{{DPAdecisionBOX
|Jurisdiction=Spain
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoES.jpg
|DPA_Abbrevation=AEPD
|DPA_With_Country=AEPD (Spain)
|Case_Number_Name=PS-00456-2025
|ECLI=
|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00456-2025.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=03.12.2025
|Date_Published=
|Year=2025
|Fine=80000
|Currency=EUR
|GDPR_Article_1=Article 4(1) GDPR
|GDPR_Article_Link_1=Article 4 GDPR#1
|GDPR_Article_2=Article 4(2) GDPR
|GDPR_Article_Link_2=Article 4 GDPR#2
|GDPR_Article_3=Article 4(7) GDPR
|GDPR_Article_Link_3=Article 4 GDPR#7
|GDPR_Article_4=Article 4(8) GDPR
|GDPR_Article_Link_4=Article 4 GDPR#8
|GDPR_Article_5=Article 5(1)(a) GDPR
|GDPR_Article_Link_5=Article 5 GDPR#1a
|GDPR_Article_6=Article 6 GDPR
|GDPR_Article_Link_6=Article 6 GDPR
|GDPR_Article_7=Article 6(1) GDPR
|GDPR_Article_Link_7=Article 6 GDPR#1
|GDPR_Article_8=Article 6(1)(b) GDPR
|GDPR_Article_Link_8=Article 6 GDPR#1b
|GDPR_Article_9=Article 58(2) GDPR
|GDPR_Article_Link_9=Article 58 GDPR#2
|GDPR_Article_10=Article 83(1) GDPR
|GDPR_Article_Link_10=Article 83 GDPR#1
|GDPR_Article_11=Article 83(2) GDPR
|GDPR_Article_Link_11=Article 83 GDPR#2
|GDPR_Article_12=Article 83(2)(a) GDPR
|GDPR_Article_Link_12=Article 83 GDPR#2a
|GDPR_Article_13=Article 83(2)(b) GDPR
|GDPR_Article_Link_13=Article 83 GDPR#2b
|GDPR_Article_14=Article 83(2)(g) GDPR
|GDPR_Article_Link_14=Article 83 GDPR#2g
|GDPR_Article_15=Article 83(5) GDPR
|GDPR_Article_Link_15=Article 83 GDPR#5
|GDPR_Article_16=Article 83(6) GDPR
|GDPR_Article_Link_16=Article 83 GDPR#6
|GDPR_Article_17=
|GDPR_Article_Link_17=
|GDPR_Article_18=
|GDPR_Article_Link_18=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=MAJOREL SP SOLUTIONS, S.A
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=ARIEL SANTIAGO BASSANO
|
}}
The Spanish DPA fined MAJOREL SP SOLUTIONS, S.A. 80,000 euros for transferring its employees' personal data to a third party without a proper legal basis, in violation of Article 6(1) GDPR.
== English Summary ==
=== Facts ===
MAJOREL SP SOLUTIONS, S.A. (the Data Controller) entered into an agreement with a Chinese company (known as Business Company N° 2) and a third party, under which the Controller would provide customer service activities for the Spanish market.
On 15 January 2024, employees were informed of the existence of the agreement. However, the general contractual terms were not provided until 6 February 2024, when the contract was already being performed, and were signed only by the HR representative. The notice stated that employees' personal data would be shared with the counterparties solely for the execution of the agreement.
During training sessions, employees were asked to write down their personal mobile phone numbers and dates of birth on a blank sheet of paper. This information was required to receive authentication credentials for accessing the Client’s platform. No specific privacy notice or additional information regarding the data transfer was provided.
Some employees subsequently received SMS messages directly from the Client on their personal phones, despite having given no explicit authorization. Union representatives suggested using corporate email addresses as an alternative authentication method, but this option was rejected, as the Client required the mobile phone number as a double authentication factor.
In its response to the DPA, the data controller argued that the Client’s platform required two-factor authentication via mobile phone and that, due to the lack of corporate devices, employees’ personal phones were used on a temporary basis, despite the Data Protection Officer having advised against this practice.
=== Holding ===
The DPA upheld the complaint and found an infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]]. The Authority clarified that the necessity for the performance of a contract must be interpreted strictly and covers only processing that is objectively necessary, not merely useful or convenient.
The Authority concluded that requiring employees to use their personal mobile phones as a double authentication factor in an employment relationship is unlawful, a position previously confirmed by the Spanish National Court (SAN 487/2024 ECLI:ES:AN2024:847). Employers are required to provide the necessary work tools and cannot rely on employees’ personal devices when less intrusive alternatives exist.
The DPA also found that the Controller failed to properly follow the recommendations of its Data Protection Officer. The Authority considered that the damage caused could have been avoided.
The DPA imposed an €80,000 fine. In determining the amount of the fine, the Authority applied the criteria set out in [[Article 83 GDPR#2|Article 83(2) GDPR]].
== Comment ==
Following the initiation of the sanctioning procedure, the Data Controller acknowledged responsibility and opted for voluntary payment. As a result, it benefited from the reductions provided under the applicable administrative procedure rules and paid a reduced fine of EUR 48,000.
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
<pre>
• File No.: EXP202406971
– RESOLUTION OF TERMINATION OF PROCEEDINGS DUE TO
ACKNOWLEDGMENT OF LIABILITY AND VOLUNTARY PAYMENT
From the proceedings initiated by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On November 7, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against MAJOREL SP
SOLUTIONS, S.A. (hereinafter, MAJOREL SP SOLUTIONS, S.A.), by means of the following agreement:
<< File No.: EXP202406971
AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS
Based on the actions taken by the Spanish Data Protection Agency and
on the following,
FACTS
FIRST: The Spanish Data Protection Agency has become aware of
certain facts that could constitute a possible infringement attributable to MAJOREL SP
SOLUTIONS, S.A., with Tax Identification Number A82112665 (hereinafter, MAJOREL SP SOLUTIONS, S.A.).
The facts brought to the attention of this authority were the following:
On January 15, 2024, MAJOREL SP SOLUTIONS, S.A. informed the legal representatives of the workers that it would begin providing services to the company ***COMPANY.2.
It is alleged that on February 6, 2024, when there were already workers providing services to
***COMPANY.2, MAJOREL SP SOLUTIONS, S.A., sent them a document with the
general characteristics of the commercial contract signed by both parties, from which the
complainant highlights the following paragraph: “The personal data of the representatives,
employees, or any other person acting on behalf of each
party, and which are provided to the other party for the development and execution of the
contract, will be processed by the receiving party exclusively for the execution,
management, and control of the contract, and compliance with the corresponding
legal obligations, specifically the GDPR.”
The complainant states that the document is only signed by the Human Resources representative of MAJOREL SP SOLUTIONS, S.A., and does not include:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 2/20
information regarding consent to transfer data to an international company (***COMPANY.2).
She maintains that, during employee training, MAJOREL SP SOLUTIONS, S.A.
asked employees for their phone numbers to ensure they were up to date.
The request was made on a blank sheet of paper, on which the employees present at the training wrote their personal phone number and date of birth.
MAJOREL SP SOLUTIONS, S.A. later informed them that they would receive passwords to use the client’s applications on that phone number. No
document was provided to them proving the rights to transfer this data,
nor was the purpose or the request for express authorization from the employee to transfer the data provided.
The complainant also indicates that some employees have received messages on their mobile phones from ***COMPANY.2 with access credentials for the computer applications,
leading them to deduce that MAJOREL SP SOLUTIONS, S.A. has provided the employees’ phone numbers to that company without prior consultation or authorization.
The complainant further states that the two union sections sent emails to the HR representative of MAJOREL SP SOLUTIONS, S.A.,
inquiring about the situation and offering the possibility of using the corporate email address assigned to each employee. The HR representative responded that this was not possible, since the client had enabled sending emails via personal phones.
The complainant indicates that the Madrid office is also working on the same campaign with ***COMPANY.2, and therefore assumes that the same procedures were followed with the employees at that workplace.
The following documentation is available:
a) Complaint filed with the Spanish Data Protection Agency (AEPD), dated March 15, 2024.
b) Screenshot of a message received on an employee’s mobile phone from ***COMPANY.2 (***COMPANY.3) informing them of the password.
c) Emails sent by the union representatives and MAJOREL SP SOLUTIONS, S.A. regarding the transfer of employee data to ***COMPANY.2 during February 2024.
d) Contract between MAJOREL SP SOLUTIONS, S.A. and ***COMPANY.2 for the
provision of customer service for this company, dated 6/02/2024.
SECOND: As a consequence of the known facts, on 13/05/2024, the
Presidency of the Spanish Data Protection Agency instructed the Sub-Directorate
General for Data Inspection (SGID) to initiate the preliminary investigation proceedings referred to in Article 67 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD).
THIRD: The Deputy Directorate General for Data Inspection carried out preliminary investigative actions to clarify the facts in question, pursuant to the functions assigned to supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VIII of the Spanish Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
As a result of the actions taken, the following facts have come to light:
As a result of a complaint, this Agency has become aware of a possible infringement of data protection regulations in relation to the transfer of personal data of the representatives and employees of the company
MAJOREL SP SOLUTIONS, S.A. (operating under the brand name ***COMPANY.4) to the company ***COMPANY.2 (trading as ***COMPANY.2), for the execution of a service agreement signed between them.
The purpose of said agreement is the collaboration between ***COMPANY.3 (China) and
***COMPANY.2 with the authorized subsidiary MAJOREL SP SOLUTIONS, S.A., for the performance of customer service activities in the Spanish market, as well as to regulate the relationships and obligations between the parties arising from the provision of Contact Center services.
According to the complaint, the aforementioned contract did not include information regarding
consent to transfer employees’ personal data to an
international company.
The complainant indicates that some employees of MAJOREL SP SOLUTIONS,
S.A., have received messages from ***COMPANY.2 containing login credentials for the
applications of said company, leading them to conclude that there has been a transfer of the employees’
phone numbers.
Given the importance of this information, this Agency deems it necessary
to thoroughly investigate the described facts and the data processing carried out in order to,
if applicable, determine the potential consequences for the
rights and freedoms of the individuals involved.
On May 16, 2025, a request for information was sent to MAJOREL SP SOLUTIONS, S.A. regarding the following:
1. Legal basis for the international transfer of data concerning the workers’ representatives and employees of MAJOREL SP SOLUTIONS, S.A. to ***COMPANY.2.
2. Categories of data and data transferred concerning the workers’ representatives and employees of MAJOREL SP SOLUTIONS, S.A.
3. If the transferred data includes the personal telephone numbers of the employees, this must be justified.
4. Actions taken by MAJOREL SP SOLUTIONS, S.A. to communicate the employees’ data.
5. Number of employees affected, and information regarding the transfer of their data provided to the workers’ representatives and employees.
6. Whether a report has been requested from the Data Protection Officer of MAJOREL SP SOLUTIONS, S.A. (The Data Protection Officer’s reports must be provided, if applicable).
7. Whether a risk analysis or a data protection impact assessment was carried out prior to this transfer (This analysis or assessment must be provided, if applicable).
8. Data protection measures that have been implemented to protect the transfer of employee data.
9. Any other information you deem relevant.
On May 30, 2025, MAJOREL SP SOLUTIONS, S.A. submitted a written response to the aforementioned request for information, in which, among other things, it stated:
1. “Clarification regarding the contractual relationship with ***COMPANY.2.
In its request for information, the Spanish Data Protection Agency (AEPD) states that there is a transfer of data from the representatives and employees of ***COMPANY.5 to the company
***COMPANY.2, which it refers to as ***COMPANY.2. However, currently
***COMPANY.5 has a direct contractual relationship with
***COMPANY.3 ***COMPANY.6, the company that owns the trademark
***COMPANY.2. The company they mention was a subsidiary of the former
business group that comprised ***COMPANY.5, and it is unknown what relationship it may have
in the events in question.
2. Background
***COMPANY.2 has a tool called ***COMPANY.7 to access and work on its systems, since it is through this application that a token is created, enabling two-factor authentication for the agent of
***COMPANY.5. In this way, only those who have been previously registered in the tool will be able to access this application.
To receive this token, we must enter a series of personal data from
employees, including their mobile phone number, which is where they receive the
credentials via SMS. The client has insisted that it is not possible
to send them a corporate email as an alternative method, emphasizing
the importance of having a correct phone number, since otherwise the agent
cannot complete the onboarding process and create a user account.
The data requested by the ***COMPANY.3 tool is as follows:
(Image of two lines of an Excel spreadsheet attached)
Since not all agents have professional mobile phones, as a temporary solution,
our agents’ personal phones were used.
This issue was discussed a few months ago, and the opinion of the
Data Protection Officer (hereinafter, “DPO”) and the Legal Director of
***COMPANY.5 was sought. They determined that the use of personal phones for
professional purposes is contrary to data protection regulations (attached
as ANNEX 1).
Therefore, we are in a transition process, and mobile phones and SIM cards have been purchased for all new
team members since July 15th. Regarding
new hires prior to that date, we are removing all personal
phones and replacing them with corporate phones. We expect to complete
this process in the coming weeks.
Currently, of the 364 active employees of ***COMPANY.2, 203
have a personal phone associated with their account.
3. Legal Basis, Data Categories, and Information for Employees
The legal basis for the transfer of data between ***COMPANY.5 and
***COMPANY.2 is the necessity for the performance of a contract to which the
data subject is a party in the performance of a contractual obligation (Art. 6.1.b) of the
GDPR).
This legal basis requires that this processing is indeed
necessary for the performance of the contractual obligations existing between
the agent and ***COMPANY.5. Although the need to transfer this data to the client’s tool is not stipulated in the contract,
this contractual obligation must be considered within the broader context of the agreement
entered into (1). We can determine that the transfer of the aforementioned personal data
is strictly necessary for the execution of the
contract, since the client must protect its systems from unauthorized access and,
in order for us to provide the service in compliance with the client’s
security standards, it is necessary to provide the data required to
unequivocally identify the agents. Otherwise, the employee would not
be able to provide the services for which they were hired because, without
this two-factor authentication, the client’s personal data they access
would be unprotected.
Furthermore, the personal data transferred to ***COMPANY.2 has the sole
purpose of creating your user account in the client’s tool, and will not be used for
any other purpose, in accordance with the principle of purpose limitation
of Article 5.1.b) of the GDPR. The agents are aware of the creation
of these users since they access the client’s tool to be able to
provide the service, as it allows them to enter the client’s systems through
a VPN.
Therefore, they have reasonable expectations that, in order
to create these users, it is necessary for ***COMPANY.5 to share their
personal data. Otherwise, it would be impossible to have traceability of
each user and maintain an adequate level of security, preventing fraud or
any other security incident.
On the other hand, in our Employee Privacy Policy, we inform
about this type of processing with its corresponding legal basis,
informing you about the processing of your data for the proper management of the registration
of a user in a provider’s software to allow them to be granted
access to their tools while working for us (we include
screenshots of the Privacy Policy, as well as attaching ANNEX 2, the privacy policy
of ***COMPANY.5). Therefore, this data transfer has always been informed and transparent, in accordance with the principles of lawfulness, fairness, and transparency of Article 5.1.a) of the GDPR.
The categories of data we transfer to ***COMPANY.2 are the following:
– Name.
– National Identity Document (DNI).
– Name.
– Gender.
– Telephone country code.
– Mobile phone number.
– Date of joining the service (effective date).
– Nationality (ID not required)
– Province/continent (ID not required)
All this data is used to create the user account, as well as to verify identity in case of doubt or to recover the user account in the event of a technical incident.
Notwithstanding the above, as we have already indicated, following the report from our
Data Protection Officer (DPO), we are working to replace personal telephones with
professional ones as soon as possible, taking into account the existing technical
circumstances.
4. Measures applied for the international transfer of data
The tool ***COMPANY.7 is owned by ***COMPANY.2 and is managed
primarily in China, a country outside the European Economic Area (EEA).
The data collected is used to access a secure environment that
allows ***COMPANY.5 to fulfill its contractual obligations, as the
data controller must adopt the appropriate
technical and organizational measures to ensure compliance with the requirements of the
regulations.
***COMPANY.5 carried out a third-country protection assessment
(China), as well as an impact assessment of the transfer from Spain to
China, determining the need to implement a series of additional
measures to ensure that said transfer complies with the regulations
(attached as ANNEX 3).
5. Measures Adopted or in the Process of Adaptation to Resolve
Taking all of the above into account, we understand that the transfer of data from
our employees to ***COMPANY.2 for the creation of a user account in its
tool for security reasons is legitimate, as it is necessary for the
execution of the contract, has been communicated, and there were reasonable expectations
on the part of the employees of said tool. However, the use of personal phones
for this purpose would not fall under the aforementioned scenario.
Therefore, we propose several mitigating measures:
1. Inform all employees of a new policy that includes
more specifically the possible transfer of data to clients.
2. Send a specific communication to the service agents of
***COMPANY.2 regarding said data transfer.
3. Change the personal phone numbers in the client’s tool
to professional numbers.
FOURTH: According to the report obtained from the AXESOR tool, the entity
MAJOREL SP SOLUTIONS, S.A. is a company incorporated in 1998 with a
turnover of €201,821,516 in 2023.
LEGAL BASIS
I
Jurisdiction
In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
II
Procedure
Likewise, Article 63.2 of the LOPDGDD establishes that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the implementing regulations issued thereunder and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures.”
In accordance with Article 64 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), and taking into account the
characteristics of the alleged infringement, a sanctioning procedure is initiated.
The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After this period, the procedure will expire and, consequently, the proceedings will be archived, in accordance with the provisions of
Article 64 of the LOPDGDD.
If no objections are raised to this initiation agreement within the stipulated period, it
may be considered a proposed resolution, as established in Article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).
III
Preliminary Issues
Article 4.1 of the GDPR defines “personal data” as: “any information relating to an
identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Article 4.2 of the GDPR defines “processing” as: “any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Article 4.7 of the GDPR defines the “controller” as:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its appointment may be laid down by Union or Member State law.”
Article 4.8 of the GDPR, in turn, defines the “processor” as the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
… In this case, in accordance with Articles 4.1 and 4.2 of the GDPR,
the processing of personal data is established, since MAJOREL
SP SOLUTIONS, S.A., among other processing activities, collects and stores
personal data of its employees, such as: National Identity Document (DNI), name, gender, country code of the
telephone, mobile phone number, date of joining the service, nationality,
province, and date of birth.
MAJOREL SP SOLUTIONS, S.A. carries out this activity in its capacity as data processor
since it is the entity that collects the data of its employees, for the purpose of
creating their user accounts in the IT system of its client ***COMPANY.2,
all pursuant to Article 4.8 of the GDPR.
IV
Breach of Obligation. Article 6 GDPR
Article 6 of the GDPR states:
“1. Processing will only be lawful if at least one of the following conditions is met:
b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;”
The legal basis for processing under Article 6(1)(b)
must be interpreted in the context of the GDPR as a whole, the objectives
set out in Article 1, and in parallel with the duty of controllers to process personal data in accordance with the data protection principles set out in Article 5 of the GDPR. This requires processing personal data fairly and transparently and in accordance with the obligations of purpose limitation and data minimization. Article 5(1)(a)
of the GDPR establishes that personal data must be processed lawfully, fairly, and transparently in relation to the data subject. The principle of fairness includes, among other things,
the recognition of reasonable expectations of data subjects, the consideration of the possible adverse consequences that the processing may have on them, and the consideration of the relationship and the possible effects of an imbalance between them and the controller.
Regarding the scope of application of Article 6.1.b) of the GDPR, it applies when either of the following two conditions is met:
– The processing in question must be objectively necessary for the performance of the contract with the data subject.
– Or the processing must be objectively necessary for the application, at the request of the data subject, of pre-contractual measures.
The necessity of the processing is a prerequisite in both cases of Article 6.1.b) of the GDPR. It is important to point out from the outset that the concept of “necessary for the performance of a contract” does not consist of a mere assessment of what is permitted in the contract clauses or of the terms in which they are
drafted. The concept of necessity has an independent meaning in
EU law and must reflect the objectives of data protection law.
Therefore, it also requires that the fundamental right to privacy and the protection of personal data be taken into account, as well as the requirements of the data protection principles, in particular the principle of fairness.
It is also necessary to identify the purpose of the processing, and, in the context of
contractual relationships, this processing may serve various purposes. These purposes must be specified and clearly communicated to the data subject, thus respecting
the obligations of purpose limitation and transparency that the controller must fulfill. When assessing what is necessary, a combined and fact-based assessment of the processing for the objective pursued must be carried out,
evaluating whether it is less intrusive than other options available to
achieve the same objective. If there are other realistic and less intrusive alternatives,
the processing is not necessary.
Therefore, Article 6.1.b) of the GDPR does not cover processing that is useful
but not objectively necessary to perform the service that is the subject of the contract or
to take the relevant pre-contractual measures at the request of the data subject, even
if necessary for the other business purposes of the data controller.
In this case, among the categories of data that MAJOREL SP SOLUTIONS,
S.A. transferred to ***COMPANY.2, is the personal mobile phone number of the
employees, in order to create the user account, as well as to verify identity in case
of doubts or to recover the user account in the event of a technical incident.
The principle of third-party ownership of the means obliges the company to provide the
employee with the necessary means for the performance of the employment relationship (Art. 1.1 of the Workers’ Statute). The use of the personal phone cannot be considered
necessary for the performance of the employment relationship, and consent is not a
valid basis if the employee is not offered an alternative means of processing that does not involve the processing
of their personal data (Guidelines 2/2017 of the European Data Protection Board).
This Agency has already indicated in several of its resolutions that it is illegal to use a personal mobile phone as a two-factor authentication method (Resolution of January 3, 2023), and in general terms has indicated that its use is not permitted for work-related purposes (Resolution of October 10, 2023).
The National Court has also indicated the illegality of this practice, making express mention of Article 19.7 of the Third National Collective Bargaining Agreement for the Contact Center Sector.
In this regard, the Judgment of the National Court, Social Chamber, No.
14/2024 of February 5, 2024, (Roj: SAN 487/2024 –
ECLI:ES:AN2024:847), states in its ninth Legal Basis:
“Finally, the last of the claims in the petition remains to be resolved, concerning the declaration that
the content of clause nine of the individual teleworking agreement be declared null and void, specifically the clause that states the employee is not required to provide the company with their mobile phone number for receiving SMS messages and/or accessing applications that allow
identity verification, all in accordance with the provisions of Article 19.7 of the collective bargaining agreement.
Said clause of the remote work agreement establishes the following:
For cybersecurity reasons, both the Company and DXC, as well as their clients, are progressively deploying authentication and access methods to systems or applications necessary for the provision of services. Therefore, the Company and
DXC may request the employee’s mobile phone number on a case-by-case basis for receiving SMS messages and/or accessing applications that allow for identity verification, only during established working hours. The processing of mobile phone numbers will be limited to the purpose of verifying the
identity of the Employee during access to systems and applications,
this processing being based on the legitimate interest of the Company and DXC in
guaranteeing the security of information and systems.
The Court certainly recognizes that one of the most widespread procedures for
guaranteeing the security of computer communications consists of using
authentication methods through SMS messages that send a code that the
recipient must use to access certain applications.
We do not question the use of these mechanisms to guarantee the identification of those accessing
such applications; what is controversial is that the
SMS messages are sent to each employee’s personal mobile phone, since
this forces them to use their personal tools and
devices for work.
Article 19.7 of the agreement establishes that companies may not use tools,
applications, or devices belonging to employees that are not provided by the
company itself. If a two-factor authentication system is required, the company must provide the necessary tools and resources for its use. As an exceptional case, and solely for this purpose, if the employee rejects the tool provided by the company, they may consent to the use of their own devices or tools.
It follows from this agreement that the negotiators agree to prohibit the use of employee applications and devices and that, if two-factor authentication is necessary, as occurs with the sending of SMS messages that
contain a code to access the applications, the employer is responsible for providing the necessary tools and resources.
This conventional provision is violated by the clause contained in the
individual remote work agreements, which, as can be seen, requires the employee to use their personal telephone for authentication.
We should also uphold this claim.
The statements of the defendant reveal the existence of a
contractual relationship between MAJOREL SP SOLUTIONS, S.A. and ***COMPANY.2, which
uses its IT tool ***COMPANY.7 to access and work on its
systems. It is through this application that a token is created, enabling
two-factor authentication of the MAJOREL SP SOLUTIONS, S.A. agent by sending
an SMS to the agent’s personal mobile phone. This would constitute an
unlawful transfer of data.
Currently, of the 364 active users of the ***COMPANY.2 service, 203
have their personal mobile phone numbers associated with the service.
In this case, MAJOREL SP SOLUTIONS, S.A. allegedly provided
***COMPANY.2 with the personal phone numbers of its employees,
along with other identifying data, for the purpose of creating user accounts on the
IT tools of said company. The company itself acknowledges that, given the
lack of corporate terminals, it was decided to temporarily use employees’
personal telephones to receive the authentication codes
necessary to access the systems of ***COMPANY.2.
This communication of personal data cannot be considered covered by the
legal basis of Article 6.1.b) of the GDPR (performance of a contract to which the data subject is a party), as argued by the respondent. The performance of the employment contract does not
require or justify the transfer of the employee’s personal telephone number to an unrelated third
party. This data, belonging to the employee’s private sphere, is neither
necessary nor proportionate for the fulfillment of the obligations arising from the
employment relationship, especially since the company itself acknowledges that it was a
provisional measure adopted for internal organizational reasons.
Furthermore, it is documented that the Data Protection Officer of MAJOREL SP
SOLUTIONS, S.A. issued a report expressly warning that the use of personal phones
for professional purposes was contrary to data protection regulations,
which demonstrates that the company was fully aware of the unlawfulness
of such processing and, despite this, continued it, affecting more than two hundred
employees.
The possibility of the employer using the employee’s mobile phone terminals and lines
for work purposes requires that such use has been
voluntarily and freely chosen by the data subject, after having received the required information
regarding the processing of their personal data and the possibility of revoking
the consent given, at any time and without detrimental consequences.
This express expression of will could be considered freely given, among other
circumstances, if the company had previously provided and offered an alternative
option. In any case, the employer and data controller must also guarantee that corporate applications will not access
the private data of its employees and that there is a technical separation between the work and personal use of employees’ mobile phones.
None of the aforementioned circumstances apply in this case.
Consequently, the transfer of personal data without consent or an adequate legal basis would constitute unlawful processing, violating the provisions of Article 6.1 of the GDPR. MAJOREL SP SOLUTIONS, S.A. would have acted as the data controller by deciding to communicate its employees’ data to a third party, without any of the conditions of lawfulness provided for in the GDPR being met.
Therefore, in accordance with the evidence available at this time, and in accordance with the initiation of sanction proceedings, it is considered that the known facts could constitute an infringement attributable to MAJOREL SP SOLUTIONS, S.A., for violation of the aforementioned article.
V
Classification of the infringement of Article 6.1.b) of the GDPR and its classification for the purposes of
statute of limitations
Article 83.5 of the GDPR classifies as an administrative infringement the violation of the following article, which will be sanctioned, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to
4% of its total global annual turnover of the preceding financial year, whichever is higher:
“(a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9;”
For its part, the LOPDGDD, in its Article 71, Infringements, states that:
“The acts and conduct referred to in paragraphs 4,
5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as any that are contrary to this Organic Law, constitute infringements.”
For the sole purpose of the statute of limitations, Article 72.1 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights) establishes the following:
“In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein, and in particular the following, are considered very serious and shall be subject to a three-year statute of limitations:
(b) The processing of personal data without any of the conditions for lawful processing established in Article 6 of Regulation (EU) 2016/679 being met.”
VI
Proposed Sanction
In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:
“1. Each supervisory authority shall ensure that the imposition of administrative fines under this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 is, in each individual case, effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each individual case, as an additional measure to, or in lieu of, the measures provided for in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due consideration shall be given to:
(a) the nature, seriousness, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered;
(b) whether the infringement was intentional or negligent;
(c) any measures taken by the controller or processor to remedy the damage suffered by the data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures implemented pursuant to Articles 25 and 32;
(e) any prior infringements committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority to remedy the infringement and mitigate its possible adverse effects;
(g) the categories of personal data affected by the infringement;
(h) how the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;
(i) where the measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”
For its part, Article 76, “Sanctions and Corrective Measures,” of the LOPDGDD (Spanish Data Protection Law) stipulates:
“1. The sanctions provided for in paragraphs 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the criteria for determining the severity of the sanction established in paragraph 2 of said article.
2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the infringement.
b) The connection between the infringer’s activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party’s conduct may have induced the commission of the infringement.
e) The existence of a merger by acquisition subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) To have, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to
alternative dispute resolution mechanisms, in those cases where
disputes arise between them and any interested party.”
In this case, considering the seriousness of the possible infringement, and paying particular attention to
the consequences that its commission causes for those affected,
a fine would be appropriate, in addition to the adoption of measures, if
appropriate.
The fine imposed must be, in each individual case, effective, proportionate,
and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee these principles, the turnover of
MAJOREL SP SOLUTIONS, S.A., which was €201,821,516 for the year 2023, is taken into account as a preliminary matter.
For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available at this time of
the initiation of the sanctioning procedure, and without prejudice to the outcome of the
investigation, it is considered appropriate to determine the sanction to be imposed according to
the following circumstances, contemplated in the aforementioned provisions.
As a preliminary matter, the following circumstances are considered to exist:
• The nature, severity, and duration of the infringement, taking into account
the nature, scope, or purpose of the processing operation in question,
as well as the number of data subjects affected and the level of damages they have suffered (Article 83.2(a) of the GDPR): of the 364
employees of MAJOREL SP SOLUTIONS, S.A. actively providing services to
***COMPANY.2, 203 employees have their personal mobile phone numbers associated with their data,
at least from 6/02/2024, the date of signing the contract, until 30/05/2025, the date of
the response to this Agency by the respondent.
• Intentionality/Negligence in the infringement (Article 83.2, letter b), of the
GDPR): the request made by the union sections was not duly addressed, and it also appears that from 9/04/2024, the date of the
Data Protection Officer’s response, the party against whom the complaint was filed was aware of the irregularity and had not
prevented it at least until its response to this Agency on 30/05/2025.
• The categories of personal data affected by the
infringement (Article 83.2, letter g), of the GDPR): the data of the workers that were
transferred to ***COMPANY.2 were of 9 types, namely: National Identity Document (DNI), name, gender, telephone country code, mobile telephone number, date of joining the service,
nationality, province, and date of birth.
The assessment of the circumstances contemplated in Article 83.2 of the GDPR, with respect to the infringement committed by violating the provisions of Article 6.1.b) of the GDPR, allows for an initial administrative fine of €80,000 (EIGHTY THOUSAND EUROS).
VII
Corrective Measures
If the infringement is confirmed, the resolution issued may establish the corrective measures that the infringing entity must adopt to end the non-compliance with personal data protection legislation, in this case, Article 6.1.b) of the
GDPR, in accordance with the provisions of Article 58.2.d) of the GDPR, according to which each supervisory authority may “require the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specific manner and within a specified time frame…”
Thus, the responsible entity may be required to adapt its actions to the personal data protection regulations, to the extent expressed in the preceding Legal Basis.
This document establishes the alleged infringement and the facts
that could give rise to this possible violation of data protection regulations.
From this, the measures to be adopted are clearly inferred, without prejudice to the fact that the specific procedures, mechanisms, or instruments for
implementing them correspond to the sanctioned party, since it is the data controller who fully knows their organization and must decide, based on
proactive responsibility and a risk-based approach, how to comply with the GDPR and the
LOPDGDD.
MAJOREL SP SOLUTIONS, S.A. states that it is in the process of providing
professional phones and SIM cards to all active employees of the ***COMPANY.2 service, and proposes several measures to mitigate this situation:
– Avoid using personal data, such as personal phone numbers, for
work purposes.
However, in this case, regardless of the foregoing, in accordance with the evidence currently available regarding the initiation of disciplinary proceedings, the resolution adopted may require
MAJOREL SP SOLUTIONS, S.A. to, within a maximum period of 3 months from the date of enforcement of the final resolution of these proceedings,
adopt the following measures:
– Cease data processing: do not use the mobile phones of MAJOREL SP SOLUTIONS, S.A. employees who provide services to ***COMPANY.2 as access terminals to the latter’s computer application.
The imposition of these measures is compatible with the sanction consisting of an administrative fine, as provided for in Article 83.2 of the GDPR.
Please be advised that failure to comply with any order to adopt measures imposed by this agency in the resolution of this sanctioning procedure may be considered an administrative infringement in accordance with the GDPR, specifically classified as an infringement in Articles 83.5 and 83.6, and such conduct may lead to the initiation of further administrative sanctioning proceedings.
Furthermore, please note that neither acknowledgment of the infringement committed nor, where applicable, voluntary payment of the proposed amounts, exempts you from the obligation to adopt the appropriate measures to cease the conduct or correct the effects of the infringement committed, and from the obligation to demonstrate compliance with this requirement to the Spanish Data Protection Agency (AEPD).
Therefore, in light of the foregoing, the President of the Spanish Data Protection Agency hereby resolves:
FIRST: To initiate disciplinary proceedings against MAJOREL SP
SOLUTIONS, S.A., with Tax Identification Number A82112665, for the alleged infringement of Article 6.1.b) of the GDPR, as defined in Article 83.5 of the GDPR.
SECOND: To appoint R.R.R. as investigating officer and S.S.S. as secretary,
indicating that they may be challenged, if necessary, in accordance with Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
THIRD: To incorporate into the file, for evidentiary purposes, the documents obtained and generated by the General Sub-Directorate of Data Inspection in the actions prior to the initiation of this sanctioning procedure.
FOURTH: That, for the purposes set forth in Article 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the applicable sanction would be an administrative fine of €80,000.00, without prejudice to the outcome of the investigation.
FIFTH: To notify MAJOREL SP SOLUTIONS, S.A., with Tax Identification Number A82112665, of this agreement, granting it a period of ten business days to submit any allegations and present any evidence it deems appropriate. In your written statement of allegations, you must provide your Tax Identification Number (NIF) and the procedure number shown in the heading of this document.
In accordance with Article 85 of the LPACAP (Law on Administrative Procedure of Public Administrations), you may acknowledge your responsibility within the time limit granted for submitting allegations to this initiation agreement. This will result in a 20% reduction of the penalty to be imposed in this procedure. With this reduction, the penalty would be set at €64,000.00, and the procedure will be resolved with the imposition of this penalty.
Likewise, you may, at any time prior to the resolution of these proceedings, make voluntary payment of the proposed penalty, which will result in a 20% reduction. With this reduction, the penalty will be set at €64,000.00, and payment will terminate the proceedings, without prejudice to the imposition of any corresponding measures.
The reduction for voluntary payment of the penalty is cumulative with the reduction applicable for acknowledging responsibility, provided that this acknowledgment of responsibility is made within the period granted for submitting allegations to the initiation of the proceedings.
The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the penalty would be set at €48,000.00.
In any case, the effectiveness of either of the aforementioned reductions will be conditional upon the withdrawal or waiver of any administrative action or appeal against the penalty.
Should you choose to make a voluntary payment of either of the amounts
indicated above (€64,000.00 or €48,000.00), you must do so
by depositing the funds into account number IBAN: ES00-0000-0000-0000-0000-0000
(BIC/SWIFT Code: CAIXESBBXXX) held in the name of the Spanish Data Protection Agency at CAIXABANK, S.A., indicating in the payment details the reference number of the procedure shown in the header
of this document and the reason for the reduction in the amount you are claiming.
You must also send proof of payment to the General Sub-Directorate of Inspection to continue with the procedure in accordance with the amount
deposited.
In compliance with Articles 14, 41, and 43 of the LPACAP (Law on the Legal Regime of Public Administrations and Common Administrative Procedure), you are hereby notified that, henceforth, all notifications sent to you will be made exclusively electronically, through the Single Authorized Electronic Address (dehu.redsara.es) and the Electronic Headquarters (sedeaepd.gob.es). Failure to access these notifications will result in a record of your rejection in the file, thus completing the process and continuing the procedure. You are informed that you may provide this Agency with an email address to receive notifications when they are available, and that failure to respond to this notification will not invalidate it.
Finally, please note that, in accordance with Article 112.1 of the LPACAP, no administrative appeal may be filed against this decision.
1479-010725
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency
>>
SECOND: On November 19, 2025, MAJOREL SP SOLUTIONS, S.A.
proceeded to pay the fine in the amount of €48,000.00, taking advantage of the
two reductions provided for in the initial agreement transcribed above, which
implies acknowledgment of responsibility in relation to the facts referred to
in the initial agreement and their legal classification.
THIRD: The initial agreement transcribed above indicated that, should the infringement be confirmed, the responsible party could be required to adopt
appropriate measures to bring its actions into compliance with the regulations mentioned in this
act, in accordance with the provisions of Article 58.2 d) of the GDPR, according to which
each supervisory authority may “require the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specific manner and within a specified
time period…”.
Having acknowledged responsibility for the infringement, the imposition of
the measures included in the initial agreement is warranted.
LEGAL BASIS
I
Jurisdiction
In accordance with the powers conferred upon each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to resolve this procedure.
Likewise, Article 63.2 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights) stipulates that: “The procedures
processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the implementing regulations issued thereunder, and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures.”
II
Termination of the Procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading
“Termination of Sanctioning Procedures,” provides the following:
“1. Once a sanctioning procedure has been initiated, if the offender acknowledges their responsibility,
the procedure may be resolved by imposing the corresponding sanction.
2. When the sanction is solely monetary, or when a
monetary sanction and a non-monetary sanction are applicable but the
inappropriateness of the latter has been justified, voluntary payment by the alleged offender, at
any time prior to the resolution, will imply the termination of the procedure,
except with regard to restoring the altered situation or determining
compensation for the damages caused by the commission of the infraction.
3. In both cases, where the sanction is solely monetary, the competent body for resolving the proceedings will apply reductions of at least 20% to the proposed sanction amount. These reductions are cumulative.
These reductions must be specified in the notification initiating the proceedings, and their effectiveness is conditional upon the withdrawal or waiver of any administrative action or appeal against the sanction.
The percentage reduction provided for in this section may be increased by regulation.”
III
Voluntary Payment and Acknowledgment of Responsibility
In accordance with the provisions of Article 85 of the LPACAP (Law on Administrative Procedure and Common Administrative Procedure), the notification of the initiation of proceedings informed the appellant of the possibility of acknowledging responsibility and making voluntary payment of the proposed sanction, which would entail two cumulative reductions of 20% each. With the application of these two
reductions, the penalty would be set at €48,000.00, and its payment would imply
the termination of the proceedings, without prejudice to the imposition of the
corresponding measures.
Following notification of the aforementioned initiation agreement, MAJOREL SP SOLUTIONS, S.A. has
acknowledged its responsibility and voluntarily paid the penalty,
taking advantage of the two reductions provided for. In accordance with section 3 of
Article 85 of the LPACAP (Law on Administrative Procedure), the effectiveness of the aforementioned reductions will be conditional upon
withdrawal or waiver of any action or appeal through administrative channels against the
penalty.
It should be noted that, in accordance with the provisions of the LPACAP (Law on Administrative Procedure of Public Administrations), as well as the jurisprudence of the Supreme Court on this matter, the exercise of voluntary payment by the alleged offender does not exempt the administration from the obligation to resolve and notify all proceedings, regardless of how they were initiated. Likewise, Article 88 of the aforementioned law establishes that the resolution that concludes the proceedings will decide all issues raised by the interested parties and any other issues arising therefrom.
Therefore, in accordance with the applicable legislation and having assessed the criteria for determining the severity of the sanctions, the President of the Spanish Data Protection Agency resolves:
FIRST: To declare the commission of the infringements and to confirm the sanctions determined in the operative part of the initial agreement transcribed in this resolution.
The sum of the aforementioned amounts totals €80,000.00.
Following MAJOREL SP SOLUTIONS, S.A.’s prompt payment and
acknowledgment of liability, pursuant to Article 85 of the LPACAP (Law on Administrative Procedure of Public Administrations),
the aforementioned total is reduced by 40%, resulting in a final amount of
€48,000.00.
The effectiveness of these reductions is conditional, in all cases, on the
withdrawal or waiver of any administrative action or appeal.
SECOND: DECLARE the termination of procedure EXP202406971, in accordance with the provisions of Article 85 of the LPACAP.
THIRD: ORDER MAJOREL SP SOLUTIONS, S.A. to notify the Agency, within three months of this resolution becoming final and enforceable, of the adoption of the measures described in the legal grounds of the initiation agreement transcribed in this resolution.
FOURTH: NOTIFY MAJOREL SP SOLUTIONS, S.A. of this resolution.
FIFTH: In accordance with the provisions of Article 85 of the LPACAP, which conditions the reduction for voluntary payment and acknowledgment of liability on the withdrawal or waiver of any action or appeal through administrative channels, this resolution will become final and fully enforceable upon notification.
In accordance with Article 50 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), this Resolution will be made public. Publication will take place once the resolution has been notified to the interested parties.
This resolution, which concludes the administrative process as stipulated by Article 50 of the LOPDGDD, may be appealed. Pursuant to Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal with the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.
However, in accordance with the provisions of Article 90.3.a) of the LPACAP, the final administrative decision may be provisionally suspended if the interested party expresses their intention to file an administrative appeal. If this is the case, the interested party must formally notify the Spanish Data Protection Agency in writing, submitting it through the Agency’s Electronic Registry [https://sedeaepd.gob.es/sede-electronica-web/], or through any of the other registries provided for in Article 16.4 of Law 39/2015 of October 1. They must also provide the Agency with documentation proving the effective filing of the administrative appeal. If the Agency does not receive notification of the filing of the administrative appeal within two months of the day following notification of this resolution, the precautionary suspension will be terminated.
1259-101025
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency
</pre>