 6 of the RGPD, since it processed the personal data of the claimant without having any legitimacy for it, materialized in the referral to your email address communications with origin in "email@example.com" and whose subject is "you already have your Electronic bill". C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/14 Likewise, after the evidence obtained, it appears that at first the claimant denounced the processing of their data after a request for suppression. The claimant provided a response from the claimed, within the framework of a claim before SESIAD, in which they stated that the claimant ceased to be a client of the company (does not maintain any active service in Vodafone, or amounts pending payment) and the last invoice issued in your name was dated May 15 2017. However, the claimant continued to receive invoice notices in the last months of 2018, 2019 and 2020, exactly the same as those claimed in this instead of dates September 8, 28 and October 28, 2020. In the sanctioning procedure PS / 00278/2019, the claimed said said error, claiming that it was due to a computer error in their systems, the mail The claimant's electronic mail was “hooked” and continued to be recorded in the sending of informative communications regarding electronic invoices issued by Vodafone, but stated that the error had already been solved and due to these facts sanctioned the defendant. It is clear that the date of signature of the Resolution by the Director of the Spanish Agency for Data Protection was on January 13, 2020 and The date of notification to the party of the respondent took place on January 16, 2020. On March 11, 2020, the claimant filed a new claim against the claimed since he had received a notice of availability of electronic invoice from the claimed company, which constitutes a recurrence of the facts sanctioned in the procedure sanctioner PS / 00186/20, processed by this Agency against the claimed party. Based on the above, the sanctioning procedure was opened by this Agency PS / 00186/2020, and the Director of the Spanish Agency for Data Protection, issued the August 31, 2020, resolution of said procedure, its notification being the same day, same month and year, for violation of article 6.1. of the RGPD typified in the Article 83.5.a) of the aforementioned RGPD. Well, the claimant has once again stated that he continues to receive emails electronic, despite resolutions PS / 00278/2019 and PS / 00186/2020. It is clear that the claimant has again received on September 8, 28 and 28 October 2020 in your email address a notice of availability of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/14 electronic invoice from the claimed company, which constitutes a recidivism of the sanctioned acts in the sanctioning procedures PS / 00278/2019 and PS / 00186/2020, processed in this Agency against said company. Consequently, it has carried out a processing of personal data without has proven that it has the legal authorization to do so. IV In order to establish the administrative fine to be imposed, they must observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which point out: "1. Each supervisory authority shall ensure that the imposition of fines administrative under this article for the infractions of this Regulations indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge of the treatment, taking into account the technical or organizational measures that have applied by virtue of articles 25 and 32; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/14 e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the violation and mitigate the possible adverse effects of the violation; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in Article 58 (2) have been previously ordered against the person in charge or the person in charge in regarding the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the infringement. In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offense. b) The linking of the offender's activity with the performance of treatments of personal data. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the offense. e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/14 g) To have, when not mandatory, a delegate for the protection of data. h) The submission by the person in charge or in charge, with character voluntary, to alternative dispute resolution mechanisms, in those assumptions in which there are controversies between those and any interested party. " In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the fine sanction to impose in the present case on the entity claimed for the offense typified in the Article 83.5.a) of the RGPD for which the claimed person is responsible, in an assessment initial, the following factors are considered concurrent: - In the present case we are facing an unintentional negligent action, but significant (article 83.2 b) - Basic personal identifiers are affected (name, surname, address) (article 83.2 g) -The evident link between the business activity of the claimed and the processing of personal data of clients or third parties (art. 83.2 k in relationship with art. 76. 2 b) of the LOPDGDD. - Any previously committed offense (article 83.2 e). - The serious lack of diligence demonstrated then, after having notified the claimant who attended to his right to object to the processing of his data, proceeded again to send you commercial communications. In accordance with the indicated precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the sanction to be imposed in In the present case, it is considered that the sanction to be imposed should be adjusted according to with the following criteria established in article 76.2 of the LOPDGDD: - The linking of the offender's activity with the performance of treatment of personal data, (section b). The balance of the circumstances contemplated in article 83.2 of the RGPD, with regarding the offense committed by violating the provisions of article 6.1 of the RGPD allows setting a penalty of 200,000 euros (two hundred thousand euros), considered as “very serious”, for the purposes of prescription thereof, in 72.1. of the LOPDGDD. Therefore, based on the foregoing, by the Director of the Agency Spanish Data Protection, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/14 HE REMEMBERS: 1. INITIATE SANCTIONING PROCEDURE for VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of article 6.1. of the RGPD typified in article 83.5.a) of the aforementioned RGPD. 1. APPOINT D. B.B.B. as instructor. and as secretary to Dña. C.C.C., indicated when any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, of Ré- Law of the Public Sector (LRJSP). 1. INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its attached documentation, the documentation of sanctioning procedures PS / 00278/2019 and PS / 00186/2020. 2. THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Administrations Public, the penalty that may correspond would be 200,000 euros (two hundred thousand euros), without prejudice to what results from the instruction. 3. NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting you a hearing period of ten business days so that formulate the allegations and present the evidence it deems appropriate. In your statement of allegations you must provide your NIF and the number of procedure at the top of this document. If within the stipulated period it does not make allegations to this initiation agreement, the same It may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; it which will entail a reduction of 20% of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/14 established at 160,000 euros, resolving the procedure with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 160,000 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the recognition of responsibility, provided that this recognition of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph it may be done at any time prior to the resolution. In In this case, if both reductions should be applied, the amount of the penalty would be set at 120,000 euros. In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts indicated above, 160,000 euros or 120,000 euros, you must make it effective by entering the account number ES00 0000 0000 0000 0000 0000 open to name of the Spanish Data Protection Agency in Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which welcomes. Likewise, you must send proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/14 After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On February 2, 2021, the defendant has proceeded to pay the sanction in the amount of 120,000 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts to which the Initiation Agreement refers. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/14 "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction, but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00430/2020, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 936-031219 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es