ORANGE ESPAGNE S.A.U. – €80,000 Fine (Spain, 2020)

A customer of the data controller filed a complaint with the Spanish DPA (AEPD), alleging that up to six phone lines had been opened in his name despite the data subject not having given his consent. It was a fraud by which someone pretends to be a real client of the company - after obtaining their documentation - and calls the operator to contract voice or Internet products pretending to be that real user. The situation also led to the inclusion of the customer who reported the operator in the files of ASNEF (Asociación Nacional de Establecimientos Financieros de Crédito), in whose records the customers of companies with outstanding invoices are stored. Orange replied to the AEPD that the consent had been unequivocal and did not attribute falsity to the line registrations that have met the regulatory recruitment requirements Is the processing of personal data, without the express consent of the person involved in the contract, a violation of Article 6(1)(a) GDPR? The AEPD considered that ORANGE ESPAGNE did not act with due diligence to identify the contracting parties. Therefore, it processed personal data without accrediting that it had the legal basis to do so. Furthermore, it was not aligned with the principle of proactive liability, which consists of previously determining that it met the requirements for processing the complainant's data. The fact that it was a non-intentional negligent action, that basic personal identifiers were affected and the continued nature of the infringement were considered aggravating factors, determining the amount of the fine in €80,000.