AEPD (Spain) - EXP202205208

From GDPRhub
AEPD - EXP202205208
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(d) GDPR
Article 5(2) GDPR
art. 8 Ley 25/2007, de 18 de octubre, de conservación de datos relativos a las comunicaciones electrónicas y a las redes públicas de comunicaciones.
Type: Complaint
Outcome: Upheld
Started: 15.04.2022
Decided: 04.04.2025
Published: 17.06.2025
Fine: 70,000 EUR
Parties: XFERA MÓVILES, S.A.
National Case Number/Name: EXP202205208
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ap

The DPA fined a telecommunications company €70,000 for providing inaccurate data in the course of an investigation related to unwanted advertising calls to a data subject.

English Summary

Facts

XFERA MÓVILES, S.A. (also known as Yoigo, the controller) is a telecommunications company. On 15 April 2022, a data subject presented a complaint to the DPA. The data subject received several advertising calls related to the controller’s services despite being included in an Advertising Exclusion List (the Robinson List[1]). During its investigation, the DPA found no contractual relationship between the controller and the owners of the telephone lines from which the calls were made.

The DPA dismissed the case on 22 July 2022 on the basis that it had not found a violation of data protection laws. The data subject filed an internal appeal in August 2022. The DPA carried out an investigation and began a sanctioning procedure for an alleged violation of the principle of data accuracy (Article 5(1)(d) GDPR) in April 2024.

The DPA requested information from the controller on the holders of the phone lines that had called the data subject. After further investigation, the DPA found that the data provided by the controller was not accurate, as the ID documents did not match with information from the Tax Authority (and one of the IDs was proven to be false).

The controller argued that the calls came from prepaid accounts, and therefore it did not have the responsibility to identify them. According to the controller, it only had the obligation to retain data in accordance with obligations under national data retention laws. The controller also argued that the DPA had no competence, as the case related to national data retention laws[2] and not the GDPR. Finally, the controller argued that the DPA’s sanctioning procedure based on data inaccuracy was not related to the complaint regarding unwanted advertising calls.

Holding

The DPA first dismissed the arguments on competence and sanctioning procedure. In terms of competence, the DPA affirmed that the case fell under its competence despite the national data retention law. Under this law, the Secretariat of State for Telecommunications and Digital Infrastructure (SETID) is competent for the failure to maintain a prepaid phone line logbook. However, Article 8 specifies that the quality of data falls under the scope of Spanish data protection law, and that the DPA is the authority responsible for ensuring compliance with data protection requirements. According to the DPA, data accuracy (Article 5(1)(d) GDPR) is directly related to the quality of data.

The DPA cited Supreme Court case law[3] to support the broadening of the case; here, the Court acknowledges the possibility of setting fines for violations found during the DPA’s investigations. This means that the DPA is not strictly bound by the facts of the complaint. By limiting the procedure to the facts of the case, the DPA would fail to fulfill its duty.

The DPA later held the controller responsible for the lack of data accuracy. Under the GDPR, the controller is liable for actions by the processor that violate the GDPR, unless the processor acts as a controller. Furthermore, the principle of accountability (Article 5(2) GDPR) places a proactive obligation on the controller to demonstrate compliance with data protection principles under Article 5(1) GDPR. The DPA analysed the contract between the controller and distributors of its products (processors) and concluded that YOIGO is a controller in accordance with CJEU case law[4] and EDPB Guidelines[5].

The DPA noted that the controller had no measures in place to detect errors or inaccuracies in its data, including measures to ensure that ID numbers correspond to existing IDs. Therefore, the fine imposed on the controller was based on data inaccuracy and the absence of technical and organisational measures.

Finally, the DPA stated that the controller could not be held accountable for the content of the calls with the data subject. However, due to the lack of data accuracy, the DPA was not able to investigate the potential violation of advertising calls without a legitimate basis.

The DPA found a violation of Article 5(1)(d) GDPR, based on the inaccurate information given by the controller during its investigation. The DPA imposed a fine of €70,000, taking into account the fact that the data inaccuracy was an obstacle during its investigations, and the fact that the violation occurred within a framework of data processing activities that the controller carries out on a regular basis.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202205208

SANCTIONING PROCEDURE RESOLUTION

BACKGROUND
FIRST: Complaint filed
SECOND: Transfer of the complaint to the respondent
THIRD: Filing resolution
FOURTH. Appeal for reconsideration
FIFTH: Preliminary investigation actions
SIXTH: Initiation of sanctioning proceedings
SEVENTH: Objections to the initiation agreement
EIGHTH: Proposed resolution
NINTH: Objections to the proposed resolution
TENTH: Turnover

PROVEN FACTS
FIRST
SECOND
THIRD
FOURTH
FIFTH
SIXTH
SEVENTH
EIGHTH

LEGAL GROUNDS
I. Jurisdiction
II. Procedure
III. Preliminary Issues
IV. Arguments of the Respondent
1. Expiration of Proceedings
2. Factual Situation of the Procedure
3. Jurisdiction of the AEPD
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/46

3. Marketing Model for Prepaid Cards Data Controller
4. Inaccuracy of Data
5. Proportionality of the Sanction
V. Proposed Evidence Collection
VI. Obligation. Article 5.1 d) GDPR
VII. Classification and qualification of the infringement
VIII. Sanction
IX. Adoption of measures

RESOLVES:
FIRST:
SECOND:
THIRD:
FOURTH:

RESOLUTION OF THE SANCTIONING PROCEDURE

From the procedure initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: Complaint filed

A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on April 15, 2022. The complaint is directed against XFERA MÓVILES, S.A. with Tax Identification Number (NIF) A82528548 (hereinafter, XFERA).

The complainant files a complaint for receiving commercial calls on his mobile line ***TELÉFONO.1 promoting YOIGO services. He justifies the receiving line's registration on the advertising exclusion list by providing a copy of the Account Verification email received on December 15, 2021, and a screenshot proving the receiving line's registration.

He provides several screenshots of the incoming call log that prove the receipt of the following calls:

- Calls were received from the calling line ***TELÉFONO.2 on April 12, 2022, at 1:53 PM, April 13, 2022, at 5:32 PM, and April 14, 2022, at 5:21 PM.
- Calls were received from the calling line ***TELÉFONO.3 on April 11, 2022, at 5:51 PM.
- Calls were received from the calling line ***TELÉFONO.4 on March 18, 2022, at 6:14 PM and on March 19, 2022, at 5:12 PM and 5:34 PM.

SECOND: Transfer of the complaint to the respondent

In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), on May 6, 2022, this complaint was forwarded to XFERA, so that it could analyze it and inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations.

The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was recorded on May 13, 2023, as recorded in the acknowledgment of receipt included in the file.

On June 14, 2022, this Agency received a response letter indicating, in essence, that XFERA is affiliated with ADigital and performs checks on all its Lista Robinson commercial campaigns. Such filtering with Lista Robinson is also required of all its Telesales distributors who may use proprietary databases outside of XFERA.

It claims to have a tool through which they can obtain information from its systems that would allow them to check whether they have commercially impacted a specific number. The result obtained, XFERA states, in relation to the indicated numbering is that there are no results for calls. This would mean that this numbering has not been included in any telephone marketing action authorized by said operator.

THIRD. Resolution to Close the Case

On July 22, 2022, this Agency issued a resolution to close the case. This was because "After analyzing the reasons presented by the respondent, which are included in the file, it was found that there was no reasonable evidence of the existence of an infringement within the jurisdiction of the Spanish Data Protection Agency, and therefore, the opening of a sanctioning procedure is not appropriate."

FOURTH. Appeal for Reconsideration

On August 3, 2022, the complainant filed an appeal for reconsideration against the aforementioned resolution to close the case. Following the processing of the appropriate procedure, in which the respondent was granted the opportunity to present his or her objections, this Agency issued a resolution granting the appeal and ordering the claim to continue processing. With this, the complaint was deemed admissible for processing.

FIFTH: Preliminary investigative actions
The Subdirectorate General of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in this matter, pursuant to the functions assigned to the supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD (General Data Protection Act), having learned of the following:

The Data Inspection consulted the operator responsible for the three telephone numbers from which the calls were allegedly made:

- Telephone number ***TELÉFONO.4. Current operator: XFERA MÓVILES, S.A. INDIVIDUAL
- Telephone number ***TELÉFONO.3. Current operator: XFERA MÓVILES, S.A. INDIVIDUAL
- Telephone number ***TELÉFONO.2. Current operator: XFERA MÓVILES, S.A. INDIVIDUAL

XFERA was requested to provide information on the owners of the aforementioned lines, and the company provided the following information in its response:

1. Contact and identification details of the owner of the telephone number ***TELÉFONO.4 in March 2022: B.B.B. DNI ***NIF.2
2. Contact and identification details of the owner of the telephone number ***TELÉFONO.3 in April 2022: C.C.C. DNI ***NIF.2
3. Contact and identification details of the owner of the telephone number ***TELÉFONO.2 in April 2022: D.D.D. DNI ***NIF.3

XFERA was again requested to provide information regarding "Whether there was any type of contractual relationship for making commercial telephone calls with the owners of the lines, as well as the contact postal address."

The entity indicated that, in relation to the owners of the indicated numbers and the dates mentioned, there was no contractual relationship for making telephone calls in any of the three cases referenced.

Xfera Móviles only knows the contact postal address of C.C.C., which it has identified as the owner of the telephone line ***TELÉFONO.3.

Therefore, the Inspection requested information from C.C.C. at the address provided. He stated that the line ***TELÉFONO.3 was in his name with the company ***EMPRESA.1, and only during the months of April to June 2022. He also states that, by reviewing the invoices for these months, he has verified that no calls were made to said number from the line ***TELÉFONO.3, and what's more, not a single call was made from that line during the time it was in his name, which, he claims, would make it impossible for the call to have been made. He provides the full invoice for April 2022, which shows no record of any calls made from this number.

He also expressly denies having engaged in making commercial calls without the consent of the person who may have been called, expressing his surprise at this claim.

Regarding the confirmation of the commercial calls, the operator ***COMPANY.2 has been asked to confirm the existence of calls made to the complainant's number (***TELÉFONO.1) from the numbers and on the dates described by the complainant. Calls were received from the numbers ***TELÉFONO.4 on March 18, 2022, at 6:14 PM (rejected), on March 19, 2022, at 5:12 PM (4 seconds) and at 5:34 PM, ***TELÉFONO.3 on April 11, 2022, at 5:51 PM, and ***TELÉFONO.2 on April 12, 2022, at 1:53 PM (7 seconds), on April 13, 2022, at 5:32 PM (6 seconds), and on April 14, 2022, at 5:21 PM. The operator stated that, in relation to the request for calls made from the telephone number ***TELÉFONO.4, given that the calls requested are for a period of more than one year, it is not possible to provide them. This data is stored in the computer system for a limited period of twelve months, according to Law 25/2007 on Data Retention by Electronic Communications Operators.

The Inspectorate requested that the Tax Agency provide the tax addresses of the other two telephone line holders identified by XFERA:

- B.B.B., DNI ***NIF.2
- D.D.D., DNI ***NIF.3

The AEAT responded by providing the following information:


- Tax address of B.B.B. The search in the Tax Agency's system did not yield any results for the indicated DNI ***NIF.2
- Tax address of D.D.D. The Tax Agency has in its database an individual with the indicated DNI ***NIF.3. However, the name and surname of this individual do not correspond to those indicated.

SIXTH: Initiation of sanctioning proceedings

On April 4, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party for the alleged violation of Article 5.1.d) of the GDPR, as defined in Article 83.5 of the GDPR.

SEVENTH: Objections to the Commencement Agreement
After notification of the aforementioned commencement agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the respondent submitted a written statement of objections in which, in summary, it states the following:

LEGAL-FORMAL ARGUMENTS

Expiration of the appeal for reconsideration filed on August 3, 2022. The ruling granting the appeal for reconsideration filed against the ruling that dismissed the claim was issued after the one-month period had elapsed, thus resulting in a violation of Article 25.1 b) of the LPACAP in relation to Article 124.2 of the same law. For this reason, the proceedings should have been closed, with the effects provided for in Article 95 of the LPACAP.

Expiration of the preliminary investigation proceedings. Subsidiarily, it is considered that the deadline provided for in Article 67.2 of the LOPDGDD (Organic Law on the Protection of Personal Data) regarding the duration of the preliminary investigation proceedings has not been respected, since the twelve-month period provided for expired on July 15, 2023. Despite this, no report on the preliminary investigation proceedings was issued until April 1, 2024. Therefore, it is considered that the case should have been declared closed and the proceedings should have been closed, as established in Article 25.1 b) of the LPACAP.

LEGAL AND MATERIAL ALLEGATIONS. Under this heading, the respondent includes various allegations:

Data subject to retention

Conduct attributed to XFERA. A reading of the initiation agreement reveals that the alleged infringing conduct has nothing to do with the commercial calls received by the complainant, but rather with the fact that "inaccurate data" was provided regarding the ownership of the requested telephone lines, resulting in an alleged violation of Article 5.1 d) of the GDPR.

Discrepancy with the facts described in the Agreement. The telephone lines where the discrepancy was detected are prepaid and were marketed under the "Lebara" brand. Since these are prepaid lines, XFERA does not need to know the cardholder/user's identifying information to provide the service, collecting only personal information for the purposes of complying with the Sole Additional Provision of Law 25/2007, of October 18, on the retention of data related to electronic communications.

Lebara is one of the prepaid brands under which the defendant provides telecommunications services. It does not offer "contract" services but rather only "card" services, that is, based on the purchase of prepaid cards and vouchers. Therefore, many of its lines have a very high turnover. This clarification is essential for the present proceedings, because the acquisition of one of these prepaid cards is a legal transaction of sale, with a single transaction, in which a person goes to a point of sale, acquires a card, and uses it until the prepaid balance is used up. Once this balance is exhausted, you can choose to top up the balance (maintaining the number) or purchase a new card. For this reason, the user's identity is irrelevant to Lebara.

Therefore, the only information XFERA manages on customers who purchase Lebara prepaid cards is that provided for in the Sole Additional Provision of Law 25/2007;

According to this Law and the aforementioned Provision: "Mobile telephone service operators that market services with a prepaid card activation system must keep a record book recording the identity of customers who purchase a smart card using this payment method." “Identification will be carried out by means of a document proving the identity, recording in the registry book the name, surname, and nationality of the buyer, as well as the number corresponding to the identification document used and the nature or title of said document.”

Supporting Documentation

It points out the inaccuracy of the AEPD on page 6 of the Agreement, when it states that “in accordance with articles 1, 2, and 3 of Law 25/2007, of October 18, on the conservation of data relating to electronic communications and public communications networks, the operators of these networks and services are obliged to retain ownership data for the telephone lines they assign to their users”; this statement is not true for prepaid SIM card users, such as those at issue in this case: XFERA only knows the identity of the person who purchased the card, and only because it is required to do so by Law 25/2007.

The regulation establishes that "identification will be carried out by means of a document proving identity"; but in no case does it allow or require obtaining and keeping a copy of the buyer's identity document.

The AEPD has also issued a statement in this regard.

Marketing Model

It points out that telecommunications companies do not own the vast majority of the points of sale that sell their products and services. In the case of Lebara, this brand does not even have its own stores. In the case at hand, the prepaid cards corresponding to the ***TELÉFONO.4 and ***TELÉFONO.2 lines were marketed through the platform of the entity Fullcarga Ibérica S.L., (...).

Fullcarga freely markets the cards through its extensive distribution network, made up of a multitude of small businesses. To this end, it is subject to the XFERA Code of Conduct, whose obligations extend to all establishments participating in its network.

The Code of Conduct specifically prohibits, among other actions, "sending the sales form through the tool provided for this purpose with incorrect, false, or incomplete sales data from the end customer" and "obtaining registrations irregularly, impersonating the customer and/or their personal data." Regarding data protection, Fullcarga is responsible for, among other things, the processing of "the sale of SIM cards (including the identification and inclusion of data in the Register Book)" (Annex 4 of the contract).

Upon consultation with my client, Fullcarga confirmed that both sales were made by a merchant affiliated with its network, with whom XFERA has no direct relationship.

This merchant is called E.E.E., with National Identity Document (DNI) ***NIF.4 and domiciled at ***ADDRESS.1.

It considers that XFERA is not responsible for the alleged events. XFERA is not the owner of the points of sale that sell prepaid cards of the brand "Lebara."

In practice, each point of sale is responsible for fulfilling the obligation to collect customer data, in order to comply with the obligation to maintain the registration book provided for in the sole additional provision of Law 25/2007. Since it cannot require customers to provide a copy of their identification document when purchasing a prepaid card, and does not need to process their personal data for any other purpose, XFERA is unable to verify the accuracy of the data collected by points of sale and (therefore) cannot be held liable for any inaccuracies committed by said businesses.
Therefore, it considers that Article 28 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (hereinafter, "LRJSP") has been violated, which establishes that "only natural and legal persons (...) who are found responsible for such acts due to intent or negligence may be sanctioned for acts constituting an administrative infraction."

It emphasizes that, from a contractual perspective, the agreement signed between XFERA and the SIM card marketing platform (Fullcarga) subjected the latter, and its sales network, to a code of conduct in which they were obligated to "take appropriate measures to prevent contract registrations" that included "incorrect, false, or incomplete sales data of the end customer," with high penalties for failure to do so.

Furthermore, it understands that XFERA has implemented various procedures to combat fraud and has provided specific instructions to points of sale on how to collect data from interested parties for inclusion in the registry required by Law 25/2007. To this end, it is developing the controls implemented to detect fraudulent actions or registrations in which the established procedure has not been followed. It therefore understands that if any of these points of sale disregard these instructions, Article 28.10 of the GDPR provides that it will be considered a data controller.

Jurisdiction of the AEPD

It points out a possible violation of the principle of specialization due to the lack of material jurisdiction of the AEPD. In this sense, by retaining the data only in compliance with Law 25/2007, it considers that the specific sanctioning regime provided for in said law would apply in cases where the personal data entered by the operators into the registry book is incorrect or incomplete.

This regulation, in section 5 of its sole additional provision, establishes a sanctioning regime regarding the maintenance of the logbook that pursues the same objective as the principle of accuracy provided for in the GDPR: to ensure that the data contained in the logbook is correct.

It is understood that in this case, there is an apparent conflict between both regulations that must be resolved in favor of the specific regulation (in this case, Law 25/2007) over the general regulation (the GDPR), since the principle invoked requires that the specific regulation be analyzed first and, if the requirements for its application are met, it will have priority over the general regulation. Therefore, the authority to resolve sanctioning procedures arising from the violation of the obligation to properly maintain the registry book in question falls upon the "Secretary of State for Telecommunications and the Information Society," as provided in section 6 of the sole additional provision of Law 25/2007. The resolution of the sanctioning procedure issued by the SETID is provided.

Based on the principle of specialization, this Spanish Data Protection Agency is not competent to sanction XFERA for the existence of inaccuracies in the data kept regarding the purchasers of the SIM cards associated with the numbers ***TELÉFONO.4 and ***TELÉFONO.2, since the SETID is, in application of the sole additional provision of Law 25/2007: a special material rule on the GDPR that necessarily displaces it.

Liability

Furthermore, it considers that Article 4 of the LOPDGDD has been violated since the exemption of the data controller from ensuring the accuracy of the data provided directly by the data subject was intended precisely to prevent the commission of an error by the data subject, when providing their personal data, from resulting in a sanction for the data controller, who merely reflects the information provided to them in their systems.

Reasons for the Initiation Agreement and Proportionality of the Proposed Sanction

Furthermore, the Court considers that the initiation agreement lacks proper reasoning regarding the determination of the facts, as it does not specify the legal criteria on which the breach of the obligations relating to due diligence is based, in order to ensure the accuracy of the data.

Regarding the grading criteria included in the Agreement, the Court considers that, since the data is false and does not correspond to any interested party, the damage suffered by the affected interested parties cannot be taken into account as a criterion for gradation of the fine. It also considers that there is no intention or negligence in the violation, due to the impossibility of verifying the veracity of the data provided by the points of sale.

Likewise, it highlights the grading criteria that have not been taken into consideration: in addition to the lack of actual harm to a data subject and the absence of intentionality or negligence due to their lack of responsibility regarding the conduct of the points of sale, their adherence to the Self-Control Code of Conduct for "Data Processing in Advertising Activities," approved by the AEPD, the lack of benefit derived from the allegedly infringing conduct, and the collaborative spirit demonstrated during the AEPD's investigative actions. In light of these circumstances, it requests a reduction in the severity of the violations and the sanction to be imposed.

In its written statement, the party requests the production of the following evidence:

1. Documentary evidence, consisting of the attachment to the proceedings of the documents provided with this brief;

2. Further documentation, consisting of this worthy Free Agency submitting a letter to the Secretary of State for Telecommunications and Digital Infrastructure, located in Madrid, Cl. Poeta Joan Maragall 41, 7th floor, with the email address [email protected], requesting a copy of the sanctioning file SAN00067/23, within the framework of which the resolution provided as document no. 2 of this statement of allegations was issued;

3. Written testimony, consisting of this worthy Free Agency submitting a letter to Fullcarga Ibérica, S.L., (…), requesting its legal representative to answer the following questions:

a. Were two "Lebara" brand prepaid cards marketed through your IT platform, corresponding to the mobile lines ***TELÉFONO.4 and ***TELÉFONO.2, on February 23, 2022, and March 3, 2022, respectively?

b. If so, can you confirm which specific establishment, among those affiliated with your network, sold the aforementioned prepaid cards?

c. Does Fullcarga provide any instructions to the establishments affiliated with its network on how to complete the details of prepaid mobile phone card acquirers in order to comply with the identification obligations provided for in Law 25/2007, of October 18?

EIGHTH: Proposed Resolution
On January 23, 2025, a proposed resolution was formulated, proposing:

“FIRST That the Presidency of the Spanish Data Protection Agency sanction XFERA MÓVILES, S.A. with NIF A82528548, for a violation of Article 5.1 d) of the GDPR, classified in Article 83.5 of the GDPR, with a fine of ONE HUNDRED THOUSAND EUROS (€100,000).

SECOND That the Presidency of the Spanish Data Protection Agency order XFERA MÓVILES, S.A. with NIF A82528548, pursuant to Article 58.2.d) of the GDPR, within a period of 6 months, to introduce the necessary procedures and mechanisms to verify the accuracy of the data that the operator itself collects at the time of processing registrations and portability.”

NINTH: Objections to the proposed resolution

After notification of the aforementioned proposed resolution in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), and after granting an extension to the deadline for objections at the request of the interested party, objections have been received that, while reiterating previously presented arguments, provide new ones, essentially the following:

- Processing of the appeal for reconsideration: the claim was initially archived and would only have been admitted after the resolution of the appeal for reconsideration filed by the complainant. This would significantly exceed the 3-month deadline for processing under Article 65 of the LOPDGDD.

- The factual situation that gave rise to the sanctioning procedure. The initial complaint referred solely to the receipt of commercial communications, and now the AEPD (Spanish Agency for Data Protection) ignores the reason for the complaint and issues a sanction for inadequacy in the data kept by XFERA.

- The existence of a report from the Ministry of the Interior that, it is alleged, shifts responsibility for identifying prepaid line holders to the owner of the establishment or point of sale. For these purposes, the report would indicate that said establishment would be required to complete the data; the telecommunications operator could not verify its veracity and concluded that "the operator's attitude is satisfactory." This is within the framework of a sanctioning procedure processed by the Secretary of State for Telecommunications and Digital Infrastructure (hereinafter SETID) in relation to non-compliance with Law 25/2007, of October 18.

- Regarding XFERA's liability, Article 4 of the LOPDGDD excludes the data controller from liability in cases where inaccurate data is provided directly by the data subject.

- Regarding the proportionality of the sanction, they consider that the severity of the violation cannot be considered an aggravating factor. The AEPD indicates that the severity stems from the fact that the non-compliance would have prevented determining the authorship of the calls under investigation, when XFERA's obligations do not cover the content of the calls.

- It also disagrees with the consideration of intentionality or negligence as an aggravating factor. Given that throughout its allegations it attempts to demonstrate the absence of negligence, this would be consistent with its argument.

- It considers that the aggravating factor of connection with the routine processing of personal data should refer to the specific case of Law 25/2007, and not to a generic connection with the performance of its ordinary activity.

- Finally, it proposes taking into consideration mitigating factors such as the blocking of the line when it became aware of the fraud, and the lack of processing of special categories;

TENTH: Business Volume
According to the report collected from the AXESOR tool, the entity XFERA MÓVILES, S.A. is a large company, with a turnover of 2,098,178,000 euros in 2023.

In light of all the actions taken by the Spanish Data Protection Agency in this proceeding, the following facts are considered proven:

PROVEN FACTS

FIRST.

On April 15, 2023, A.A.A. filed a complaint with the Spanish Data Protection Agency against XFERA MÓVILES, S.A. with Tax Identification Number (NIF) A82528548 for receiving commercial calls advertising YOIGO services, despite having been included on the Robinson List for advertising exclusion.

Together with the complaint, the complainant provides several screenshots that identify the telephone lines ***TELEPHONE.2, ***TELEPHONE.3 and ***TELEPHONE.4 as those from which the commercial calls complained of were made, as well as information on the dates and times of these calls.

SECOND.

XFERA is the operator that provided service, on the date the calls were made, to the telephone lines from which the calls that are the subject of the complaint were made.

THIRD.

The file, submitted by the respondent, contains a contract for the provision of services for the processing and management of balance top-up requests, dated September 1, 2021, signed between XFERA MÓVILES, S.A.U., (…) and LYCAMOBILE, (jointly referred to as XFERA), and FULLCARGA IBERICA, S.L., (…) (the provider).

Pursuant to this contract, FULLCARGA assumes the role of data processor for the performance of the services entrusted in the aforementioned contract.

FOURTH.
At the request of the AEPD Inspection, XFERA provides the following information on the holders of the aforementioned telephone lines:

- Contact and identification details of the holder of the telephone number ***TELÉFONO.4 in March 2022: B.B.B. DNI ***NIF.2

- Contact and identification details of the phone number holder ***TELÉFONO.3 in April 2022: C.C.C. DNI ***NIF.2

- Contact and identification details of the phone number holder ***TELÉFONO.2 in April 2022: D.D.D. DNI ***NIF.3

FIFTH.

Operator ***COMPANY.2 confirms that the complainant's number received the following calls from the numbers indicated in the complaint:

- From ***TELEPHONE.4, calls were received on March 18, 2022, at 6:14 PM (rejected), on March 19, 2022, at 5:12 PM (4 seconds), and at 5:34 PM.
- From ***TELEPHONE.3 on April 11, 2022, at 5:51 PM.
- From ***TELEPHONE.2 on April 12, 2022, at 1:53 PM (7 seconds), on April 13, 2022, at 5:32 PM (6 seconds), on April 14, 2022, at 5:21 PM.

SIXTH.
There was no contractual relationship between XFERA and the owners of the telephone lines from which the calls in question were made on the dates identified in the claim.

SEVENTH.
According to the information provided by the Tax Agency, a search for the DNI provided by XFERA as corresponding to B.B.B. yields no results.

Furthermore, the DNI that XFERA indicates as corresponding to D.D.D. belongs to another person.

EIGHTH.
The prepaid cards corresponding to the ***TELÉFONO.4 and ***TELÉFONO.2 lines were marketed through the platform of the entity Fullcarga Ibérica S.L., (...) under the contract signed between both parties on September 1, 2021.

LEGAL BASIS

I. Jurisdiction

In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the President of the Spanish Data Protection Agency is competent to resolve this procedure.

II. Procedure

Furthermore, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development, and, insofar as they do not contradict them, in a subsidiary capacity, by the general rules on administrative procedures."

In accordance with Article 64 of the LOPDGDD, and taking into account the characteristics of the alleged violations committed, a sanctioning procedure is initiated.

The procedure will last a maximum of twelve months from the date of the initiation agreement. After this period, the procedure will expire and, consequently, the proceedings will be closed, in accordance with the provisions of Article 64 of the LOPDGDD.

III. Preliminary Questions

According to Article 4.1 of the GDPR, personal data is understood to be any information relating to an identified or identifiable natural person ("the data subject"). An identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Likewise, section 2 of said provision states the following regarding the concept of personal data processing:

any operation or set of operations carried out on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of access, comparison or interconnection, restriction, deletion, or destruction;

In the present case, in accordance with the provisions set forth in the aforementioned precepts and as reflected in the background information and proven facts, there is evidence of processing of personal data, in this case of the telephone lines from which the calls received by the complainant were made, and that such processing is carried out by XFERA in its capacity as operator of the telephone numbers from which the calls subject to the complaint were made, and in its capacity as data controller, given that it determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR: "Controller" or "controller": the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing; if determined by Union or Member State law.

According to the data obtained from AXESOR, XFERA MÓVILES, S.A. is a large company, with a turnover of €2,098,178,000 in 2023.

IV. Arguments of the Respondent

In response to the arguments presented by the respondent entity, both to the initiation agreement and the proposed resolution, the following should be noted:
.1 Expiration of proceedings

In relation to the alleged expiration of the appeal for reconsideration filed on August 3, 2022, the respondent considers that the resolution of the appeal filed by the claimant, once the period provided for in Article 25.1 b) of the LPACAP has elapsed, results in its expiration and, therefore, the proceedings should have been closed.

In this regard, it should be noted that, contrary to what the complainant indicated, this is not a case provided for in Article 25 of the LPACAP (Lack of Express Resolution in Procedures Initiated Ex officio) but rather in Article 24, Section 1, third paragraph, which provides the following:

"Silence will also be dismissive in procedures for challenging acts and provisions and in ex officio review procedures initiated at the request of interested parties. However, when the appeal has been filed against the dismissal of an application due to administrative silence due to the expiration of the deadline, it will be deemed to have been granted if, upon the expiration of the deadline, the competent administrative body has not issued and notified an express resolution, provided that it does not refer to the matters listed in the previous paragraph of this section." (emphasis added)

It should also be noted that the Administration is required to issue an express resolution in accordance with the provisions of Article 21.1 of the same regulation, and in this regard, Section 3. b) of the aforementioned Article 24 states the following:

“3. The obligation to issue an express resolution referred to in the first section of Article 21 shall be subject to the following regime (…):

b) In cases of dismissal due to administrative silence, the express resolution after the deadline has expired shall be adopted by the Administration without any connection to the meaning of the silence.” (emphasis added)

Based on the foregoing, it can be concluded that the processing carried out by this AEPD complies with the provisions of the LPACAP and, therefore, we are not facing a case of expiration of the proceedings, as indicated by the respondent.

Regarding the respondent's claim regarding the expiration of the preliminary investigation procedures, it should be noted that this sanctioning procedure arose from the upholding of the appeal for reconsideration filed by the complainant, by resolution of April 10, 2023, as recorded in the file. Considering that the upholding of this appeal resulted in the execution of preliminary investigations and the subsequent initiation of the present sanctioning procedure, in response to the dismissal of the proceedings initially ordered, it must be considered that this date is the one to be taken as a reference for the beginning of the twelve-month period established in Article 67.2 of the LOPDGDD (Spanish Organic Law on the Protection of Personal Data) - as amended prior to 05/10/2023, applicable to the case at hand.

For these purposes, it is important to note that the claimant in the appeal for reconsideration provided a call list, so this was new documentation that was evaluated by the AEPD. Therefore, the statute of limitations for the preliminary proceedings begins when the appeal is upheld. The documentation was not included in the original complaint. The resolution on the appeal for reconsideration is dated April 10, 2023.

In addition to this argument, it should also be noted that this provision is included in Title VIII of the LOPDGDD (Organic Law on Personal Data Protection), procedures in the event of a possible violation of data protection regulations. In this sense, and as we have said, in contrast to the initially agreed dismissal, the procedure for a possible violation of personal data protection regulations was only initiated after the appeal for reconsideration filed by the complainant was upheld.

Considering the above, and that the agreement to initiate the sanctioning procedure, as recorded in the file, was signed on April 4, 2024, it must be understood that the deadline provided for in Article 67.2 of the LOPDGDD was duly respected.

Regarding the allegation regarding the passage of a period of more than three months from the receipt of the complaint to its admission for processing, it is important to remember that the deadline was exceeded due to the facts indicated by the respondent. Initially, the complaint was dismissed and was only admitted for processing after the resolution of the appeal for reconsideration filed by the complainant. Therefore, said admission for processing was not a consequence of the ordinary processing of the complaint, but rather after the review activity carried out in the processing and resolution of the appeal for reconsideration. In any case, the admission for processing does not in any way prejudge the consideration of a breach that would give rise to the processing of a sanctioning procedure; rather, this procedure was only initiated after the preliminary investigative actions provided for in Article 67 of the LOPDGDD and detailed in the background of this resolution.

.2 Factual circumstances of the procedure

Among the allegations classified as legal and material, the respondent party indicates that the AEPD has modified the factual circumstances of the procedure. Although the complaint was filed regarding the receipt of unsolicited or unconsented commercial calls, the subject of the sanctioning procedure is an alleged inaccuracy of the data retained by XFERA under the obligations of Law 25/2007, of October 18.

Regarding this allegation, the procedure followed was as follows:

- Indeed, the complaint concerns the receipt of commercial calls by the complainant.

- As established by the proven facts, XFERA is the telecommunications operator that owns the lines from which the commercial calls that are the subject of the complaint were allegedly made.

- During the investigation, the Inspection of this AEPD requested XFERA to identify the owners of the telephone lines. This was done in order to determine possible responsibilities for the reported calls.

- XFERA provided this Agency with the identity data stored in its systems.

- As indicated in the proven facts of this resolution, after consulting the AEAT (Spanish Tax Agency), it was concluded that the data was clearly inaccurate. Regarding one of the telephone lines, the DNI provided by XFERA as corresponding to the individual owner of one of the lines "does not provide results." Likewise, the DNI that XFERA indicates as corresponding to another of them corresponds to another person.

There were therefore clear indications that XFERA had breached the principle of accuracy of personal data (Article 5.1.d GDPR), since personal data that did not correspond to its holder were attributed to the telephone line in question. The power to sanction this alleged violation falls to this AEPD, as it constitutes a breach of the GDPR.
In this regard, the Supreme Court's ruling of 11/11/2024 states the following:

“With these clarifications regarding the manner in which the order admitting the appeal formulates the question of cassation interest, the question to be elucidated is actually whether, in the initiation, processing, and resolution of a sanctioning procedure, the Spanish Data Protection Agency is bound, and in what form and degree, by the content of the claim filed with it.

And, having formulated the question in these terms, to answer it we must state the following:

The Spanish Data Protection Agency, in the initiation, processing, and resolution of a sanctioning procedure, may address factual and legal issues related or connected to the facts and arguments set forth in the claim that gave rise to the procedure. And, more specifically, in the course of a sanctioning procedure initiated following one or more claims regarding personal data protection, when the AEPD determines that the individual violations reported have their common origin in a document or instrument of general scope that defines the entity's data protection policy, the AEPD may, and should, make the same document containing the responsible entity's privacy policy the subject of the sanctioning procedure, in order to examine it, detect any shortcomings or deficiencies, and consequently adopt the necessary measures within the sanctioning procedure itself; it is understood that the subject of the file must be informed of all of this, so that during the processing of the procedure, they may have the opportunity to formulate allegations and, where appropriate, propose evidence, without any defenselessness.”

Naturally, the Supreme Court recognizes the possibility of sanctioning violations arising from the issues at issue in the proceedings, without this Agency having to be constrained by the specific narrative of the facts detailed by the complainant. To do otherwise would imply a dereliction of duty in the face of evidence that reveals the possible commission of a violation.

1. Jurisdiction of the AEPD

Separately, the material allegations by the respondent essentially concern the classification of the unlawful conduct allegedly committed, the lack of jurisdiction of the AEPD, and the respondent's responsibility for its commission, given the events that occurred.

Regarding the possible lack of jurisdiction of this Agency, the respondent notes that the sanctioning authority for failure to maintain the prepaid line book/registry, in accordance with Law 25/2007, of October 18, would correspond to the SETID. In this regard, it is worth noting that, according to Article 8 - Data Protection and Security - of said Law:

"2. The obligations relating to measures to guarantee data quality and confidentiality and security in the processing thereof shall be those established in Organic Law 15/1999, of December 13, and its implementing regulations. (...)

4. The Spanish Data Protection Agency is the public authority responsible for ensuring compliance with the provisions of Organic Law 15/1999, of December 13, and the implementing regulations applicable to the data contemplated in this Law."

In this sense, it must be taken into account that data quality is directly related to its accuracy, in the sense that it reflects a real situation. In other words, inaccurate data cannot be assumed to meet the quality requirement.

Furthermore, it is clear from the above provision that the quality of the information must be guaranteed in accordance with the provisions of personal data protection regulations. These regulations must be understood to refer to the GDPR and the LOPDGDD.

Consequently, based on the foregoing, it can be concluded that this obligation (to guarantee the quality of the data processed in compliance with Law 25/2007) corresponds to the principle of data accuracy provided for in Article 5.1 d) of the GDPR, and that its compliance must be guaranteed in accordance with the provisions of the personal data protection regulations currently in force: the GDPR and the LOPDGDD.

Having said that, and given that the AEPD is the competent entity to ensure compliance with personal data protection regulations—as, in addition to the GDPR and the LOPDGDD, Article 8.4 of Law 25/2007 itself expressly states—the allegation regarding material incompetence to resolve the alleged commission of the offense committed by the defendant, the subject of this sanctioning procedure, must be rejected. This obligation derives from Law 25/2007, but with or without an obligation, the personal data processed by a data controller must comply with the GDPR's accuracy principle.

In its arguments regarding the proposed resolution, the respondent emphasizes the possible existence of a "conflict of laws." If it is considered that both the AEPD and the SETID have sanctioning jurisdiction for the same violation, the conflict of laws should be resolved in favor of the latter, based on the principle of specialization.

In this regard, it is not necessary to resort to conflict of laws to resolve the issue. The rationale for imposing sanctions for each of these bodies must be analyzed. Law 25/2007, of October 18, grants the SETID the power to sanction violations such as (sole additional provision, section 5): "Failure to maintain the aforementioned registry book; repeated or systematically incomplete maintenance of said registry book; deliberate failure to transfer and deliver data to the persons and in the cases provided for in this provision; incomplete maintenance of the registry book or failure to transfer and deliver data to the persons and in the cases provided for in this provision."

The purpose of this Law is to ensure that telecommunications operators retain data relating to their customers and subscribers, in case it is necessary to make them available to law enforcement agencies. The legally protected right is public safety, and the SETID is entrusted with ensuring this through its sanctioning powers. To this end, it applies the regime of violations and sanctions provided for in Law 25/2007 itself.

On the contrary, in this case, the AEPD is supervising compliance with the basic principles of the fundamental right to data protection, which corresponds to the data subjects. The truth is that, as explained in this resolution, the principle of accuracy has not been guaranteed by linking names, addresses, telephone numbers, and identification documents that were inaccurate. This resolution sanctions non-compliance with a basic principle of personal data protection, established in Article 5.1.d) of the GDPR, and does not apply the sanctioning regime of Law 25/2007, but rather that of the GDPR itself, supplemented by the provisions of the LOPDGDD.

A different matter is whether, in order to determine the substantive regime applicable to the sector of personal data retention in electronic communications, a sectoral regulation is used, in this case Law 25/2007, just as this Agency does in many other sectors to determine whether there has been any violation of data protection regulations in these sectors.

Furthermore, there is no record, nor has it been alleged by the interested party, that the SETID has opened any disciplinary proceedings for these same events, so that a possible "bis in idem" could be prosecuted (in which, as we have said, it would be deemed that each Administration acts to protect a different legal right).

3. Marketing model for prepaid cards. Data Processor

The defendant points out its lack of liability for the alleged breach, given the conditions under which the telephone cards are sold by the authorized points of sale. It understands that the impossibility of exercising control over the practices carried out by these points of sale and, above all, the impossibility of preventing cases of fraud in the identification of purchasers—and, therefore, in the data collected to comply with Law 25/2007 and fulfill the purposes set forth therein—is the circumstance that means that XFERA cannot be held responsible for the conduct that is the subject of this proceeding.

Certainly, the principle of liability provided for in Article 28 of the LRJSP stipulates that: "Only natural and legal persons may be sanctioned for acts constituting an administrative infraction, as well as, when a law recognizes their capacity to act, groups of affected parties, unions and entities without legal personality, and independent or autonomous assets, who are found liable for such acts based on intent or negligence." However, the method of attributing liability to legal persons does not correspond to the intentional or reckless forms of culpability that are attributable to human conduct. Therefore, in the case of infractions committed by legal persons, although the element of culpability must be present, it is necessarily applied differently than it is to natural persons. According to STC 246/1991, of December 19, Rec 1274/1988, "(...) this distinct construction of the imputability of the authorship of the infringement to the legal entity arises from the very nature of the legal fiction to which these subjects respond. They lack the volitional element in the strict sense, but not the capacity to violate the rules to which they are subject.

The capacity to violate and, therefore, direct blameworthiness derives from the legal asset protected by the rule being violated and the need for such protection to be truly effective and from the risk that, consequently, must be assumed by the legal entity subject to compliance with said rule" (in this regard, STS of November 24, 2011, Rec 258/2009).

To the above, it should be added, following the judgment of January 23, 1998, partially transcribed in the Supreme Court rulings of October 9, 2009, Rec 5285/2005, and of October 23, 2010, Rec 1067/2006, that "although the culpability of the conduct must also be subject to proof, it must be considered, in order to assume the corresponding burden, that the volitional and cognitive elements necessary to assess such conduct ordinarily form part of the proven typical conduct, and that their exclusion requires proof of the absence of such elements, or, in its normative aspect, that the due diligence required by the person claiming their absence has been exercised; in short, invoking the absence of culpability is not sufficient to exonerate a person from typically unlawful conduct."

Finally, it should be noted that the National Court ruling of June 22, 2021, Rec. 1210/2018, when assessing the subjective or culpability element, stated that the plaintiff's culpability cannot be considered excluded or attenuated by the possible fraudulent acts of a third party, since the plaintiff's liability does not arise from the latter's acts, but from its own.

The role of the data processor

The role of the data processor answers the need to address phenomena such as the outsourcing of services by companies and other entities. Therefore, in cases where the data controller entrusts a third party with the provision of a service that requires the data processor to process personal data on its own behalf, the processing or processing operations are carried out by the data processor, in the name and on behalf of the data controller, as if the latter were carrying them out.

Therefore, the existence of a data processor depends on a decision taken by the data controller, who may decide to carry out certain processing operations itself or contract all or part of the processing to a data processor.

That is to say, the data processor, in order to be such, does not have any personal interest in the outcome of the processing entrusted to it, without prejudice to the financial compensation it receives for the service provided, which is what occurs in the present case. Data processors have no personal interest; they act on behalf of and in the name of the controller, carrying out its orders and for its purposes, and this is what determines their status as data processors from the outset.

This determines that the data controller is liable for actions contrary to the GDPR carried out by its data processors, unless the latter acted as actual data controllers, deciding on the purposes and means of the processing, which was not the case in the present case.

Thus, the ECJ ruling of December 5, 2023, in Case C-683/21, regarding the question of whether an administrative fine under Article 83 of the GDPR may be imposed on a controller in relation to processing operations carried out by a processor, determines that,

“83 As regards, secondly, the question of whether an administrative fine under Article 83 of the GDPR may be imposed on a controller in relation to processing operations carried out by a processor, it should be recalled that, according to the definition in Article 4(8) of the GDPR, a processor is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

84 Since, as indicated in paragraph 36 of this judgment, a controller is responsible not only for all processing of personal data carried out by the controller itself, but also for the processing carried out on its behalf, that controller may have an administrative fine imposed on it pursuant to Article 83 of the GDPR in a situation where the personal data are subject to unlawful processing and where it is not the controller, but a processor which it has engaged, who has carried out the processing on its behalf.

85 However, the controller's liability for the
conduct of a processor cannot extend to situations where
the processor has processed personal data for its own purposes
or where it has processed such data in a manner incompatible with the framework or
methods of processing as determined by the controller or in a manner that cannot reasonably be considered
that the controller had given its consent. Indeed, in accordance with Article 28(10), of the GDPR, the data processor must, in this case, be considered a data controller with respect to said processing." (emphasis added)

To the above, we must add the ruling of the National Court of February 8, 2024, rec. 0002250/2021, regarding ***COMPANY.4, which determines that,

“Well, the appellant company is the data controller, as it determines the purpose and means of the processing carried out for the purposes indicated in its Privacy Policy: “At ***COMPANY.5, we process the client or user's data for the provision of the service, as well as for other purposes that the client or user permits or authorizes under the terms stated in this Privacy Policy or in the specific Conditions of each Product or Service ***COMPANY.5 contracted.”

While companies ***COMPANY.6, ***COMPANY.7, and ***COMPANY.8 are considered data processors.

The foregoing is derived from the contracts signed by the plaintiff with the aforementioned companies.

….

Well, it has not been proven that the aforementioned companies, as data processors of the plaintiff, have determined the purposes and means of the processing, nor that they have used the data of the plaintiff's clients for their own purposes, nor that they have interacted with data subjects outside the structure and commercial name of the appellant company; rather, they have acted under the plaintiff's name to fulfill the purposes of the latter, using the latter's systems to carry out transactions with the clients.

Therefore, Article 28.10 of the GDPR cannot be invoked for an alleged attribution of liability to the data processors that, furthermore, implies the exoneration of the data controller, that is, the company herein appellant. Furthermore, according to the aforementioned contracts, a clause is included that passes on to them any possible sanctions that the plaintiff company could suffer for breach of data protection obligations.” (emphasis added)

On the other hand, EDPB Guidelines 7/2020 on the concepts of "controller" and "processor" in the GDPR, version 2.0, adopted on July 7, 2021, determine that,

“30 Following the fact-based approach, the word "determines" means that the entity that actually exercises decisive influence over the purposes and means of the processing is the controller. Typically, the processing contract establishes who is the determining party (the "controller") and who is the party that follows the instructions (the "processor"). Even when the processor offers a service that is predefined in a specific way, it must provide the controller with a detailed description of the service, and the controller must make the final decision on approving how the processing will be carried out and request any changes it deems necessary. Furthermore, the data processor cannot modify, at a later date, the essential elements of the processing without the approval of the controller.

…
39. The question is where the line should be drawn between decisions reserved to the controller and those that can be left to the processor's discretion. It is clear that decisions regarding the purpose of processing must always be made by the controller.

40. Regarding the determination of the means, a distinction must be made between essential and non-essential means. Essential means are traditionally and inherently reserved to the controller. These must necessarily be determined by the controller, although the determination of non-essential means may also be left to the controller. Essential means are means closely linked to the purpose and scope of the processing, such as the type of personal data processed ("what data will be processed?"), the duration of the processing ("how long will it be processed?"), the categories of recipients ("who will have access to the data?"), and the categories of data subjects ("who owns the personal data processed?"). In addition to being related to the purpose of the processing, essential means are closely linked to the question of whether the processing is lawful, necessary, and proportionate. Non-essential means relate to more practical aspects of the processing itself, such as the choice of a particular type of hardware or software or the decision on the details of security measures, which may be left to the data processor.

41. Although decisions regarding non-essential resources may be left to the processor, the controller must still stipulate certain elements in the contract with the processor: for example, in relation to the security requirement, the adoption of all measures required under Article 32 of the GDPR may be ordered. The contract must also establish that the processor will assist the controller in ensuring compliance with, for example, the provisions of Article 32. In any case, the controller remains responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that the processing complies with the Regulation (Article 24). To this end, the controller must take into account the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of natural persons. For this reason, the data controller must have complete information about the means used, enabling them to make an informed decision. To enable the controller to demonstrate the legality of the processing, it is advisable to document, in the contract or other legally binding instrument between the controller and the processor, at least the necessary technical and organizational measures.

…
74. The GDPR establishes specific obligations that are directly binding on data processors, as specified in Section II, Section 1 of these Guidelines. A data processor may be held liable or sanctioned when it fails to comply with these obligations or acts outside or contrary to the lawful instructions of the controller.

…
80 Second, processing must be carried out on behalf of a data controller, but not under its direct authority or control. Acting "on behalf of" someone means serving the interests of another and refers to the legal concept of "delegation." In the case of data protection regulations, the processor's task is to implement the instructions given by the controller, at least with regard to the purposes of the processing and the essential elements of the means. The legitimacy of processing under Article 6 and, where applicable, Article 9 of the Regulation derives from the controller's activity, and the processor must only process the data in accordance with the controller's instructions. However, as previously indicated, the controller's instructions may leave some discretion regarding how to best serve the controller's interests, thereby allowing the processor to choose the most appropriate technical and organizational means.

81. Acting "on behalf of" someone also means that the processor cannot carry out the processing for its own purposes. As stipulated in Article 28(10), a processor infringes the GDPR when it fails to follow the controller's instructions and begins to determine its own purposes and means of processing. In these cases, the data processor will be considered responsible for said processing and may be sanctioned for failing to adhere to the controller's instructions.” (emphasis added)

Based on the above, the file submitted by the respondent includes a contract for the provision of services for processing and managing balance top-up requests, dated September 1, 2021, and signed between XFERA MÓVILES, S.A.U., with CIF A-82528548 and LYCAMOBILE (jointly referred to as XFERA), and FULLCARGA IBERICA, S.L., with CIF B-31867534 (the provider).

This contract specifies that XFERA is an authorized entity for the provision of personal mobile communications services, currently operating under the brands YOIGO, MASMOVIL, LLAMAYA, LEBARA, HITS MOBILE, LYCAMOBILE, and other brands and their distinctive signs (emphasis added).

The aforementioned contract, dated September 2021, is intended to replace the contract previously signed (in October 2019) by both parties, with the aim of establishing the terms and conditions governing THE PROVIDER's provision of:

a) The services of processing and managing balance top-up requests made by prepaid service customers, and
b) The sale of SIM cards at points of sale associated with THE PROVIDER's distribution network.

The third clause of the aforementioned contract, dated September 2021, states the following:

XFERA will supply THE PROVIDER with SIM cards of the following brands for sale in its distribution network: LLAMAYA, LEBARA, and LYCAMOBILE. THE SUPPLIER will acquire said SIM cards in accordance with the economic conditions of acquisition and payment established by XFERA (…)

THE SUPPLIER undertakes to comply with and enforce within its distribution network the code of conduct and marketing conditions of XFERA's trademarks, as detailed in Annex 2, and to ensure that all distributors in said network sign their respective contracts or commercial agreements to respect and follow said code of conduct and marketing conditions. (…)

SIXTH. MARKETING OF TOP-UPS BY THE SUPPLIER

THE SUPPLIER shall only have the right to market and sell the products directly to end consumers, through its own distribution channels.

It shall not be permitted to use the sales channels and points of sale of a third-party network without XFERA's prior written consent, this being considered a very serious breach of contract.

Sales authorizations to sub-distributors will be granted by XFERA, in writing, and are limited to the term of the contract. Under no circumstances will they be automatically extended with the contract extension, but must be explicitly extended in writing with each contract renewal.

THE SUPPLIER must request authorization to carry out top-ups through new web stores to end customers, both directly and through THE SUPPLIER's customers. This type of top-up cannot be carried out without prior, express, and written authorization from XFERA.

Failure to comply with this provision by THE SUPPLIER will be considered a serious breach of contract, sufficient to carry out the effects established in clause eleven of this Contract.

To ensure that the actual sale to retailers is made by THE SUPPLIER, and not a sub-distributor or reseller, XFERA's commercial policy for all its recharging entities requires that the service at the point of sale be unequivocally provided by THE SUPPLIER by complying with each and every one of the following Requirements (…)

ELEVENTH.- PROTECTION OF PERSONAL DATA (…)

In order to provide the Services to XFERA, the SUPPLIER must process personal data for which XFERA is the controller. The SUPPLIER will act in the name and on behalf of the latter, assuming the position of data processor, all in compliance with Article 28 of the General Data Protection Regulation (EU) ("GDPR") and other applicable regulations, as well as in accordance with the provisions of the Data Processing Order Annex attached to this Contract as Annex 4, as an inseparable part of it.

SIXTEENTH.- SUPPLIER CODE OF ETHICS

In order to comply with national, European, and international standards, as well as international conventions and other trade practices, and to ensure adequate corporate responsibility and sustainable development, XFERA requires its suppliers to comply with a group policy of ethical standards and responsible conduct, as well as relevant sustainability requirements. (…)

The SUPPLIER must regularly provide XFERA with information and data related to the SUPPLIER's compliance with the Code and the measures taken to ensure compliance. XFERA will also have the right to conduct audits in accordance with this section to verify the SUPPLIER's compliance with the Code.

The SUPPLIER will promptly inform XFERA of any suspected breach of the Code or any of its annexes.

The SUPPLIER must reflect the content of the Code in its agreements with its subcontractors.

If the SUPPLIER detects a breach of the Code, it must, upon written notification to XFERA, remedy said breach as soon as possible. If said substantial breach is not remedied within thirty (30) calendar days after such notification, the SUPPLIER will be deemed to have breached the Contract, and XFERA will have the right to terminate it in accordance with the provisions set forth therein.

The data processing contract (Annex 4), upon review, states the following:

i. The purpose and nature of the processing order are defined in clause 1 of the Main Agreement, which includes various services provided by the SUPPLIER.

ii. The processing to be carried out by the Processor is to provide the services of processing and managing top-up requests made by Customers of XFERA's prepaid mobile electronic communications service; the marketing of SIM cards (including the identification and inclusion of data in the Register); and the development, maintenance, and management of the Single Sales Portal for XFERA's distribution network.

iii. The personal data processed under the terms of this Agreement will include the identification, contact, and payment data of XFERA customers who top up their accounts, as well as their nationality and ID number, which will be provided upon purchase of the SIM card. The following processing activities will be carried out on this data: collection, recording, structuring, extraction, consultation, communication by transmission, and storage.

Clause 2.1 states the following:

The DATA PROCESSOR will process personal data arising from the provision of the contracted service in accordance with the following obligations:

• Limit itself to performing the actions necessary to provide the DATA CONTROLLER with the contracted service, in accordance with the provisions of the Main Service Contract.

Specifically, the DATA PROCESSOR undertakes to process personal data in accordance with the instructions provided by the DATA CONTROLLER at all times, as well as with the provisions of the applicable personal data protection regulations, including with respect to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law applicable to the DATA PROCESSOR, in which case the DATA PROCESSOR will inform the DATA CONTROLLER of this legal requirement prior to processing, unless such law prohibits it for important reasons of public interest.

Clause 3 - Obligations of the DATA CONTROLLER - states the following:

The DATA CONTROLLER has the following obligations:
(...)

• Ensure, beforehand and throughout the processing, the DATA PROCESSOR'S compliance with the GDPR.

From all of the foregoing, it can be concluded that XFERA had - and should have exercised - supervisory authority over the actions of FULLCARGA and, therefore, over the points authorized by it. To this must be added FULLCARGA's status as data processor with respect to the personal data processed by this entity in accordance with the purposes and means previously identified by the data controller, XFERA.

This implies, a sensu contrario and in accordance with data protection regulations, the aforementioned judgments, and Guidelines 7/2020, that the data controller is responsible for the actions carried out by its data processor unless the latter determines the purposes and means, although this last issue has not been established in the procedure.

Therefore, in accordance with the foregoing, XFERA MÓVILES is the data controller for the processing being carried out. It is the entity that has decided to entrust a data processor to carry it out in its name and on its behalf. It is the entity that has the true capacity to exercise control over the processing of personal data. It determines which personal data will be processed in its name and on its behalf, the reasons for and how they should be processed, as it defines the purpose of the processing of personal data that its activity encompasses and chooses the means it deems appropriate.

And in accordance with all of the aforementioned and for the specific case, XFERA MÓVILES is responsible for the violation of the GDPR even when the contracting of a specific prepaid mobile line was materially carried out through its data processor.

This is directly related to the principle of proactive accountability of the data controller provided for in Article 5.2 of the GDPR, which states that "the controller shall be responsible for compliance with paragraph 1 and able to demonstrate this ("proactive accountability")." This means that the controller must ensure the effective application of the processing principles both when determining the means of processing and during the processing itself, whether it carries out the processing of personal data directly or instructs a data processor to do so on its own behalf (for the purposes of data protection regulations, this is the same thing), through the articulation of a series of technical and organizational measures of all kinds, which must be subject to regular review and update. This implies that the controller assumes its own responsibility by directing, reviewing, and coordinating the processing, including that of the staff and the data processor who provide services to it. Opinion 3/2010 of the Article 29 Working Party (WP29) - WP 173 - issued during the period in which the repealed Directive 95/46/EC was in force, the provisions of which are currently applicable, states that the "essence" of proactive accountability is the controller's obligation to implement measures that, under normal circumstances, ensure compliance with data protection rules in the context of processing operations and to have available documents demonstrating to data subjects and the Authorities what measures have been adopted to achieve compliance with data protection rules. For these purposes, the provisions of Recital 74 of the GDPR are taken into account:

“The controller's liability should be established for any processing of personal data carried out by the controller or on its own behalf. In particular, the controller should be obliged to implement timely and effective measures and must be able to demonstrate the compliance of the processing activities with this Regulation, including the effectiveness of the measures. Such measures should take into account the nature, scope, context, and purposes of the processing, as well as the risk to the rights and freedoms of natural persons.” (emphasis added)

Completing the above and developing Article 5.2 of the GDPR, Articles 24 and 25 of the same legal text must be cited. The latter indicates, with respect to "Data Protection by Design and by Default," that the fundamental right to the protection of personal data is much more than mere technology, as its focus is on the risks to the rights and freedoms of data subjects arising from the processing of personal data,

"1. Taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity that processing entails for the rights and freedoms of natural persons, the data controller shall implement, both when determining the means of processing and at the time of processing, appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement data protection principles, such as data minimization, and integrate the necessary safeguards into the processing to comply with the requirements of this Regulation and protect the rights of data subjects.

2. The data controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each of the specific processing purposes are processed…”

XFERA MÓVILES appears to maintain that the responsibility lies with the data processor with whom it signed a contract and by virtue of which it was obliged to implement organizational security measures appropriate to the risk.
As explained by this Agency in the preceding paragraphs, XFERA is the one who has determined the purposes and means of processing, is the data controller, is responsible for the accuracy of the data retained by the processing actions carried out by its data processor on its behalf, and is subject to the obligations of the GDPR, especially regarding proactive accountability.

This is XFERA's responsibility because it is the data controller and is obliged to integrate and deploy data protection into everything that constitutes its organization, in all its areas of action, whether they affect its employees or its data processors. It must be kept in mind that ultimately, the determining purpose is to guarantee the protection of the data subject, as the focus is on the risks to the rights and freedoms of data subjects arising from the processing of personal data by the data controller.

Consequently, the data controller must carry out an analysis of the risks to the rights and freedoms of natural persons in data processing, implementing appropriate technical and organizational measures to apply the principles of data protection and integrate the necessary safeguards into the processing, in order to comply with the requirements of the GDPR, and must be able to demonstrate that the processing complies with the provisions of the aforementioned regulation. And in light of the principle of proactive accountability (Article 5.2 GDPR), the data controller must be able to demonstrate that it has taken into account all the elements provided for in the GDPR.

The actions it carries out to ensure that its data processor complies with the principles of the GDPR are not limited to merely preventive measures, such as signing the contract, establishing obligations therein, and even issuing instructions. They can and should be complemented by reactive or ex post control measures, such as conducting controls or audits to verify the possible existence of errors or inaccuracies. In this case, these relate to the identification data of prepaid line holders, for which, as stated, XFERA is the data controller.

All of this merely reflects a lack of diligence on the part of the data controller when it comes to ensuring the accuracy of the data being processed. In this regard, it should not be forgotten that the affected database contains the personal data of thousands of customers, processed on a large scale. The law establishes that the data must remain available to law enforcement agencies for criminal investigations, meaning that possible inaccuracies or errors in the data may, in turn, lead to the failure or slowdown of such investigations.

As has been demonstrated and argued throughout this sanctioning procedure, it is considered that XFERA had not implemented adequate measures and controls to ensure the accuracy of the customers' personal data. This meant, in this case, that the AEPD investigation could not be successful because the identity provided did not correspond to the true owners of the prepaid lines.

Furthermore, it constitutes a breach of the obligations imposed by the GDPR. Therefore, it is emphasized that the data controller must establish, in its relationship with the data processor, clear modalities for such assistance and provide precise instructions to the data processor on how to comply with them appropriately, document this beforehand through a contract or another (binding) agreement and also subsequently during its term, and verify at all times during the performance of the contract its compliance in the manner established therein.

In this regard, nothing has been proven, or even provided, in relation to ex-post measures (i.e., after the data has been incorporated by the data processor) aimed at verifying the accuracy or veracity of the data. The only statement in this regard, contained in the allegations to the proposed resolution, is the following:

“Based on the above, it can be concluded that XFERA did exercise control and supervision over the actions of FULLCARGA and the points authorized by it, having controls aimed at ensuring the accuracy of the data collected, without requiring their infallibility."

However, it does not clarify, much less justify, what those controls would be.

In relation to this aspect, it is appropriate to bring up the content of Supreme Court Judgment 1562/2020, of June 15, 2020, Rec. 601/2019, which states the following:

"In this regard, the Supreme Court Judgment of June 5, 2004, which confirmed, in cassation proceedings for the Unification of Doctrine, the Judgment of this National Court of October 16, 2003, echoing the arguments of this Court, refers to the differentiation of two controllers depending on whether the decision-making power is directed to the file or the data processing itself. Thus, the controller of the file is the one who decides the creation of the file and its application, as well as its purpose, content, and use, that is, the one who has the decision-making power over all the data recorded in said file. The data controller, however, is the subject to whom decisions regarding the specific activities of a particular data processing operation can be attributed, that is, regarding a specific application. This would apply to all those cases in which the decision-making power must be distinguished from the actual execution of the activity comprising the processing. With this, as also argued by the Supreme Court of April 26, 2005 (cassation for unification of doctrine 217/2004), the Spanish legislator intends to adapt to the requirements of Directive 95/46/EC, which aims to provide a legal response to the increasingly common phenomenon of the so-called outsourcing of IT services, where multiple operators operate, many of them insolvent, created with the aim of ensuring impunity or irresponsibility for those who follow them in the subsequent links of the chain. Currently, the new Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data (repealing Directive 95/46/EC, and directly applicable from May 25, 2018) also distinguishes between the roles of controller and processor. The former is defined in Article 4(7) as "a natural or legal person (...) who determines the purposes and means of the processing." The latter is defined in Article 4(8) as someone who "processes personal data on behalf of the controller."

This is in conjunction with Articles 24 and 28 of the same European Data Protection Regulation. Data controller and processor who, without a doubt, are also responsible for data protection violations, in this new regulatory framework, in accordance with the provisions of Article 82.2 of Regulation (EU) 2016/679, according to whose wording: Any controller involved in the processing operation shall be liable for the damages caused if said operation does not comply with the provisions of this Regulation. A processor shall only be liable for the damages caused by the processing when it has not complied with the obligations of this Regulation specifically directed to processors or has acted outside or contrary to the lawful instructions of the controller. It follows from all of the above that the presence, in the present case, of a data processor ZZZZ in no way exempts the now appellant entity XXXX from liability, and this is despite the forcefulness of the clauses contained in the contract and annex thereto signed by both companies (proven facts 9 and 10) insofar as the personal data processed was for the purpose of carrying out an advertising campaign for car and motorcycle insurance marketed by (XXXX), ultimately for the benefit of said XXXX, with the plaintiff entity being the one that ultimately determines the purposes and means of the repeated data processing, and therefore cannot be exonerated from liability."

The Supreme Court continues, in relation to the alleged possible exemption from liability regarding the provisions of the "data processor" contract, as follows:

"The sanctioned conduct of obstruction or impediment by XXXX of its client's exercise of the right to object to the processing of their data is evident in that said company did not adopt any type of measure or precaution to prevent the sending of advertising to its client's email addresses by the companies it entrusted with carrying out the advertising campaigns.

The adoption of the necessary measures or precautions to ensure the effectiveness of the right to object to the processing of their data by XXXX, as the data controller, persists even though the advertising campaigns are not carried out using data from its own files, but rather using databases from other companies contracted by XXXX. In this case, it was proven that the appellant did not inform the companies with which it contracted the advertising services of the complainant's objection to receiving advertising from the Mutual Society, nor did it ultimately adopt any provisions to ensure the exclusion of its client from advertising mailings contracted with third-party entities."

With regard to the application of the principle of culpability in the field of sanctioning law regulated by the GDPR, the investigated entity refers to the doctrine established by the CJEU (Court of Justice of the European Union) of December 5, 2023 (Case C-807/21, Deutsche Wohnen SE and Staatsanwaltschaft Berlin).

So, it is worth asking what are the parameters of due diligence that the investigated entity should have observed in relation to the conduct under examination. The answer is that the due diligence it should have observed was that required to comply with the obligations imposed by Articles 5.2, 24, and 25 of the GDPR, in light of the doctrine of the National Court and the jurisprudence of the Supreme Court.

The Supreme Court ruling of October 17, 2007 (rec. 63/2006) is fully applicable to the case. After referring to the fact that entities whose activities involve continuous processing of client and third-party data must observe an adequate level of diligence, it states:

“[...] the Supreme Court has held that negligence exists whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism of the subject must be especially considered, and there is no doubt that, in the case under consideration, when the appellant's activity involves constant and extensive handling of personal data, rigor and exquisite care to comply with the legal provisions in this regard must be emphasized."

Furthermore, the National Court on personal data protection has declared that "simple negligence or failure to comply with the duties that the Law imposes on those responsible for files or data processing to exercise extreme diligence is sufficient..." (Judgment of the National Court of June 29, 2001).

Consequently, the allegations must be dismissed since the entity under investigation has violated the obligations imposed by the GDPR as the controller of the processing carried out on its behalf, in relation to the responsibilities required of all data controllers by Article 24 of the GDPR. The allegations do not distort the essential content of the violation declared to have been committed, nor do they constitute sufficient grounds for justification or exculpation.

In this regard, and specifically in relation to the principle of accuracy, it is also worth remembering that the National Court, in its ruling of March 1, 2024, Rec. 1757/2021, provides that the data controller must verify the accuracy of the data subject's data by implementing appropriate measures when a contract is entered into. Precisely for this reason, it is necessary to ensure that the person making the contract is who they claim to be, and appropriate preventive measures must be adopted to verify the identity of a person whose personal data will be processed. This is the basis for the requirement for identification documentation, as the Court has reiterated in its rulings of October 3, 2013 (Rec. 54/2012), November 21, 2014 (Rec. 45/2014), among others. This obligation is transferable to cases of representation, in which it is necessary to verify not only the data of the interested party but also those of the representative acting on behalf of the represented party and their effective representation.

Consequently, the allegation regarding the lack of culpability of the respondent party in the commission of the alleged infringement is dismissed. Ultimate responsibility for the processing remains with the controller, who is the party responsible for determining the existence of the processing and its purpose. Thus, let us remember that, as a general rule, operators are responsible for the processing of their customers' data. In this regard, XFERA has signed a contract with FULLCARGA, one of whose points of sale sold the telephone cards corresponding to the lines that are the subject of this claim. Compliance with all applicable legal obligations should have been guaranteed in the process, including compliance with the principle of data accuracy provided for in Article 5.1 d) of the GDPR. This lack of adequate mechanisms leads us to similarly reject the claim regarding the lack of direct impact on an identified data subject, as the conduct brought to light reveals a degree of negligence in establishing controls aimed at ensuring the accuracy of the data collected by the respondent. The principle of accuracy was violated; the DNI that XFERA indicates as corresponding to D.D.D. belongs to another person. Therefore, that DNI, which belongs to an identified person, was associated with a first and last name that did not correspond to them and probably with the ownership of a line that was not theirs. The same situation occurred with B.B.B., who was assigned a DNI that not only was not theirs, but, as the Tax Agency report clarifies, does not even exist.

The Ministry of the Interior's report

The respondent cites a report issued by the Ministry of the Interior during the SETID process for alleged non-compliance, also by XFERA MÓVILES, with its data retention obligations under Law 25/2007, of October 18. The report contains statements such as:

- "...the registration book is located on the premises of said point of sale, and the point of sale is responsible for completing it";

- "It is the point of sale's responsibility to visually verify the identification document provided by the contracting party" and

- "(there is no obligation to keep a photocopy of the DNI), the operator can never verify the accuracy of the data provided by the points of sale, so the ultimate responsibility for violations must always fall on said points."

In this regard, we cannot forget that these statements are part of the accusation against XFERA for the alleged violation of its data retention obligations under Law 25/2007. And within this framework, the statements made perfect sense, such as that data collection occurs in person at the retail establishment, that the responsibility for said collection lies with the owner of said establishment, and that the operator cannot verify the veracity of what was transferred.

However, in this sanctioning procedure, we are within the scope of verifying the obligations that the data controller (in this case, XFERA, as argued in the previous section) has as guarantor of the accuracy of the retained data. We insist that this is kept so that, if necessary, it can be made available to law enforcement agencies within criminal investigations for serious crimes.


And for these purposes, while it is true that the data is collected by the data processor (a decision, as also explained above, voluntarily adopted by the data controller, who could also choose to collect said data using its own resources), it is no less true that the data controller is obliged to guarantee compliance with the principle of accuracy. And it has both preventive and reactive means at its disposal to ensure this guarantee is met. This has not been proven in this case.

3. Inaccuracy of the data

Possibility of verification

Regarding the verification of the accuracy of the data, XFERA states that it would be impossible for it to verify the veracity of the data provided. In this regard, it states:

- The data is physically collected by the data controller.

- The data controller is contractually obliged to verify the identity appearing on the identification document and transfer it to the database.

- In accordance with the minimization principle of Article 5.1.c of the GDPR, a copy or image of the identification document cannot be retained.

- The operator has no way of verifying the accuracy of the data.

Based on these premises, XFERA asserts that it would have no means at its disposal to verify the accuracy of the data. On the contrary, the conclusion is that it must simply accept the data uploaded to the database and would not be able to perform any verification.

Even accepting these premises, the results of this Agency's inspection of the Tax Agency's data must be taken into account. Regarding one of the telephone lines, the result was that the DNI provided did not match the first and last name provided. However, regarding the other line, a non-existent DNI number was provided, meaning it did not correspond to any person.

In this regard, it is noted that XFERA did not have any security mechanism in place to prevent non-existent DNI numbers from being accepted. But not only that: as explained in relation to the responsibility of the data processor or controller, no control, audit, sampling, or similar mechanism has been provided that would allow the possible existence of errors or inaccuracies in the data to be detected.

That is, as XFERA acknowledges, its role in this matter, as data controller, was to accept each and every one of the data entered by its data processors, without performing any verification. This is done in the knowledge, as it is also acknowledged, that there may be fraud, impersonation, and even document falsification crimes aimed at registering inaccurate data subjects, which, we also stress, can lead to the failure of criminal investigations.

As indicated above, the only statement contained in the defendant's allegations regarding possible ex post control of the retained data is the following:

"Based on the above, it can be concluded that XFERA did exercise control and supervision over the actions of FULLCARGA and the points authorized by it, with controls aimed at ensuring the accuracy of the data collected, without requiring their infallibility."

However, it does not mention the measures taken to implement this control, nor is it documented.

In this procedure, the penalty is not imposed solely on the mere production of a result, as XFERA claims (this would be a case of strict liability prohibited by our legal system and sanctioning law), but because this result of inaccurate data is preceded by the absence of technical and organizational measures, which in this case constitutes gross negligence in the fulfillment of its obligations as the controller of personal data.

Article 4 of the LOPDGDD

The respondent invokes Article 4 of the LOPDGDD, which establishes that:

“2. For the purposes set forth in Article 5.1.d) of Regulation (EU) 2016/679, the data controller shall not be liable, provided that the data controller has taken all reasonable measures to ensure that the data is deleted or rectified without delay, if the inaccuracy of personal data:

a) Was obtained by the data controller directly from the data subject.”

The data subject asserts that liability is excluded if the person contracting the prepaid line provides false data. First, nothing has been clarified regarding the true origin of the inaccuracy of the data, since the respondent merely repeats that they have no way of verifying the data entered by their data processor.

But, secondly, it cannot be ignored that the first of the reproduced paragraphs contains the clause "provided that it has taken all reasonable measures to ensure that inaccurate personal data are deleted or rectified without delay." And this is the key to this non-compliance: XFERA had not adopted measures to verify the accuracy of the data. To the point that, as has been proven, one of the DNI numbers provided does not even exist.


Instead, XFERA simply states that it must accept the data entered by its data processor as valid, without any possibility of verifying it. And, let us not forget, this retention obligation is intended to ensure that subsequent criminal investigations can be successful.

3. Proportionality of the Sanction

The defendant's arguments disagree with the circumstances of the gradation of the amount taken into account in the proposed resolution. This is true in two respects: first, by rejecting circumstances that would aggravate the amount, and second, by proposing other circumstances that, in its opinion, would mitigate it.

Circumstances taken into account in the proposal and objected to by XFERA.

First, in XFERA's opinion, there is no intentionality or negligence in the infringement, due to its impossibility of verifying the veracity of the data submitted by the points of sale.

In this regard, the opposite of what XFERA indicated can be stated. The procedural instruction has established the lack of real controls in the data processor's activity. The respondent has not provided any control measures beyond the formal establishment of a service contract, in addition to a contract, in which the processor is required to identify prepaid card users, without the information provided being subject to any subsequent verification or control. This has resulted, as stated in the proven facts, according to the information provided by the Tax Agency, in one of the DNI numbers provided by XFERA not corresponding to any individual; in other words, it was a non-existent DNI number. Furthermore, the DNI number indicated as corresponding to one individual actually corresponds to another.

In its allegations to the proposed resolution, the respondent adds that, although the seriousness of the violation is reflected in the difficulties that may arise when identifying the commercial calls alleged by the complainant, it aggravates XFERA's alleged negligence. In this regard, it alleges that XFERA's obligations as a telecommunications operator do not cover the content or purposes that callers may use for their calls, which is why the making of these calls is not attributable or binding on this party at any level. It is clear that XFERA cannot be held responsible for the content of the calls. However, what the proposed resolution emphasizes is that the failure to maintain accurate and correct data meant that this Agency was unable to sanction a potential violation consisting of making commercial calls without a legitimate basis. Thus, it is true that XFERA is not responsible for the content of any call, but it is responsible for the failure to retain adequate and accurate data, which, had it occurred, would have allowed this Agency to determine the party responsible for a possible administrative violation within its jurisdiction. Not to mention that the same would have occurred if the data subject's identity had been requested by a judge to determine possible liability for a criminal offense.

Furthermore, the defendant disagrees with the finding that gross negligence was present. Considering, in XFERA's opinion, that it was unable to verify the veracity of the data provided, this would constitute a case of "strict liability" or liability for the result.

In this regard, having analyzed the existence of a circumstance such as gross negligence as provided for in the proposed resolution, it is clear that the reason for this existence is similar to the main argument used throughout this resolution to allege the violation, that is, the lack of controls over the activity of the data processor and the data resulting from the contracts entered into by the data processor. Thus, the consideration of this circumstance in the grading of the sanction is not sufficiently justified, as it forms part of the substantial motivation for the allegation. Therefore, it is considered that the circumstance of gross negligence should not be applied to this violation, and the amount of the sanction is reduced as detailed in the eighth ground of this resolution.

The complainant also objects to the inclusion of the aggravating circumstance of connection with the routine processing of personal data. It indicates that this aggravating circumstance could not be applied generically, but rather related to the type of processing to which this case refers.

And so it is. Pursuant to the sole additional provision of Law 25/2007, of October 18, operators that sell prepaid telephone cards are obliged to retain the data established in said provision for each and every customer who purchases them. Therefore, this type of processing is part of their routine, daily activity. Every time a contract is signed, the obligation arises, as we say, for all customers. It is difficult to argue that XFERA is a party with respect to whom a "connection with the routine processing of personal data" occurs, a circumstance provided for in Article 76 of the LOPDGDD (Spanish Organic Law on Personal Data Protection).

Circumstances not considered and which, in XFERA's opinion, would mitigate its liability

First, it states that the lack of actual harm to a data subject was not taken into consideration.

In this regard, it should be noted that in this proceeding, the existence of harm to a data subject was not established as an aggravating factor. However, the absence of such harm cannot be considered a mitigating factor. Furthermore, it should be noted that, in the investigation carried out in this proceeding, the lack of accurate data from the respondent prevented the proper investigation of the infringement initially reported.


They claim to have adhered to the Self-Regulation Code of Conduct for "Data Processing in Advertising Activities," approved by the AEPD.

Nor can this circumstance be considered a mitigating factor, since mere formal adherence to the code of conduct has no significance in the case under trial. It should be remembered that the penalty is for the processing of inaccurate data and not for the conduct of advertising activities, even if the initial complaint referred to the latter.

There would be no benefit derived from the allegedly infringing conduct.

The sanctions must be effective, proportionate, and dissuasive in each individual case, in accordance with the provisions of Article 83.1 of the GDPR. Accepting the absence of benefits as a mitigating factor is not only contrary to the factual assumptions contemplated in Article 76.2.c) of the LOPDGDD, but also contrary to the provisions of Article 83.2.k) of the GDPR and the aforementioned principles.

Thus, considering the absence of benefits as a mitigating factor would nullify the deterrent effect of the fine, to the extent that it lessens the effect of the circumstances that actually affect its quantification, giving the person responsible a benefit that they have not deserved. This would be an artificial reduction of the penalty, which could lead to the understanding that violating the rule without obtaining benefits, financial or otherwise, will not produce a negative effect proportional to the seriousness of the offense.

The ruling of the National Court, dated 05/05/2021, rec. 1437/2020 states:
"It also considers that the non-commission of a prior violation should be considered as a mitigating circumstance. However, Article 83.2 of the GDPR establishes that, for the imposition of the administrative fine, circumstance "e)" must be taken into account, among others.

This is an aggravating circumstance; the fact that the grounds for its application are not met means that it cannot be taken into consideration, but it does not imply or allow, as the plaintiff claims, its application as a mitigating circumstance." Applied to the case under trial, the lack of grounds for its application with respect to Article 76.2.c) of the LOPDGDD, that is, obtaining benefits as a result of the violation, does not allow its application as a mitigating circumstance.

Furthermore, the "collaborative spirit" demonstrated during the AEPD's investigative actions is alleged.

The fulfillment of a legal obligation cannot be considered a mitigating factor, since, in accordance with Article 52 of the LOPDGDD (Spanish Data Protection Act), the subjects under investigation must provide the required cooperation during the AEPD inspection.

Therefore, and in light of the foregoing, the allegations presented must be rejected.


Finally, for the same reason (that is, if viewed positively, they would constitute aggravating circumstances, but they are not mitigating circumstances if they are absent), factors such as the following can be dismissed:

- The blocking of the telephone line when the inaccuracy of the data was verified,
- The failure to process special categories of personal data.

I. Proposed Evidence

The following is a response to the evidence proposed by the respondent:

1. Documentary evidence, consisting of the attachment to the proceedings of the documents provided with this document.

It was accepted and attached to the file.

2. Further documentary evidence, consisting of this Agency sending an official letter to the Secretary of State for Telecommunications and Digital Infrastructure, in order to request a copy of the sanctioning file SAN00067/23, within the framework of which the resolution provided with the written allegations was issued;

In this regard, upon analyzing the resolution provided by the respondent, it is observed that it orders the closing of the sanctioning procedure initially opened against XFERA for its alleged failure to comply with the obligations to identify prepaid cardholders in accordance with Law 25/2007.

The filing is based on the report issued by the Ministry of the Interior, which contains statements such as:

"It is the point of sale's responsibility to visually check the accreditation document provided by the person contracting the service before entering said information in the logbook to verify its accuracy."

"This Group is aware that the communications operator has automatic and manual procedures to combat fraud."

In this regard, the proposed practice should be rejected for two reasons: first, because its implementation would not alter the outcome of this case, since it relates to the operator's or distributor's responsibility for compliance with Law 25/2007 itself, and does not address aspects related to data protection and the unique relationship between the controller and the processor, as explained in this resolution.

And second, because, regardless of the above reason, the resolution containing the criteria that it seeks to be applied to this sanctioning procedure is already in the file, provided by the defendant itself.


3. Written testimony, in the form of an official letter from this Agency to FULLCARGA IBÉRICA, S.L., so that its legal representative may answer the following questions:

a. Were two "Lebara" brand prepaid cards marketed through your IT platform, corresponding to the mobile lines ***TELÉFONO.4 and ***TELÉFONO.2, on February 23, 2022, and March 3, 2022, respectively?

b. If so, can you confirm which specific establishment, among those affiliated with your network, sold the aforementioned prepaid cards?

c. Does Fullcarga provide any instructions to the establishments affiliated with its network on how to complete the data of prepaid mobile phone card acquirers in order to comply with the identification obligations provided for in Law 25/2007, of October 18?

This evidence should be rejected, as its implementation would in no way alter the outcome of this sanctioning procedure. Indeed, the proven facts of this proposal already include the customer contracting and identification procedure in this case, through the distributor FULLCARGA IBÉRICA. However, as explained in this proposal, the attribution of the violation, pursuant to the GDPR, falls to the data controller.

II. Obligation. Article 5.1 d) GDPR

Article 5 of the GDPR, Principles relating to processing, provides that

1. Personal data shall be:

d) accurate and, where necessary, kept up-to-date; all reasonable steps shall be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are erased or rectified without delay ("accuracy");

In relation to Article 5.1 d), this provision requires that "reasonable steps be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are erased or rectified without delay." In this regard, the National Court stated in its ruling of February 27, 2008, Appeal 210/2007, "... The principle of truthfulness or accuracy is highly relevant, as it is not only necessary that data be collected for processing in accordance with a series of criteria (principle of proportionality) and that they be used for purposes compatible with those that motivated their collection (principle of purpose), but it also requires that those who collect and process personal data guarantee and protect that the information being processed is not inaccurate and is up-to-date. The failure to comply with or violate the principle of truthfulness may have significant consequences for the data subject..." Likewise, Article 5.1.d) does not require the adoption of disproportionate measures to update the data, but rather reasonable measures, taking into account the available means and the purpose for which the data is collected and used. This is also stated in Recital 39 of the GDPR.


(…) All reasonable measures must be taken to ensure that inaccurate personal data are rectified or deleted. (…)

The SAN (National Court judgment) of March 1, 2024 (RCA 0001757/2021) provides that “In this regard, the STS (Supreme Court judgment) of December 13, 2021 (Rec. 6109/2020) establishes that “(…) said contracting company is required, as necessary diligence so that it cannot be accused of failing to comply with its obligations regarding the protection of personal data—both with regard to the requirement for the data subject's consent and with regard to the principle of truthfulness and accuracy—to implement control and verification measures aimed at ensuring that the person seeking to hire is who they claim to be, that is, that they match the holder of the DNI provided.

Thus, the data controller is required to verify the accuracy of the data subject's data by implementing appropriate measures when a contract is made. Precisely for this reason, it is necessary to ensure that the person hiring is who they claim to be, and appropriate preventive measures must be adopted to verify the identity of a person whose personal data will be processed. This is the basis for the requirement for identification documentation, as the Court has reiterated, among others, in judgments of October 3, 2013 (Rec. 54/2012), November 21, 2014 (Rec. 45/2014), etc.

Therefore, given the circumstances of this sanctioning procedure, it can be stated that the respondent has breached the obligation set forth in the aforementioned Article 5.1 d).

Thus, as confirmed by the proven facts, according to the information provided by the Tax Agency, the search for the DNI provided by XFERA as corresponding to B.B.B. yields no results. Furthermore, the DNI that XFERA indicates as corresponding to D.D.D. belongs to another person.

III. Classification and qualification of the infringement

Based on the available evidence, it is considered that the known facts constitute an infringement, attributable to the respondent, as defined in Article 83.5 of the GDPR, which stipulates the following:

“5. Violations of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of a company, by an amount equivalent to a maximum of 4% of the total annual global turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9;”

For the purposes of the statute of limitations for violations, the alleged violation expires after three years, in accordance with Article 72.a) of the LOPDGDD (Spanish Data Protection Act), which classifies the following conduct as very serious:


“a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679.”

I. Penalty

This violation may be sanctioned with a fine of a maximum of €20 million or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher, in accordance with Article 83.5 of the GDPR.

Likewise, it is considered appropriate to grade the sanction to be imposed according to the following criteria established in Article 83.2 of the GDPR:

a) the nature, severity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered;
b) the intentionality or negligence of the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;
e) any prior infringements committed by the controller or processor;
f) the degree of cooperation with the supervisory authority to remedy the infringement and mitigate the potential adverse effects of the infringement;
g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the breach, in particular whether the controller or processor notified the breach and, if so, to what extent;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and
k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the breach.

In the present case, the following circumstances are considered to be present:

- The nature, severity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages and losses they have suffered [Article 83.2.a) GDPR]. It should be taken into account that the inaccuracy of the data transmitted to the AEPD has hindered the investigation of a possible administrative infringement.


- The connection between the infringer's activity and the processing of personal data (Article 76.2, letter b) of the LOPDGDD): XFERA, as a result of its business activity, routinely and continuously processes the personal data of a large number of data subjects. The provision of electronic communications services to the public is XFERA's main activity and necessarily involves the processing of personal data of the entity's clients (or potential clients), not only with respect to the documentation sent by them through the channels established by the controller, but also for all types of activities. Thus, the violation occurs within the framework of personal data processing that the controller routinely carries out in its business and that is closely linked to it.

As indicated in the Fourth Ground, point 5, of this resolution, the circumstance of gross negligence, which was taken into account in the proposed resolution, is ruled out. Based on this, and considering the circumstances detailed above, it is deemed appropriate to reduce the amount of the fine to SEVENTY THOUSAND EUROS (€70,000).

I. Adoption of Measures

It is agreed that the controller will be required to adopt appropriate measures to align its actions with the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58.2 d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...". The imposition of this measure is compatible with the sanction of an administrative fine, as provided for in Article 83.2 of the GDPR.

Specifically, it is ordered that, within 6 months, XFERA must introduce the necessary procedures and mechanisms to verify the identity of customers who purchase a prepaid card.

It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative violation pursuant to the provisions of the GDPR, classified as a violation in Articles 83.5 and 83.6, and such conduct may lead to the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with applicable legislation and having assessed the criteria for the grading of sanctions whose existence has been proven, the Presidency of the Spanish Data Protection Agency

RESOLVES:


FIRST:
TO IMPOSE on XFERA MÓVILES, S.A.U., with NIF A82528548, for a violation of Article 5.1.d) of the GDPR, as defined in Article 83.5 of the GDPR, a fine of 70,000.00 euros (SEVENTY THOUSAND euros).

SECOND:

ORDER XFERA MÓVILES, S.A.U., with NIF (Tax Identification Number) A82528548, pursuant to Article 58.2.d) of the GDPR, to demonstrate, within 6 months of this resolution becoming final and enforceable, that it has complied with the measures established in the ninth legal ground of this resolution.

THIRD:
NOTIFY this resolution to XFERA MÓVILES, S.A.U.

FOURTH:
This resolution will become enforceable once the deadline for filing an optional appeal for reconsideration expires (one month from the day following notification of this resolution) without the interested party having exercised this right. The sanctioned party is hereby notified that they must pay the imposed sanction once this resolution becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by depositing the fine, indicating the sanctioned party's NIF (Tax Identification Number) and the procedure number shown in the heading of this document, into the restricted account IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A. Otherwise, collection will be carried out during the enforcement period.

Once the notification has been received and the resolution has become enforceable, if the date on which it becomes enforceable falls between the 1st and 15th of the month, inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the next business day after, and if it falls between the 16th and the last day of the month, inclusive, the payment deadline will be the 5th of the second following month or the next business day after.

In accordance with the provisions of Article 50 of the LOPDGDD (Spanish Organic Law on the Protection of Personal Data), this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which terminates the administrative process pursuant to Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the President of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of Article 25 and Section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this decision, as provided for in Article 46.1 of the aforementioned Law.

Finally, it is noted that, in accordance with the provisions of Article 90.3 a) of the LPACAP, a final administrative decision may be provisionally suspended if the interested party expresses their intention to file an administrative appeal.
If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. They must also submit to the Agency the documentation proving the effective filing of the administrative appeal. If the Agency does not become aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension.

938-100325
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency

  1. For more information, see https://www.listarobinson.es/que-es
  2. Law 25/2007, of October 18, on the conservation of data relating to electronic communications and public communications networks (Ley 25/2007, de 18 de octubre, de conservación de datos relativos a las comunicaciones electrónicas y a las redes públicas de comunicaciones), 251, de 19/10/2007. Available at https://www.boe.es/buscar/act.php?id=BOE-A-2007-18243&p=20140510&tn=1
  3. STS 5358/2024, 11 November 2024, ECLI:ES:TS:2024:5358 https://4dlegal.es/wp-content/uploads/2025/05/STS-5358-2024-11-XI-2024-Sala-3.a-TS-ROJ-1792-2024.pdf
  4. CJEU Case C-683/21, Nacionalinis visuomenės sveikatos centras, 5 December 2023. https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0683 See also GDPRhub summary CJEU - C-683/21 - Nacionalinis visuomenės sveikatos centras
  5. Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 07 July 2021 (Version 2.1). Available at https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en