AEPD (Spain) - PS/00484/2020

From GDPRhub
(Redirected from AEPD - PS/00484/202)
AEPD - PS/00484/202
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 16.03.2021
Fine: 100000 EUR
Parties: Vodafone España, S.A.U.
National Case Number/Name: PS/00484/202
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) fined Vodafone €100,000 (reduced to €60,000 for voluntary payment and acknowledgement of responsibility) for repeatedly processing of personal data of a data subject that had opposed the processing.

English Summary

Facts

The claimant had been receiving several unsolicited SMS by Vodafone, more worrying because they informed about the creation of invoices of services that they had not contracted. The claimant exercised their right to oppose but continued to receive these messages.

Dispute

Is this a violation of Article 6(1)(a) GDPR?

Holding

The AEPD held that this behaviour was a violation of Article 6(1)(a) GDPR and fined Vodafone €100,000, that were reduced to €60,000 for voluntary payment and acknowledgement of responsibility.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                            1/13











     Procedure No.: PS / 00484/2020

RESOLUTION R / 00198/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTARY


In the sanctioning procedure PS / 00484/2020, instructed by the Spanish Agency for
Data Protection to VODAFONE ESPAÑA, S.A.U., considering the complaint filed
by A.A.A., and based on the following,


                                 BACKGROUND

FIRST: On February 18, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against VODAFONE

SPAIN, S.A.U. (hereinafter, the claimed), through the Agreement that is transcribed:

<<





Procedure Nº: PS / 00484/2020




           AGREEMENT TO START THE SANCTIONING PROCEDURE



Of the actions carried out by the Spanish Agency for Data Protection and in

based on the following:




                                     ACTS



FIRST: Mrs. A.A.A. (hereinafter, the claimant) dated November 10,

2020 filed a claim with the Spanish Data Protection Agency. The
claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (as
successive, the claimed).




The reasons on which the claim is based are the following:





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/13








"After several complaints to you (last resolution with reference number
E / 01699/2019) in which they urged VODAFONE to permanently delete and, after the

which, VODAFONE sent me a letter by certificate and a new confirmation by
email of having proceeded, after an incident, to solve it, I continue to receive SMS

initially accused more than a year ago and I no longer know what to do ... not only
for continuing without the guarantee that my data will be permanently deleted, if not, because
They are SMS in which it is indicated that an invoice is generated in my name and, although

reassure that I have nothing pending, I have no guarantee that this way
It is ... I beg you to take action on your part so that these

SMS. "



And, among other things, it provides the following documentation:

 - Letter from the complained party, dated March 24, 2020 and sent within the framework of the
file E / 01520/2020, in which you are informed that your phone was assigned

incorrectly to another customer, hence the SMS notices I was receiving.
They proceed to correct the incident, and guarantee that you will no longer receive any SMS

plus.



 - Attach two screenshots of your mobile phone, where two notices are displayed,

submitted on May 11 and November 9, 2020.



- Emails addressed to the address *** EMAIL.1 from temalegales@vodafone.es,

on the facts that are the object of this claim.



SECOND: As background to the present sanctioning procedure, it is necessary to

manifest:



1.- The claimant was a client of the defendant years ago. He stated that he received SMS

of the entity notifying about invoices for services not contracted, so it put the
facts made known to the entity requesting clarification and requesting the deletion

of his data and, despite receiving a positive response, he continued to receive the same
SMS. It provided documentation.




2.- The claims filed with this Agency by the claimant were transferred
dated January 9 and May 23, 2019 to the one claimed, giving rise to the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/13








files E / 01699/2019 and E / 06311/2019. This Agency proceeded to

file of the claims for having been attended to them, and therefore the
problems solved.




3.- In a new claim dated November 9, 2019, it stated the
claimant who continued to receive SMS dated October 9, 2020, provided the SMS,

resulted in E / 11566/2019. It was inadmissible for having sent the claimed letter dated
October 30, 2019 to the claimant indicating that the incident was resolved, not
consisting of SMS after said communication.




4.- Thus, in another claim dated December 23, 2019, provide SMS
of December 13, 2019 for which it is transferred to the DPD, giving rise to the

E / 01520/2020. We proceeded to file, since the entity stated that the number
The phone number was associated with another customer and that the incident had been resolved.




5.- Well, the claimant contributes new SMS sent to the mobile, she has received again
two notices on the mobile phone, sent on May 11 and November 9 of the year

2020, showing that the event continues to occur.






                                FOUNDATIONS OF LAW




                                                  I



        By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.




                                                 II






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/13








       The claimed facts are specified in the treatment of the data of the

claimant by the claimed without standing to do so, by sending
SMS to your mobile phone informing you of the generation of invoices in your name and
subsequent emails to your personal Gmail account clarifying the

circumstances in which these SMS shipments have occurred.




       Said treatment could be constitutive of an infringement of article 6, Lawfulness
of the treatment, of the RGPD that establishes that:




       "1. The treatment will only be lawful if at least one of the following is met
terms:




       a) the interested party gave their consent for the processing of their data
personal for one or more specific purposes;


       b) the treatment is necessary for the performance of a contract in which the
interested is part or for the application at the request of this of measures
pre-contractual;




       (…)




       In article 4 of the RGPD, Definitions, in its section 11, it states that:



       "11)" consent of the interested party ": any manifestation of free will,

specific, informed and unequivocal by which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that

they concern him ”.



       Also article 6, Treatment based on the consent of the affected party,

of the new Organic Law 3/2018, of December 5, on Data Protection
Personal and guarantee of digital rights (hereinafter LOPDGDD), states

what:




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/13








        "1. In accordance with the provisions of article 4.11 of the Regulation (EU)
2016/679, the consent of the affected party is understood to be any manifestation of will

free, specific, informed and unequivocal for which it accepts, either through a
declaration or a clear affirmative action, the processing of personal data that

concern.



        2. When the data processing is intended to be based on consent

of the affected party for a plurality of purposes, it will be necessary to record in a
specific and unequivocal that said consent is granted for all of them.




        3. The execution of the contract may not be subject to the consent of the affected party
processing of personal data for purposes that are not related to the
maintenance, development or control of the contractual relationship ”.




        Article 83.5 a) of the RGPD, considers that the infringement of "the principles
basic to the treatment, including the conditions for consent in accordance with

of articles 5, 6, 7 and 9 ”is punishable, in accordance with section 5 of the
mentioned Article 83 of the aforementioned Regulation, “with administrative fines of

€ 20,000,000 maximum or, in the case of a company, of an equivalent amount
at a maximum of 4% of the total global annual turnover for the financial year
above, opting for the one with the highest amount ”.




        On the other hand, the LOPDGDD for the purposes of prescription states in its article 72:
"Violations considered very serious:




        1. In accordance with the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that

suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:




        (…)







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/13








        b) The processing of personal data without the concurrence of any of the
conditions of legality of the treatment established in article 6 of the Regulation

(EU) 2016/679.




        (…) "



                                                III




        The documentation in the file offers clear indications that the
claimed violated article 6 of the RGPD, since it processed the

personal data of the claimant without having any legitimacy to do so,
materialized in that you continue to receive SMS sent to your mobile phone related to
billing, even though you have requested in the past the deletion of your data and the

claimed, guaranteed that similar notices would no longer be received, within the framework of
various claims that he filed with this Agency.




        It is important to highlight that this Agency transferred the
claims made by the claimant to the respondent giving rise to the

files E / 01699/2019, E / 06311/2019, E / 11566/2019 and E / 01520/2020. In all
They stated that the incident was already resolved.




        Thus it appears that, in the framework of file E / 01520/2020, which has led to the
present sanctioning procedure, the claimant provided a response from the claimed
dated March 24, 2020, in which it stated:




        “Through this letter, we want to inform you that we have returned to
review your case, since the incident was already resolved, as you were informed by the

last April 5, 2019.

        On this occasion, we have noticed that his mobile number was associated with
to another Vodafone customer as a contact number, hence the receipt from you

of SMS.

        We inform you that this incident has already been resolved, so that
you will not receive any more notices of invoice availability. "



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/13








        Despite all the above, the claimant continued to receive SMS sent to her
mobile for the claimed. As evidenced by the two screenshots provided by that

of your mobile phone, where two notices are displayed, sent on May 11 and
November 2020 by Vodafone.




        Consequently, it has carried out a processing of personal data without
has proven that it has the legal authorization to do so.




                                                IV




        In order to establish the administrative fine to be imposed, they must
observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which
they point out:




        "1. Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this

Regulations indicated in paragraphs 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.




        2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute title for the measures contemplated

in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:




        a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that

have suffered;

        b) intentionality or negligence in the infringement;

        c) any measure taken by the person in charge or in charge of the treatment

to alleviate the damages suffered by the interested parties;

        d) the degree of responsibility of the person in charge or the person in charge of the
treatment, taking into account the technical or organizational measures that have

applied by virtue of articles 25 and 32;
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/13








        e) any previous infringement committed by the person in charge or the person in charge of the
treatment;


        f) the degree of cooperation with the supervisory authority in order to establish
remedy the violation and mitigate the possible adverse effects of the violation;


        g) the categories of personal data affected by the infringement;

        h) the way in which the supervisory authority learned of the infringement, in
in particular if the person in charge or the person in charge notified the infringement and, if so, in what

measure;

        i) when the measures indicated in article 58, paragraph 2, have been
previously ordered against the person in charge or the person in charge of

regarding the same matter, compliance with said measures;

        j) adherence to codes of conduct under article 40 or to mechanisms
certification approved in accordance with Article 42, and


        k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct or
indirectly, through the infringement.




        In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its

Article 76, “Sanctions and corrective measures”, establishes that:



        "two. In accordance with the provisions of article 83.2.k) of Regulation (EU)

2016/679 may also be taken into account:



        a) The continuing nature of the offense.


        b) The linking of the activity of the offender with the performance of treatments
of personal data.

        c) The benefits obtained as a result of the commission of the offense.


        d) The possibility that the affected person's conduct could have led to the
commission of the offense.

        e) The existence of a merger process by absorption after the commission

of the infringement, which cannot be attributed to the absorbing entity.

        f) Affecting the rights of minors.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/13








        g) Have, when not mandatory, a delegate for the protection of
data.


        h) The submission by the person in charge or in charge, with character
voluntary, to alternative dispute resolution mechanisms, in those

assumptions in which there are controversies between those and any interested party. "


      In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, for the purpose of setting the amount of the fine
impose in the present case on the entity claimed by the offense typified in the
Article 83.5.a) of the RGPD for which the complainant is held responsible, in a
initial assessment, the following factors are considered concurrent:


    -In the present case we are facing a serious negligent action (article 83.2 b).

    -Basic personal identifiers are affected (name, surname,
        mobile phone number) (article 83.2 g).


    -The obvious link between the business activity of the claimed and the
        processing of personal data of clients or third parties (art. 83.2 k in
        relationship with art. 76. 2 b) of the LOPDGDD.

- Any previously committed offense (article 83.2 e).

     - The serious lack of diligence demonstrated then, after having notified the
claimant who attended to his right to object to the processing of his data, proceeded
again to send you commercial communications.


        In accordance with the indicated precepts, and without prejudice to what results from the
instruction of the procedure, in order to fix the amount of the sanction to be imposed in

In this case, it is considered that the sanction to be imposed should be adjusted according to
with the following criteria established in article 76.2 of the LOPDGDD:




    - The linking of the activity of the offender with the performance of treatment of
        personal data, (section b).




    The balance of the circumstances contemplated in article 83.2 of the RGPD, with
regarding the offense committed by violating the provisions of article 6.1 of the
RGPD allows setting a penalty of 100,000 euros (one hundred thousand euros), considered as

"Very serious", for the purposes of prescription of the same, in the 72.1.a of the LOPDGDD.


     Therefore, in accordance with the foregoing, by the Director of the Agency
Spanish Data Protection,



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/13








       HE REMEMBERS:






    1. INITIATE SANCTIONING PROCEDURE for VODAFONE ESPAÑA, S.A.U.,
       with NIF A80907397, for the alleged violation of article 6.1. GDPR

       typified in article 83.5.a) of the aforementioned RGPD.


    1. APPOINT D. B.B.B. as instructor. and as secretary to Dña. C.C.C., indicated
       Whereas any of them may be challenged, if applicable, in accordance with the
       established in articles 23 and 24 of Law 40/2015, of October 1, of Ré-

       Legal Regime of the Public Sector (LRJSP).


    2. INCORPORATE to the sanctioning file, for evidentiary purposes, the
       claim filed by the claimant and its attached documentation, the
       documentation of E / 01699/2019, E / 06311/2019, E / 11566/2019 and

       E / 01520/2020.


    3. THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
       October, of the Common Administrative Procedure of the Administrations

       Public, the corresponding penalty would be 100,000 euros (one hundred thousand
       euros), without prejudice to what results from the instruction.


    4. NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF
       A80907397, granting you a hearing period of ten business days so that

       formulate the allegations and present the evidence that it deems appropriate.
       In your statement of allegations you must provide your NIF and the number of
       procedure at the top of this document.


If within the stipulated period it does not make allegations to this initiation agreement, the same

It may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the

term granted for the formulation of allegations to the present initiation agreement; it
which will entail a reduction of 20% of the penalty to be imposed in

the present procedure. With the application of this reduction, the sanction would be


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/13








established at 80,000 euros, resolving the procedure with the imposition of this
sanction.




In the same way, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the penalty would be set at 80,000 euros and its payment will imply the termination of the

process.



The reduction for the voluntary payment of the penalty is cumulative to the corresponding

apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount

in the preceding paragraph, it may be done at any time prior to the resolution. In
In this case, if both reductions should be applied, the amount of the penalty would be

set at 60,000 euros.



In any case, the effectiveness of either of the two mentioned reductions will be

conditioned to the withdrawal or resignation of any action or remedy in
administrative against the sanction.




In case you choose to proceed to the voluntary payment of any of the amounts

indicated above, 80,000 euros or 60,000 euros, you must make it effective
by entering the account number ES00 0000 0000 0000 0000 0000 open to

name of the Spanish Agency for Data Protection in Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the cause of reduction of the amount to which

welcomes.




Likewise, you must send the proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity
entered.




The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/13








After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.




Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,

There is no administrative appeal against this act.



Mar Spain Martí

Director of the Spanish Agency for Data Protection






>>


SECOND: On March 9, 2021, the defendant has proceeded to pay the
sanction in the amount of 60,000 euros making use of the two planned reductions
in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.


                            FOUNDATIONS OF LAW

                                             I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection

is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the

information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.

                                             II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/13








"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,

except in relation to the replacement of the altered situation or to the determination of the
compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,

20% on the amount of the proposed sanction, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditional on the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.


The percentage of reduction foreseen in this section may be increased
regulations.

In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:


FIRST: DECLARE the termination of procedure PS / 00484/2020, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U ..


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by

the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


                                                                                 936-031219
Mar Spain Martí

Director of the Spanish Agency for Data Protection







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es