XFERA MOVILES S.A. (YOIGO) – €20,000 Fine (Spain, 2020)

A claimant, an individual, lodged a complaint with the AEPD because he/she found out from his/her bank account that a contract had been entered into in his/her name and with his/her personal data without his/her consent, and also because he/she had been included in a creditworthiness file for an unpaid debt related to the aforementioned contract. The AEPD requested from YOIGO information on the contracts signed with the claimant, as well as information on the debt that led to its inclusion in a solvency list. In the contracts provided by the claimant, there is no signature of the claimant accepting the content of the contracts. The AEPD first proposed a sanction for infringement of Article 6 (1) GDPR but withdrew these charges due to the non-existence of the infringement when the complainant responded with allegations and documents which this time, unlike those provided in the evidence phase, were signed by the complainant. Furthermore, the complainant argued that the events had taken place before the entry into force of the GDPR and the LOPDGDD and would therefore not be the applicable rules. On the other hand, it did not make any reference in its allegations to the breach of Article 31 GDPR in relation to its obligation to collaborate with the data protection supervisory authority. Is the failure to cooperate with the data protection supervisory authority a breach of Article 31 GDPR in conjunction with Article 58(1)(e) GDPR? Having assessed all the various documents provided by the complainant, it seems fair to conclude that, in view of the circumstances of the case, it exercised a minimum and reasonable diligence in identifying the person who signed the contracts and provided as her own the NIE and the name of the complainant. Furthermore, as regards its duty to cooperate with the supervisory authority, the defendant did not comply with its obligation to cooperate and make allegations regarding the infringement of Article 31 GDPR in conjunction with Article