AEPD - PS/00452/2019

From GDPRhub
Revision as of 11:26, 31 July 2020 by Silvialoar (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00452/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 57(1) GDPR
Article 58(2) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: n/a
Fine: 80000 EUR
Parties: AAA
ORANGE ESPAGNE
National Case Number/Name: PS/00452/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: n/a

Spanish DPA holds that a telephone company had breached Article 6 GDPR, by not having deployed the minimum diligence required to verify that the interlocutor was indeed the one he claimed to be, and consequently the consent was not valid.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant reported to the Spanish DPA the use of his personal data for the fraudulent hiring of six telephone lines in his name. The telephone company alleged that the hiring was valid because it had no way of knowing that it had been done by someone else.

Dispute[edit | edit source]

Holding[edit | edit source]

The Spanish DPA found ORANGE guilty of having processed the complainant's data without his consent since diligent compliance with the principle of legality in the processing of third party data requires the data controller to be in a position to prove valid consent.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure instructed by the Spanish Data Protection Agency and
based on the following:
FIRST: D. A.A.A. (hereinafter the Claimant) dated June 16, 2018
filed a complaint with the Spanish Data Protection Agency. The
complaint is directed against ORANGE ESPAGNE, S.A.U., with NIF A82009812 (in
go ahead, the one claimed).
The claimant states that his data has been used for the recruitment
fraudulent telephone lines without your consent with reference to the following
lines: ***PHONE.1, ***PHONE.2, ***PHONE.3, ***PHONE.4
***phone.5 and ***phone.6 and informs of their inclusion in a
Asnef credit information, as a result of various debts reported by the
Orange company.
The claimant provides the following documentation:
- Office of the National Police Corps - Local Commissariat of Merida - dated
11 February 2019 addressed to the Juzgado de Instrucción nº 1 de Mérida
extension of Police Proceedings number ***DILIGENCIAS.1 of
date 6 July 2018, in which the appellant by way of complaint
The handwritten letter brought to the attention of the National Police possible illicit
criminal offences committed against him and his father (B.B.B.).
- Proceedings number ***DILIGENCIAS.2 AT USCUALADA carried out by
the Directorate General of Police -Generalitat of Catalonia- dated 18
September 2018 as a result of the complaint made by
C.C.C. for an alleged crime of fraud by the reported D.D.D.
- Citation in the Procedure: PREVIEWS ***PREVIEWS.1 agreed
by the Examining Court No. 5 of Igualada addressed to the defendant
D.D.D. to give evidence as an investigator.
- Order of the Court of First Instance and Preliminary Investigation No. 1 of Mérida de
Date 18 March 2019, DPA Preliminary Proceedings Abbreviated
***P.A. ordering the search, arrest and provision
D.D.D. judicial
- Six audio files of the recordings corresponding to
contracting different telecommunication services with the operator
ORANGE, by several people with unequal voices, on behalf
of the appellant. In particular, as the latter has explained:
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
2/13
- In the files ***FICHEROS.1 and ***FICHEROS.2, the voice
is from D.D.D., the person denounced by the appellant before the
Merida police.
- In the files ***FICHEROS.3 and ***FICHEROS.4, the voice
is from his father, B.B.B.
- In the files ***FILES.5 and ***FILES.6, the voice
it's from D.D.D.'s son, his name is E.E.E.
SECOND: In view of the facts denounced in the complaint and the
documents provided by the complainant, the Subdirectorate General for the Inspection of
Data proceeded to the realization of previous research actions for the
clarification of the facts in question under the powers of investigation
granted to the inspection authorities in Article 57(1) of the Regulation (EU)
2016/679 (General Data Protection Regulations, hereinafter referred to as GPRD), and
in accordance with the provisions of Title VII, Chapter I, Section Two of the Act
Organic 3/2018 of 5 December on the Protection of Personal Data and Guarantee of
digital rights (hereinafter LOPDGDD).
As a result of the investigation carried out, it was found that
that the person responsible for the processing is the one who is being claimed.
The following points are also noted:
On 9 April 2019, in the context of file E/04416/2018, after
the documentation contained therein was analysed, a decision was taken by the
director of the AEPD, agreeing not to admit the claim.
On the 13th of the same month and year, she filed an optional appeal for reinstatement,
providing new recordings identifying different tones of voice that
point to the impersonation of their identity and abundant documentation regarding the
opening of preliminary proceedings in the Court of Instruction number 5 of Igualada,
resulting in a resolution by the DPSA on 22 November 2019,
agreed on the estimation of the above mentioned replacement resource.
On the other hand, in its reply to this appeal, the defendant states that
Agency, which adopted as a precautionary measure the freezing of recovery actions
of the debt and the exclusion of the data from the file by transferring it to the Analysis Group
of Risks to proceed with its study.
They later stated that after exhaustive study there were indications
enough to determine that the hiring has the appearance of legality.
They also provide copies of contracts and recordings of the hiring of six
phone lines deactivated for non-payment on June 1, 2016 and they have
that the orders for the requested terminals were delivered to the adress of the complainant.
They also state that the debt persists, as does the inclusion of
data of the claimant in the solvency file and in this sense they have sent
communications to the claimant.
THIRD: On December 17, 2019, the Director of the Spanish
of Data Protection agreed to initiate sanctioning proceedings against the respondent, by the
alleged violation of Article 6.1 of the GCPD, as defined in Article 83.5 of the GCPD.,
giving it a period of ten working days to make representations and to propose
evidence that he deemed appropriate.
FOURTH: Once the above mentioned agreement was notified, the defendant requested an extension of
time limit and subsequently submitted a written statement in which, in summary
stated that: 'between the telephone lines concerned by these proceedings, the
corresponding to number ***TELÉFONO.1, is the one whose activation occurred in
The last place, more specifically on February 5th 2015, has been between the
contracting of the services until the opening of the sanctioning procedure the deadline
established by law, which is longer than the three years foreseen for the
prescription of the infringement provided for in the LOPDGDD.
Also in the event that this Agency considers that the time limit for the
The statute of limitations for the infringement starts to run from the moment the
The complainant was aware of the facts that led to his complaint, and it should be pointed out to the
..., that all the bills generated by the services contracted were
paid until June 2015 when they are no longer paid by the claimant. By
Therefore, it is clear that the claimant was aware of the alleged
fraudulent hiring no later than the referenced date.
In fact, even if this Agency considers that we are
to a continuing infringement that is characterized by the fact that the conduct constituting
a single illicit is maintained over a prolonged period of time, this part has
to point out that all the telephone lines under analysis in the present
procedure were deactivated and terminated by 1 June
2016, as can be seen from the CRM screenshots.
They were already provided as documents attached to the supplementary submission,
dated 10 October 2018, recordings with third-party verification and
line activation contracts that reliably prove that this party
had a legitimate basis for processing personal data from the
in accordance with Article 6(1)(b) of the Convention on the Rights of the Child.
RGPD. … .
Therefore, no new relevant documentation has been contributed to the
to justify the change of mind and the consequent favourable decision by the
of this Agency.
The disputed lines are deactivated, the debt is not claimed
payment, and the claimant's data is excluded from the files of
equity solvency.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
4/13
This party therefore considers that the diligence
The Committee is pleased to note that the process of registration of the services contracted has been duly followed, and that the
attended to the claimant in compliance with all the legal guarantees required.
All invoices generated by the contracted services were paid until
in June 2015 they stop paying.
That you have not been notified of the Resolution of non-admission to processing of the claim,
nor the filing by the latter of an Appeal for Replacement and the Decision thereon
in the event of an appeal being granted.
A decision is made to close the file both by the
prescription of such an infringement, as well as for the lack of any such requirement, and
the imposition of any sanction on Orange or alternatively the
concurrence of the cases set out in Article 83.2 of the RGPD and Article
76.2 of the LOPDGDD.
Finally, it is considered as requested and the nullity is declared, and in its absence, the
Annulment of the decision granting the appeal by the
AEPD".
FIFTH: On January 24, 2020, the testing period began,
To consider the complaint as reproduced for evidential purposes
by the claimant and his documentation, the documents obtained and generated that
are part of the file and 2.
allegations to the agreement to initiate PS/00452/2019, submitted by the
denounced.
SIXTH: On February 13, 2020, a motion for resolution was formulated, in the
following terms:
"That by the Director of the Spanish Data Protection Agency
sanction ORANGE ESPAGNE, S.A.U., with NIF A82009812, for an infraction of
Article 6.1 of the GPRS, as defined in Article 83(5)(a) of the GPRS, a fine of
80,000.00 (eighty thousand euros)". 
The proposal was notified to the respondent by electronic means with the date
of acceptance of the notification on 17 February 2020, and within the legal deadline of
ten working days granted to the respondent to make representations and to submit the
relevant documents and information, was submitted in writing requesting an extension
of the original term
SEVENTH: Subsequently, on the 24th of the same month and year, the respondent submitted
two written submissions relating to file number E/08079/2018 and to the present
sanctioning procedure, requesting suspension of the deadline for submitting
arguments on the motion for a resolution until such time as cumulation is agreed
of both procedures and the declaration of the nullity of the same.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
5/13
On 27 February 2020, the investigator of the proceedings refused to grant such
Accumulation.
On March 15, 2020, it filed the contested Appeal against
Such a refusal, leading to a decision by the
director of the AEPD, and agreed to uphold in part the appeal
against the Procedural Instructor's Administrative Act PS/00452/2019, issued
dated 27 February 2020, in the sense of linking file E/08079/2018
to PS/00452/2019.
EIGHTH: On March 9, 2020, you will be able to enter the electronic headquarters of the
AEPD the allegations of the respondent to the motion for resolution in which it requests
the decision to close the file, and reject the
imposition of any sanctions on the respondent for having acted in accordance with
Law in relation to the facts attributed to it.
In the alternative, if the disciplinary proceedings are not closed, the
to appreciate the concurrence of the cases contained in Article 83.2 of the RGPD and of the
Article 76.2 of the LOPGDD.
In defence of its claim, it points out that it is not feasible to collate voices to
confirm whether or not it is the same voice in different hires, since
Such an analysis would be proper of a qualified expertise that would guarantee with
a certain degree of certainty about the result of the analysis.
In addition to the above, the following is provided as
attachment number 1 copy of the delivery notes of the terminals
allegedly acquired by the claimant on different dates from
Orange sale.
It adds that in its written statement of 30 August 2018 and in its written statement of 10
October 2018, stated that the debt generated is certain to be due and payable and in
on this basis communicated the personal data to the files of patrimonial solvency and
which subsequently in its pleading of 28 January 2019 in the
of procedure E/08079/2018, it was stated that the data were excluded
of the claimant communicated to the Asnef file, being able to verify that their data do not
have been reported again to any solvency file
heritage.
In addition, it provides as annexed document No. 1 a certificate of
exclusion from the Asnef file, and as annexed document no. 2 certificate of exclusion from
Badexcug file
NINTH: On October 5, 2018 the claimant filed a new claim
on the same facts, which gave rise to file E/08079/2018.
Consequently, the following shall be linked to the present proceedings
file E/08079/2018.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
6/13
The proceedings in these proceedings have resulted in
The following are accredited:
PROVEN FACTS
FIRST - It is recorded that the claimant's data has been used for the
fraudulent hiring of the following lines: ***PHONE.1, ***PHONE.2
***Phone.3, ***Phone.4, ***Phone.5 and ***Phone.6, and also
The inclusion in the Asnef asset solvency file is recorded. 
SECOND. - Office of the National Police Corps - Local Commissariat of Merida
dated 11 February 2019 addressed to the Juzgado de Instrucción nº 1 de Mérida
extension of Police Proceedings number ***DILIGENCIAS.1 dated 6 July
of 2018, in which the appellant, by means of a handwritten complaint, put
knowledge of the National Police of possible criminal offences committed towards its
person and to his father (B.B.B.).
THIRD - Diligences number ***DILIGENCIAS.2 AT USCUALADA practiced
by the Directorate General of Police -Generalitat of Catalonia- dated 18
September 2018 as a result of the complaint made by C.C.C. by a
alleged crime of fraud by the reported D.D.D.
FOURTH - Citation in the Procedure: PREVIEWS ***PREVIEWS.1
agreed by the Examining Court No. 5 of Igualada addressed to the denounced
D.D.D. to give evidence as an investigator.
FIFTH - Order of the Court of First Instance and Preliminary Investigation No. 1 of Mérida
Date 18 March 2019, DPA Preliminary Proceedings Abbreviated ***P.A. by
that the search for, arrest and bringing to justice of D.D.D. is decreed
SIXTH - Six audio files of the recordings corresponding to the hiring
of various telecommunications services with the operator ORANGE, by
several people with unequal voices, on behalf of the appellant. In particular, according to
has exposed the latter:
In files ***FICHEROS.1 and ***FICHEROS.2, the voice is D.D.D.,
a person reported by the appellant to the police in Merida.
In the files ***FICHEROS.3 and ***FICHEROS.4, the voice is of his father,
B.B.B..
In the files ***FILES.5 and ***FILES.6, the voice is of the son of D.D.D,
his name is E.E.E.
SEVENTH - Reply received by the Respondent on September 9, 2009
2018 from the Respondent stating that they have been able to verify that the
contracts and recordings have the full appearance of legality.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
7/13
LEGAL FOUNDATIONS
I
By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the
authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the
The Director of the Spanish Data Protection Agency is competent to resolve
this procedure.
II
The defendant is charged with an infringement of the
Article 6 of the GPRD, "Lawfulness of processing", which states in paragraph 1 the
cases in which the processing of third party data is considered lawful:
 "1. Processing shall be lawful only if at least one of the following conditions is met
conditions:
(a) the data subject has given his consent to the processing of his data
personal for one or more specific purposes;
(b) processing is necessary for the performance of a contract in which the
interested is a party to or for the application at his request of measures
pre-contractual;
(…)”
The infringement is defined in Article 83.5 of the RGPD, which considers it as such:
“5. Violations of the following provisions shall be sanctioned, in accordance with
with paragraph 2, with administrative fines of up to EUR 20 000 000 or,
in the case of a company, for an amount equivalent to a maximum of 4% of
total annual turnover for the previous financial year, opting for
the largest:
(a) The basic principles for treatment, including the conditions for
consent under Articles 5, 6, 7 and 9.
 The Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements
considered to be very serious," he says:
"1. In accordance with the provisions of Article 83(5) of the Regulation (E.U.)
2016/679 are considered as very serious and will prescribe after three years the infringements that
constitute a substantial infringement of the Articles mentioned in that one and, in
In particular, the following:
 (…)
b) The processing of personal data without any
conditions for the lawfulness of processing laid down in Article 6 of
Regulation (EU)2016/679.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
8/13
III
The documentation in the file provides evidence that the
Article 6.1 of the RGPD, since it dealt with the
personal data of the claimant without having any legitimacy to do so. The
personal data of the claimant were incorporated into the information systems
of the company and inclusion in the Asnef credit information file, without
accredited that he had his consent to the collection and processing
of your personal data, or there is some other cause that makes it lawful to
treatment carried out.
In this regard, it has been possible to verify the existence of contracts and
recordings of the company verifying the telephone contracting process in the
which gives consent for the activation of the lines ***PHONE.5,
***PHONE.1, ***PHONE.2, ***PHONE.4, ***PHONE.3 and
***TELEPHONE.6, giving the same full appearance of legality. Likewise, the
has verified that the bills generated by the services have been paid
13,403.19 is currently pending payment
for invoices issued between 26/06/2015 and 26/07/2016.
Therefore, since no irregularities could be established
in the contracts made that allow this company to catalogue the
controversial contracts as fraudulent, as well as being
Once the police report has been filed, this commercial
is not able to attribute falsehood to the registration of lines where the
the regulatory requirements for recruitment. That said, the debt that currently
maintained in this mercantile is considered certain, expired and enforceable."
 Well, on the part of the respondent, the claim of the
The treatment of the claimants has not been sufficiently proven.
personal data has been carried out in accordance with the above-mentioned precepts
previously; it having been established that Orange has associated the personal data
of the claimant to the discharge of six telephone lines he denies having contracted.
 The Contentious-Administrative Chamber of the National Court, in
The Committee has considered that when the owner of the
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
9/13
The burden of proof lies with the person who claims to have been hired.
existence and the data controller of third parties must collect and
keep the necessary documentation to prove the consent of the owner.
We quote, for all, the SAN of 31/05/2006 (Rec. 539/2004), Fundamento de Derecho
Fourth.
The claimant's personal data were recorded in the files of the
claimed and included in the Asnef credit information file and were treated
for the issuance of invoices for services associated with the claimant. Accordingly,
has processed the personal data without proving that
count the legal entitlement to do so.
However, and this is the essential point, the claimed does not prove the legal standing to
the processing of the claimant's data.
In short, the respondent has not provided any document or evidence
any evidence that the entity, in such a situation, would have deployed the
minimum diligence required to verify that your interlocutor was indeed the one
he claimed to hold.
Respect for the principle of legality which is at the heart of the fundamental right
of personal data protection requires proof that the
The controller took the necessary steps to prove that the
extreme. If this is not done - and if it is not demanded by this Agency, which is responsible for ensuring
for the compliance with the regulations of the data protection law of
personal nature - the result would be to empty the principle of legality of its content.
On the other hand, with regard to the allegations made by the respondent, the
notes first of all that the prescription did not occur since it is recorded in the
files the outstanding debt and Orange took action to recover the
debt and therefore there was data processing, as stated in the claim in its
letter of 9 September 2018.
On the other hand, as recognized by the requested in the drafting of the articles
64.2 first and second paragraphs and 65.1, 2 and 4 of the LOPDGDD is not established from
the obligation to notify the Resolution of non-admission to the
The complaint will not be processed, nor will the resolution of the appeal for reversal be accepted.
It should be noted that the reference made by the respondent to Article 118.1 of the
LPACAP, that "when new facts or documents are to be taken into account, not
in the original file, shall be disclosed to the parties concerned in order to
within a period of not less than ten days and not more than fifteen days, make the allegations and
submit the documents and supporting evidence they deem appropriate'.
 However, the present penalty proceedings do not concern new
facts, are the same. Therefore, the sanctioning procedure has been opened with
all the legal guarantees and therefore there is no place for such a claim.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
10/13
With regard to the merits of the dispute, as indicated by the SAN of 12 May
2014,
"Telephone recording which cannot be validly recorded for the purpose of
unambiguous consent, not only because no reference is made to such consent
but, above all, because such consent in Article 6.1 LOPD must be of the
owner of the personal data and in the present case it is clear that he is not,
since the voice on the recording is male and not female.
On the other hand, and with regard to the alleged existence of
tacit consent as a result of the payment of electricity bills by
part of the complainant. That payment does not mean, as this Chamber has stated in
The Committee is concerned about the conformity of the person concerned with the continued treatment of his or her
personal data by ..."
The lack of diligence displayed by the entity in complying with the
obligations imposed by personal data protection regulations
is therefore obvious. Diligent compliance with the principle of lawfulness of processing
of third party data requires that the data controller be in a position
to prove it (principle of proactive responsibility).
IV
According to the provisions of the RGPD in its Article 83.1 and 83.2, when deciding the
imposition of an administrative fine and its amount in each individual case shall be
taking into account the aggravating and mitigating factors listed in the
and any other that may be applicable to the circumstances of the
case.
 "Each supervisory authority shall ensure that the imposition of the fines
administrative offences under this Article for violations of this
Regulation referred to in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.
 "Administrative fines shall be imposed, depending on the circumstances of
each individual case, in addition to or instead of the measures referred to in
Article 58(2)(a) to (h) and (j) In deciding to impose a fine
and its amount in each individual case will be duly taken into account:
(a) the nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation concerned
as well as the number of stakeholders affected and the level of damage and
damages they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) any action taken by the controller or processor
to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of the
treatment, taking into account any technical or organisational measures
applied under Articles 25 and 32;
(e) any previous offence committed by the person responsible for or in charge of the
treatment;
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
11/13
 (f) the degree of cooperation with the supervisory authority in order to put
remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement,
in particular whether the person responsible or the person in charge notified the infringement and, in such
case, to what extent;
(i) where the measures referred to in Article 58(2) have been
ordered in advance against the person responsible or the person in charge
in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to mechanisms
of certification approved in accordance with Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as the financial benefits obtained or the losses avoided, directly
or indirectly, through the infringement."
With respect to section 83.2 (k) of the RGPD, the LOPDGDD, section 76,
"Sanctions and corrective measures," he says:
 "In accordance with Article 83(2)(k) of Regulation (EU) 2016/679
may also be taken into account:
(a) the continuing nature of the infringement
(b) The link between the activity of the offender and the carrying out of processing operations
personal data.
(c) The profits obtained as a result of the commission of the offence.
(d) the possibility that the conduct of the person concerned might have led to the commission
of the infraction.
(e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the acquiring entity.
(f) Affecting the rights of minors.
g) To have, when it is not compulsory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases where
there are disputes between them and any interested party."
In accordance with the above-mentioned provisions, for the purpose of setting the amount of the
penalty of a fine to be imposed in the present case for the infringement in the
article 83.5.a) of the RGPD for which the Respondent is held responsible, are considered
The following factors are concurrent:
As aggravating criteria:
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
12/13
- In this case we are dealing with an unintentional negligent action, but
identified significant (Article 83(2)(b)).
- Basic personal identifiers are affected (name, a
identification number, the line identifier) (Article 83(2)(g)).
The balance of the circumstances referred to in Article 83(2) of the GPRS, with
with regard to the infringement committed in breach of the provisions of Article 6 thereof, allows for the establishment
a penalty of 80,000 euros (eighty thousand euros), classified as "very serious", to
effects of prescription of the same, in Article 72.1.b) of the LOPDGDD.
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of penalties whose existence has been established,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: To impose on ORANGE ESPAGNE, S.A.U., with NIF A82009812, by a
violation of Article 6.1 of the GCPD, as defined in Article 83.5(a) of the GCPD, a
fine of 80,000.00 euros (eighty thousand euros).
SECOND: NOTICE this resolution to ORANGE ESPAGNE, S.A.U., with
NIF A82009812
THIRD: To warn the sanctioned person that he must make effective the sanction imposed a
once this decision becomes enforceable, in accordance with the provisions of
Article 98(1)(b) of Law 39/2015 of 1 October on Administrative Procedure
Commonwealth of Independent States (hereinafter LPACAP), within the payment period
established in article 68 of the General Regulations on Collection, approved by the
by Royal Decree 939/2005 of 29 July 2005, in relation to Article 62 of Law 58/2003,
December 17, by means of its payment, indicating the tax identification number of the
The procedural steps set out in the heading of this document, in the account
restricted No ES00 0000 0000 0000 0000, open on behalf of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A.. In case
Otherwise, it shall be collected during the enforcement period.
Once the notification has been received and once it has been enforced, if the enforcement date is
The deadline for the submission of the application is between the 1st and the 15th of each month, inclusive.
voluntary payment will be until the 20th of the following month or the next business day, and if
is between the 16th and the last day of each month, inclusive, the
payment will be due by the 5th of the second or immediately following month.
In accordance with the provisions of Article 50 of the LOPDGDD, the
This Resolution shall be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art.
48.6 of the LOPDGDD, and in accordance with Article 123 of the
LPACAP, the interested parties may, on an optional basis, file an appeal for replacement
to the Director of the Spanish Data Protection Agency within a
month from the day following notification of this resolution or directly
contentious-administrative appeal before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
13/13
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of
referred to Law.
Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of the
LPACAP, the final resolution may be suspended in administrative proceedings as a precautionary measure
if the interested party expresses his intention to file an administrative appeal. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Data Protection Agency,
by submitting it through the Agency's Electronic Register
[https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other
registrations provided for in Article 16.4 of the aforementioned Law 39/2015 of 1 October. Also
must send to the Agency the documentation proving the effective intervention
of the contentious-administrative appeal. If the Agency was not aware of the
the lodging of the contentious-administrative appeal within two months of
day following notification of this resolution, would terminate the
precautionary suspension.
Mar Spain Martí
Director of the Spanish Data Protection Agency