LYCAMOBILE S.L. – €60,000 Fine (Spain, 2020)

On 23 October 2019, a complaint was lodged before a court relating to the fact that the personal data of users have been falsified by Lycamobile or a mobile telephone establishment authorized by that entity. The personal data of the users of the prepaid cards which are registered in the Lycamobile register do not correspond to the data of the person who acquires the prepaid mobile phone card. In addition, it was indicated that the use of the personal data of a third person that is not related to the facts stated in the complaint, has caused the complainant serious non-consensual patrimonial harm. On 17 March 2020, the AEPD initiated the sanctioning procedure, transferred the documents to the defendant, and the latter sent allegations. Is the use of personal data without the consent of the persons concerned a breach of Article 6 (1) (a) GDPR? The AEPD considered that the defendant company carried out the treatment without having any legitimacy to do so. The personal data were incorporated into the company's information systems, without it being proven that the company had legitimately contracted, had its consent to the collection and subsequent processing of its personal data, or that there was any other cause that made the processing carried out lawful. In setting the amount of the penalty, the AEPD took into account: the link between the business activity of the respondent and the processing of personal data (83 (2) (k) GDPR); the fact that basic personal identifiers are affected (83 (2) (g) GDPR); the intentionality or negligence of the infringement (83 (2) (b) GDPR) and the lack of cooperation with the Spanish Data Protection Agency (83 (2) (f) GDPR). Therefore, in view of the aggravating factors applied to the case, the Director of the Spanish DPA imposed a penalty of EUR 60000 on the company Lycamobile S.L.