AEPD - PS/00436/2019

From GDPRhub
AEPD - PS/00436/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(1) GDPR
Article 83(5) GDPR
Type: Investigation
Outcome: Violation Found
Decided: n/a
Published: 26.03.2020
Fine: 5.000 EUR
Parties: XFERA MÓVILES, S.A.
National Case Number/Name: PS/00436/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: {{{Initial_Contributor}}}

The AEPD fined mobile network operator Xfera Móviles, S.A.U. EUR. 5,000 because it failed to comply with the AEPD's order to provide all necessary information as required in Article 58(1) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

Following a complaint against the mobile network operator Xfera Móviles, S.A.U., the AEPD ordered the controller to provide all information that was necessary for the AEPD to investigate the complaint. The controller did not comply.

Dispute[edit | edit source]

Holding[edit | edit source]

The AEPD considered all aggravating and mitigating circumstances in this particular case and imposed the fine of EUR. 5,000.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00436/2019938-090320PROCEDURE RESOLUTIONof the procedure instructed by the Spanish Data Protection Agency and based on the following FIRST: On September 20, 2018, a document submitted by A.A.A. was entered into this Spanish Data Protection Agency. (hereinafter, the claimant), by which it makes a claim against XFERA MÓVILES, S.A. with ID number A82528548 (hereinafter, the claimed). SECOND: In accordance with the provisions of Article 65 of Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LOPDGDD hereinafter), the claim was transferred to the responsible or the delegate of Data Protection in his case had appointed, requiring him to send this agency the information and documentation requested. THIRD: Once the period of one month had expired, which was given to the respondent to inform the Spanish Data Protection Agency, as indicated in the second precedent, without the respondent providing the pertinent answer, the request for information was repeated, granting an additional period of five days which was not answered. FOURTH: In relation to the investigative actions referred to in code E/00413/2019, the respondent was sent a new request for information, alluding to the complaint mentioned in the first paragraph, so that, within ten working days, he could present the information and documentation indicated in it to this Agency.  The request, which was made in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected by the party responsible on June 28, 2019, as stated in the Notific@ certificate in the file. FIFTH: On November 29, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 58. 1 of the RGPD, typified in Article 83.5 of the RGPD.
2/5 SIXTH: The aforementioned agreement to commence, which was registered on December 2, 2019, with registration number 089439/2019, was not accepted by the party responsible, and it is understood that it was rejected in accordance with the provisions of Article 43.2 of the LPACAP on December 13, 2019, as stated in the Notific@ certificate in the file. According to the provisions of art. 43.3 of the aforementioned LPACAP, "The obligation referred to in article 40.4 will be understood to have been fulfilled by making the notification available at the electronic headquarters of the Administration or body acting or at the single authorized electronic address. "SEVENTH: On February 4, 2020, a proposal for a resolution was formulated, proposing that the Director of the Spanish Data Protection Agency sanction XFERA MÓVILES, S.A., for an infringement of Article 58.1 of the RGPD,typified in Article 83.5 of the RGPD,a fine of 5,000.00  Likewise, the procedure was made clear so that within a period of ten days it could claim whatever it considered in its defense and present the documents and information that it considered pertinent, in accordance with Article 89.2 of the LPACAP. EIGHTH: The proposed resolution, which was registered on February 4, 2020 with registration number 009586/2020, was not taken up by the Responsible Party, and was deemed rejected in accordance with the provisions of Article 43.2 of the LPACAP on February 15, 2020, as stated in the Notific@ certificate in the file. After the ten working days granted in the proposed resolution for the presentation of allegations, the claimant has not presented any allegations. In view of the foregoing, the Spanish Data Protection Agency considers the following to be proven facts in the present proceedings, FIRST: The information requests indicated in the second and fourth antecedents were notified electronically, in accordance with the provisions of Article 43 of the LPACAP. The request made in the context of the file with reference code E/07400/2018, in which the deadline for response was one month.2 The request made within the framework of the investigation actions referred to with code E/00413/2019, in which the term to respond was ten working days. THIRD: The notification of the agreement to initiate the present sanctioning procedure was made electronically through the Notific@ system, not being received by the person responsible and, consequently, being understood as rejected according to the terms of the agreement.
3/5 provided for in art. 43.2 of LPACAP, on December 13, 2019. Fourth: The notification of the proposed resolution was done electronically through the Notific@ system, not being collected by the responsible and understood to be rejected in accordance with the provisions of art. 43.2 of the LPACAP on February 15, 2020. By virtue of the powers that article 58.2 of the RGPD grants to each supervisory authority, and in accordance with the provisions of articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure. With the above-mentioned conduct of the defendant, the power of investigation that Article 58.1 of the RGPD confers on the supervisory authorities, in this case the AEPD, has been obstructed. Therefore, the proven facts are considered to constitute an infringement, attributable to the defendant, for violation of Article 58. 1 of the RGPD, which provides that each supervisory authority shall have, among its powers of investigation: "(a) to order the controller and the processor, and where appropriate the representative of the controller or processor, to supply any information which the controller or processor may require for the performance of his duties; (b) to conduct inquiries in the form of data protection audits; (c) to carry out a review of the certificates issued pursuant to Article 42(7); (d) to notify the controller or processor of alleged infringements of this Regulation; (e) to obtain from the controller and the processor access to all personal data and to all information necessary for the performance of their duties ” IIIThis infringement is defined in Article 83.5(e) of the RGPD, which considers the following to be comotal: "failure to provide access in breach of Article 58(1)". In the same article it is established that this infringement can be sanctioned with a fine of twenty million euros (20,000,000 euros) as a maximum or, in the case of a company, of an amount equivalent to four percent (4%) as a maximum of the total annual business volume of the previous financial year, opting for the higher amount.C/ Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
4/5 For the purposes of the period of limitation of the infringements, the infringement charged shall expire after three years, in accordance with Article 72. 1 of the LOPDGDD, which classifies the following conduct as very serious: "(ñ) Failure to provide the staff of the competent data protection authority with access to personal data, information, premises, equipment and means of processing that are required by the data protection authority for the exercise of its investigative powers. (o) Resistance to or obstruction of the exercise of the inspection function by the competent data protection authority. "IVThe fine that is imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with that established in Article 83.1 of the RGPD. 2 of the RGPD, and with the provisions of article 76 of theLOPDGDD, with respect to paragraph k) of the mentioned article 83.2 RGPD.Consequently, the following facts have been taken into account as aggravating factors:-Art. 83.2 b) RGPD: the intentionality or negligence in the infringement. This is a company that is not newly created and should have procedures established for the fulfilment of the obligations provided for in the data protection regulations, among them, to respond to the requirements of the supervisory authority. k) RGPD: any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.  The complaint refers to the particular case of a person, but the processing of data to which it refers may potentially affect a very large number of customers of the entity responsible or users of the service provided by the entity responsible. Therefore, in accordance with applicable legislation and having assessed the criteria for the downgrading of penalties whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:FIRST: TO IMPOSE XFERA MÓVILES, S.A., with NIF A82528548, for an infringement of Article 58.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 5,000.00 euros (five thousand euros).SECOND: TO NOTIFY this resolution to XFERA MÓVILES, S.A.THIRD: TO WARN the sanctioned party that it must make effective the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the period for payment of volunteers established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in relation to art. 62 of Law 58/2003, of 17 December, by means of its payment, indicating the Tax Identification Number of the sanctioned party and the procedure number that appears in the heading of this document, into account C/Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
5/5restringida nº ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period. Once the notification has been received, and once it has been enforced, if the enforcement date is between the 1st and 15th of each month, inclusive, the deadline for voluntary payment will be the 20th of the following month or the next working month, and if it is between the 16th and last day of each month, inclusive, the deadline for payment will be the 5th of the second following month or the next working month. In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. . 6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46. Finally, it is noted that in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution may be suspended in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. He will also have to send to the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal. If the Agency were not aware of the lodging of the contentious-administrative appeal within the period of two months from the day following the notification of the present resolution, it would terminate the precautionary suspension. Mar España MartíDirector of the Spanish Data Protection Agency