数据安全 | Vodafone因违反GDPR被西班牙数据保护局罚款4万欧元

西班牙数据保护局（以下简称AEPD）于2021年11月23日公布了一项其于2021年10月29日做出的PS/00269/2021号决定，事由是关于一项移动线路所有权意外变更的投诉，Vodafone España S.A.U.（以下简称Vodafone）被认为是违反了《一般数据保护条例》（以下简称GDPR）中的第6条第1款，因此被AEPD处以5万欧元的罚款，后因Vodafone主动缴纳罚款而将罚款将至4万欧元。

该决定指出，投诉人的移动电话线路所有权在未经同意的情况下发生了变化。此外，该决定解释说，投诉人的帐户上有属于第三方电话线的费用，而第三方的账单与其银行帐户有联系。

AEPD指出，GDPR第6(1)条确立了处理个人资料可能被视为合法的个案，但根据前述案件事实，Vodafone违反了《条例》第6(1)条的规定。此外,AEPD认为, 根据GDPR第83(2)(b)条的故意或疏忽性质的侵权行为，现有证据无法确认所有权人提出了变更所有权的请求，这导致了第三方账单与投诉人的银行账户被联系起来。此外，AEPD认为，根据GDPR第83(2)(k)条与GDPR第83(2)(c)条，Vodafone的业务活动与处理客户或第三方的个人资料之间存在明显的联系。

最后，AEPD决定对Vodafone处以5万欧元的罚款，根据该决定中关于降低罚款的条件，罚款减少了20%，最终罚款金额为4万欧元。

以下为英文原文，翻译有部分删减：

Spain: AEPD imposes €40,000 fine to Vodafone for unlawul processing

The Spanish data protection authority ('AEPD') published, on 23 November 2021, its decision in proceeding PS/00269/2021, as issued on 29 October 2021, in which it imposed a fine of €50,000 on Vodafone España S.A.U., then reduced to €40,000 for voluntary payment, for violations of Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint regarding an unexpected change of ownership over the claimant's mobile line.

Background to the case 

In particular, the decision states that there had been a change in the ownership of the complainant's mobile phone line without her consent. Furthermore, the decision explains that the complainant's account had been charged with amounts belonging to a third party's telephone line and that the third party's bills had been linked to her bank account.

Findings of the AEPD 

The AEPD stated that the facts set out above imply, on the part of the respondent, the infringement of Article 6(1) of the GDPR, which establishes the cases in which the processing of personal data may be considered lawful. In addition, the AEPD considered, as an aggravating factor, the intentional or negligent nature of the infringement according to Article 83(2)(b) of the GDPR, because of the evident failure to verify the request for a change of ownership, which resulted in the linking of bills from a third party to the claimant's bank account. Moreover, the AEPD considered, as a further aggravating factor, the obvious link between the respondent's business activity and the processing of personal data of customers or third parties, as per Article 83(2)(k) of the GDPR in conjunction with Article 83(2)(c) of the GDPR. 

Outcomes 

Finally, the AEPD imposed a fine of €50,000, which was reduced by 20% to €40,000 upon use of one of the reductions provided for in the decision.  

来源：

https://www.dataguidance.com/news/spain-aepd-imposes-40000-fine-vodafone-unlawul