AEPD - PS/00450/2019

From GDPRhub
AEPD - PS/00450/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: n/a
Fine: 70.000 EUR
Parties: n/a
National Case Number/Name: PS/00450/2019
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD.es (in ES)
Initial Contributor: Pablo Rossi

AEPD fined telecoms company XFERA MOVILES EUR 70.000 for breaching the principles of integrity and confidentiality (5.1 f GDPR). The claimant's personal data were visualized by a third party due to an error in charging a bill.


English Summary[edit | edit source]

Facts[edit | edit source]

On May 14, 2019, the claimant received a call from a client of XFERA MOBILES. In that call, the client informed the complainant that XFERA MOVILES had charged his bank account with a bill of the claimant, being possible for him to visualize her personal data (name, ID and phone number). AEPD informed XFERA MOBILES about the claim, but did not receive any answer.


Dispute[edit | edit source]

Was the error by the controller in charging a bill, which allowed a third party to visualize the claimant's personal data, an infringement of the principles of integrity and confidentiality?

Holding[edit | edit source]

AEPD considered that the facts reported allow to conclude that the controller was not able to guarantee adequate security in the processing of the complainant's personal data, thus violating Article 5.1 f) of the GDPR (Integrity and confidentiality).

Comment[edit | edit source]

It is remarkable that in this case, the controller has not used the existing mechanisms in the Spanish Law of administrative procedure (accepting its responsibility and payment in advance) to reduce the fine by 40%.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

PS/00450/2019 938-300320
DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure instructed by the Spanish Data Protection Agency and based on the following:
BACKGROUND
FIRST: Mrs. A.A.A. (hereinafter, the complainant) on 14 May 2019 filed a complaint with the Spanish Data Protection Agency. The claim is directed against Xfera Móviles, S.A. with NIF A82528548 (hereinafter, the claimant). 
The claimant states that, on May 14, 2019, she received a call from a Masmovil client who explained that Masmovil had debited her bank account with an invoice, and therefore her personal details were included in the invoice. He added that he had contacted the complainant and she had told him that everything had been caused by an error.
He provides the following documentation: screenshot (relating to the charge made on 10 May 2019) sent by the third party to the complainant.  
In the charge appears the name, surname, ID card and telephone number of the claimant  
SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant and the facts and documents of which this Agency has become aware, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions for the clarification of the facts in question, by virtue of the investigative powers granted to the supervisory authorities in Article 57. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).
As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one claimed.
The party complained of is informed of this complaint on 7 August 2019, requiring it to send this Agency, within a period of one month, information on the response given to the complainant in relation to the exercise of the rights regulated in Articles 15 to 22 of the RGPD, the causes that have led to the incident that has given rise to the complaint and the measures adopted to prevent the similar incidents, implementation dates and checks made to verify their effectiveness.
After the given period, no response has been obtained from the claimed party.
THIRD: On January 24, 2020, having received no information whatsoever on the request made within the framework of the previous actions of investigation by the claimed entity, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against Xfera Móviles, S.A, by virtue of the powers established in Article 58.2 of the RGPD and in Articles 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), for the infringement of Article 5.1 f) of the RGPD, typified in Article 83.5 a) of the RGPD and considered very serious in 72.1.a), for the purposes of prescription, and to order Xfera Móviles S.A. in accordance with the provisions of article 58.2 d) of the RGPD, so that within a period of ten days it proceeds to order the person responsible for or in charge of the processing, that the processing operations comply with the provisions of the RGPD, establishing an initial sanction of 70,000 euros (seventy thousand euros).
FOURTH: The agreement to initiate the sanctioning procedure was sent by electronic notification, Notific@, on 3 February 2020, and expired ten days later. 
FIFTH : Once the agreement to initiate the proceedings has been formally notified, the defendant has not submitted any written allegations at the time of this resolution. Therefore, the provisions of Article 64 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, are applicable, which in section f) establishes that if no allegations are made within the period of time set for the content of the agreement to initiate the proceedings, the latter may be considered a proposal for a resolution when it contains a precise statement of the responsibility attributed, and therefore a resolution is issued.
PROVEN FACTS
FIRST: On 14 May 2019, the complainant received a call from a Masmovil client who told her that Masmovil had charged her bank account with an invoice, and therefore her personal details were included in the invoice.
SECOND: It is recorded in the screenshot file (relating to the charge made on 10 May 2019) sent by the third party to the complainant.  
The position contains the name, surname, ID card and telephone number of the complainant  
C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
3/6
THIRD: On August 7, 2019, the claimant is notified of this claim by means of electronic notification, Notific@, and it is accepted on the 14th of the same month and year, not answering this requirement.
FOURTH: On January 24, 2020, this sanctioning procedure was initiated for the infringement of Article 5.1 f) of the RGPD (integrity and confidentiality), being notified. No written allegations were presented. 
LEGAL GROUNDS 
I
By virtue of the powers that Article 58.2 of the RGPD recognises to each supervisory authority, and as established in Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.
II
Article 4.11 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights, defines the consent of the interested party as "any free, specific, informed and unequivocal expression of will by which the interested party accepts, either by means of a declaration or a clear affirmative action, the processing of personal data concerning him".
In this sense, Article 6.1 of the RGPD establishes that "in accordance with Article 4.11 of Regulation (EU) 2016/679, consent of the data subject means any freely given, specific, informed and unambiguous expression of his/her will by which he/she accepts, whether by statement or by clear affirmative action, the processing of personal data concerning him/her".

On the other hand, Article 5 regulates the principles relating to the processing of personal data, establishing that they must be (a) processed in a lawful, fair and transparent way in relation to the data subject ("lawfulness, fairness and transparency"); (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; according to Article 89(1), further processing of personal data for archiving purposes in the public interest, for the purpose of scientific and historical research or for statistical purposes shall not be considered incompatible with the original purposes ("purpose limitation"); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimization'); (d) accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay ('accuracy');
C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
4/6
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing of the personal data; personal data may be kept for longer periods provided that they are processed solely for archiving purposes in the public interest or for the purposes of scientific or historical research or statistical purposes, in accordance with Article 89(1), without prejudice to the application of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject ('limitation of storage period'); (f) processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, through the implementation of appropriate technical or organisational measures ('integrity and confidentiality').
The controller shall be responsible for compliance with paragraph 1 and shall be able to prove it ("proactive responsibility").
III
It is considered that the facts reported, i.e. the viewing of the claimant's data by an outside third party, make it possible to establish that the claimant has not been able to guarantee adequate security in the processing of the claimant's personal data, thereby violating Article 5.1 f) of the RGPD, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the data controller to demonstrate compliance.
IV
Article 72(1)(a) of the LOPDGDD states that 'in accordance with the provisions of Article 83(5) of Regulation (EU) 2016/679, infringements that substantially infringe the articles mentioned therein, and in particular the following, shall be considered very serious and shall be subject to a three-year limitation period:
(a) Processing of personal data in breach of the principles and guarantees laid down in Article 5 of Regulation (EU) 2016/679
V
Article 58(2) of the GPRS states: 'Each supervisory authority shall have all the following corrective powers
(b) to sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation
(d) to order the controller or processor to comply with the provisions of this Regulation, where appropriate in a particular manner and within a specified time limit;
(i) to impose an administrative fine pursuant to Article 83 in addition to or in addition to
place of the measures referred to in this paragraph, depending on the circumstances
of each individual case;
VI
This offence is punishable by a fine of 20,000,000 euros as
maximum or, in the case of an enterprise, an amount equivalent to 4% as
maximum of the total annual overall turnover of the previous financial year,
opting for the higher amount, in accordance with Article 83.5 of the RGPD.
Likewise, it is considered that the sanction to be imposed should be graduated in accordance with
with the following criteria established by Article 83.2 of the RGPD:
The following are aggravating factors:
In the present case we are dealing with non-intentional negligent action, but
identified significant (Article 83(2)(b))
Basic personal identifiers are affected (name,
surname), in accordance with Article 83(2)(g)
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of penalties whose existence has been established,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: To impose XFERA MÓVILES, S.A., with NIF A82528548, for a
violation of Article 5.1(f) of the GPRS, as defined in Article 83.5 of the GPRS, a
fine of 70,000 euros (seventy thousand euros).
SECOND: ORDER Xfera Móviles, S.A. with NIF A82528548, in accordance with
provided for in Article 58(2)(d) of the GPRS, to proceed within ten days to
order the controller or processor, that the processing operations
treatment are in accordance with the provisions of the RGPD.
THIRD: TO NOTIFY this resolution to XFERA MÓVILES, S.A.
FOURTH: To warn the sanctioned party that he must make effective the sanction imposed a
once this decision becomes enforceable, in accordance with the provisions of
Article 98(1)(b) of Law 39/2015 of 1 October on Administrative Procedure
Commonwealth of Independent States (hereinafter LPACAP), within the time limit for payment
established in Article 68 of the General Regulations on Collection, approved by the
by Royal Decree 939/2005 of 29 July 2005, in relation to Article 62 of Law 58/2003,
December 17, by means of its payment, indicating the tax identification number of the
The procedural steps set out in the heading of this document, in the account
restricted No ES00 0000 0000 0000 0000, open on behalf of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A.. In case
Otherwise, it shall be collected during the enforcement period.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
6/6
Once the notification has been received and once it has been executed, if the execution date is
The deadline for the submission of the application is between the 1st and the 15th of each month, inclusive.
voluntary payment will be until the 20th of the following month or the next business day, and if
is between the 16th and the last day of each month, inclusive, the
payment will be due by the 5th of the second or immediately following month.
In accordance with the provisions of Article 50 of the LOPDGDD, the
This Resolution shall be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art.
48.6 of the LOPDGDD, and in accordance with Article 123 of the
LPACAP, the interested parties may, on an optional basis, file an appeal for replacement
to the Director of the Spanish Data Protection Agency within a
month from the day following notification of this resolution or directly
contentious-administrative appeal before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of
referred to Law.
Finally, it is noted that in accordance with the provisions of Article 90.3 a) of the
LPACAP, the final resolution may be suspended in administrative proceedings as a precautionary measure
if the interested party expresses his intention to file an administrative appeal. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Data Protection Agency,
by submitting it through the Agency's Electronic Register
[https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other
registrations provided for in Article 16.4 of the aforementioned Law 39/2015 of 1 October. Also
must send to the Agency the documentation proving the effective intervention
of the contentious-administrative appeal. If the Agency was not aware of the
the lodging of the contentious-administrative appeal within two months of
day following notification of this resolution, would terminate the
precautionary suspension.
Mar España Martí
Director of the Spanish Data Protection Agency